Autodiscover - Still being prompted for credentials
Hello all, I've been reading on this error *endlessly*. Lots of suggestions, but so far no results. I have Ex2007 on Server 2008, with a mixture of Outlook 2007 & 2010 clients. A few of my clients (not all thankfully!) are receiving the annoying credential prompt. I have a single name cert, with owa.savannahstate.edu designated. I created the SRV record on my inbound DNS, pointing autodiscover to the same name (owa.savannahstate.edu). My internal DNS domain is different than my external. Outlook Anywhere is disabled on the server side. Running the Test E-mail AutoConfiguration process in Outlook I receive: "Attempting URL https://owa.savannahstate.edu/autodiscover.autodiscover.xml found through SCP", I also see "starting" and "succeeded". So it appears that the SCP exists and is functional. Typically I can resolve these prompt errors by clearing a user's cached credentials on their workstation, but I have a few clients that get no results from this activity, they still receive the annoying prompt for creds continually. I found two suggestions saying to check the IIS settings on my CAS: 1) under Autodiscover -> Authentication -> Windows Authentication, ensure that "Enable Kernel-mode authentication" is checked -- and 2) under Default Web Site -> Authentication -> Windows Authentication (normally disabled), enable Windows Authentication, UNCHECK the "Enable Kernel-mode authentication", apply then disable Windows Authentication. Somewhat conflicting here. On the CAS, running Get-ClientAccessServer | Select Name, *Internal* | fl yields the following: AutoDiscoverServiceInternalUri : https://owa.savannahstate.edu/autodiscover/autodiscover.xml I've dealt with my share of Microsoft errors over the years, but this one takes the cake. Unfortunately one of the users receiving the error works in the President's office, and this user is making some noise about it. I'm hoping that the community will have some expert suggestions. Thanks in advance for all assistance.
August 26th, 2010 10:46pm

Hi, Is the OAB generation still handled by exchange 2007, please try to use get-exchangecertificate |fl and post the output here. we need to check if the certificate name is the same as the certificate that you have installed. More information to share with you: Exchange 2007 Autodiscover and certificates http://msexchangeteam.com/archive/2007/04/30/438249.aspx White Paper: Exchange 2007 Autodiscover Service http://technet.microsoft.com/en-us/library/bb332063.aspx#UnderstandingExchangeSelfSignedCert Also have a look into this post it might help : http://social.technet.microsoft.com/Forums/en-US/exchangesvrdeploy/thread/c1e72d2a-d360-4ff0-b2f5-1a9ae149df18Ripu Daman Mina | MCSE 2003 & MCSA Messaging
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2010 3:04pm

I checked in the ESM, and the CAS shows OAB(Default Web Site) with an internal URL of https://owa.savannahstate.edu/oab. I then accessed Send/Receive -> Download Address Book, and that process yielded no errors that I could see. I do however receive an error related to virtual directories when I launch the ESM from my workstation, but not when I launch it from one of the Exchange servers. I'll post it in a different reply below to avoid being *too* long winded. Details of the cert: [PS] C:\Windows\system32>get-exchangecertificate |fl AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {owa.savannahstate.edu} HasPrivateKey : True IsSelfSigned : True Issuer : C=us, O=Savannah State University, CN=owa.savannahstate.edu NotAfter : 4/20/2011 10:11:50 AM NotBefore : 4/20/2010 9:51:50 AM PublicKeySize : 1024 RootCAType : None SerialNumber : 1B5D349B8A3E4EBC40A9A07E06BACADE Services : None Status : Valid Subject : C=us, O=Savannah State University, CN=owa.savannahstate.edu Thumbprint : 4068A2C9E4D18AEE164C5471DD765784211262ED AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {owa.savannahstate.edu} HasPrivateKey : True IsSelfSigned : False Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US NotAfter : 5/21/2011 11:22:57 PM NotBefore : 4/18/2010 11:42:07 AM PublicKeySize : 1024 RootCAType : ThirdParty SerialNumber : 126A7F Services : IMAP, IIS Status : Valid Subject : CN=owa.savannahstate.edu, OU=Domain Control Validated - QuickSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)10, OU=GT88698303, O=owa.savannahstate.edu, C=US, SERIALNUMBER=xtWa6V7DrZIkdUEU2SLlkh0QpD1wOnmK Thumbprint : 5CF648C74B56D974251DE147CD0F2CCCD8F4DB23 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {csit-svr-ex02.tigerworld.savstate.edu, tigerworld.savstate.edu} HasPrivateKey : True IsSelfSigned : True Issuer : C=us, O=Savannah State University, CN=csit-svr-ex02.tigerworld.savstate.edu NotAfter : 4/21/2010 10:36:31 AM NotBefore : 4/21/2009 10:16:31 AM PublicKeySize : 1024 RootCAType : Unknown SerialNumber : 37F5F9006DBAE8814DC5264C2F4FAF62 Services : None Status : Invalid Subject : C=us, O=Savannah State University, CN=csit-svr-ex02.tigerworld.savstate.edu Thumbprint : A50498B7AA714231D195A2869CDD70BB1D954F46 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule} CertificateDomains : {csit-svr-ex02.tigerworld.savstate.edu, tigerworld.savstate.edu} HasPrivateKey : True IsSelfSigned : True Issuer : C=us, O=Savannah State University, CN=csit-svr-ex02.tigerworld.savstate.edu NotAfter : 4/20/2010 4:33:46 PM NotBefore : 4/20/2009 4:13:46 PM PublicKeySize : 1024 RootCAType : Unknown SerialNumber : 5DAFC712E5A8AA94496C6FCFEE4A4F82 Services : None Status : Invalid Subject : C=us, O=Savannah State University, CN=csit-svr-ex02.tigerworld.savstate.edu Thumbprint : 5BA76A438A3DEEF476013F33FFA799BC5C877015 AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System .Security.AccessControl.CryptoKeyAccessRule, System.Securi ty.AccessControl.CryptoKeyAccessRule} CertificateDomains : {owa.savannahstate.edu} HasPrivateKey : True IsSelfSigned : False Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US NotAfter : 4/21/2010 4:05:09 PM NotBefore : 4/20/2009 4:05:09 PM PublicKeySize : 1024 RootCAType : ThirdParty SerialNumber : 0B08BF Services : IMAP Status : DateInvalid Subject : CN=owa.savannahstate.edu, OU=Domain Control Validated - GeoTrust QuickSSL Premium(R), OU=See www.geotrust.com/resour ces/cps (c)05, OU=GT88698303, O=owa.savannahstate.edu, C=US Thumbprint : 8CE927BD1833A1DB28ACFC47DF4201B817EA49CD
August 27th, 2010 3:46pm

Here is the error I receive when I launch ESM from my workstation. It may be a permissions error, as of course I'm logged on as myself. As I said, I don't receive this error when I launch ESM from one of the Exchange servers. -------------------------------------------------------- Microsoft Exchange Error -------------------------------------------------------- The following error(s) were reported while loading topology information: Get-ActiveSyncVirtualDirectory Failed Error: Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied. . HResult = -2147024891. Access is denied. . Directory Path: IIS://csit-svr-ex02.tigerworld.savstate.edu/W3SVC/1/ROOT/Microsoft-Server-ActiveSync Detail: server name: csit-svr-ex02.tigerworld.savstate.edu local machine name: 117HMM-111PC09 local machine fqdn: 117HMM-111PC09.tigerworld.savstate.edu Access is denied. Get-OabVirtualDirectory Failed Error: Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied. . HResult = -2147024891. Access is denied. . Directory Path: IIS://csit-svr-ex02.tigerworld.savstate.edu/W3SVC/1/ROOT/OAB Detail: server name: csit-svr-ex02.tigerworld.savstate.edu local machine name: 117HMM-111PC09 local machine fqdn: 117HMM-111PC09.tigerworld.savstate.edu Access is denied. Get-OWAVirtualDirectory Failed Error: Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied. . HResult = -2147024891. Access is denied. . Directory Path: IIS://csit-svr-ex02.tigerworld.savstate.edu/W3SVC/1/ROOT/Exchange Detail: server name: csit-svr-ex02.tigerworld.savstate.edu local machine name: 117HMM-111PC09 local machine fqdn: 117HMM-111PC09.tigerworld.savstate.edu Access is denied.
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2010 3:53pm

Hi Can you test your autodiscover function at https://www.testexchangeconnectivity.com/ and post the result in the threadJonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
August 27th, 2010 4:03pm

Attempting to test Autodiscover for scottss@savannahstate.edu Autodiscover was tested successfully. Test Steps ExRCA is attempting each method of contacting the Autodiscover service. The Autodiscover service was tested successfully. Test Steps Attempting to test potential AutoDiscover URL https://savannahstate.edu/AutoDiscover/AutoDiscover.xml Testing of this potential Autodiscover URL failed. Test Steps Attempting to resolve the host name savannahstate.edu in DNS. Host successfully resolved Additional Details IP(s) returned: 168.20.193.23 Testing TCP Port 443 on host savannahstate.edu to ensure it is listening and open. The specified port is either blocked, not listening, or not producing the expected response. Tell me more about this issue and how to resolve it Additional Details A network error occurred while communicating with remote host Exception details: Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 168.20.193.23:443 Type: System.Net.Sockets.SocketException Stack trace: at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port) at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally() Attempting to test potential AutoDiscover URL https://autodiscover.savannahstate.edu/AutoDiscover/AutoDiscover.xml Testing of this potential Autodiscover URL failed. Test Steps Attempting to resolve the host name autodiscover.savannahstate.edu in DNS. The Host could not be resolved. Tell me more about this issue and how to resolve it Additional Details Host autodiscover.savannahstate.edu could not be resolved in DNS Exception details: Message: The requested name is valid, but no data of the requested type was found Type: System.Net.Sockets.SocketException Stack trace: at System.Net.Dns.GetAddrInfo(String name) at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6) at System.Net.Dns.GetHostAddresses(String hostNameOrAddress) at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally() ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method. The attempt to contact Autodiscover using the HTTP Redirect method failed. Test Steps Attempting to resolve the host name autodiscover.savannahstate.edu in DNS. The Host could not be resolved. Tell me more about this issue and how to resolve it Additional Details Host autodiscover.savannahstate.edu could not be resolved in DNS Exception details: Message: The requested name is valid, but no data of the requested type was found Type: System.Net.Sockets.SocketException Stack trace: at System.Net.Dns.GetAddrInfo(String name) at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6) at System.Net.Dns.GetHostAddresses(String hostNameOrAddress) at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally() ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method. Successfully contacted AutoDiscover using the DNS SRV redirect method. Test Steps Attempting to locate SRV record _autodiscover._tcp.savannahstate.edu in DNS. The Autodiscover SRV record was successfully retrieved from DNS. Additional Details Srv Record returned host: owa.savannahstate.edu Attempting to test potential AutoDiscover URL https://owa.savannahstate.edu/Autodiscover/Autodiscover.xml Testing of the Autodiscover URL was successful. Test Steps Attempting to resolve the host name owa.savannahstate.edu in DNS. Host successfully resolved Additional Details IP(s) returned: 168.20.193.26 Testing TCP Port 443 on host owa.savannahstate.edu to ensure it is listening and open. The port was opened successfully. ExRCA is testing the SSL certificate to make sure it's valid. The certificate passed all validation requirements. Test Steps The certificate name is being validated. Successfully validated the certificate name Additional Details Found hostname owa.savannahstate.edu in Certificate Subject Common name Certificate trust is being validated. The certificate is trusted and all certificates are present in the chain. Additional Details The Certificate chain has be validated up to a trusted root. Root = OU=Equifax Secure Certificate Authority, O=Equifax, C=US The certificate date is being confirmed to ensure the certificate is valid. Date validation passed. The certificate hasn't expired. Additional Details Certificate is valid: NotBefore = 4/18/2010 3:42:07 PM, NotAfter = 5/22/2011 3:22:57 AM" The IIS configuration is being checked for client certificate authentication. Client certificate authentication wasn't detected. Additional Details Accept/Require Client Certificates not configured. ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs. Successfully Retrieved AutoDiscover Settings by sending AutoDiscover POST. Test Steps Attempting to Retrieve XML AutoDiscover Response from url https://owa.savannahstate.edu/Autodiscover/Autodiscover.xml for user scottss@savannahstate.edu The Autodiscover XML response was successfully retrieved. Additional Details AutoDiscover Account Settings XML Response: <?xml version="1.0"?> <Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"> <User> <DisplayName>Scott, Sheri Saleem</DisplayName> <LegacyDN>/o=Savannah State/ou=First Administrative Group/cn=Recipients/cn=saleems</LegacyDN> <DeploymentId>fded0c6e-7a73-47b8-8687-c0c35ab75312</DeploymentId> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>EXCH</Type> <Server>csit-svr-ex01.tigerworld.savstate.edu</Server> <ServerDN>/o=Savannah State/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CSIT-SVR-EX01</ServerDN> <ServerVersion>720180F0</ServerVersion> <MdbDN>/o=Savannah State/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=CSIT-SVR-EX01/cn=Microsoft Private MDB</MdbDN> <ASUrl>https://owa.savannahstate.edu/ews/exchange.asmx</ASUrl> <OOFUrl>https://owa.savannahstate.edu/ews/exchange.asmx</OOFUrl> <OABUrl>https://owa.savannahstate.edu/oab/0c46cbf4-b8c8-42b3-9866-da36b2830fe5/</OABUrl> <UMUrl>https://csit-svr-ex02.tigerworld.savstate.edu/UnifiedMessaging/Service.asmx</UMUrl> <Port>0</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <PublicFolderServer>csit-svr-ex01.tigerworld.savstate.edu</PublicFolderServer> <AD>tiger7.tigerworld.savstate.edu</AD> <EwsUrl>https://owa.savannahstate.edu/ews/exchange.asmx</EwsUrl> </Protocol> <Protocol> <Type>WEB</Type> <Port>0</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <Internal> <OWAUrl AuthenticationMethod="Basic, Fba">https://owa.savannahstate.edu/owa</OWAUrl> <Protocol> <Type>EXCH</Type> <ASUrl>https://owa.savannahstate.edu/ews/exchange.asmx</ASUrl> </Protocol> </Internal> </Protocol> </Account> </Response> </Autodiscover>
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2010 4:15pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics