locked
exchange 2007 autodiscover error 401.1 unauthorized - need to iisreset continually RRS feed

  • Question

  • Hi, I have a sbs 2008 with exchange 2007, new installation. My users (outlook 2010) are having intermittent popup issues. I figured out that I am having error 401.1 unauthorize when browsing to https://autodiscover.mydomain.com/autodiscover/autodiscover.xml. Same for the EWS web site, same when using test-outlookwebservices. All internal and external domains are configured with the same DNS, that resolves correctly internally and externally. What is odd is that if I do a IISRESET, everything is fine for a couple of minutes, after it goes down.

    I have disable loopback. I checked the possibility that the IUSR password is out of sync so to test, I created a new web site with a simple html page, enabled only anonymous access, and the page opens so I guess the password is not out of sync.

    I checked the gpo and I receive "everyone" linked to "access this computer from the network". Since creating a schedule task that does iisreset every 15 minutes is not an option...:), I was wondering if anyone has an idea?

    Extra info; using public certificate, it is configured correctly. Very important to understand that after the iisreset, all tests passes, all autodiscover feature working fine. Checked event viewer, nothing relevant (even security events).

    Thanks

    Friday, September 27, 2013 7:56 PM

Answers

  • Hi, the disable loopback did not work for me. What finally worked is to use kernel mode authentication on the sub folder autodiscover and exchweb in iis. Now everything seems to work fine.

    Regards

    Wednesday, October 2, 2013 4:02 PM

All replies

  • Follow up; did more research and it seems there is some problems with autodiscover in exchange 2007 and ipv6 should be disabled, even with sbs 2008.

    More info here;

    http://blog.aaronmarks.com/?p=65

    Even a technet blog where it says don't disable ipv6 all the way, but at one point the blogger says; Exchange 2007 recommended disabling IPv6 to fix an issue with Outlook Anywhere. The Exchange 2007 limitation was fixed in Exchange 2010. See http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx

    So I think I'm gonna try it this weekend, unless someone comes up with another idea.

    Thanks

    Friday, September 27, 2013 8:26 PM
  • Hi,

    Firstly, I’d recommend you disable the loopback check per the method 2 in the link below:

    http://support.microsoft.com/kb/896861 .

    If it doesn’t work, please try to add the BackConnectionHostNames key in the following location:

    1.In Registry Editor, locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.

    2.Right-click MSV1_0, point to New, and then click Multi-String Value.

    3.Type BackConnectionHostNames, and then press ENTER.

    4.Right-click BackConnectionHostNames, and then click Modify.

    5. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.

    Please run iisreset and test the issue. Please also check the app log and post the associate error messages.

    Regards,

    Rebecca

    Wednesday, October 2, 2013 1:44 AM
  • Hi, the disable loopback did not work for me. What finally worked is to use kernel mode authentication on the sub folder autodiscover and exchweb in iis. Now everything seems to work fine.

    Regards

    Wednesday, October 2, 2013 4:02 PM