AutoDiscover Troubleshooting- Default authentication for Exchange VDir’s aka Virtual directories on CAS and Mailbox role
With AutoDiscover is highlight in E2K7 and E2010, we know how important is to understand and troubleshoot this feature.
Test E-mail AutoConfiguration is an inbuilt tool in Outlook which lets you know whether AutoDiscover is working as expected from a client machine.
Internal Clients – Outlook looks for SCP (Service connection point) in AD which contains the URL for the Autodiscover residing on the CAS server’s IIS and outlook ultimately establishes a connection with the CAS Server.
Internal AutoDiscover URL looks like – https://mydomain/autodiscover/autodiscover.xml
External Clients – In this case, outlook is not in the domain and would be utilizing RPC-HTTP and Outlook so uses DNS to resolve the external AutoDiscover URL specified for your organization.
External AutoDiscover URL looks like – https://autodiscover.mydomain/autodiscover/autodiscover.xml
If you are looking at this article before setting up Autodiscover URL’s, it is recommended to have it setup this way.
To get details on Autodiscover VDir, type this cmdlet:
Get-AutodiscoverVirtualDirectory |FL
Now, to run Test E-mail AutoConfiguration, the pre-requisite is that your mailbox should be on an E2K7/E2010 server for which you think AutoDiscover has encountered an issue. E2K3 users do not use this service.
Now press the CTRL button on the key-board and right-click the Outlook icon in the System tray.
You will now see a pop-up screen with your email address. Only check the box which says “Use Autodiscover” and click Test.
Once the test completes, you should not see any errors.
Now, if you have clients complaining AutoDiscover works internally and not externally, the best way to start troubleshooting is to go to www.testexchangeconnectivity.com and perform an AutoDiscover test there.
Now, if it is not working internally or externally the first action should be to mandatorily check the Authentication’s for Exchange virtual directories on your CAS servers. Now, if you ask me as to what changes it – it could be a patch which was recently installed/human error/something which I dont know. Please be sure to check these on all your CAS servers individually if it is a set of clients complaining of having this issue.
I have made a checklist of the authentication types for Exchange VDir’s on the CAS and Mailbox roles for Exchange 2007 and 2010 servers.
We begin with the default settings on a CAS, followed by the settings on a Mailbox server for both E2K7 and E2010 and the setting bear no changes with Service pack upgrades.
| Exchange 2007 CAS Role | |||
| VDir | Authentication | SSL | Management done through |
| Default Web Site | Anonymous | Yes | IIS and HTTP Keep Alive should be on |
| /Owa | Basic | Yes | EMC/Powershell |
| /Exchange | Basic | Yes | EMC/Powershell |
| /Public | Basic | Yes | EMC/Powershell |
| /Exchweb | Basic | Yes | EMC/Powershell |
| /Oab | Integrated | No | EMC/Powershell |
| /Autodiscover | Basic and Integrated | Yes | Powershell |
| /Ews | Integrated | Yes | Powershell |
| /UnifiedMessaging | Integrated | Yes | Powershell |
| /Microsoft-Server-Activesync | Basic | Yes | EMC/Powershell |
| /Rpc | Basic and Integrated | Yes | |
| Exchange 2007 Mailbox Role | |||
| VDir | Authentication | SSL | Management done through |
| Default Web Site | Anonymous | No | IIS |
| /Exadmin | Basic and Integrated | No | IIS |
| /Exchange | Basic and Integrated | No | EMC |
| /Public | Basic and Integrated | No | EMC |
| Exchange 2010 CAS Role | |||
| VDir | Authentication | SSL | Management performed through |
| Default Web Site | Anonymous | Yes | IIS |
| aspnet_client | Anonymous | Yes | IIS |
| Autodiscover | Anonymous / Basic / Windows Authentication | Yes | Powershell |
| ECP | Anonymous / Basic | Yes | EMC or Powershell |
| EWS | Anonymous / Windows Authentication | Yes | Powershell |
| Microsoft-Server-ActiveSync | Basic | Yes | EMC or Powershell |
| OWA | Basic | Yes | EMC or Powershell |
| Powershell | Anonymous | No | EMC or Powershell |
| RPC | Basic / Windows Authentication | Yes | Powershell |
| RpcWithCert | Everything Disabled | Yes (128 encryption not enabled) | N/A |
| OAB | Windows Authentication | No | EMC or Powershell |
| Exchange 2010 Mailbox Role | |||
| VDir | Authentication | SSL | Management done through |
| Default Web Site | Anonymous | Yes | IIS |
| PowerShell | Anonymous | No | Powershell |
These are the Powershell CMDlet’s to edit settings for the ones only with Shell:
Set-AutoDiscoverVirtualDirectory
Set-WebServicesVirtualDirectory
Set-PowershellVirtualDirectory
Set-OutlookAnywhere (RPC VDir)
Once you confirm these entire Authentications are displayed properly, next step is to do:
Test-OutlookWebServices and ensure you get an error free output.
To re-create your Autodiscover VDir, follow this:
1. Take a backup of IIS
##As simple as a right click backup in IIS 6
##To backup IIS 7, you need to follow this:
To add a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe add backup ” IISbkp_Date ”
To restore a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe restore backup ” IISbkp_Date ”
To delete a backup, run this command:
%windir%\system32\inetsrv\appcmd.exe delete backup ” IISbkp_Date ”
To list all backup’s, run this command:
%windir%\system32\inetsrv\appcmd.exe list backup
2. Remove-AutodiscoverVirtualDirectory –Identity “CAS-servername\Autodiscover (Default Web Site)”
3. New-AutodiscoverVirtualDirectory -WebsiteName “Default Web Site” -WindowsAuthentication $true -BasicAuthentication $true
4. Perform an IISReset
These are the basic troubleshooting for if AutoDiscover stops functioning. Understanding the concepts are extremely important as they drive resolution further.
—
Ratish Nair
Team @ MSExchangeGuru
October 21st, 2010 at 9:46 pm
Thanks for the article. Helped me understand what Autodiscover is. Could you write another one continuing the troubleshooting?
October 22nd, 2010 at 4:45 pm
I am Markus from Germany. Just wanted to thank you for this post. Please include more details on what attribute to look for troubleshooting Autodiscover in adsiedit tool.
November 10th, 2010 at 11:37 am
hi – i have my isp host my website and email – i am running sbs 2008 and exchange 2007 in my 3 seat office – i am using a custom dns at my web host to separate http://www.estateattorney.info (which points to my host) versus remote.estateattorney.info (which points to my server)
today i have added autodiscover.estateattorney.info to my webhost, and again, have that point at my server.
i’m getting frustated. i can get owa to work. i do get repatead outlook 2007 credential requests inside the office. remote.estateattorney.info works fine (i can install my self generated certificate)
however, autodiscover has never worked properly for me. i have been able to enter my credentials manually. i have now bought a mac, and office 2011 (outlook 2011) did work eventually, and perfectly (manual entries) – then it simply stopped working about 6 hours later, and now i can not get it to work. i believe getting autodiscover to work properly may solve my issues. i know i may require a commercial certificate.
is there someone at the site, or someone recommended who can help me solve this issue at a reasonable price? many many thanks.
November 10th, 2010 at 5:56 pm
FWIW, i was going to ask microsoft pss for help (thanks for the suggestions and reply ratish) – turns out the issue resolved itself once i upgraded my “stock” exchange 2007 to sp3 with rollup 1 (didn’t realize WSUS would not take care of that)
Hopefully will work properly on the mac – and i believe as a bonus i can say good bye to those horribly annoying (and repeating) outlook 2007 credential requests!
March 14th, 2011 at 1:33 am
A Great Article, and waiting for more :). Thanks
March 29th, 2011 at 12:35 am
Really fantastic article… could you please put your blogs more on Troubleshooting part…waiting for that to cume up in this website.
Thanksyou Ratish.
August 9th, 2011 at 4:22 pm
Note that external Autodiscover does not work if the email address is not the same as the account in AD. For instance, autodiscover never worked with an email address of first name but when I used email address of full name, external autodicover worked.
August 10th, 2011 at 9:28 am
Excellent post Ratish!
Also, please don’t forget to check (or update) the following:
Get-ClientAccessServer | Select Name, AutoDiscoverServiceInternalUri
Set-ClientAccessServer MMEC001 -AutoDiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml
This command will check/update the SCPs that Ratish mentioned in his post.
November 8th, 2011 at 1:37 am
Hi,
I have an issue where users from other network are not able to download OAB, this is one of the trusted domain. When users are trying to download the OAB they are not able to and getting 0x8004010f erro in outlook client. But other users from internet or with in network are able to download without any issue. When i run Test email Autoconfiguration from problematic network it is getting failed. we have ISA 2006 sitting in fron of CAS servers.
November 8th, 2011 at 6:32 am
Hi Ratish
We have two ex2010 servers the first one EX1 was a test server and will be removed eventually, however if I look in sites and services only one SCP record is showing and it’s EX1
Question how do I update the record to use EX2 I thought this was created automatically on install.
Colin
December 7th, 2011 at 4:21 am
Thank you for this post. I have been struggling with a customers Exchange 2010 system since it was migrated 6 weeks ago. For some reason we were unable to use the Out of the Office in Outlook Client or Web Access. Following your guide we now have access to seto Out of the Office in web access. Still doesnt work in full outlook but this has really helped me out. Thanks. Karl.
February 17th, 2012 at 8:55 am
[…] AutoDiscover Troubleshooting- Default authentication for Exchange VDir’s aka Virtual directories on CAS and Mailbox role: https://msexchangeguru.com/2010/10/05/autodiscover/ […]
March 12th, 2012 at 1:13 pm
Hi,
“Note that external Autodiscover does not work if the email address is not the same as the account in AD.”
– So you can confirm for me that I’ll never get my autodiscovery to work when my AD-DNS Domain is contoso.local, while my external email domain is contoso.com?
My colleagues’ loginnames are user.name@contoso.local, trying to autodiscover withe their user.name@contoso.com mail address. To make it more specific: they have mail addresses named user.name@contoso.local as well, for sure.
Thanks in advance,
Kay
April 22nd, 2012 at 12:31 pm
this article is not complete. Please complete this article the guru way..
I would like to see this article also explains ” How to Configure the Autodiscover Service for Multiple Forests”.
Thanks for the little Auto discover information…
April 22nd, 2012 at 12:36 pm
this article is not complete. Please complete this article the guru way..
I would like to see this article also explains ” How to Configure the Autodiscover Service for Multiple Forests”. Also would like to see how to configure Auto discover using client Access Array for multiple forests.
Thanks for the little Auto discover information…
October 24th, 2012 at 5:26 pm
I love your blog and follow for all Exchange related things
January 11th, 2013 at 8:21 am
I loved the article. Thanks for sharing.
June 3rd, 2013 at 8:03 am
how to configure autodiscover in intrasite inviorment???????
July 5th, 2013 at 2:11 pm
Thank you! I have been pulling my hair out since upgrading Exchange 2010 to SP3 and all the IIS settings were reset. Now that I followed your authentication settings, all is working well.
Thank you for the post.
February 21st, 2015 at 12:58 pm
Hurrah, tɦаt’s what I ѡaѕ seeking fօr, what a information!
existing here at this weblog, thanks admin οff this web site.
May 12th, 2015 at 5:53 am
Hello All,
I am facing very strange issue in OWA, OWA URL is opening but when I click on inbox or any subfolders nothing happens. Also I have noticed when I click on Inbox, same time hash symbol appeared .etc https://xxxxx.com/owa/#.
Also I have checked the IIS logs but no error found.
Can someone suggested me where is the issue?
April 28th, 2016 at 7:04 am
[…] going back to my notes: AutoDiscover Troubleshooting- Default authentication for Exchange VDir?s aka Virtual directories on … helped a […]