Autodiscover

    Question

  • Hi all,

    I've two problems with autodiscover. Here's my Setup:

    Exchange 2010 SP3 , all roles on one server

    OWA / ActiveSync is published via an Apache frontend server (reverse proxy). Outlook Anywhere is disabled. The internal AD domain is company.local, the external mail domain is company.at

    Self signed Exchange certificates via internal AD PKI

    Apache has a self signed wildcard certificate

    Problem 1:

    The main mail address domain on Exchange is company.at. If I start Outlook 2010 on a domain-joined client, autodiscover is working fine (all settings are filled in automatically, Outlook Connection Test without errors). But every time I restart Outlook the password prompt dialog appears; if I cancel the dialog everything seems to be working (Outlook is connected to Exchange).

    In the Outlook Logfile (%Temp% -> olkdisc.log) the following error appears:

    Thread    Tick Count    Date/Time    Description
    Account Configuration Version 14.0.6131.0
    1848    0x002647BA    06/05/13 08:50:18    Starting Autodiscover search for e-mail address
    1848    0x00264875    06/05/13 08:50:19    Autodiscover search for e-mail address succeeded (0x00000000).
    1848    0x00264884    06/05/13 08:50:19    +++++++++++++++++++++++++++++++
    1848    0x00264884    06/05/13 08:50:19    AUTODISCOVER GET SETTINGS BEGIN
    1848    0x00264884    06/05/13 08:50:19      LegacyDN=/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=9cd4f2898e2e4b9288f2d271543b6165-brumic
    1848    0x00264884    06/05/13 08:50:19      SMTP=xxx@company.local
    1848    0x002648F2    06/05/13 08:50:19    Trying the URL https://webmail.company.local/autodiscover/autodiscover.xml found via the Service Connection Point.
    1848    0x002648F2    06/05/13 08:50:19    Starting Autodiscover for https://webmail.company.local/autodiscover/autodiscover.xml.
    1848    0x00264940    06/05/13 08:50:19    GetLastError=0; httpStatus=401.
    1848    0x00264940    06/05/13 08:50:19    AutoDiscover disabled auth schemes:
    1848    0x00264940    06/05/13 08:50:19      <NONE>
    1848    0x00264940    06/05/13 08:50:19    AutoDiscover supported auth schemes:
    1848    0x00264940    06/05/13 08:50:19      Negotiate
    1848    0x00264940    06/05/13 08:50:19      NTLM
    1848    0x00264940    06/05/13 08:50:19      Basic
    1848    0x00264940    06/05/13 08:50:19    AutoDiscover attempting Auto-Negotiate with Desktop Credentials.
    1848    0x00264940    06/05/13 08:50:19    AutoDiscover USING pcreds->dwAuthScheme:
    1848    0x00264940    06/05/13 08:50:19      Negotiate
    1848    0x0026495F    06/05/13 08:50:19    GetLastError=0; httpStatus=200.
    1848    0x0026495F    06/05/13 08:50:19    Autodiscover XML Received
    1848  ---BEGIN XML---
    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
        <Error Time="08:50:19.0997790" Id="1690816174">
          <ErrorCode>500</ErrorCode>
          <Message>Mail address not fund</Message>
          <DebugData />
        </Error>
      </Response>
    </Autodiscover>
    1848  ----END XML----
    1848    0x0026495F    06/05/13 08:50:19    Autodiscover for https://webmail.company.local/autodiscover/autodiscover.xml failed (0x800C8203).
    1848    0x0026495F    06/05/13 08:50:19    Starting Autodiscover for https://company.local/autodiscover/autodiscover.xml.
    1848    0x002670CC    06/05/13 08:50:29    GetLastError=12029; httpStatus=0.
    1848    0x002670CC    06/05/13 08:50:29    Autodiscover for https://company.local/autodiscover/autodiscover.xml failed (0x800C8203).
    1848    0x002670CC    06/05/13 08:50:29    Starting Autodiscover for https://autodiscover.company.local/autodiscover/autodiscover.xml.
    1848    0x002670EB    06/05/13 08:50:29    GetLastError=12007; httpStatus=0.
    1848    0x002670FB    06/05/13 08:50:29    Autodiscover for https://autodiscover.company.local/autodiscover/autodiscover.xml failed (0x800C8203).
    1848    0x002670FB    06/05/13 08:50:29    Starting local Autodiscover for company.local.
    1848    0x002670FB    06/05/13 08:50:29    Local Autodiscover for company.local failed (0x8004010F).
    1848    0x002670FB    06/05/13 08:50:29    Starting redirect check for http://autodiscover.company.local/autodiscover/autodiscover.xml.
    1848    0x0026711A    06/05/13 08:50:29    Service record lookup for http://autodiscover.company.local/autodiscover/autodiscover.xml failed (0x80072EE7).
    1848    0x0026711A    06/05/13 08:50:29    Starting service record lookup for company.local.
    1848    0x00267149    06/05/13 08:50:29    Service record lookup for company.local failed (0x8004010F).
    1848    0x00267149    06/05/13 08:50:29    AUTODISCOVER GET SETTINGS END
    1848    0x00267158    06/05/13 08:50:29    -----------------------------
    6600    0x0026734C    06/05/13 08:50:30    Looking for cached XML file:
    6600    0x0026736B    06/05/13 08:50:30    C:\Users\xxx\AppData\Local\Microsoft\Outlook\24ed1fd1e2550441bd9b3f05a522a5ce - Autodiscover.xml
    6600    0x0026736B    06/05/13 08:50:30    Autodiscover XML Received

    On the next line in the log, autodiscover seems to work properly again.

    Things I've already checked:

    IIS Virtual Directory permissions -> ok

    AutoDiscoverServiceInternalUri-> ok

    AD SCP -> ok

    Exchange certificate has all necessary SANs -> ok

    Direct access to https://webmail.company.local/autodiscover/autodiscover.xml also works (in a browser)

    Problem 2:

    Autodiscover on external clients does not work.

    The Exchange connectivity tool gives me the following error:

    ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xxx.at/AutoDiscover/AutoDiscover.xml for user xxx@company.at

    ExRCA failed to obtain an Autodiscover XML response.

    Additional Details       

    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).

    Any suggestions on this? thank you

    Michael

    Thursday, June 06, 2013 6:46 AM

Answers

  • Hi,

    Thanks for your assistance in this case. I finally got the correct settings for Apache:

    Add this to your VHost configuration on the Apache. Finally all ExRCA tests were successful!

    # Rewrite the WWW-Authenticate header of the proxied 401 so that it no longer
    # offers Windows Integrated Authentication (Negotiate/NTLM) and only offers
    # Basic. Basic sends the password base64-encoded, so this belongs on the
    # HTTPS virtual host only.
    # (The SetEnvIf line is not referenced by the Header directives below.)
    SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
    Header unset WWW-Authenticate
    Header add WWW-Authenticate "Basic realm=webmail.domain.com"

    Best regards,

    Michael

    Thursday, June 06, 2013 1:20 PM

All replies

  • Hi Michael,

    Try to clear your Password Manager, use: control userpasswords2 in your command prompt.

    Enable Outlook anywhere

    You can also create an A record for autodiscover.xxx.at and point it to the CAS server

    Thursday, June 06, 2013 8:02 AM
  • Hi,

    Clearing the Password Manager has no effect. An A record also does not work, because the internal DNS is only authoritative for company.local

    Company.at Domain has an external DNS service...

    Thursday, June 06, 2013 8:18 AM
    Autodiscover in Outlook tries to connect using different methods: check the SCP in AD (that's why it works internally), then try mydomain.com/autodiscover/autodiscover.xml, then autodiscover.mydomain.com/autodiscover/autodiscover.xml, then check for an SRV record on mydomain.com

    You can either put an autodiscover record on your public DNS and publish your autodiscover, or you can disable the Outlook SRV and DNS checks using a reg key http://support.microsoft.com/kb/221290


    Bruce Jourdain de Coutance - Consultant Exchange http://brucejdc.blog.free.fr


    Thursday, June 06, 2013 8:22 AM
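    Bruce's lookup order above, together with the Autodiscover error body quoted from olkdisc.log in the question, as an added example that is not part of this thread: the script lists the steps Outlook 2010 walks for a given SMTP address (the documented Exclude* DWORDs under the Office 14.0 AutoDiscover key, which the reg-key/GPO suggestions in this thread rely on, are modelled as parameters) and classifies a response body as error, redirect or settings. The error body is the one from the question; the redirect body, the company.at address and the step names are constructed for the example.

```python
"""Outlook 2010 Autodiscover lookup order and response classification.

Added example (not from the thread).  Assumptions are marked inline.
"""
import xml.etree.ElementTree as ET

# Registry value names Outlook 2010 honours under
# HKCU\Software\Microsoft\Office\14.0\Outlook\AutoDiscover (DWORD 1 = skip step),
# mapped to the step identifiers used below (identifiers are this example's own).
EXCLUDE_KEYS = {
    "ExcludeScpLookup": "scp",
    "ExcludeHttpsRootDomain": "https_root",
    "ExcludeHttpsAutoDiscoverDomain": "https_autodiscover",
    "ExcludeHttpRedirect": "http_redirect",
    "ExcludeSrvRecord": "srv",
}


def lookup_plan(smtp_address, domain_joined=True, excludes=()):
    """Return the ordered (step, target) pairs Outlook walks for an address.

    Order follows the olkdisc.log in the question: SCP (domain-joined clients
    only), HTTPS on the root domain, HTTPS on autodiscover.<domain>, the
    unauthenticated HTTP redirect probe, then the SRV record.
    """
    domain = smtp_address.rsplit("@", 1)[1].lower()
    skipped = {EXCLUDE_KEYS[k] for k in excludes if k in EXCLUDE_KEYS}
    steps = []
    if domain_joined:
        steps.append(("scp", "AD serviceConnectionPoint lookup"))
    steps += [
        ("https_root", f"https://{domain}/autodiscover/autodiscover.xml"),
        ("https_autodiscover",
         f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"),
        ("http_redirect",
         f"http://autodiscover.{domain}/autodiscover/autodiscover.xml"),
        ("srv", f"_autodiscover._tcp.{domain}"),
    ]
    return [s for s in steps if s[0] not in skipped]


def _local(tag):
    """Strip the XML namespace; error and settings responses use different ones."""
    return tag.rsplit("}", 1)[-1]


def _first(elem, name):
    return next((c for c in elem.iter() if _local(c.tag) == name), None)


def classify_response(xml_text):
    """Classify an Autodiscover response body.

    Returns ("error", code, message) for an <Error> block like the one in the
    question, ("redirect", action, target) for redirectAddr/redirectUrl, or
    ("settings", [protocol types]) for a usable answer.
    """
    root = ET.fromstring(xml_text)
    err = _first(root, "Error")
    if err is not None:
        code = _first(err, "ErrorCode")
        msg = _first(err, "Message")
        return ("error",
                int(code.text) if code is not None and code.text else None,
                msg.text if msg is not None else None)
    action = _first(root, "Action")
    if action is not None and action.text and action.text.startswith("redirect"):
        tag = "RedirectAddr" if action.text == "redirectAddr" else "RedirectUrl"
        target = _first(root, tag)
        return ("redirect", action.text, target.text if target is not None else None)
    return ("settings", [t.text for t in root.iter() if _local(t.tag) == "Type"])


# The error body quoted from olkdisc.log in the question.
ERROR_XML = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="08:50:19.0997790" Id="1690816174">
      <ErrorCode>500</ErrorCode>
      <Message>Mail address not fund</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""

# Constructed redirect response (the kind an autodiscover CNAME target can return).
REDIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>https://webmail.company.at/autodiscover/autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>"""

if __name__ == "__main__":
    for step, target in lookup_plan("user@company.at", domain_joined=False):
        print(f"{step:20s} {target}")
    print(classify_response(ERROR_XML))
    print(classify_response(REDIRECT_XML))
```

    Run with an external (non-domain-joined) address to see the four network steps an external client has left once the SCP is out of reach; the error branch is what Outlook hit on the SCP URL in the question before falling through the rest of the list.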
  • Hi Bruce,

    SCP in AD is working.

    SRV Record on external DNS is not possible (not allowed by DNS Service Hoster). Autodiscover CNAME record on external DNS is set to my apache OWA. This is working correctly, because ExRCA comes to the Exchange IIS (then the error: "An HTTP 401 Unauthorized response was received from the remote Unknown server." comes up)

    The link you posted is dead. do you mean this: http://support.microsoft.com/kb/2612922

    best regards,

    Michael

    Thursday, June 06, 2013 8:48 AM
    For the KB, it is not the same KB but the same subject, yes. You can set an excludehttps via GPO; you also have a better description here: http://blogs.technet.com/b/mspfe/archive/2013/05/01/so-you-want-to-block-exchange-2010-autodiscover-why-would-anyone-do-that.aspx

    (if the link work :))

    What are the authentication methods available for autodiscover on your CAS? If you want it to work externally you need Basic (and users will be prompted for user/password); also I don't know how it interacts with your reverse proxy.


    Bruce Jourdain de Coutance - Consultant Exchange http://brucejdc.blog.free.fr

    Thursday, June 06, 2013 8:56 AM
  • The link works ;) - thx

    My authentication methods for autodiscover are Windows, Basic and Anonymous -> according to http://technet.microsoft.com/en-us/library/gg247612%28v=exchg.141%29.aspx

    If I browse to the autodiscover website (.../autodiscover.xml) from outside, the password prompt appears.

    Entering username/password does not work (the prompt appears once again) and then the error "You are not authorized to view this page" comes up. This is already an IIS error, so the Apache seems to work correctly.

    The IIS Log says:

    2013-06-06 09:05:21 10.24.100.10 GET /autodiscover/AutoDiscover.xml - 443 - 10.124.100.6 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 1 2148074248

    (10.24.100.10 is the Exchange, 10.124.100.6 is the Apache in the DMZ)

    regards,

    Michael

    Thursday, June 06, 2013 9:08 AM
  • Did you enter your username with the domain (like mydomain\user) ? You can set the default realm in IIS on the basic auth tab, else it may use the server name as realm.

    Bruce Jourdain de Coutance - Consultant Exchange http://brucejdc.blog.free.fr

    Thursday, June 06, 2013 9:22 AM
  • hehe. I've found the following in the IIS logs:

    a browser request from outside (via apache) produces this line:

    2013-06-06 09:05:21 10.24.100.10 GET /autodiscover/AutoDiscover.xml - 443 - 10.124.100.6 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 1 2148074248

    a browser request from inside, directly on the CAS:

    2013-06-06 10:04:07 10.24.100.10 GET /autodiscover/autodiscover.xml - 443 domain\user 10.124.100.6 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 0

    See the difference? The inside request contains the domain\username information.

    It seems that the IIS server rejects the client response because its inbound connection (from Apache) does not match the client's information in the NTLM message.

    For test purposes I've now disabled Windows authentication on the autodiscover vdirectory in IIS -> and voilà: autodiscover from outside is working now.

    But of course autodiscover for domain-joined clients from the internal network is now out of function (HTTP 500) because of the missing Windows authentication :(.

    Is there any fix possible or do I have to use ISA/TMG as OWA Frontend?

    thanks

    Thursday, June 06, 2013 10:14 AM
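    Michael's comparison of the two IIS log lines, as an added example that is not from this thread: the script parses IIS W3C log lines and counts 401.1 (logon failed) entries with no authenticated user, by client address and by sc-win32-status. 2148074248 is 0x80090308, SEC_E_INVALID_TOKEN, the SSPI error IIS records when the Negotiate/NTLM token it receives does not fit the challenge it issued; NTLM authenticates a TCP connection, so a proxy that answers the challenge on a different backend connection than the one it was issued on produces exactly this pattern from a single source address. The #Fields header, the Outlook user-agent lines and the 10.24.100.57 client are constructed for the example; the two request lines are the ones posted above.

```python
"""Spot Windows-auth failures behind a reverse proxy in IIS W3C logs.

Added example (not from the thread).  The #Fields header and the extra
sample lines are constructed; the first two request lines are the ones
posted in the thread.
"""
from collections import Counter

# sc-win32-status values IIS writes for failed Windows authentication
# (SSPI SEC_E_* HRESULTs, logged as unsigned decimals).
WIN32_STATUS = {
    2148074248: "SEC_E_INVALID_TOKEN (0x80090308)",   # token does not match the challenge
    2148074252: "SEC_E_LOGON_DENIED (0x8009030C)",    # credentials rejected
    2148074254: "SEC_E_NO_CREDENTIALS (0x8009030E)",  # no credentials supplied
}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    IIS encodes spaces inside a field (e.g. the User-Agent) as '+', so a plain
    whitespace split is safe.  Trailing fields missing from a line are dropped.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        yield dict(zip(fields, line.split()))


def auth_failure_reason(row):
    """Return a reason for a 401.1 with no authenticated user, else None."""
    if row.get("sc-status") != "401" or row.get("sc-substatus") != "1":
        return None
    if row.get("cs-username", "-") != "-":
        return None
    win32 = int(row.get("sc-win32-status", "0"))
    return WIN32_STATUS.get(win32, f"unknown (0x{win32:08X})")


def summarize(text):
    """Count logon failures by client IP and by SSPI reason.

    When every failure comes from the proxy's address and the reason is
    SEC_E_INVALID_TOKEN, the Negotiate/NTLM handshake is being broken between
    proxy and IIS rather than by users typing wrong passwords.
    """
    by_client, by_reason = Counter(), Counter()
    for row in parse_w3c(text):
        reason = auth_failure_reason(row)
        if reason:
            by_client[row["c-ip"]] += 1
            by_reason[reason] += 1
    return {"by_client": dict(by_client), "by_reason": dict(by_reason)}


# Constructed log: header plus the two posted lines and three made-up ones.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-06-06 09:05:21 10.24.100.10 GET /autodiscover/AutoDiscover.xml - 443 - 10.124.100.6 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 401 1 2148074248
2013-06-06 10:04:07 10.24.100.10 GET /autodiscover/autodiscover.xml - 443 domain\user 10.124.100.6 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/5.0) 200 0 0 0
2013-06-06 10:05:12 10.24.100.10 GET /autodiscover/autodiscover.xml - 443 - 10.124.100.6 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6131;+Pro) 401 1 2148074254 15
2013-06-06 10:05:13 10.24.100.10 GET /autodiscover/autodiscover.xml - 443 - 10.124.100.6 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6131;+Pro) 401 1 2148074248 31
2013-06-06 10:06:40 10.24.100.10 GET /autodiscover/autodiscover.xml - 443 - 10.24.100.57 Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.6131;+Pro) 401 2 5 0
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

    The 401.2 line (substatus 2, server configuration) is deliberately left out of the count: it is an authorization-configuration problem, not a broken handshake, and mixing the two hides the proxy signature.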
    Sorry, I didn't have much feedback on Apache reverse proxies over Exchange; officially it is not supported, last I heard.

    Bruce Jourdain de Coutance - Consultant Exchange http://brucejdc.blog.free.fr

    Thursday, June 06, 2013 11:36 AM
    Sorry, I didn't have much feedback on Apache reverse proxies over Exchange; officially it is not supported, last I heard.

    Bruce Jourdain de Coutance - Consultant Exchange http://brucejdc.blog.free.fr

    Correct. 

    Unless you can configure Apache to not change the traffic and just do the SSL bridge, then I'd look at something else. TMG can do this, as can load balancers with their app modules.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, June 06, 2013 12:37 PM