Exchange 2013- Outlook anywhere and Autodiscover

    Question

  • I have an F5 load-balanced 4-node Exchange 2013 installation that has all facilities working, except Outlook Anywhere.

    The exchange testconnectivity test fails for both Outlook connectivity and Autodiscover connectivity.

    I have verified that the URLs are published correctly and exist on the certificate. Using the connectivity test I am getting a 401 error (yes, the credentials work internally):

    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
    HTTP Response Headers:
    request-id: 36c2a29b-4f18-49ee-a8dc-747e3fcbfde8
    Set-Cookie: ClientId=UCXAVARP0ELHULUFLNQ; expires=Wed, 15-Feb-2017 23:16:31 GMT; path=/; HttpOnly,LastMRH_Session=2a64f5f1;path=/;secure,MRHSession=16a55c5fdb2054d1761b8a722a64f5f1;path=/;secure
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Negotiate YHgGCSqGSIb3EgECAgMAfmkwZ6ADAgEFoQMCAR6kERgPMjAxNjAyMTYyMzE2MzFapQQCAlEbpgMCATypEBsOUkZTLk5TVy5HT1YuQVWqGDAWoAMCAQGhDzANGwtzdmItZXhjaDAyJKwRBA8wDaEDAgEBogYEBGoAAMA=,NTLM,Basic realm="autodiscover.company.com"
    X-Powered-By: ASP.NET
    X-FEServer: (one of our exchange servers)
    Date: Tue, 16 Feb 2016 23:16:30 GMT
    Content-Length: 0
    Expires: Thu, 01 Dec 1994 16:00:00 GMT

    The F5s, I think, are configured correctly as they are showing the Kerberos ticket passed through to AD. IIS

    Outlook Anywhere Authentication types are set to 

    ExternalClientAuthenticationMethod : Ntlm
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}


    I have tried logging on to our external autodiscover site- autodiscover.company.com/autodiscover/autodiscover.xml. It prompts for credentials but will not accept any credentials at all. Is this correct?

    I cannot make this work. Any guidance appreciated.

    • Edited by tonyholdgate Tuesday, February 16, 2016 11:33 PM
    Tuesday, February 16, 2016 11:22 PM
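
The 401 quoted in the question carries more than a list of schemes: its Negotiate challenge includes a token. An added example, not part of the original thread, that splits the WWW-Authenticate challenges and decodes that token as a Kerberos KRB-ERROR; the function names are this example's own and the error-name table is a small subset of RFC 4120.

```python
import base64

KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
# A few RFC 4120 error codes; extend as needed.
KRB_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
              37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED", 60: "KRB_ERR_GENERIC"}

# WWW-Authenticate value copied from the 401 response quoted in the question.
HEADER = ('Negotiate YHgGCSqGSIb3EgECAgMAfmkwZ6ADAgEFoQMCAR6kERgPMjAxNjAyMTYyMzE2MzFapQQCAlEbpgMCATypEBsOUkZTLk5TVy5HT1YuQVWqGDAWoAMCAQGhDzANGwtzdmItZXhjaDAyJKwRBA8wDaEDAgEBogYEBGoAAMA=,NTLM,Basic realm="autodiscover.company.com"')

def split_challenges(header):
    """Map scheme -> token/params. Naive comma split: enough here, not a full RFC 7235 parser."""
    out = {}
    for part in header.split(","):
        scheme, _, rest = part.strip().partition(" ")
        out[scheme] = rest.strip()
    return out

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_krb_error(token_b64):
    """Return pvno/msg_type/error_code if the token is a raw Kerberos GSS-API
    KRB_ERROR token (RFC 4121); None for anything else (e.g. SPNEGO-wrapped)."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 2 or raw[0] != 0x60:     # [APPLICATION 0] GSS-API token
        return None
    _, body, _ = read_tlv(raw, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_OID or body[pos:pos + 2] != b"\x03\x00":
        return None                        # TOK_ID 03 00 = KRB_ERROR
    tag, krb_error, _ = read_tlv(body, pos + 2)
    if tag != 0x7E:                        # [APPLICATION 30] KRB-ERROR
        return None
    _, seq, _ = read_tlv(krb_error, 0)
    ints, p = {}, 0
    while p < len(seq):                    # walk the [n]-tagged fields
        ctx, inner, p = read_tlv(seq, p)
        itag, ival, _ = read_tlv(inner, 0)
        if itag == 0x02:                   # keep INTEGER fields only
            ints[ctx & 0x1F] = int.from_bytes(ival, "big", signed=True)
    code = ints.get(6)
    return {"pvno": ints.get(0), "msg_type": ints.get(1),
            "error_code": code, "error_name": KRB_ERRORS.get(code, "unknown")}
```

For the header in the question, `decode_krb_error(split_challenges(HEADER)["Negotiate"])` reports msg-type 30 (KRB-ERROR) with error code 60, KRB_ERR_GENERIC: the server answered the Negotiate attempt with a Kerberos error rather than only advertising the scheme.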

Answers

  • Sorted.

    It was an F5 issue- sort of. F5 requires an "Alternate Service Account" - and the credential needs to be set;

    Exchange 2013: Configuring Alternate Service Account

    # Set the ASA credential
    Set-ClientAccessServer <CAS_MBX> -AlternateServiceAccountCredential (Get-Credential)
    # Verify ASA
    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | Format-List Name,Alt*

    

    • Marked as answer by tonyholdgate Wednesday, February 17, 2016 4:55 AM
    Wednesday, February 17, 2016 4:55 AM

All replies

  • Add the IP address of a CAS role server to the local hosts that resolves to the F5 VIP to bypass the F5 and test that.


    Tuesday, February 16, 2016 11:53 PM
  • The problem I'm having is external access so I can't bypass F5 that way
    Wednesday, February 17, 2016 12:01 AM
  • The problem I'm having is external access so I can't bypass F5 that way

    Well, you mentioned Kerberos. Kerberos implies domain-joined clients.

    That error suggests the UPN does not match the Primary SMTP address or you have some sort of hybrid setup with Office 365 and using ADFS...



    Wednesday, February 17, 2016 12:12 AM
  • My bad, sorry. Yes, the problem is external Outlook Anywhere only. I've tried UPN, domain\user and FQDN, all with the same result. I think the problem I'm seeing with the autodiscover site is the same issue: authentication is just not working. F5 uses NTLM at the front and Kerberos at the back to connect to AD, as I understand it.

    Should I be able to log on to autodiscover externally?

    Wednesday, February 17, 2016 12:17 AM
  • My bad, sorry. Yes, the problem is external Outlook Anywhere only. I've tried UPN, domain\user and FQDN, all with the same result. I think the problem I'm seeing with the autodiscover site is the same issue: authentication is just not working. F5 uses NTLM at the front and Kerberos at the back to connect to AD, as I understand it.

    Should I be able to log on to autodiscover externally?

    Yes, that should work and you should see the xml response.



    Wednesday, February 17, 2016 12:50 AM
  • OK, and that's my issue. I can't log on. And it ties in to what I'm seeing in the connectivity test, with a 401 for autodiscover. Autodiscover works internally so my thinking is this is still an F5 problem.
    Wednesday, February 17, 2016 2:05 AM