Answered: Autodiscover not working for Exchange Active Sync

  • Thursday, December 15, 2011 20:28

    I'm not sure what has happened or changed, but I'm no longer able to complete a Remote Connectivity test via Autodiscover, but it will work if manually using the mail.SERVERNAME.com URL.  The test is able to resolve all of the URLs, but gives me an error that the 443 port is blocked, not listening, or produces an unexpected response.  I'm not sure how that can be the issue, as the local firewall is turned off, and the IIS7 Binding settings show that port correctly configured to the SAN certificate. 

    Here are those test results

    This issue also coincides with our Outlook 2007 users getting a Security Alert for an invalid name on the certificate:

    Here is that error box

    I have tried to resolve it with the information from here, but to no avail...

    http://www.microsoftnow.com/2008/04/certficate-name-mismatch-in-outlook.html

    Any help that could be provided is greatly appreciated

All Replies

  • Thursday, December 15, 2011 22:21

    What name do you have on your cert?

    Run Get-ExchangeCertificate | fl

    3rd party or not?


    Sukh
  • Monday, December 19, 2011 14:12

    It is a third party cert, and here are the PowerShell results (FYI there are two domains listed so the apparent duplicates are different):

    [PS] C:\Windows\system32>Run Get-ExchangeCertificate | fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {mail.%us%.com, %us%.com, autodiscover.%us%.com, autodiscover.HQ.%us%.com, autodiscover.%us%.com, chexch.hq.%us%.com, mail.%us%.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
    NotAfter           : 10/11/2014 7:59:59 PM
    NotBefore          : 10/11/2011 8:00:00 PM
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 0B505F134A8186B0F595024740CAB222
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mail.%us%.com, OU=Unified Communications, OU=Hosted by City Of %us% OU=IT, O=%us%, STREET=%us%, L=%us%, S=%us%, PostalCode=%us%,
                         C=US
    Thumbprint         : 6F0A103240B7246AC9B2CADA867766484793296B

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessR
                         ule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAcc
                         essRule}
    CertificateDomains : {CHEXCH, CHEXCH.HQ.%us%.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=CHEXCH
    NotAfter           : 10/10/2016 11:23:47 AM
    NotBefore          : 10/10/2011 11:23:47 AM
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 31A94BDFA0DFD2A749C66D1D96F48548
    Services           : SMTP
    Status             : Valid
    Subject            : CN=CHEXCH
    Thumbprint         : 8C6E2F446822B5063F8F4A8476D0E724250A8DDA

  • Monday, December 19, 2011 20:39

    What name does it say on the outlook prompt?

    mail.%us%.com ?

    What are your internal URLs configured as?


    Sukh
  • Tuesday, December 20, 2011 14:12
    Correct, the outlook prompt says mail.%us%.com.  The internal addresses are all the FQDN, with SSL, so; https://chexch.hq.%us%.com
  • Tuesday, December 20, 2011 14:23

    Configure your URL as per KB

    http://support.microsoft.com/kb/940726


    Sukh
  • Tuesday, December 20, 2011 16:45

    Thanks for the suggestion, but I did that before I posted, and referenced it in the link.  Here's the command shell for confirmation:

    C:\Windows\system32>get-clientaccessserver

    Name
    ----
    CHEXCH


    [PS] C:\Windows\system32>get-webservicesvirtualdirectory

    Name                                    Server                                  InternalUrl
    ----                                    ------                                  -----------
    EWS (Default Web Site)                  CHEXCH                                  https://mail.%us%.com/ew...


    [PS] C:\Windows\system32>get-oabvirtualdirectory

    Server                        Name                          Internal Url                  External Url
    ------                        ----                          ------------                  ------------
    CHEXCH                        OAB (Default Web Site)        https://mail.%us%... https://mail.%us%...


  • Tuesday, December 20, 2011 17:00

    What about the AutodiscoverServiceInternalUri ?

    Also, although you shouldn't have to, have you performed an IIS reset and rebooted the server?


    Sukh
  • Wednesday, December 21, 2011 19:46

    Sorry, missed that one; from the get-clientaccessserver -identity chexch | fl

    AutoDiscoverServiceInternalUri : https://mail.%us%com/autodiscover/autodiscover.xml

    And yes, the IIS service as well as specific application pools have been restarted.  But the last server reboot was 12 days ago.  I know reboots fix a lot, but I was hoping to minimize down time.  I'll try to remember to reboot it after-hours tonight and post back in the morning.

  • Thursday, December 22, 2011 05:26

    So a reboot allowed the test to go a little further, but still failed.  I'm posting the results, but haven't read over them yet or tried to resolve the "new" errors:

    Attempting the Autodiscover and Exchange ActiveSync test (if requested).
     Testing of Autodiscover for Exchange ActiveSync failed.
     Test Steps
     Attempting each method of contacting the Autodiscover service.
     The Autodiscover service couldn't be contacted successfully by any method.
     Test Steps
     Attempting to test potential Autodiscover URL https://%us%.com/AutoDiscover/AutoDiscover.xml
     Testing of this potential Autodiscover URL failed.
     Test Steps
     Attempting to resolve the host name %us%.com in DNS.
     The host name resolved successfully.
     Additional Details
     IP addresses returned: 38.96.163.66

    Testing TCP port 443 on host %us%.com to ensure it's listening and open.
     The specified port is either blocked, not listening, or not producing the expected response.
     Additional Details
     A network error occurred while communicating with the remote host.

    Attempting to test potential Autodiscover URL https://autodiscover.%us%.com/AutoDiscover/AutoDiscover.xml
     Testing of this potential Autodiscover URL failed.
     Test Steps
     Attempting to resolve the host name autodiscover.%us%.com in DNS.
     The host name resolved successfully.
     Additional Details
     IP addresses returned: 72.20.207.35

    Testing TCP port 443 on host autodiscover.%us%.com to ensure it's listening and open.
     The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
     The certificate passed all validation requirements.
     Test Steps
     ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.%us%.com on port 443.
     ExRCA successfully obtained the remote SSL certificate.
     Additional Details
     Remote Certificate Subject: CN=mail.%us%.com, OU=Unified Communications, OU=%us%, OU=IT, O=%us%, STREET=%us%, L=%us%, S=%us%, PostalCode=%us%, C=US, Issuer: CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US.

    Validating the certificate name.
     The certificate name was validated successfully.
     Additional Details
     Host name autodiscover.%us%.com was found in the Certificate Subject Alternative Name entry.

    Certificate trust is being validated.
     The certificate is trusted and all certificates are present in the chain.
     Test Steps
     ExRCA is attempting to build certificate chains for certificate CN=mail.%us%.com, OU=Unified Communications, OU=%us%, OU=IT, O=%us%, STREET=%us%, L=%us%, S=%us%, PostalCode=%us%, C=US.
     One or more certificate chains were constructed successfully.
     Additional Details
     A total of 1 chains were built. The highest quality chain ends in root certificate CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.

    Analyzing the certificate chains for compatibility problems with versions of Windows.
     No Windows compatibility problems were identified.
     Additional Details
     The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.

    Testing the certificate date to confirm the certificate is valid.
     Date validation passed. The certificate hasn't expired.
     Additional Details
     The certificate is valid. NotBefore = 10/12/2011 12:00:00 AM, NotAfter = 10/11/2014 11:59:59 PM

    Checking the IIS configuration for client certificate authentication.
     The test passed with some warnings encountered. Please expand the additional details.
     Additional Details
     Client certificate authentication couldn't be determined because an unexpected failure occurred. WinHttpSendRequest failed with error 12007.

    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
     Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
     Test Steps
     ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.%us%.com/AutoDiscover/AutoDiscover.xml for user cadkins@%us%.com.
     The Autodiscover XML response was successfully retrieved.
     Additional Details
     An HTTPS redirect was received in response to the Autodiscover request. The redirect URL is https://mail/%us%.com/owa/AutoDiscover.xml.

    Attempting to test potential Autodiscover URL https://mail/%us%.com/owa/AutoDiscover.xml
     Testing of this potential Autodiscover URL failed.
     Test Steps
     Attempting to resolve the host name mail in DNS.
     The host name couldn't be resolved.
     Additional Details
     Host mail couldn't be resolved in DNS ErrorRetry.

    Attempting to contact the Autodiscover service using the HTTP redirect method.
     The attempt to contact Autodiscover using the HTTP Redirect method failed.
     Test Steps
     Attempting to resolve the host name autodiscover.%us%.com in DNS.
     The host name resolved successfully.
     Additional Details
     IP addresses returned: 72.20.207.35

    Testing TCP port 80 on host autodiscover.%us%.com to ensure it's listening and open.
     The port was opened successfully.
    ExRCA is checking the host autodiscover.%us%.com for an HTTP redirect to the Autodiscover service.
     ExRCA failed to get an HTTP redirect response for Autodiscover.
     Additional Details
     An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: You do not have permission to view this directory or page.

    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
     ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
     Test Steps
     Attempting to locate SRV record _autodiscover._tcp.%us%.com in DNS.
     The Autodiscover SRV record wasn't found in DNS.

  • Thursday, December 22, 2011 20:05
    Can you ensure that 443 is open on the firewall and forwarding to the correct IP?
    Sukh
  • Thursday, December 22, 2011 21:08
     Answered

    So I'm not sure how this happened, but the two resolutions were:

    1. The XML file had mail/%us%.com instead of mail.%us%.com, even though all tests showed the correct syntax (see the bottom of the "rebooted" test).

    2. The Autodiscover IIS entry was set to redirect to the owa website.  Once that was removed/disabled all tests passed.  How that got set will always remain a mystery. 

    Thank you for the help throughout, though.

    • Marked as Answer by Chris T A on Thursday, December 22, 2011 21:08
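Both root causes in this thread (a configured host name the certificate's SAN list does not cover, which is what triggers Outlook's name-mismatch alert, and an Autodiscover redirect target whose "host" is just `mail` because a slash replaced a dot) can be checked mechanically from pasted cmdlet output. The script below is an added example, not code from this thread or from Exchange; it assumes the redacted domain is example.com and builds its inputs from constructed sample text rather than querying a server.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the thread's redacted domain (%us%) replaced by example.com,
# in the shape `Get-ExchangeCertificate | fl` prints the third-party certificate.
CERT_OUTPUT = """
CertificateDomains : {mail.example.com, example.com, autodiscover.example.com, autodiscover.HQ.example.com, chexch.hq.example.com}
IsSelfSigned       : False
"""

# Constructed URL inventory: the hosts the thread's cmdlets showed, plus the two
# broken values it turned up (a missing dot, and a slash where a dot belongs).
CONFIGURED_URLS = {
    "EWS InternalUrl": "https://mail.example.com/ews/exchange.asmx",
    "OAB InternalUrl": "https://chexch.hq.example.com/oab",
    "AutoDiscoverServiceInternalUri": "https://mail.examplecom/autodiscover/autodiscover.xml",
    "Autodiscover redirect target": "https://mail/example.com/owa/AutoDiscover.xml",
}

LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label

def cert_domains(fl_output):
    """Extract the CertificateDomains set from `Get-ExchangeCertificate | fl` text."""
    m = re.search(r"CertificateDomains\s*:\s*\{([^}]*)\}", fl_output)
    return {d.strip().lower() for d in m.group(1).split(",")} if m else set()

def is_fqdn(host):
    """Two or more well-formed labels; a bare 'mail' (from mail/...) fails here."""
    labels = host.lower().split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(lab) for lab in labels)

def covered(host, domains):
    """Exact SAN match, or a wildcard SAN one label to the left of the host."""
    host = host.lower()
    parent = host.partition(".")[2]
    return host in domains or (parent != "" and "*." + parent in domains)

def audit(urls, fl_output):
    """Return {name: finding}; 'ok' means the host is well-formed and on the cert."""
    domains = cert_domains(fl_output)
    findings = {}
    for name, url in urls.items():
        host = urlsplit(url).hostname or ""
        if not is_fqdn(host):
            findings[name] = "malformed host %r in %s" % (host, url)
        elif not covered(host, domains):
            findings[name] = "host %r is not in the certificate SANs" % host
        else:
            findings[name] = "ok"
    return findings
```

Run `audit(CONFIGURED_URLS, CERT_OUTPUT)` against the real `Get-ExchangeCertificate | fl` text and the URLs from Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory; every entry that is not "ok" is a name Outlook or ExRCA will reject.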