Exchange 2016 AutoDiscover external issue

  • Question

  • Hello,

    I'm writing this question after days of searching the web for the answer, but I cannot seem to find the issue or any solution.

    We have recently started to use Exchange 2016 and all is functioning like it should, with the exception of the external AutoDiscover. Our employees want to be able to use Outlook without VPN, so I told them: no problem! But unfortunately it is starting to become a problem now.

    The autodiscover is available and seems to be certified by our wildcard cert. I also receive the well-known pop-up asking for credentials, but this pop-up keeps popping up after every credential insert, so it is looping with the error 401 not authorized. The internal situation works like a charm and has no errors whatsoever.

    The connectivity analyzer gives me the following error:


    I have checked:

    - IIS on the Exchange server: folder authentication is correct and checked with Get-OutlookAnywhere etc.

    - External DNS is set correctly with an A record to our external IP.

    - Internal DNS is set as well for autodiscover, directing to the local IP for internal use.

    - Certificate providers are set to *.domain.com.

    - Folder rights in ClientAccess are set.

    - Ran the Exchange Best Practices Analyzer, which gave no significant errors.

    - IIS webserver ARR settings and URL rewrite redirect correctly to Exchange.

    I'm totally out of options. Is there anybody with experience in this specific situation?

    AD/DNS/IIS webserver win2012R2

    EXCH2016/IIS win2012R2

    I'm desperate for a solution, so if anybody wants to help me out, thanks in advance!!

    • Edited by Mike-_e Wednesday, October 12, 2016 5:57 AM
    Tuesday, October 11, 2016 5:29 PM

All replies

  • Hi

    Are you pointing your Exchange 2016 external autodiscover record to a public ip natted to your exchange server or to your load balancer external IP?

    How are your URLs set up? Do you point to mail.domain.com for everything, as an example, and is your autodiscover URL pointing to the local server or to autodiscover.domain.com?

    Wednesday, October 12, 2016 5:28 AM
  • Hi Edward.

    I'm not sure what to answer.

    I route my external DNS provider to my webserver, through our SonicWall firewall, ports 443 and 80.

    So I have the records:

    autodiscover
    A 217.100.xxx.xxx

    mail
    A 217.100.xxx.xxx

    @

    MX mail.domain.com.

    The IIS on the webserver (also DC and DNS server) is set up as follows:

    ARR is set up to point to my Exchange farm with rewrite rules.

    I have pointed all the virtual folders to mail.domain.com except the autodiscover. That one I have set to autodiscover.domain.com within the Exchange Management Shell.

    Ping local to autodiscover shows local ip and external shows external ip.

    Extra info:

    [PS] C:\Windows\system32>Get-OutlookAnywhere


    RunspaceId                         : c372b600-7a7b-46de-a2d9-a716dac50478
    ServerName                         : company-MAIL
    SSLOffloading                      : False
    ExternalHostname                   : mail.company.com
    InternalHostname                   : mail.company.com
    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Ntlm}
    XropUrl                            :
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    MetabasePath                       : IIS://company-Mail.bhg.local/W3SVC/1/ROOT/Rpc
    Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
    ExtendedProtectionTokenChecking    : None
    ExtendedProtectionFlags            : {}
    ExtendedProtectionSPNList          : {}
    AdminDisplayVersion                : Version 15.1 (Build 396.30)
    Server                             : company-MAIL
    AdminDisplayName                   :
    ExchangeVersion                    : 0.20 (15.0.0.0)
    Name                               : Rpc (Default Web Site)
    DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=company-MAIL,CN=Servers,CN=Excha
                                         nge Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=bhg,DC=local
    Identity                           : company-MAIL\Rpc (Default Web Site)
    Guid                               : a490d4c2-b5de-4f12-8cb0-db7c7b3ce8d2
    ObjectCategory                     : bhg.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                        : 12-10-2016 13:25:11
    WhenCreated                        : 19-5-2016 11:04:02
    WhenChangedUTC                     : 12-10-2016 11:25:11
    WhenCreatedUTC                     : 19-5-2016 09:04:02
    OrganizationId                     :
    Id                                 : company-MAIL\Rpc (Default Web Site)
    OriginatingServer                  : company-DC.bhg.local
    IsValid                            : True
    ObjectState                        : Changed
    • Edited by Mike-_e Wednesday, October 12, 2016 11:26 AM
    Wednesday, October 12, 2016 6:12 AM
  • Hi,

    I noticed you received the error 401 not authorized. Try to disable the loopback check by performing the following steps on the Client Access servers:

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor, and then restart your computer.

    http://clintboessen.blogspot.sg/2009/06/autodiscover-issue-401-unauthorized.html

    Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards,


    David Wang
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 14, 2016 1:57 AM
    Moderator
  • Hi David,

    I already did that some time ago on the Exchange server itself; I assume this is the CAS server?

    Do I need to set it on the domain controller / webserver as well?

    Also added the reg item to the domain / webserver and still get the 401 error. More ideas? :)
    Friday, October 14, 2016 9:37 AM
  • Hi,

    I have managed to get the error 600 XML screen from autodiscover, however it is still not possible to configure email outside the organisation. The Outlook client still has the login loop. Any idea?

    PS: I set the auth mode on the IIS webserver for the default website to Basic Authentication only, and from that moment I was able to log on to the autodiscover website successfully.

    Unfortunately this setting screwed up the complete setup. I now have no internal mail / autodiscover anymore.

    Trying to fix it.

    Monday, October 17, 2016 11:01 AM
  • No more suggestions anyone?
    Wednesday, October 19, 2016 5:08 AM
  • Hi,

    Sorry for the delayed reply, I'm just back from vacation.

    Please try to change your Outlook Anywhere authentication methods to the following:
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods   : {Basic, Ntlm, Negotiate}

    Regards,


    David Wang
    TechNet Community Support


    Monday, October 24, 2016 7:19 AM
    Moderator
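The 401 loop in the question, the "error 600 XML screen" and the authentication-method change suggested above all come down to what the Autodiscover endpoint answers and whether a credential gets past it. The following Python script is an added example, not code from this thread or from Microsoft: it builds the Autodiscover POST body Outlook sends and classifies a reply offline from its HTTP status, its WWW-Authenticate header values and its XML body. The sample replies (an error 600 body and a settings body naming mail.company.com) are constructed, and the hostnames are placeholders; to use it against a live server, feed it the real status, headers and body from your own HTTP client.

```python
import xml.etree.ElementTree as ET

REQ_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
ACCEPT = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
RESP = "{http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006}"
OUTLOOK = "{" + ACCEPT + "}"

# Constructed sample replies (not captured from the poster's server).
ERROR_600 = b"""<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response><Error Time="00:00:00.0000000" Id="0"><ErrorCode>600</ErrorCode>
 <Message>Invalid Request</Message><DebugData /></Error></Response></Autodiscover>"""
SETTINGS = b"""<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
 <Account><AccountType>email</AccountType><Action>settings</Action>
 <Protocol><Type>EXHTTP</Type><Server>mail.company.com</Server></Protocol></Account></Response></Autodiscover>"""


def build_request(email):
    """The body Outlook POSTs to https://autodiscover.<domain>/autodiscover/autodiscover.xml."""
    root = ET.Element("Autodiscover", xmlns=REQ_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = ACCEPT
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def classify(status, www_authenticate, body):
    """Diagnose one reply; www_authenticate is the list of WWW-Authenticate header values."""
    schemes = sorted({v.split()[0] for v in www_authenticate if v.strip()})
    if status == 401:
        if not schemes:  # IIS/ARR refused without offering a scheme: nothing for Outlook to answer
            return ("no-challenge", [])
        return ("challenge", schemes)  # one 401 is normal; a repeating prompt means every answer is rejected
    if status != 200:
        return ("http-%d" % status, schemes)
    root = ET.fromstring(body)
    if root.findtext(f"{RESP}Response/{RESP}Error/{RESP}ErrorCode") == "600":
        return ("error-600", [])  # credentials were accepted; 600 is the reply to a GET or empty POST
    server = root.findtext(f"{OUTLOOK}Response/{OUTLOOK}Account/{OUTLOOK}Protocol/{OUTLOOK}Server")
    return ("settings", [server] if server else [])


if __name__ == "__main__":
    print(build_request("user@company.com").decode())
    print(classify(401, ["NTLM"], b""))  # what a looping client keeps seeing
    print(classify(200, [], ERROR_600))  # the "error 600 XML screen" from the thread
    print(classify(200, [], SETTINGS))
```

Comparing the scheme list from an external 401 with the one seen internally shows at a glance whether the reverse proxy is passing the same challenge through that Outlook Anywhere is configured to offer.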
  • Hi David,

    Already tried your suggestion with auth methods. Same behavior as before changes.

    Monday, October 31, 2016 12:30 PM