Repeated login prompts when launching Outlook 2007 on Exchange 2007 domain
Hi,

I have a newly installed Windows 2008/Exchange 2007 domain. The clients are a mixture of Office 2003 and 2007 (all running Win XP SP3); the problems I experience do not affect 2003 clients, only 2007 clients. All users are connected to the domain, I have no external users.

Whenever Outlook 2007 is launched, I get a series of 9 logon boxes - the first three all ask me to authenticate to the Exchange box, the second three ask me to authenticate to the e-mail domain (NOT my network domain) and the last three ask me to authenticate with autodiscover.e-mail domain. If the correct Windows credentials are entered on the first of the 9 boxes you can just press Esc past the remaining 8 and then the "Connected to Microsoft Exchange" notification appears in the bottom right.

As all appears to be ok with 2003 clients I have been working on the assumption that my autodiscover configuration is incorrect. If I run a Test E-Mail Configuration with just the Use AutoDiscover option ticked, it prompts the logon boxes again but regardless of what you put in it returns "Autoconfiguration was unable to determine your settings!"

I've then gone to the EMS and run Test-OutlookWebServices for one of the users;

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address user.address@e-maildomain.co.uk.

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://CAS01.networkdomain.local/autodiscover/autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://CAS01.networkdomain.local/EWS/Exchange.asmx. The elapsed time was 44 milliseconds.

Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://CAS01.networkdomain.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://CAS01.networkdomain.local/UnifiedMessaging/Service.asmx. The elapsed time was 7 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

I have checked the paths to the autodiscover.xml from IE and when navigating to there I am again requested to login. IIS is a bit of a mystery to me but I've checked the Autodiscover section under my Default Web Site and authentication is enabled for Basic and Windows Authentication.

I have not configured external access at all as it is not needed in my network.

Any help would be gratefully appreciated!!

Thanks
August 7th, 2009 4:37pm

I would check out your Certificate that you have on the CAS server. Is it Self Signed? Do you have an internal CA that you can use to assign a new private cert to the CAS box?

Also, what happens if you launch Outlook, and do a ctrl right click on the Outlook icon in the sys tray? There should be an option to test connectivity.

Also, have you tried to do any Test-OutlookWebServices and Test-OWAConnectivity?

SF - MCITP:EMA, MCTS
August 7th, 2009 5:20pm

Hi Scott, thanks for replying. In answer to your questions;

I am using a self signed certificate. That is to say, I understand that Exchange generates a certificate on installation. I would assume "to assign a new private cert to the CAS box" that I will be using the cmdlet New-ExchangeCertificate but this is an area that I know very little about. Could you provide some detailed steps as to what I need to do?

Running the test connectivity after ctrl right click on the Outlook icon in the sys tray with just the Use AutoDiscover option ticked, it prompts the logon boxes again but regardless of what you put in it returns "Autoconfiguration was unable to determine your settings!"

Test-OutlookWebServices returns the details in my original post.

Test-OWAConnectivity didn't go very smoothly! When I first ran it I got;

WARNING: Test user 'CAS_a9060008b61b4f95' cannot be accessed. Therefore, this cmdlet will be unable to test Mailbox server 'CAS01.domain.local'.
Test-OwaConnectivity : Could not find or log on with user domain.local\CAS_a9060008b61b4f95. If this task is being run without credentials, log on as a Domain Administrator, and then run the new-TestCasConnectivityUser.ps1 to verify that the user exists on Mailbox server CAS01.domain.local
At line:1 char:21
+ Test-OwaConnectivity <<<< > c:\owaconnectivity.txt
WARNING: No Client Access servers were tested.

In short, I couldn't find an account in AD with anything like that name. I ran the ps1 script mentioned above which generated a new account. I then reran Test-OwaConnectivity;

AuthenticationMethod   : FBA
ClientAccessServer     : CAS01.domain.local
Scenario               : Logon
ScenarioDescription    : Log on to Outlook Web Access and verify the response page.
PerformanceCounterName : Logon Latency
Result                 : Success
MailboxServer          : CAS01.domain.local
StartTime              : 8/8/2009 8:35:23 AM
Latency                : 00:00:00.0459002
SecureAccess           : True
Error                  :
UserName               : CAS_a9060008b61b4f95
VirtualDirectoryName   : owa (Default Web Site)
Url                    : https://CAS01.domain.local/owa/
UrlType                : Internal
EventType              : Success
Port                   : 0
ConnectionType         : Plaintext

Regards,
Graeme
August 8th, 2009 10:55am

Check info:
1. Please check the authentication on all virtual directories, refer to Xiu Zhang's post in this thread
2. Go to the AutoDiscover section in IIS, ensure that Ignore has been selected in the SSL Settings
3. Is there any error event in the application log on the CAS server after reproducing the issue?
4. Please enable the troubleshooting logging on the problematic PC, and reproduce the issue. Then, check the log file (Reference)
5. Please check if Proxy settings have been enabled in the IE configuration on the problematic PC
6. Please run the ExBPA for a health check
August 10th, 2009 9:01am

Do you have an internal Domain CA that you could use to generate a new certificate? I have seen this before when there was a cert issue.

Read here for more info on Certs:

Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505.aspx

Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Digicert's Exchange 2007 tool
https://www.digicert.com/easy-csr/exchange2007.htm

Install Windows Server 2003 CA
http://www.petri.co.il/install_windows_server_2003_ca.htm

SF - MCITP:EMA, MCTS
August 10th, 2009 10:08pm

Hi Graeme,

1. Does the issue happen only if clients are in cached mode? If so, it could be an issue with OAB download. Try to manually download the OAB and see if you're able to repro it.
2. If it happens in online mode as well, try the following things:
   a. Start - Run - control keymgr.dll and remove cached passwords.
   b. Uncheck the option for Outlook Anywhere. See if this resolves the issue.
   c. Tools -> Account Settings -> Change -> Security and select "Password Authentication". This could rule out Kerberos issues. If this resolves the issue check KB 297801.

Hope this helps.
Satishna
August 11th, 2009 3:37am

Hello all, thank you all for your suggestions. I'll answer your questions/suggestions in turn;

James,

1. I've reset authentication on all virtual directories - I had some errors along the way which resulted in a reinstall of .NET, CAS and IIS but all is checking out there now I think.
2. Autodiscover is set to require SSL but ignore client certificates.
3. I have 1 error coming up in the Event Viewer on CAS - The RPC over HTTP Proxy component is not installed or is not configured correctly. At present I have no need for this but it does tie in with a problem highlighted by Satish's suggestions - see later on!
4. I switched logging on, the log gives me the following details;

6041349984 08/11/09 13:51:49 Attempting URL https://CAS01.localdomain.local/Autodiscover/Autodiscover.xml found through SCP
6041349984 08/11/09 13:51:49 Autodiscover to https://CAS01.localdomain.local/Autodiscover/Autodiscover.xml starting
6041350078 08/11/09 13:51:49 Autodiscover to https://CAS01.localdomain.local/Autodiscover/Autodiscover.xml FAILED (0x80040413)
6041350078 08/11/09 13:51:49 Autodiscover to https://emaildomain.co.uk/autodiscover/autodiscover.xml starting
6041350171 08/11/09 13:51:50 Autodiscover to https://emaildomain.co.uk/autodiscover/autodiscover.xml FAILED (0x80040413)
6041350171 08/11/09 13:51:50 Autodiscover to https://autodiscover.emaildomain.co.uk/autodiscover/autodiscover.xml starting
6041350265 08/11/09 13:51:50 Autodiscover to https://autodiscover.emaildomain.co.uk/autodiscover/autodiscover.xml FAILED (0x80040413)
6041350265 08/11/09 13:51:50 Local autodiscover for emaildomain.co.uk starting
6041350265 08/11/09 13:51:50 Local autodiscover for emaildomain.co.uk FAILED (0x8004010F)
6041350265 08/11/09 13:51:50 Redirect check to http://autodiscover.emaildomain.co.uk/autodiscover/autodiscover.xml starting
6041350281 08/11/09 13:51:50 Redirect check to http://autodiscover.emaildomain.co.uk/autodiscover/autodiscover.xml FAILED (0x80004005)
6041350281 08/11/09 13:51:50 Srv Record lookup for emaildomain.co.uk starting
6041350281 08/11/09 13:51:50 Srv Record lookup for emaildomain.co.uk FAILED (0x8007251D)

I think Autodiscover is failing :-)

5. All of our client machines are configured to run through a proxy that requires a separate login, the internal domain has been set up as a bypass address.
6. When I run ExBPA I am getting a Certificate SAN mismatch. "The subject alternative name (SAN) of SSL certificate for does not appear to match the host address." The address it is referring to is an external DNS entry I set up a while ago whilst providing some OWA access for a few staff members. It is no longer needed.

Scott,

I generated a new Certificate using the New-ExchangeCertificate cmdlet. Reading through the links you supplied, my cert needed to include autodiscover.domain.local so I used the -UseAutoDiscover switch. My new certificate now looks like this;

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {cas01.internaldomain.local, cas01, autodiscover.internaldomain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=cas01.internaldomain.local
NotAfter           : 8/11/2010 1:19:03 PM
NotBefore          : 8/11/2009 1:19:03 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 0BA27BE26CCFD4AA427D0A65A76EC917
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=cas01.internaldomain.local
Thumbprint         : 95A45DEA274BF3B59841BDA1BC6760F311438B68

I now have 3 certificates and I think that may be confusing things - one doesn't look after any services and the other 2 operate IMAP, POP and SMTP.

If I go to the web page for OWA, I get the Invalid certificate warning before I can get to log in. Does this mean I've not done this right or is that a separate issue?

Satish,

1. This happens regardless of whether cached mode is enabled.

Once again, any further help would be gratefully received!

Regards,
Graeme
August 11th, 2009 4:22pm

ADDITIONAL: I disabled Outlook Anywhere and I couldn't connect to Exchange at all - Server unavailable......
August 11th, 2009 4:24pm

1. Could you reproduce the issue if you connect directly? (bypass the proxy from IE) Autodiscover/EWS have known issues with transparent proxies. Also, if your clients are connecting within your corporate network, they should be connecting over Rpc/Mapi and not Rpc-http.
2. Your certificate has to be trusted by the client ideally.
3. Same cert has to be used if you have multiple CAS servers.
4. Is Outlook Anywhere configured for NTLM authentication?

Please uncheck "encrypt traffic between outlook and exchange" from Tools -> Account Settings -> Change -> Security and collect a network trace from a client and send it across if possible.

Thanks
Satish.na
August 12th, 2009 4:18am

Disable the proxy setting on one of the problematic machines, and check the result.

Please also refer to the steps in KB 940726 to troubleshoot.

"The subject alternative name (SAN) of SSL certificate for does not appear to match the host address" indicates a discrepancy with the Exchange server name between the registry and Active Directory, please refer to the following resources to verify the name:

DSA Computer name mismatch
Server name mismatch
There is a discrepancy with the Exchange server name between the registry and Active Directory

If all the names above match correctly, please check the DNS setting on the Exchange server, ensure it points to the right DNS server which contains the right DNS record for the Exchange server. And, also check the Hosts file on the Exchange server, if there's any entry for the Exchange server, please confirm it has the right name and IP address.
August 13th, 2009 12:44pm

Hi,

Thank you for your help. I had two conflicting GPO's on my network for proxy bypass settings; one had the domain name included and the other did not. Once this conflict was removed and the only proxy gpo included the domain name in the bypass settings all began to work perfectly.

Regards,
Graeme
August 16th, 2009 11:07pm
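
The resolution above, as an added example that is not part of the original thread: it takes Autodiscover failures in the shape of the client log quoted earlier and shows which hosts a given proxy bypass list would still send through the authenticating proxy. The two bypass lists are constructed stand-ins for the conflicting GPOs (that the missing entry was the internal domain is an assumption), and the matching is a simplified approximation of Internet Explorer's bypass rules.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed sample, abridged from the client log quoted in the thread.
LOG = """\
Autodiscover to https://CAS01.localdomain.local/Autodiscover/Autodiscover.xml FAILED (0x80040413)
Autodiscover to https://emaildomain.co.uk/autodiscover/autodiscover.xml FAILED (0x80040413)
Autodiscover to https://autodiscover.emaildomain.co.uk/autodiscover/autodiscover.xml FAILED (0x80040413)
"""

# Constructed bypass lists standing in for the two conflicting GPOs (assumption).
GPO_WITHOUT_DOMAIN = "<local>"
GPO_WITH_DOMAIN = "<local>;*.localdomain.local"


def failed_hosts(log):
    """Return the host names of Autodiscover URLs the log marks as FAILED."""
    urls = re.findall(r"Autodiscover to (https?://\S+) FAILED", log)
    return [urlsplit(u).hostname for u in urls]  # hostname is lower-cased


def bypasses_proxy(host, bypass_list):
    """Approximate IE bypass matching: ';'-separated entries, '*' wildcards,
    and '<local>' covering only names that contain no dot."""
    host = host.lower()
    for entry in bypass_list.lower().split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if entry == "<local>":
            if "." not in host:
                return True
        elif fnmatch(host, entry):
            return True
    return False


def routing(log, bypass_list):
    """Map each failed Autodiscover host to 'direct' or 'proxy'."""
    return {h: "direct" if bypasses_proxy(h, bypass_list) else "proxy"
            for h in failed_hosts(log)}


if __name__ == "__main__":
    for name, gpo in (("without domain", GPO_WITHOUT_DOMAIN),
                      ("with domain", GPO_WITH_DOMAIN)):
        print(name, routing(LOG, gpo))
```

With only `<local>` in the list, the fully qualified CAS name found through the SCP still goes to the proxy, because `<local>` covers dotless names only.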
