Autodiscover Errors
-
2012년 4월 2일 월요일 오전 2:57
Hope someone can help me see the wood from the trees:
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.company.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.company.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 2/12/2012 4:14:28 AM, NotAfter = 2/8/2015 9:22:45
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user tom_day@company.com.
ExRCA failed to obtain an Autodiscover XML response.
Tell me more about this issue and how to resolve it Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.company.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.181.105.239
Testing TCP port 80 on host autodiscover.company.com to ensure it's listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.company.com for an HTTP redirect to the Autodiscover service.
ExRCA failed to get an HTTP redirect response for Autodiscover.
Tell me more about this issue and how to resolve it Additional Details
An HTTP 403 error was received because ISA Server denied the specified URL.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.company.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it
모든 응답
-
2012년 4월 3일 화요일 오후 4:54How are your ISA publishing rules configured? On your Outlook Anywhere rule, is autodiscover.company.com assigned as a public name? Do you have the /AutoDiscover/* directory published as a path in the rule?
-
2012년 4월 3일 화요일 오후 7:23
/AutoDiscover/* is published as a path in the Paths tab on ISA, within the Outlook Anywhere rule.
The Test Rule works within ISA but the ExRCA is full of errors; so i'm trying to figure out where the best place to start is.
-
2012년 4월 3일 화요일 오후 7:28
How are your ISA publishing rules configured? On your Outlook Anywhere rule, is autodiscover.company.com assigned as a public name? Do you have the /AutoDiscover/* directory published as a path in the rule?
I'm wondering if this article describes what i need:
http://clintboessen.blogspot.ca/2010/10/autodiscover-issue-with-isa2006-or.html
and assign the name as you say.
-
2012년 4월 3일 화요일 오후 7:47
I added autodiscover.company.com to the public name and i now get this:
ExRCA is attempting to test Autodiscover for tom_day@company.com. Testing Autodiscover failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://company.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name company.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.181.105.243
Testing TCP port 443 on host company.com to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Tell me more about this issue and how to resolve it
Additional Details
A network error occurred while communicating with the remote host.
Attempting to test potential Autodiscover URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.company.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.181.105.239
Testing TCP port 443 on host autodiscover.company.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.company.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.company.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
esting the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 2/12/2012 4:14:28 AM, NotAfter = 2/8/2015 9:22:45 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user tom_day@company.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
An HTTP 401 Unauthorized response was received from the remote ISA server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.company.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.181.105.239
Testing TCP port 80 on host autodiscover.company.com to ensure it's listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.company.com for an HTTP redirect to the Autodiscover service.
The redirect (HTTP 301/302) response was received successfully.
Additional Details
Redirect URL: https://autodiscover.company.com/Autodiscover/Autodiscover.xml
Attempting to test potential Autodiscover URL https://autodiscover.company.com/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.company.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.181.105.239
Testing TCP port 443 on host autodiscover.company.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.company.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.company.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 2/12/2012 4:14:28 AM, NotAfter = 2/8/2015 9:22:45 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/Autodiscover/Autodiscover.xml for user tom_day@company.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
An HTTP 401 Unauthorized response was received from the remote ISA server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.company.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
Tell me more about this issue and how to resolve it
-
2012년 4월 3일 화요일 오후 8:26
By default, Autodiscover is going to try the following connection attempts:
- HTTPS - domain.com/autodiscover
- HTTPS - autodiscover.domain.com/autodiscover
- DNS - SRV record
The first error you have in bold above is not really an error, just the initial attempt to connect to autodiscover using your SMTP domain. This typically fails as I have not seen many organizations setup their DNS to have their root DNS namespace point to the same address used for Exchange services. The second attempt is what you are attempting, using the DNS name for autodiscover.domain.com to find your connection point for Autodiscover. As you can see in the next log entries, ExRCA is successful connecting to https://autodiscover.domain.com/autodiscover/autodiscover.xml and continues to process the SSL certificate. This at least shows that the public DNS is correct and a connection attempt is being made to the ISA server as it retrieves the SSL certificate information.
What are you publishing rules? You typically would have a rule for OWA, ActiveSync, and Outlook Anywhere that could all use the same web listener if you are using Basic Authentication delegation back to your CAS.
Make sure your authentication settings with the publishing rules and the web listener(s) correlate to the authentication methods configured on the Exchange virtual directories on the CAS.
In your original post, ExRCA indicated the URL was denied by ISA. If you have multiple rules for Exchange, which you probably do for at least OWA, ActiveSync, and Outlook Anywhere, check the order the rules are processed. If your OWA rule is processed first and is configured to accept the public name autodiscover.domain.com, chances are it does not have the /Autodiscover/* virtual directory published and would result in ISA denying the URL to that path. MS has a good white paper on using TMG to publish Exchange 2010, but the rule configurations are very close if not identical to how ISA 2006 should be configured (http://www.microsoft.com/download/en/details.aspx?id=8946).
With your most recent post resulting in HTTP 401 responses, enable logging on the ISA server so you can see what rule is blocking ExRCA from authenticating. The logging on the ISA server should also provide a little more insight as to why it is not authenticating.
-
2012년 4월 4일 수요일 오전 3:41
By default, Autodiscover is going to try the following connection attempts:
- HTTPS - domain.com/autodiscover
- HTTPS - autodiscover.domain.com/autodiscover
- DNS - SRV record
The first error you have in bold above is not really an error, just the initial attempt to connect to autodiscover using your SMTP domain. This typically fails as I have not seen many organizations setup their DNS to have their root DNS namespace point to the same address used for Exchange services. The second attempt is what you are attempting, using the DNS name for autodiscover.domain.com to find your connection point for Autodiscover. As you can see in the next log entries, ExRCA is successful connecting to https://autodiscover.domain.com/autodiscover/autodiscover.xml and continues to process the SSL certificate. This at least shows that the public DNS is correct and a connection attempt is being made to the ISA server as it retrieves the SSL certificate information.
What are you publishing rules? You typically would have a rule for OWA, ActiveSync, and Outlook Anywhere that could all use the same web listener if you are using Basic Authentication delegation back to your CAS.
Make sure your authentication settings with the publishing rules and the web listener(s) correlate to the authentication methods configured on the Exchange virtual directories on the CAS.
In your original post, ExRCA indicated the URL was denied by ISA. If you have multiple rules for Exchange, which you probably do for at least OWA, ActiveSync, and Outlook Anywhere, check the order the rules are processed. If your OWA rule is processed first and is configured to accept the public name autodiscover.domain.com, chances are it does not have the /Autodiscover/* virtual directory published and would result in ISA denying the URL to that path. MS has a good white paper on using TMG to publish Exchange 2010, but the rule configurations are very close if not identical to how ISA 2006 should be configured (http://www.microsoft.com/download/en/details.aspx?id=8946).
With your most recent post resulting in HTTP 401 responses, enable logging on the ISA server so you can see what rule is blocking ExRCA from authenticating. The logging on the ISA server should also provide a little more insight as to why it is not authenticating.
Thanks for the input;
Turns out i had everything correct... except i had All Authenticated Users chosen instead of All Users...it's been a long week :)
Cheers.
.png)
