Autodiscover and Outlook internal Clients being prompted for credentials - Exchange 2007 SP3

  • Question

  • After the holidays, all users on our domain are suddenly being prompted for credentials when opening Outlook when on the LAN. Even users sitting right next to the Exchange server. As the Exchange/network admin, I know nothing has changed for the last few months with the exception of a new wildcard certificate last year, but the issue was not seen at that time or in the weeks following.

    I've tried the credential vault etc. as fixes but they don't work.

    When creating a new Outlook profile, the autodiscover process now also requires credentials.

    We use the same URL for internal and external services and run a split DNS - pinging the external name returns the correct inner server.

    Diagnostics so far:

    [PS] C:\Windows\system32>test-outlookwebservices | fl


    Id      : 1003
    Type    : Information
    Message : About to test AutoDiscover with the e-mail address Administrator@externaldomain.com

    Id      : 1007
    Type    : Information
    Message : Testing server CHCWNEX02.internaldomain.lan with the published name https://smtp
              .externaldomain.com/ews/exchange.asmx & https://smtp
              .externaldomain.com/EWS/Exchange.asmx.

    Id      : 1019
    Type    : Information
    Message : Found a valid AutoDiscover service connection point. The AutoDiscover
               URL on this object is https://smtp.externaldomain.com/autodiscover/a
              utodiscover.xml.

    Id      : 1013
    Type    : Error
    Message : When contacting https://smtp.externaldomain.com/autodiscover/autodisc
              over.xml received the error The remote server returned an error: (401
              ) Unauthorized.

    Id      : 1006
    Type    : Error
    Message : The Autodiscover service could not be contacted.


    On Autodiscover Directory

    Basic and Windows authentication enabled


    [PS] C:\Windows\system32>get-exchangecertificate

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    0989531C9DDCE7FBE3E0FC0131928D23D7FF7C42  ...WS      CN=*.externaldomain.com...
    C5D845890C5AE0C60F332C8DD6D026EAC675428F  ....S      CN=CHCWNEX02
    8BF95FAB4367A433D23813BD6458EFD60C89F823  IP..S      CN=smtp.externaldomain.com
    61FC3DA11116E1DA177F41218A35E0CE8730DE41  ....S      CN=CHCWNEX02
    BF585FA5E31B9C99336770D79C37EC22560C6607  .....      CN=WMSvc-CHCWNEX02
    7627B521A454F8A1491ADFA421DB84422352187B  IP...      CN=smtp.externaldomain.com

     

    [PS] C:\Windows\system32>get-exchangecertificate | fl


    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {*.externaldomain.com, externaldomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
    NotAfter           : 13/12/2014 5:29:47 p.m.
    NotBefore          : 10/11/2012 9:29:37 p.m.
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 09212A
    Services           : IIS, SMTP
    Status             : Valid
    Subject            : CN=*.externaldomain.com, OU=Domain Control Validated - Rap
                         idSSL(R), OU=See www.rapidssl.com/resources/cps (c)12, OU=
                         GT39233722, SERIALNUMBER=eDaCXv/R-RHc-wih14qwnl3OzJ4BSTem
    Thumbprint         : 0989531C9DDCE7FBE3E0FC0131928D23D7FF7C42

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {CHCWNEX02, CHCWNEX02.internaldomain.lan}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=CHCWNEX02
    NotAfter           : 28/01/2016 4:05:01 p.m.
    NotBefore          : 28/01/2011 4:05:01 p.m.
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 743AB77DBBD32780499405DC4F817789
    Services           : SMTP
    Status             : Valid
    Subject            : CN=CHCWNEX02
    Thumbprint         : C5D845890C5AE0C60F332C8DD6D026EAC675428F

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {smtp.externaldomain.com, chcwnex02, autodiscover.externaldomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=GeoTrust DV SSL CA, OU=Domain Validated SSL, O=GeoTrust
                          Inc., C=US
    NotAfter           : 12/11/2012 11:43:41 p.m.
    NotBefore          : 11/10/2010 11:52:04 p.m.
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 008110
    Services           : IMAP, POP, SMTP
    Status             : DateInvalid
    Subject            : CN=smtp.externaldomain.com, OU=Domain Control Validated -
                         QuickSSL(R) Premium, OU=See www.geotrust.com/resources/cps
                          (c)10, OU=GT51440444, O=smtp.externaldomain.com, C=AU, SE
                         RIALNUMBER=fLZvOsSP1z1pGyhaPtAltPPhlJx9gFIH
    Thumbprint         : 8BF95FAB4367A433D23813BD6458EFD60C89F823

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                         ssControl.CryptoKeyAccessRule}
    CertificateDomains : {CHCWNEX02, CHCWNEX02.internaldomain.lan}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=CHCWNEX02
    NotAfter           : 5/02/2011 4:09:02 p.m.
    NotBefore          : 5/02/2010 4:09:02 p.m.
    PublicKeySize      : 2048
    RootCAType         : Unknown
    SerialNumber       : 45ACBB11B59F6B9940D7D3AF58290EF7
    Services           : SMTP
    Status             : Invalid
    Subject            : CN=CHCWNEX02
    Thumbprint         : 61FC3DA11116E1DA177F41218A35E0CE8730DE41

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {WMSvc-CHCWNEX02}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=WMSvc-CHCWNEX02
    NotAfter           : 3/02/2020 3:56:55 p.m.
    NotBefore          : 5/02/2010 3:56:55 p.m.
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 0840516639633FA642DF0A276C7379C0
    Services           : None
    Status             : Valid
    Subject            : CN=WMSvc-CHCWNEX02
    Thumbprint         : BF585FA5E31B9C99336770D79C37EC22560C6607

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {smtp.externaldomain.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
    NotAfter           : 14/10/2010 8:46:22 p.m.
    NotBefore          : 13/07/2009 6:58:45 p.m.
    PublicKeySize      : 1024
    RootCAType         : ThirdParty
    SerialNumber       : 0BF00A
    Services           : IMAP, POP
    Status             : DateInvalid
    Subject            : CN=smtp.externaldomain.com, OU=Domain Control Validated -
                         QuickSSL Premium(R), OU=See www.geotrust.com/resources/cps
                          (c)09, OU=GT51440444, O=smtp.externaldomain.com, C=AU
    Thumbprint         : 7627B521A454F8A1491ADFA421DB84422352187B

     

    [PS] C:\Windows\system32>get-webservicesvirtualdirectory |fl

    InternalNLBBypassUrl            : https://chcwnex02/ews/exchange.asmx
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    MetabasePath                    : IIS://CHCWNEX02.internaldomain.lan/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\Cl
                                      ientAccess\exchweb\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    Server                          : CHCWNEX02
    InternalUrl                     : https://smtp.externaldomain.com/ews/exchange.
                                      asmx
    ExternalUrl                     : https://smtp.externaldomain.com/EWS/Exchange.
                                      asmx
    AdminDisplayName                :
    ExchangeVersion                 : 0.1 (8.0.535.0)
    DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocol
                                      s,CN=CHCWNEX02,CN=Servers,CN=Exchange Adminis
                                      trative Group (FYDIBOHF23SPDLT),CN=Administra
                                      tive Groups,CN=Internaldomain,CN=Microsoft Exchange,CN=S
                                      ervices,CN=Configuration,DC=Intetrnaldomain,DC=LAN
    Identity                        : CHCWNEX02\EWS (Default Web Site)
    Guid                            : 5defeb60-acc2-4163-86b4-5588dd1d6a6f
    ObjectCategory                  : internaldomain.lan/Configuration/Schema/ms-Exch-Web-Serv
                                      ices-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServic
                                      esVirtualDirectory}
    WhenChanged                     : 23/06/2012 5:41:24 p.m.
    WhenCreated                     : 5/02/2010 4:11:30 p.m.
    OriginatingServer               : CHCWNDC02.internaldomain.lan
    IsValid                         : True

    Using the Outlook Test Email Autoconfiguration, the following result is returned:

    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <User>
          <DisplayName>My Username</DisplayName>
          <LegacyDN>/o=CHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Username</LegacyDN>
          <DeploymentId>d0ea3325-213d-473a-8b33-2ee9bc7f38ad</DeploymentId>
        </User>
        <Account>
          <AccountType>email</AccountType>
          <Action>settings</Action>
          <Protocol>
            <Type>EXCH</Type>
            <Server>CHCWNEX02.INTERNALDOMAIN.LAN</Server>
            <ServerDN>/o=CHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CHCWNEX02</ServerDN>
            <ServerVersion>72038053</ServerVersion>
            <MdbDN>/o=CHC/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CHCWNEX02/cn=Microsoft Private MDB</MdbDN>
            <PublicFolderServer>CHCWNEX02.INTERNALDOMAIN.LAN</PublicFolderServer>
            <AD>CHCWNDC02.INTERNALDOMAIN.LAN</AD>
            <ASUrl>https://smtp.externaldomain.com/ews/exchange.asmx</ASUrl>
            <EwsUrl>https://smtp.externaldomain.com/ews/exchange.asmx</EwsUrl>
            <OOFUrl>https://smtp.externaldomain.com/ews/exchange.asmx</OOFUrl>
            <UMUrl>https://smtp.externaldomain.com/unifiedmessaging/service.asmx</UMUrl>
            <OABUrl>https://smtp.externaldomain.com/oab/a7fa7ca7-8b9d-4dab-a3fb-f2009a51cf77/</OABUrl>
          </Protocol>
          <Protocol>
            <Type>EXPR</Type>
            <Server>smtp.externaldomain.com</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://smtp.externaldomain.com/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://smtp.externaldomain.com/EWS/Exchange.asmx</EwsUrl>
            <OOFUrl>https://smtp.externaldomain.com/EWS/Exchange.asmx</OOFUrl>
            <OABUrl>https://smtp.externaldomain.com/oab/a7fa7ca7-8b9d-4dab-a3fb-f2009a51cf77/</OABUrl>
          </Protocol>
          <Protocol>
            <Type>WEB</Type>
            <External>
              <OWAUrl AuthenticationMethod="Fba">https://smtp.externaldomain.com/owa</OWAUrl>
              <Protocol>
                <Type>EXPR</Type>
                <ASUrl>https://smtp.externaldomain.com/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </External>
            <Internal>
              <OWAUrl AuthenticationMethod="Basic, Fba">https://chcwnex02.internaldomain.lan/owa</OWAUrl>
              <Protocol>
                <Type>EXCH</Type>
                <ASUrl>https://smtp.externaldomain.com/ews/exchange.asmx</ASUrl>
              </Protocol>
            </Internal>
          </Protocol>
        </Account>
      </Response>
    </Autodiscover>

    External tests for Autodiscovery work fine.

    Once credentials are added, Outlook works fine for that session (or longer if the user has saved credentials)

    Disabling connect to Exchange via HTTP in Outlook also removes the issue, until policy refreshes again.

    Friday, February 1, 2013 1:59 AM

Answers

All replies

  • You're getting a 401, which means authentication. Check the Autodiscover virtual directory and the other vdirs for HTTP services and see if the correct authentication methods are set, i.e. Integrated Windows Authentication. Or it could be your proxy denying this. See if adding a bypass for the internal Exchange server FQDN helps in IE.

    Sukh


    • Edited by Sukh828 Sunday, February 3, 2013 1:51 PM
    Sunday, February 3, 2013 1:50 PM
  • Thanks. Tried that (enabled Windows Authentication) on default WS; it was already enabled on Autodiscover, but I get the same result when running test services.

    Sunday, February 3, 2013 8:02 PM
  • You have basic selected for OA. And you mention that you use OLK connect via HTTPS? If yes, this can cause it too.

    Sukh

    Sunday, February 3, 2013 8:19 PM
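
The "basic selected for OA" observation can be read straight out of the Autodiscover response. The following is an added example, not code from the thread or from Exchange: it lists the authentication package each top-level protocol block advertises. The function name `Get-AutodiscoverAuthSummary` is hypothetical and `$sample` is constructed, trimmed from the response posted in the question.

```powershell
# Constructed sample, trimmed from the response shape posted in the question.
$sample = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <Server>CHCWNEX02.INTERNALDOMAIN.LAN</Server>
        <EwsUrl>https://smtp.externaldomain.com/ews/exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>smtp.externaldomain.com</Server>
        <AuthPackage>Basic</AuthPackage>
        <EwsUrl>https://smtp.externaldomain.com/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

$OutlookNs = 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a'

# Hypothetical helper (not an Exchange cmdlet): one row per top-level <Protocol>.
function Get-AutodiscoverAuthSummary {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('o', $OutlookNs)
    # Direct children of <Account> only; nested <Protocol> blocks under WEB are skipped.
    foreach ($p in $doc.SelectNodes('//o:Account/o:Protocol', $ns)) {
        $type     = $p.SelectSingleNode('o:Type', $ns).InnerText
        $srvNode  = $p.SelectSingleNode('o:Server', $ns)
        $authNode = $p.SelectSingleNode('o:AuthPackage', $ns)
        $ewsNode  = $p.SelectSingleNode('o:EwsUrl', $ns)
        $server   = if ($srvNode)  { $srvNode.InnerText }  else { '' }
        $auth     = if ($authNode) { $authNode.InnerText } else { '(not advertised)' }
        $ewsHost  = if ($ewsNode)  { ([uri]$ewsNode.InnerText).Host } else { '' }
        # EXPR is Outlook Anywhere (RPC over HTTP); Basic there cannot reuse the Windows logon.
        $note = ''
        if ($type -eq 'EXPR' -and $auth -eq 'Basic') { $note = 'Basic: prompts unless credentials are saved' }
        New-Object PSObject -Property @{
            Type = $type; Server = $server; AuthPackage = $auth; EwsHost = $ewsHost; Note = $note
        } | Select-Object Type, Server, AuthPackage, EwsHost, Note
    }
}

Get-AutodiscoverAuthSummary -Xml $sample | Format-Table -AutoSize
```
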
  • Hi,

    Please check the configuration according to the article below:

    http://technet.microsoft.com/en-us/library/gg263433(v=exchg.80).aspx

    Note that "Require client certificate" should NOT be selected.

    If there is any change, run IISreset /noforce to apply it.

    Hope it is helpful.


    Fiona Liao
    TechNet Community Support

    • Marked as answer by Fiona_Liao Wednesday, February 6, 2013 8:44 AM
    Wednesday, February 6, 2013 8:36 AM