Autodiscover error 401

    Question

  • We are getting some autodiscover errors on our Exchange Server 2007 box. We have SBS 2008 Premium and have 1 box running 'SBS' which is the domain controller and Exchange server and a second box that runs Server 2008 and SQL. Outlook, ActiveSync, OWA are all working fine, we are having trouble with our spam software though. It is VIPRE Email Security, formerly called Ninja. I worked with their support and we determined it is an Autodiscover issue. When we run test-outlookwebservices we get this error: The remote server returned an error: (401) Unauthorized.

    I have read a bunch on the topic and found a few things and it seems most everyone is getting around it by disabling the loopback check but that does not appear to be the best, the most secure or the recommended solution. What is the best way to fix this?? Do I need another cert?? I have one GoDaddy cert already for our external domain name so we don't get cert errors when using OWA.

    Thanks for any help.

    Tuesday, September 04, 2012 7:36 PM

All replies

  • It's hard to say whether you need another certificate since you didn't tell us anything about your certificate.

    You can test Autodiscover yourself at http://exrca.com.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, September 04, 2012 8:12 PM
  • So the issue you are encountering is that you received error 401 when you run Test-Outlookwebservices, right?

    Generally we don't use this cmdlet to test web-services. Instead, we run Test email AutoConfiguration in Outlook 2007 client. Please take a try and let me know the results and logs.

    You may also verify the default permission configuration: http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    Wednesday, September 05, 2012 9:55 AM
    Moderator
  • Could be permissions issues on the directory or the IIS vdir.

    On your CAS verify

    C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess

    ClientAccess folder has authenticated users listed with permissions read and execute, list and read

    In IIS check the Autodiscover Vdir

    Autodiscover

    • Basic authentication
    • Windows authentication
    • SSL required
    • Require 128-bit encryption

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, September 05, 2012 7:48 PM
  • And no HTTP Redirect.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, September 06, 2012 1:10 AM
  • Thanks for the replies.

    I did check the security on the ClientAccess folder and authenticated users was not listed so I added them with the appropriate permissions.  The Vdir permissions looked correct.  I ran the tests at http://exrca.com and they all failed.  What else can I look into?

    Friday, September 07, 2012 1:20 AM
  • If you go to

    https://webmail.company.com/autodiscover/autodiscover.xml what happens? Do you get an authentication prompt or does it take you to the page right away? You should get a response like below.

    I would also test each cas as well

    https://cas01.domain.com/autodiscover/autodiscover.xml

    <?xml version="1.0" encoding="utf-8" ?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
        <Error Time="10:33:14.0231365" Id="2645275802">
          <ErrorCode>600</ErrorCode>
          <Message>Invalid Request</Message>
          <DebugData />
        </Error>
      </Response>
    </Autodiscover>

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Friday, September 07, 2012 2:34 PM
  • Thanks for the replies.

    I did check the security on the ClientAccess folder and authenticated users was not listed so I added them with the appropriate permissions.  The Vdir permissions looked correct.  I ran the tests at http://exrca.com and they all failed.  What else can I look into?


    Please copy and paste the exact response message, thanks.

    Fiona Liao

    TechNet Community Support

    Monday, September 10, 2012 1:35 AM
    Moderator
  • I do get an authentication prompt. When I enter a username then the next page pops up with an error code 600. Where do I go now?

    Thanks

    Monday, September 10, 2012 11:42 AM
  • Here are the results:


    Attempting the Autodiscover and Exchange ActiveSync test (if requested).
      Testing of Autodiscover for Exchange ActiveSync failed.
     
    Test Steps
     
    Attempting each method of contacting the Autodiscover service.
      The Autodiscover service couldn't be contacted successfully by any method.
     
    Test Steps
     
    Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
     
    Test Steps
     
    Attempting to resolve the host name domain.com in DNS.
      The host name resolved successfully.
     
    Additional Details
    Testing TCP port 443 on host domain.com to ensure it's listening and open.
      The port was opened successfully.
    Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
     
    Test Steps
    Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
      Testing of this potential Autodiscover URL failed.
     
    Test Steps
     
    Attempting to resolve the host name autodiscover.domain.com in DNS.
      The host name couldn't be resolved.
     
    Additional Details
    Attempting to contact the Autodiscover service using the HTTP redirect method.
      The attempt to contact Autodiscover using the HTTP Redirect method failed.
     
    Test Steps
     
    Attempting to resolve the host name autodiscover.domain.com in DNS.
      The host name couldn't be resolved.
     
    Additional Details
    Attempting to contact the Autodiscover service using the DNS SRV redirect method.
      ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
     
    Test Steps
     
    Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
      The Autodiscover SRV record wasn't found in DNS.

    Monday, September 10, 2012 11:48 AM
  • You don't have any method to reach your autodiscover service, you need to either set one up by creating an external DNS A record for autodiscover.domain.com pointing to the CAS or using the SRV redirect method.

    Does your cert have autodiscover.domain.com?


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Monday, September 10, 2012 1:54 PM
  • I guess I'm not sure what you mean because I can reach it by entering the URL you gave me above:

    https://remote.company.com/autodiscover/autodiscover.xml 

    I get a login screen when I go to that address.

    No the cert does not include autodiscover.

    Do I really need the cert for that??  The Autodiscover problems we are having are all internal, we are just trying to get our anti-spam software to work correctly.

    Monday, September 10, 2012 6:25 PM
  • Yes, because that's the direct URL; however, Outlook is hard coded to look for the URL

    autodiscover.domain.com or domain.com

    Since you don't have autodiscover.domain.com included in your cert you can either get a new one re-issued that includes both remote.company.com and autodiscover.company.com. If you don't want to get a new cert then you can use the SRV method.

    A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service

    http://support.microsoft.com/kb/940881

    Now the HTTP 401 error is a separate issue. I would go ahead and run Exchange Best Practice Analyzer to see if it detects any configuration issues with your autodiscover directory\files.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    Monday, September 10, 2012 7:03 PM
  • It won't even see the certificate if you don't have an A record for autodiscover.domain.com.

    It's right there in the ExRCA output:

    Attempting to resolve the host name autodiscover.domain.com in DNS.
    The host name couldn't be resolved.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, September 10, 2012 7:51 PM
  • I guess I still don't understand why I need an external A record for the autodiscover... I am just trying to get our spam software to work internally. I have installed this same anti-spam software on other 2007 and 2010 servers with no trouble and I have never set up an A record for autodiscover.

    I did just setup an SRV record on our internal DNS.

    I also ran the Exchange Best Practices and the only errors/alerts I got were for the incoming message size was too large.

    Monday, September 10, 2012 7:56 PM
  • What is the specific issue with the spam software? It may not be related to autodiscover at all. Setting up SRV record for internal domain joined clients will use SCP lookup and not DNS lookup. You will need to create it in external DNS.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    • Edited by Jamestechman Monday, September 10, 2012 10:45 PM
    Monday, September 10, 2012 10:44 PM
  • You're the one who asked about Autodiscover!  It's right in the forum thread title!

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, September 11, 2012 12:56 AM
  • Yes I did ask about Autodiscover, here is what was in my initial post:

     It is VIPRE Email Security, formerly called Ninja. I worked with their support and we determined it is an Autodiscover issue. When we run test-outlookwebservices we get this error: The remote server returned an error: (401) Unauthorized.

    Our spam software is VIPRE Email Security and it is not creating the 'spam' folders and moving the spam to them in Outlook. Like I have said I worked with their support and they are telling me Autodiscover is not working correctly as is shown when we run test-outlookwebservices. They are telling me it uses Autodiscover to initially create the folders when the first spam message is found and then move the spam emails to that folder every time after that. I can see that it is catching spam and giving it a 'score' but then it just delivers it to the inbox because it cannot create the folder or move the message to that folder.

    Tuesday, September 11, 2012 1:48 AM
  • Hi scs-04,

    The test result is returned by the online test for ActiveSync and EXTERNAL Autodiscover, which is different from the internal test-outlookwebservices, your initial question in this thread.

    Please provide the result of test-outlookwebservices, thanks.


    Fiona Liao

    TechNet Community Support

    Tuesday, September 11, 2012 2:09 AM
    Moderator
  • Here are the results:

    [PS] C:\Windows\system32>test-outlookwebservices | fl


    Id      : 1003
    Type    : Information
    Message : About to test AutoDiscover with the e-mail address SuperLogin@domain.com
              

    Id      : 1007
    Type    : Information
    Message : Testing server server.domain.local with the published name https:
              //remote.domain.com/EWS/Exchange.asmx & https://remote.domain.com/EWS/Exchange.asmx.

    Id      : 1019
    Type    : Information
    Message : Found a valid AutoDiscover service connection point. The AutoDiscover
               URL on this object is https://remote.domain.com/Autodiscover/Au
              todiscover.xml.

    Id      : 1013
    Type    : Error
    Message : When contacting https://remote.domain.com/Autodiscover/Autodisco
              ver.xml received the error The remote server returned an error: (401)
               Unauthorized.

    Id      : 1006
    Type    : Error
    Message : The Autodiscover service could not be contacted.

    Tuesday, September 11, 2012 12:12 PM
  • Check the NTFS permissions on the autodiscover.xml file, make sure auth users are listed with read and list and it's inheriting perms. You checked the parent folder earlier but check the file as well. Also confirm the IIS setting as well.

    In IIS check the Autodiscover Vdir

    Autodiscover

    • Basic authentication
    • Windows authentication
    • SSL required
    • Require 128-bit encryption


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, September 11, 2012 2:29 PM
  • Yes the .xml file has Read & Execute and also Read for Auth. Users and it is inheriting.

    I checked the IIS before and everything is still correct.

    Tuesday, September 11, 2012 8:01 PM
  • Under 'Advanced' the Auth. Users has Traverse folder, list folder, read attributes, and read extended...
    Tuesday, September 11, 2012 8:03 PM
  • Please try to access the URL https://remote.domain.com/Autodiscover/Autodiscover.xml from the computer where you run this cmdlet. The expected result should be an error code 600.

    If there is any error, try https://localhost/autodiscover/autodiscover.xml on your CAS server console, and then search the IIS log for the exact error code.

    Reminder: ping this URL to make sure it is pointing to the correct CAS server.

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    Wednesday, September 12, 2012 2:01 AM
    Moderator
  • Thanks for all the help so far.

    When I go to https://remote.domain.com/Autodiscover/Autodiscover.xml I get a login prompt but I cannot login.  I have tried my user account and the Administrator user account but I can never login.  After 3 attempts I  get the following error:

    HTTP Error 401.1 - Unauthorized

    You do not have permission to view this directory or page using the credentials that you supplied.

    Detailed Error Information
    Module WindowsAuthenticationModule
    Notification AuthenticateRequest
    Handler AboMapperCustom-1175415
    Error Code 0x8009030c
    Requested URL https://remote.domain.com:443/Autodiscover/Autodiscover.xml
    Physical Path C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover\Autodiscover.xml
    Logon Method Not yet determined
    Logon User Not yet determined

    Most likely causes:
    • The username supplied to IIS is invalid.
    • The password supplied to IIS was not typed correctly.
    • Incorrect credentials were cached by the browser.
    • IIS could not verify the identity of the username and password provided.
    • The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.
    • The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.
    • Invalid Kerberos configuration may be the cause if all of the following are true:
      • Integrated authentication was used.
      • the application pool identity is a custom account.
      • the server is a member of a domain.

    When I go to https://localhost/autodiscover/autodiscover.xml on the Exchange server I get the error code 600:

    <?xml version="1.0" encoding="utf-8" ?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
        <Error Time="07:12:59.2120640" Id="1541759194">
          <ErrorCode>600</ErrorCode>
          <Message>Invalid Request</Message>
          <DebugData />
        </Error>
      </Response>
    </Autodiscover>

    Wednesday, September 12, 2012 11:20 AM
  • It is the correct IP when I ping remote.domain.com
    Wednesday, September 12, 2012 11:21 AM
  • Go ahead and try to recreate the autodiscover virtual directory: remove just the autodiscover virtual directory, then create a new one.

    http://my.opera.com/RavenOverride/blog/2009/06/17/how-to-recreate-all-virtual-directories-for-exchange-2007


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, September 12, 2012 3:58 PM
  • Thanks.

    You got 401 on the client computer and got 600 in the CAS server console, so the Autodiscover service virtual directory is working fine, and the permission is setup correctly.

    The problem is caused by the credentials provided on the client computer. As the message describes, the error 401 could be caused by various factors. My suggestion is:

    1. Verify your firewall configuration if there is any;

    2. The user account you used to run the cmdlet and test the URL does not have sufficient permission, try to log on as another admin account when you are prompted;

    3. Check the IIS log for more detailed error code. Refer to: http://support.microsoft.com/kb/318380

    Hope it is helpful.


    Fiona Liao

    TechNet Community Support

    Thursday, September 13, 2012 1:22 AM
    Moderator
  • I have turned off the firewall on the server completely, but still nothing.

    I have tried logging in with my user account and also the Admin account, where are the permissions set?

    When I run the 'test-outlookwebservices' on the Exchange server console I get this in the log file:

    2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1

    2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 0
    2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1
    2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1
    2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 1
    2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1

    Thursday, September 13, 2012 11:45 AM
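
Added example, not part of any post in this thread: a PowerShell helper that decodes the status triplet (sc-status, sc-substatus, sc-win32-status) in the IIS log lines posted above and flags requests whose client IP equals the server IP. It assumes the default IIS 7 W3C field order, because the log's #Fields header is not shown on the page; the function name ConvertFrom-IisAuthLine and the lookup tables are hypothetical helpers written for this illustration.

```powershell
# Sample input: the six IIS log lines from the post above.
$sampleLog = @'
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 0
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1
'@

# Assumption: default IIS 7 W3C field order (the #Fields header is not on the page).
$fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
          'cs-username','c-ip','cs(User-Agent)','sc-status','sc-substatus',
          'sc-win32-status','time-taken'

# Only the codes that occur in this thread; anything else is reported as 'unknown'.
$substatusText = @{
    '401.1' = 'Logon failed'
    '401.2' = 'Logon failed due to server configuration'
}
$win32Text = @{
    '0x00000005' = 'ERROR_ACCESS_DENIED'
    '0x8009030C' = 'SEC_E_LOGON_DENIED'
    '0x8009030E' = 'SEC_E_NO_CREDENTIALS'
}

function ConvertFrom-IisAuthLine {
    param([string]$Line)
    $parts = $Line.Trim() -split '\s+'
    if ($parts.Count -ne $fields.Count) { return }   # not a data line in the assumed layout
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }

    $status = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
    # sc-win32-status is logged as an unsigned decimal; convert it to the hex form
    # that the IIS error page prints (for example 0x8009030c).
    $hex = '0x{0:X8}' -f [uint32]$row['sc-win32-status']
    $meaning = $substatusText[$status]; if (-not $meaning) { $meaning = 'unknown' }
    $name    = $win32Text[$hex];        if (-not $name)    { $name    = 'unknown' }

    [pscustomobject]@{
        Time             = '{0} {1}' -f $row['date'], $row['time']
        Status           = $status
        Meaning          = $meaning
        Win32            = $hex
        Win32Name        = $name
        User             = $row['cs-username']
        FromServerItself = ($row['s-ip'] -eq $row['c-ip'])   # request originated on the server
    }
}

$sampleLog -split "`r?`n" |
    Where-Object { $_ -and $_ -notmatch '^#' } |             # skip blanks and W3C header lines
    ForEach-Object { ConvertFrom-IisAuthLine $_ } |
    Format-Table -AutoSize
```

For the posted lines, the last entry of each group decodes to 401.1 with 0x8009030C, the same error code shown on the HTTP Error 401.1 page earlier in the thread, and every request has the server's own address as the client IP.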
  • It is 401.1, logon failed.

    Did you notice any difference when you log on from the client computer and from the CAS server?


    Fiona Liao

    TechNet Community Support

    Thursday, September 13, 2012 1:31 PM
    Moderator
  • The permission is setup in /Autodiscover virtual directory in IIS manager.

    You may also verify the default permission configuration: http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx


    Fiona Liao

    TechNet Community Support

    Thursday, September 13, 2012 1:49 PM
    Moderator
  • When trying to go to https://remote.domain.com/Autodiscover/Autodiscover.xml from a client computer I do get a login screen and when I login with the administrator user and password I get this page:

    <?xml version="1.0" encoding="utf-8" ?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response>
        <Error Time="07:50:06.3970640" Id="1541759194">
          <ErrorCode>600</ErrorCode>
          <Message>Invalid Request</Message>
          <DebugData />
        </Error>
      </Response>
    </Autodiscover>

    When doing it from the CAS/Exchange server I get the HTTP Error 401.1 listed a couple of posts above.


    Wednesday, September 19, 2012 11:58 AM