Cannot make autodiscovery work internally - "401 The target principal name is incorrect"

Hi all

I'm in the process of migrating Exchange 2010 to 2013. I've already installed a two node multirole cluster of Exchange 2013, using the same cert I'm already using on the Exchange 2010.

My internal windows domain "internaldomain.lan" is different from the public domain "publicdomain.com".

In my Exchange 2010 environment the autodiscovery is working fine, and when I try to browse https://webmail.internaldomain.lan/autodiscover/autodiscover.xml, it works correctly (returns 600).

But when trying to browse Exchange 2013 autodiscovery through the same URL (forcing DNS resolution through the hosts file), IIS returns a 401 error. It never accepts the login credentials.

The Test-OutlookProviders command shows 401

ScenarioDescription : Autodiscover: Outlook Provider
Result              : Failure
Latency             : 61
Error               : System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect

"The target principal name is incorrect" seems to indicate there is a problem with the certificate.

My certificate has a "webmail.publicdomain.com" principal name, and lots of SANs: "autodiscover.<smtpdomains>" and one "webmail.internaldomain.lan".

Forcing hosts to resolve those names to CAS 2013 works for them except for the "webmail.internaldomain.lan"

Tried to force Outlook providers to "msstd:webmail.publicdomain.com" but with no result.

Any idea about what the problem can be or how I can solve this situation?

Thanks!

May 4th, 2015 9:05am

Hi ,

Please point the autodiscover host A record "webmail.internaldomain.lan" to the Exchange 2013 CAS servers, so that Exchange 2010 users' autodiscover requests will be proxied from Exchange 2013 to Exchange 2013.

Then Exchange 2013 users' autodiscover requests will go directly to the Exchange 2013 CAS servers.

Note :

We need to make sure that the internal autodiscover URI is configured for the Exchange 2010 and Exchange 2013 servers as below.

https://webmail.internaldomain.lan/autodiscover/autodiscover.xml

Then make sure both the Exchange 2010 and Exchange 2013 CAS servers have the SAN certificate installed and enabled for the required services. In our case it is IIS.

Then for Exchange 2010 and Exchange 2013 users we need to make sure that the autodiscover URL is set in the Internet Explorer proxy exceptions.

Then make sure the internal Outlook Anywhere name in Exchange 2013 is properly configured with any one of the names available on the SAN certificate.

When we try to resolve that internal Outlook Anywhere name in the internal Active Directory DNS, it should get resolved to the Exchange 2013 CAS servers.

May 4th, 2015 9:22am

Thanks for your response!

But:

I'm pointing my PC through the hosts file instead of an A record on the corporate DNS, to avoid all my users getting a popup because my autodiscovery 2013 is not working correctly.

The same autodiscover internal URI is configured for the Exchange 2010 & 2013 servers (https://webmail.internaldomain.lan/autodiscover/autodiscover.xml).

The same third party certificate I've mentioned is on all CAS servers and configured to be used by IIS (instead of the default certificates).

I'm testing the access to the autodiscover service using a browser with no proxy configuration.

The "webmail.internaldomain.lan" name is one of the SAN names of the certificate.


May 4th, 2015 3:15pm

Hi Javi,

Are you saying that if you browse to the URL https://localhost/autodiscover/autodiscover.xml it works, and https://webmail.internaldomain.lan/autodiscover/autodiscover.xml fails, from the same CAS server?

If not, what is the result of https://localhost/autodiscover/autodiscover.xml?

May 5th, 2015 3:23am


Hi Satyajit

When I try to access autodiscovery through the URL "https://webmail.internaldomain.lan/autodiscover/autodiscover.xml":

- When webmail.internaldomain.lan points to Exchange 2010

- When webmail.internaldomain.lan points to Exchange 2013, cannot authenticate, 401 error


The Test-OutlookProviders command shows 401 when pointing webmail.internaldomain.lan to Ex2010 through the hosts file.

RunspaceId          : 381dfddf-915e-4674-99a2-14f02cc817c4
Source              : mailserver01.internaldomain.lan
ServiceEndpoint     : webmail.internaldomain.lan
Scenario            : AutoDiscoverOutlookProvider
ScenarioDescription : Autodiscover: Outlook Provider
Result              : Failure
Latency             : 10
Error               : System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
                         at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode)

When webmail.internaldomain.lan points to Ex2010:

RunspaceId          : 381dfddf-915e-4674-99a2-14f02cc817c4
Source              : mailserver01.bilbokoudala.lan
ServiceEndpoint     : webmail.internaldomain.lan
Scenario            : AutoDiscoverOutlookProvider
ScenarioDescription : Autodiscover: Outlook Provider
Result              : Success
Latency             : 118
Error               :
Verbose             : [2015-05-05 09:08:49Z] Autodiscover connecting to 'https://webmail.internaldomain.lan/autodiscover/autodiscover.xml'.
                      [2015-05-05 09:08:49Z] Test account: user Password: ******
                      [2015-05-05 09:08:49Z] Autodiscover request:
                      User-Agent: PROBUZ21/Test-OutlookWebServices/useremail@smtpdomain
                      Content-Type: text/xml; charset=utf-8
                      Authorization: Negotiate YIIHqgYGKwYBBQUCoIIHnjCCB5qgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqK
                      CAAAACjggY1YYIGMTCCBi2gAwIBBaESGxBCSUxCT0tPVURBTEEuTEFOoiswKaADAgECoSIwIBsESFRUUBsYd2VibWFpbC5iaWxib2tvdWRhbGEubGFuo4IF4

May 5th, 2015 5:11am

Hi Javi,

Thanks for the update.

I would like to know what happens when you log in to Exchange 2013 and open the below URL in IE.

URL: https://localhost/autodiscover/autodiscover.xml

May 5th, 2015 7:15am

Hi Javi,

Are you saying that if you browse to the URL https://localhost/autodiscover/autodiscover.xml it works, and https://webmail.internaldomain.lan/autodiscover/autodiscover.xml fails, from the same CAS server?

If not, what is the result of https://localhost/autodiscover/autodiscover.xml?

Also make sure your certificate is assigned to the IIS service on your Exchange server.

A few related links for the error:

The remote server returned an error: (401) Unauthorized

Outlook 2013 Test Autodiscover

Exchange 2010 AutoDiscover 401 unauthorized

May 5th, 2015 7:22am

Hi,

We can point "webmail.publicdomain.com" to Exchange 2013, point "webmail.internaldomain.lan" to Exchange 2010.

Then run the following command to set the autodiscover service in Exchange 2013 server:

Set-ClientAccessServer -Identity CAS2013 -AutodiscoverServiceInternalUri https://webmail.publicdomain.com/autodiscover/autodiscover.xml

Then restart IIS service by running IISReset from a command prompt window to have a try.

Regards,

May 5th, 2015 7:35am

It does work for https://localhost/autodiscover/autodiscover.xml on the Exchange 2013 server.

Other names work too:

webmail.publicdomain.com

autodiscover.smtppublicdomain1

autodiscover.smtppublicdomain2

...

Thanks Satyajit


May 5th, 2015 7:36am

Hi Winnie

I've tested that without changing the AutodiscoverServiceInternalUri of CAS2013, using a browser, and it works.

But I don't want the internal clients to use the publicdomain URL.

Thanks

May 5th, 2015 7:40am

Solved

The problem was related to Kerberos and SPNs.

https://technet.microsoft.com/en-us/library/ff808312.aspx

http://blogs.technet.com/b/exchange/archive/2015/02/20/exchange-2013-and-exchange-2010-coexistence-with-kerberos-authentication.aspx

  • Marked as answer by Javi Somoza 20 hours 4 minutes ago
May 12th, 2015 6:13am

Hi Javi,

Thanks for the update.

It would be nice if you could add some more info on how you identified and resolved it.

Else please mark the answer so that it shows as Resolved.

May 12th, 2015 7:13am

I'll try to explain what I have understood as best I can.

This event was being logged:

System
Security-Kerberos
Event-ID 4

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server mailserver01$. The target name used was HTTP/webmail.internaldomain.lan. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (internaldomain.lan) is different from the client domain (internaldomain.lan), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

This is not an Exchange 2013 issue. In Exchange 2010, I also configured Kerberos, an ASA account and SPNs, and I forgot about it. jeje.

So, to solve this problem, an alternate service account and SPN registrations must be configured:

For an Exchange 2010 CAS array see:
http://blogs.technet.com/b/kpapadak/archive/2011/03/13/setting-up-kerberos-with-a-client-access-server-array.aspx

For Exchange 2013 see:
https://technet.microsoft.com/en-us/library/ff808312.aspx

For an Exchange 2010 to 2013 migration (coexistence) see:

http://blogs.technet.com/b/exchange/archive/2015/02/20/exchange-2013-and-exchange-2010-coexistence-with-kerberos-authentication.aspx

If you also configured an ASA account on Exchange 2010, you cannot use the same for Exchange 2013.

Like I said, I'm in the process of migration. Still using CAS2010 servers to access 2010 mailboxes but trying to use CAS2013 servers to access 2010 mailboxes. So I had to:

1. Create a new ASA account for EXCH 2013:

    New-ADComputer -Name EXCH2013ASA -AccountPassword (Read-Host 'Enter password' -AsSecureString) -Description 'Alternate Service Account credentials for Exchange 2013' -Enabled:$True -SamAccountName EXCH2013ASA

2. Associate the service account to the CAS2013 servers

    2.1 For the first one:
    .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer mailserver01.internaldomain.lan -GenerateNewPasswordFor internaldomain\EXCH2013ASA$

    2.2 Additional ones (copy the credential already set on the first server):
    .\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer mailserver02.internaldomain.lan -CopyFrom mailserver01.internaldomain.lan

3. Delete the 2010 ASA account SPNs

    3.1 List SPNs
    setspn -L internaldomain\EXCH2010ASA

            exchangeMDB/webmail.internaldomain.lan
            exchangeAB/webmail.internaldomain.lan
            exchangeRFR/webmail.internaldomain.lan
            http/webmail.internaldomain.lan
            http/autodiscover.internaldomain.lan

    3.2 Delete SPNs (setspn -D removes an SPN from the given account)

    setspn -D http/autodiscover.internaldomain.lan bilbokoudala\EXCH2010ASA$
    setspn -D http/webmail.internaldomain.lan bilbokoudala\EXCH2010ASA$
    setspn -D exchangeRFR/webmail.internaldomain.lan bilbokoudala\EXCH2010ASA$
    setspn -D exchangeAB/webmail.internaldomain.lan bilbokoudala\EXCH2010ASA$
    setspn -D exchangeMDB/webmail.internaldomain.lan bilbokoudala\EXCH2010ASA$

4. Create the 2013 ASA account SPNs (setspn -S adds the SPN only if it is not already registered elsewhere, which avoids creating duplicates)

    setspn -S http/autodiscover.internaldomain.lan bilbokoudala\EXCH2013ASA$
    setspn -S http/webmail.internaldomain.lan bilbokoudala\EXCH2013ASA$
    setspn -S exchangeRFR/webmail.internaldomain.lan bilbokoudala\EXCH2013ASA$
    setspn -S exchangeAB/webmail.internaldomain.lan bilbokoudala\EXCH2013ASA$
    setspn -S exchangeMDB/webmail.internaldomain.lan bilbokoudala\EXCH2013ASA$

Warning: Coexistence regarding SPNs doesn't mean that the SPNs will work for both environments (2010 and 2013). Now the SPNs work with 2013 but do not work with 2010, so, to avoid problems, the Exchange 2010 mailboxes should now be accessed through the 2013 CAS servers.





  • Marked as answer by Javi Somoza 19 hours 38 minutes ago
May 12th, 2015 7:50am
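The root cause above (an SPN held by the wrong account, or by two accounts, so the CAS cannot decrypt the ticket and IIS answers 401 with "The target principal name is incorrect") can be checked before touching anything. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, and the SPN list and ASA account name are placeholders copied from the thread.

```powershell
# Added example (not from the thread): report which AD account owns each Exchange SPN.
# Security-Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED) plus the 401 "target principal name
# is incorrect" is the signature of an SPN that is missing, duplicated, or registered on
# an account other than the ASA the CAS servers actually use.
param(
    # Expected SPNs: the set the thread moved from EXCH2010ASA to EXCH2013ASA (placeholders)
    [string[]]$ExpectedSpns = @(
        'http/webmail.internaldomain.lan',
        'http/autodiscover.internaldomain.lan',
        'exchangeMDB/webmail.internaldomain.lan',
        'exchangeAB/webmail.internaldomain.lan',
        'exchangeRFR/webmail.internaldomain.lan'
    ),
    # sAMAccountName of the ASA computer account (computer objects end in $); placeholder
    [string]$ExpectedOwner = 'EXCH2013ASA$'
)
Import-Module ActiveDirectory

function Test-ExchangeSpnOwnership {
    param([string[]]$Spns, [string]$Owner)
    $findings = @()
    foreach ($spn in $Spns) {
        # servicePrincipalName matching in AD is case-insensitive, so http/ and HTTP/ both match
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                    Select-Object -ExpandProperty sAMAccountName)
        $state = switch ($owners.Count) {
            0       { 'MISSING' }       # no account holds it: the KDC cannot issue a ticket for it
            1       { if ($owners[0] -ieq $Owner) { 'OK' } else { 'WRONG-ACCOUNT' } }
            default { 'DUPLICATE' }     # KDC may encrypt the ticket for the other account: Event ID 4
        }
        $findings += [pscustomobject]@{ Spn = $spn; State = $state; Owners = ($owners -join ', ') }
    }
    return $findings
}

$results = Test-ExchangeSpnOwnership -Spns $ExpectedSpns -Owner $ExpectedOwner
$results | Format-Table -AutoSize
if ($results | Where-Object State -ne 'OK') {
    # setspn -X lists forest-wide duplicates; the Exchange cmdlet shows which ASA each CAS holds
    Write-Warning 'SPN problems found. Cross-check with: setspn -X and Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus'
}
```

Run it as a domain user with read access to AD before and after the setspn changes; every row should read OK with the 2013 ASA as owner once the migration steps above are complete.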

Thank you Javi.
May 12th, 2015 11:00am
