MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

AutoDiscover Troubleshooting- Default authentication for Exchange VDir’s aka Virtual directories on CAS and Mailbox role

With AutoDiscover being a highlight of E2K7 and E2010, we know how important it is to understand and troubleshoot this feature.

Test E-mail AutoConfiguration is an inbuilt tool in Outlook which lets you know whether AutoDiscover is working as expected from a client machine.

Internal Clients – Outlook looks for the SCP (Service Connection Point) in AD, which contains the URL for the Autodiscover service residing in IIS on the CAS server, and Outlook ultimately establishes a connection with the CAS server.

Internal AutoDiscover URL looks like – https://mydomain/autodiscover/autodiscover.xml

External Clients – In this case, Outlook is not in the domain and would be using RPC-HTTP, so Outlook uses DNS to resolve the external AutoDiscover URL specified for your organization.

External AutoDiscover URL looks like – https://autodiscover.mydomain/autodiscover/autodiscover.xml

If you are looking at this article before setting up Autodiscover URLs, it is recommended to set them up this way.

To get details on Autodiscover VDir, type this cmdlet:

Get-AutodiscoverVirtualDirectory |FL

Now, to run Test E-mail AutoConfiguration, the pre-requisite is that your mailbox should be on an E2K7/E2010 server for which you think AutoDiscover has encountered an issue. E2K3 users do not use this service.

Now press the CTRL button on the keyboard and right-click the Outlook icon in the System tray.

You will now see a pop-up screen with your email address. Only check the box which says “Use Autodiscover” and click Test.

Once the test completes, you should not see any errors.

Now, if you have clients complaining AutoDiscover works internally and not externally, the best way to start troubleshooting is to go to www.testexchangeconnectivity.com and perform an AutoDiscover test there.

Now, if it is not working internally or externally, the first action should be to check the authentication settings for the Exchange virtual directories on your CAS servers. If you ask me what changes them, it could be a recently installed patch, human error, or something I don't know about. Be sure to check these on each of your CAS servers individually if it is only a set of clients complaining of this issue.

I have made a checklist of the authentication types for Exchange VDir’s on the CAS and Mailbox roles for Exchange 2007 and 2010 servers.

We begin with the default settings on a CAS, followed by the settings on a Mailbox server, for both E2K7 and E2010. The settings do not change with service pack upgrades.

Exchange 2007 CAS Role

| VDir | Authentication | SSL | Management done through |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | Yes | IIS and HTTP Keep Alive should be on |
| /Owa | Basic | Yes | EMC/Powershell |
| /Exchange | Basic | Yes | EMC/Powershell |
| /Public | Basic | Yes | EMC/Powershell |
| /Exchweb | Basic | Yes | EMC/Powershell |
| /Oab | Integrated | No | EMC/Powershell |
| /Autodiscover | Basic and Integrated | Yes | Powershell |
| /Ews | Integrated | Yes | Powershell |
| /UnifiedMessaging | Integrated | Yes | Powershell |
| /Microsoft-Server-Activesync | Basic | Yes | EMC/Powershell |
| /Rpc | Basic and Integrated | Yes | |

 

Exchange 2007 Mailbox Role

| VDir | Authentication | SSL | Management done through |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | No | IIS |
| /Exadmin | Basic and Integrated | No | IIS |
| /Exchange | Basic and Integrated | No | EMC |
| /Public | Basic and Integrated | No | EMC |

 

Exchange 2010 CAS Role

| VDir | Authentication | SSL | Management performed through |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | Yes | IIS |
| aspnet_client | Anonymous | Yes | IIS |
| Autodiscover | Anonymous / Basic / Windows Authentication | Yes | Powershell |
| ECP | Anonymous / Basic | Yes | EMC or Powershell |
| EWS | Anonymous / Windows Authentication | Yes | Powershell |
| Microsoft-Server-ActiveSync | Basic | Yes | EMC or Powershell |
| OWA | Basic | Yes | EMC or Powershell |
| Powershell | Anonymous | No | EMC or Powershell |
| RPC | Basic / Windows Authentication | Yes | Powershell |
| RpcWithCert | Everything Disabled | Yes (128 encryption not enabled) | N/A |
| OAB | Windows Authentication | No | EMC or Powershell |

 

Exchange 2010 Mailbox Role

| VDir | Authentication | SSL | Management done through |
| --- | --- | --- | --- |
| Default Web Site | Anonymous | Yes | IIS |
| PowerShell | Anonymous | No | Powershell |

These are the PowerShell cmdlets to edit settings for the virtual directories that can only be managed through the Shell:

Set-AutoDiscoverVirtualDirectory

Set-WebServicesVirtualDirectory

Set-PowershellVirtualDirectory

Set-OutlookAnywhere (RPC VDir)
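
A read-only way to run this checklist across every CAS, as an added example that is not part of the original article: it compares the Basic and Windows authentication flags reported by the Exchange Management Shell with the Exchange 2010 CAS Role table above. The $baseline and $report names are illustrative, and it assumes every CAS in the organization runs Exchange 2010.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell. Expected values come from the Exchange 2010 CAS Role
# checklist above; Anonymous is set at the IIS level and is not checked here.
$baseline = @(
    @{ VDir = 'Autodiscover'; Cmdlet = 'Get-AutodiscoverVirtualDirectory'; Basic = $true;  Windows = $true  }
    @{ VDir = 'EWS';          Cmdlet = 'Get-WebServicesVirtualDirectory';  Basic = $false; Windows = $true  }
    @{ VDir = 'OAB';          Cmdlet = 'Get-OabVirtualDirectory';          Basic = $false; Windows = $true  }
    @{ VDir = 'OWA';          Cmdlet = 'Get-OwaVirtualDirectory';          Basic = $true;  Windows = $false }
    @{ VDir = 'ECP';          Cmdlet = 'Get-EcpVirtualDirectory';          Basic = $true;  Windows = $false }
)

# Check every CAS individually: a single drifted server can explain why
# only a subset of clients is affected.
$report = foreach ($cas in Get-ClientAccessServer) {
    foreach ($entry in $baseline) {
        foreach ($vdir in (& $entry.Cmdlet -Server $cas.Name)) {
            $basic   = [bool]$vdir.BasicAuthentication
            $windows = [bool]$vdir.WindowsAuthentication
            New-Object PSObject -Property @{
                Server          = $cas.Name
                VDir            = $entry.VDir
                Basic           = $basic
                ExpectedBasic   = $entry.Basic
                Windows         = $windows
                ExpectedWindows = $entry.Windows
                Matches         = ($basic -eq $entry.Basic) -and ($windows -eq $entry.Windows)
            }
        }
    }
}

# Show only the virtual directories that differ from the checklist.
$report | Where-Object { -not $_.Matches } |
    Select-Object Server, VDir, Basic, ExpectedBasic, Windows, ExpectedWindows |
    Format-Table -AutoSize
```

An empty result means the Basic and Windows flags on every CAS match the checklist; any row returned names the server and virtual directory to correct with the matching Set- cmdlet.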

Once you confirm all of these authentication settings are displayed properly, the next step is to run:

Test-OutlookWebServices and ensure you get error-free output.

To re-create your Autodiscover VDir, follow this:

1. Take a backup of IIS

##As simple as a right click backup in IIS 6

##To backup IIS 7, you need to follow this:

To add a backup, run this command:

%windir%\system32\inetsrv\appcmd.exe add backup "IISbkp_Date"

To restore a backup, run this command:

%windir%\system32\inetsrv\appcmd.exe restore backup "IISbkp_Date"

To delete a backup, run this command:

%windir%\system32\inetsrv\appcmd.exe delete backup "IISbkp_Date"

To list all backups, run this command:

%windir%\system32\inetsrv\appcmd.exe list backup

2. Remove-AutodiscoverVirtualDirectory -Identity "CAS-servername\Autodiscover (Default Web Site)"

3. New-AutodiscoverVirtualDirectory -WebsiteName "Default Web Site" -WindowsAuthentication $true -BasicAuthentication $true

4. Perform an IISReset

These are the basic troubleshooting steps for when AutoDiscover stops functioning. Understanding the concepts is extremely important, as they drive the resolution further.

Ratish Nair

Team @ MSExchangeGuru

19 Responses to “AutoDiscover Troubleshooting- Default authentication for Exchange VDir’s aka Virtual directories on CAS and Mailbox role”

  1. Jamie Says:

    Thanks for the article. Helped me understand what Autodiscover is. Could you write another one continuing the troubleshooting?

  2. Markus Says:

    I am Markus from Germany. Just wanted to thank you for this post. Please include more details on what attribute to look for troubleshooting Autodiscover in adsiedit tool.

  3. Gary Garland Says:

    hi – i have my isp host my website and email – i am running sbs 2008 and exchange 2007 in my 3 seat office – i am using a custom dns at my web host to separate http://www.estateattorney.info (which points to my host) versus remote.estateattorney.info (which points to my server)
    today i have added autodiscover.estateattorney.info to my webhost, and again, have that point at my server.
    i’m getting frustrated. i can get owa to work. i do get repeated outlook 2007 credential requests inside the office. remote.estateattorney.info works fine (i can install my self generated certificate)
    however, autodiscover has never worked properly for me. i have been able to enter my credentials manually. i have now bought a mac, and office 2011 (outlook 2011) did work eventually, and perfectly (manual entries) – then it simply stopped working about 6 hours later, and now i can not get it to work. i believe getting autodiscover to work properly may solve my issues. i know i may require a commercial certificate.
    is there someone at the site, or someone recommended who can help me solve this issue at a reasonable price? many many thanks.

  4. Gary Garland Says:

    FWIW, i was going to ask microsoft pss for help (thanks for the suggestions and reply ratish) – turns out the issue resolved itself once i upgraded my “stock” exchange 2007 to sp3 with rollup 1 (didn’t realize WSUS would not take care of that)
    Hopefully will work properly on the mac – and i believe as a bonus i can say good bye to those horribly annoying (and repeating) outlook 2007 credential requests!

  5. Dinesh Silva Says:

    A Great Article, and waiting for more :). Thanks

  6. Shyam Seegu Says:

    Really fantastic article… could you please put your blogs more on Troubleshooting part…waiting for that to come up in this website.

    Thank you Ratish.

  7. Stephen Noe Says:

    Note that external Autodiscover does not work if the email address is not the same as the account in AD. For instance, autodiscover never worked with an email address of first name but when I used email address of full name, external autodiscover worked.

  8. Nuno Mota Says:

    Excellent post Ratish!
    Also, please don’t forget to check (or update) the following:

    Get-ClientAccessServer | Select Name, AutoDiscoverServiceInternalUri

    Set-ClientAccessServer MMEC001 -AutoDiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

    This command will check/update the SCPs that Ratish mentioned in his post.

  9. Kuldeep Nagpal Says:

    Hi,

    I have an issue where users from other network are not able to download OAB, this is one of the trusted domain. When users are trying to download the OAB they are not able to and getting 0x8004010f error in outlook client. But other users from internet or with in network are able to download without any issue. When i run Test email Autoconfiguration from problematic network it is getting failed. we have ISA 2006 sitting in front of CAS servers.

  10. Colin Says:

    Hi Ratish

    We have two ex2010 servers the first one EX1 was a test server and will be removed eventually, however if I look in sites and services only one SCP record is showing and it’s EX1

    Question how do I update the record to use EX2 I thought this was created automatically on install.

    Colin

  11. Karl Wood Says:

    Thank you for this post. I have been struggling with a customer's Exchange 2010 system since it was migrated 6 weeks ago. For some reason we were unable to use the Out of the Office in Outlook Client or Web Access. Following your guide we now have access to set Out of the Office in web access. Still doesn't work in full outlook but this has really helped me out. Thanks. Karl.

  12. Troubleshooting Exchange ActiveSync and reading IIS logs « MSExchangeGuru.com Says:

    [...] AutoDiscover Troubleshooting- Default authentication for Exchange VDir’s aka Virtual directories on CAS and Mailbox role: http://msexchangeguru.com/2010/10/05/autodiscover/ [...]

  13. Kay Says:

    Hi,

    “Note that external Autodiscover does not work if the email address is not the same as the account in AD.”

    – So you can confirm for me that I’ll never get my autodiscovery to work when my AD-DNS Domain is contoso.local, while my external email domain is contoso.com?
    My colleagues’ loginnames are user.name@contoso.local, trying to autodiscover with their user.name@contoso.com mail address. To make it more specific: they have mail addresses named user.name@contoso.local as well, for sure.

    Thanks in advance,
    Kay

  14. Raj Says:

    this article is not complete. Please complete this article the guru way..

    I would like to see this article also explains ” How to Configure the Autodiscover Service for Multiple Forests”.

    Thanks for the little Auto discover information…

  15. Raj Says:

    this article is not complete. Please complete this article the guru way..

    I would like to see this article also explains ” How to Configure the Autodiscover Service for Multiple Forests”. Also would like to see how to configure Auto discover using client Access Array for multiple forests.

    Thanks for the little Auto discover information…

  16. jane Says:

    I love your blog and follow for all Exchange related things

  17. Mohammed Says:

    I loved the article. Thanks for sharing.

  18. kuldeep Dashora Says:

    how to configure autodiscover in intrasite environment?

  19. Jim Says:

    Thank you! I have been pulling my hair out since upgrading Exchange 2010 to SP3 and all the IIS settings were reset. Now that I followed your authentication settings, all is working well.
    Thank you for the post.
