Autodiscover error 401
We are getting some autodiscover errors on our Exchange server 2007 box. We have SBS 2008 Premium and have 1 box running 'SBS' which is the domain controller and Exchange server and second box that runs Server 2008 and SQL. Outlook, ActiveSync, OWA are all working fine, we are having trouble with our spam software though. It is VIPRE Email security, formerly called Ninja. I worked with their support and we determined it is an Autodiscover issue. When we run test-outlookwebservices we get this error: The remote server returned an error: (401) Unauthorized.
I have read a bunch on the topic and found a few things and it seems most everyone is getting around it by disabling the loopback check but that does not appear to be the best, the most secure or the recommended solution. What is the best way to fix this?? Do I need another cert?? I have one GoDaddy Cert already for our external domain name so we don't get cert errors when using OWA.
Thanks for any help.
September 4th, 2012 3:36pm
It's hard to say whether you need another certificate since you didn't tell us anything about your certificate.
You can test Autodiscover yourself at http://exrca.com.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
September 4th, 2012 4:12pm
So the issue you are encountering is that you received error 401 when you run Test-Outlookwebservices, right?
Generally we don't use this cmdlet to test web-services. Instead, we run Test email AutoConfiguration in Outlook 2007 client. Please take a try and let me know the results and logs.
You may also verify the default permission configuration:
http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx
Hope it is helpful.
Fiona Liao
TechNet Community Support
September 5th, 2012 5:55am
Could be permissions issues on the directory or the IIS vdir.
On your CAS verify
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess
ClientAccess folder has authenticated users listed with permissions read and execute, list and read
In IIS check the Autodiscover Vdir
Autodiscover
Basic authentication
Windows authentication
SSL required
Require 128-bit encryption
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 5th, 2012 3:48pm
And no HTTP Redirect.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
September 5th, 2012 9:10pm
Thanks for the replies.
I did check the security on the ClientAccess folder and authenticated users was not listed so I added them with the appropriate permissions. The Vdir permissions looked correct. I ran the tests at http://exrca.com and they all failed. What else can I look into?
September 6th, 2012 9:20pm
If you go to https://webmail.company.com/autodiscover/autodiscover.xml what happens? Do you get an authentication prompt or does it take you to the page right away? You should get a response like below.
I would also test each cas as well
https://cas01.domain.com/autodiscover/autodiscover.xml
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="10:33:14.0231365" Id="2645275802">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 7th, 2012 10:34am
Thanks for the replies.
I did check the security on the ClientAccess folder and authenticated users was not listed so I added them with the appropriate permissions. The Vdir permissions looked correct. I ran the tests at http://exrca.com
and they all failed. What else can I look into?
Please copy and paste the exact response message, thanks.
Fiona Liao
TechNet Community Support
September 9th, 2012 9:35pm
I do get an authentication prompt. When I enter a username then the next page pops up with an error code 600. Where do I go now?
Thanks
September 10th, 2012 7:42am
Here are the results:
Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name domain.com in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name couldn't be resolved.
Additional Details
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name couldn't be resolved.
Additional Details
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
September 10th, 2012 7:48am
You don't have any method to reach your autodiscover service, you need to either set one up by creating an external DNS A record for autodiscover.domain.com pointing to the CAS or using the SRV redirect method.
Does your cert have autodiscover.domain.com?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 10th, 2012 9:54am
I guess I'm not sure what you mean because I can reach it by entering the URL you gave me above:
https://remote.company.com/autodiscover/autodiscover.xml
I get a login screen when I go to that address.
No the cert does not include autodiscover.
Do I really need the cert for that?? The Autodiscover problems we are having are all internal, we are just trying to get our anti-spam software to work correctly.
September 10th, 2012 2:25pm
Yes, because that's the direct URL; however, Outlook is hard coded to look for the URL autodiscover.domain.com or domain.com
Since you don't have autodiscover.domain.com included in your cert you can either get a new one re-issued that includes both remote.company.com and autodiscover.company.com. If you don't want to get a new cert then you can use the SRV method.
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881
Now the http 401 error is a separate issue. I would go ahead and run Exchange Best Practice Analyzer to see if it detects any configuration issues with your autodiscover directory\files.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 10th, 2012 3:03pm
It won't even see the certificate if you don't have an A record for autodiscover.domain.com.
It's right there in the ExRCA output:
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name couldn't be resolved.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
September 10th, 2012 3:51pm
I guess I still don't understand why I need an external A record for the autodiscover... I am just trying to get our spam software to work internally. I have installed this same anti-spam software on other 2007 and 2010 servers with no trouble and I have never set up an A record for autodiscover.
I did just set up an SRV record on our internal DNS.
I also ran the Exchange Best Practices and the only errors/alerts I got were for the incoming message size was too large.
September 10th, 2012 3:56pm
What is the specific issue with the spam software? It may not be related to autodiscover at all. Setting up SRV record for internal domain joined clients will use SCP lookup and not DNS lookup. You will need to create it in external DNS.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 10th, 2012 6:44pm
You're the one who asked about Autodiscover! It's right in the forum thread title!
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
September 10th, 2012 8:56pm
Yes I did ask about Autodiscover, here is what was in my initial post:
It is VIPRE Email security, formerly called Ninja. I worked with their support and we determined it is an Autodiscover issue. When we run test-outlookwebservices we get this error: The remote server returned an error: (401) Unauthorized.
Our spam software is VIPRE Email Security and it is not creating the 'spam' folders and moving the spam to them in Outlook. Like I have said I worked with their support and they are telling me Autodiscover is not working correctly as is shown when we run test-outlookwebservices. They are telling me it uses Autodiscover to initially create the folders when the first spam message is found and then move the spam emails to that folder every time after that. I can see that it is catching spam and giving it a 'score' but then it just delivers it to the inbox because it cannot create the folder or move the message to that folder.
September 10th, 2012 9:48pm
Hi scs-04,
The test result is returned by Online test for ActiveSync and EXTERNAL Autodiscover, which is different from the internal test-outlookwebservices, your initial question in this thread.
Please provide the result of test-outlookwebservices, thanks.
Fiona Liao
TechNet Community Support
September 10th, 2012 10:09pm
Here are the results:
[PS] C:\Windows\system32>test-outlookwebservices | fl
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address SuperLogin@domain.com
Id : 1007
Type : Information
Message : Testing server server.domain.local with the published name https:
//remote.domain.com/EWS/Exchange.asmx & https://remote.domain.com/EWS/Exchange.asmx.
Id : 1019
Type : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover
URL on this object is https://remote.domain.com/Autodiscover/Au
todiscover.xml.
Id : 1013
Type : Error
Message : When contacting https://remote.domain.com/Autodiscover/Autodisco
ver.xml received the error The remote server returned an error: (401)
Unauthorized.
Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.
September 11th, 2012 8:12am
Check the NTFS permissions on the autodiscover.xml file, make sure auth users are listed with read and list and it's inheriting perms. You checked the parent folder earlier but check the file as well. Also confirm the IIS setting as well.
In IIS check the Autodiscover Vdir
Autodiscover
Basic authentication
Windows authentication
SSL required
Require 128-bit encryption
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 11th, 2012 10:29am
Yes the .xml file has Read & Execute and also Read for Auth. Users and it is inheriting.
I checked the IIS before and everything is still correct.
September 11th, 2012 4:01pm
Under 'Advanced' the Auth. Users has Traverse folder, list folder, read attributes, and read extended...
September 11th, 2012 4:03pm
Please try to access the URL https://remote.domain.com/Autodiscover/Autodiscover.xml from the computer you run this cmdlet on. The expected result should be an error code 600.
If there is any error, try https://localhost/autodiscover/autodiscover.xml on your CAS server console, and then search the IIS log for the exact error code.
Reminder: ping this URL to make sure it is pointing to the correct CAS server.
Hope it is helpful.
Fiona Liao
TechNet Community Support
September 11th, 2012 10:01pm
Thanks for all the help so far.
When I go to https://remote.domain.com/Autodiscover/Autodiscover.xml I get a login prompt but I cannot login. I have tried my user account and the Administrator user account but I can never login. After 3 attempts I get the following error:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
Detailed Error Information
Module: WindowsAuthenticationModule
Notification: AuthenticateRequest
Handler: AboMapperCustom-1175415
Error Code: 0x8009030c
Requested URL: https://remote.domain.com:443/Autodiscover/Autodiscover.xml
Physical Path: C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover\Autodiscover.xml
Logon Method: Not yet determined
Logon User: Not yet determined
Most likely causes:
The username supplied to IIS is invalid.
The password supplied to IIS was not typed correctly.
Incorrect credentials were cached by the browser.
IIS could not verify the identity of the username and password provided.
The resource is configured for Anonymous authentication, but the configured anonymous account either has an invalid password or was disabled.
The server is configured to deny login privileges to the authenticating user or the group in which the user is a member.
Invalid Kerberos configuration may be the cause if all of the following are true:
  Integrated authentication was used.
  The application pool identity is a custom account.
  The server is a member of a domain.
When I go to https://localhost/autodiscover/autodiscover.xml on the Exchange server I get the error code 600:
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="07:12:59.2120640" Id="1541759194">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
September 12th, 2012 7:20am
It is the correct IP when I ping remote.domain.com
September 12th, 2012 7:21am
Go ahead and try to recreate the autodiscover virtual directory, remove just the autodiscover virtual directory then create a new one.
http://my.opera.com/RavenOverride/blog/2009/06/17/how-to-recreate-all-virtual-directories-for-exchange-2007
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 12th, 2012 11:58am
Thanks.
You got 401 on the client computer and got 600 in the CAS server console, so the Autodiscover service virtual directory is working fine, and the permission is set up correctly.
The problem is caused by the credentials provided on the client computer. As the message describes, the error 401 could be caused by various factors. My suggestion is:
1. Verify your firewall configuration if there is any;
2. The user account you used to run the cmdlet and test the URL does not have sufficient permission, try to log on as another admin account when you are prompted;
3. Check the IIS log for more detailed error code. Refer to:
http://support.microsoft.com/kb/318380
Hope it is helpful.
Fiona Liao
TechNet Community Support
September 12th, 2012 9:22pm
I have turned off the firewall on the server completely, but still nothing.
I have tried logging in with my user account and also the Admin account, where are the permissions set?
When I run the 'test-outlookwebservices' on the Exchange server console I get this in the log file:
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 0
2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 1
2012-09-13 11:40:44 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1
September 13th, 2012 7:45am
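In the log lines of the post above, the three numbers before the last column are sc-status, sc-substatus and sc-win32-status. The PowerShell below is an added example, not from any poster in this thread, that decodes them and flags requests whose client and server address are the same host; the field order and the function name ConvertFrom-IisAuthLogLine are assumptions, so check the "#Fields:" header of the real log.

```powershell
# Constructed sample: three of the IIS log lines quoted in the post above.
$sampleLines = @(
    '2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 2 5 1',
    '2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074254 0',
    '2012-09-13 11:39:45 192.168.1.2 POST /Autodiscover/Autodiscover.xml - 443 - 192.168.1.2 - 401 1 2148074252 1'
)

# Assumed field order, inferred from the sample lines; the real order is
# in the "#Fields:" header at the top of each IIS log file.
$fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
          'cs-username','c-ip','cs(User-Agent)','sc-status','sc-substatus',
          'sc-win32-status','time-taken'

# Documented meanings of the values that occur in this thread.
$subStatus = @{
    '401.1' = 'Logon failed'
    '401.2' = 'Logon failed due to server configuration'
}
$win32 = @{
    '0x00000005' = 'ERROR_ACCESS_DENIED'
    '0x8009030C' = 'SEC_E_LOGON_DENIED'
    '0x8009030E' = 'SEC_E_NO_CREDENTIALS'
}

# Hypothetical helper name; returns one object per 401 line, nothing otherwise.
function ConvertFrom-IisAuthLogLine {
    param([string]$Line)
    if ($Line -match '^\s*(#|$)') { return }          # directives, blank lines
    $parts = @($Line.Trim() -split '\s+')
    if ($parts.Count -ne $fields.Count) { return }    # unexpected layout
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
    if ($row['sc-status'] -ne '401') { return }

    $status = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
    # sc-win32-status is logged as unsigned decimal; show it as the hex
    # code IIS prints on its error page (0x8009030c in an earlier post).
    $hex = '0x{0:X8}' -f [uint32]$row['sc-win32-status']

    New-Object PSObject -Property @{
        Time      = '{0} {1}' -f $row['date'], $row['time']
        Status    = $status
        Meaning   = $subStatus[$status]
        Win32Hex  = $hex
        Win32Name = $win32[$hex]
        User      = $row['cs-username']
        # Same address on both sides: the server is calling its own site.
        SameHost  = ($row['s-ip'] -eq $row['c-ip'])
    }
}

$sampleLines | ForEach-Object { ConvertFrom-IisAuthLogLine $_ } |
    Format-Table Time, Status, Meaning, Win32Hex, Win32Name, SameHost -AutoSize
```

For the sample lines, 2148074252 decodes to 0x8009030C, the same error code shown on the IIS 401.1 page quoted earlier, and every row has SameHost set to True because 192.168.1.2 is both the server and the client address.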
It is 401.1, logon failed.
Did you notice any difference when you log on from the client computer and from the CAS server?
Fiona Liao
TechNet Community Support
September 13th, 2012 9:31am
The permission is set up in the /Autodiscover virtual directory in IIS manager.
You may also verify the default permission configuration:
http://blogs.technet.com/b/exchange/archive/2008/02/01/3404755.aspx
Fiona Liao
TechNet Community Support
September 13th, 2012 9:49am
When trying to go to https://remote.domain.com/Autodiscover/Autodiscover.xml from a client computer I do get a login screen and when I login with the administrator user and password I get this page:
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="07:50:06.3970640" Id="1541759194">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
When doing it from the CAS/Exchange server I get the HTTP Error 401.1 listed a couple posts above.
September 19th, 2012 7:58am