Exchange 2010 free/busy not visible to Exchange 2007 users
Hi,

I am very close to finalising migration from Exchange 2007 SP3 to Exchange 2010 SP2, but just have one small problem. My mailbox is on Exchange 2010 SP2, and I can see Free/Busy for all users who are on Exchange 2007. All 3000 users on Exchange 2007 can see each other's free/busy, but for me they see grey diagonal lines.

I am able to verify that Autodiscover works (hold CTRL, right click on Outlook icon in tasktray, uncheck GuessSmart and test comes out as all OK). I get an HTTP Availability URL of https://Webmail.CompanyName.com/ews/Exchange.asmx and when I visit the page, I get a WSDL page with XML. In the Exchange RPC Availability URL it is https://CASserverSiteA.CompanyFullName.local/ews/Exchange.asmx (which is a CNAME for the DNS entry of the NLB VIP for the same URL above), and when I visit it I get challenged for authentication and then can never access the site.

My mailbox is in "SiteA" and some test mailboxes in "SiteB" are working fine and I can access https://CASserverSiteB.CompanyFullName.local/ews/Exchange.asmx with no problem. I have looked at the permissions and the authentication of the IIS sites for the CAS arrays in SiteA and SiteB, and I cannot find any differences in settings. The access to webmail.companyname.com and CASserverSiteA.CompanyFullName.local is directed to the same IIS site and this has a SAN certificate which contains all the DNS names of all possible ways to access the CAS array.

Where can I continue to investigate why one site does not permit integrated authentication when the site is accessed through a different URL? Does anyone have an idea of why the configuration differs between the different sites? How can I fix this?

Thanks for help.
January 29th, 2012 11:17pm

Hi Chris,

Is it happening to you only or to other users also? Run this command on your client machine:

outlook /cleanfreebusy

Note: Make sure that your Outlook is in online mode when you are running this command. Post the update.

Gulab Prasad, MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007 | MCITP: Lync Server 2010 | MCITP: Windows Server 2008
My Blog | Z-Hire Employee Provisioning App
Skype: Exchange.Ranger
January 30th, 2012 4:17am

Hi,

First we need to solve the issue that you can't access the EWS on the CASServerSiteA. What happens when you try to access it from the server like this: https://localhost/ews/Exchange.asmx

Can you connect to EWS successfully after providing the credentials?

Regards,
Johan
Exchange-blog: www.johanveldhuis.nl
January 30th, 2012 5:15am

Thanks Johan, yes I already tried that (sorry, should have mentioned it in the email). The only one site that prompts for login and does not present the XML content is the VIP of the CAS array that is configured as the "Internal Availability Service URL" in Autodiscover for Exchange RPC protocol:

https://CASserverSiteA.CompanyFullName.local/ews/Exchange.asmx (this is the VIP in the NLB array, 192.168.1.25) - this prompts for login
https://CASserverSiteB.CompanyFullName.local/ews/Exchange.asmx (this is the VIP in the other site's NLB array, 192.168.3.25) - this works
https://CASmember1inSiteA.CompanyFullName.local/ews/Exchange.asmx (this is one host in Site A, 192.168.1.20) - this works
https://localhost/ews/Exchange.asmx (this is one host in Site A, 192.168.1.20 - performed from that machine's console) - this works, but with a certificate error as expected, as the SAN certificate does not contain "localhost" as a valid name.
https://CASmember2inSiteA.CompanyFullName.local/ews/Exchange.asmx (this is one host in Site A, 192.168.1.21) - this works
https://Webmail.CompanyName.com/ews/Exchange.asmx (this resolves to the VIP in the NLB array, 192.168.1.25) - this works
https://Webmail.CompanyFullName.local/ews/Exchange.asmx (this resolves to the VIP in the NLB array, 192.168.1.25) - this works
https://legacy.CompanyName.com/ews/Exchange.asmx (this resolves to the VIP in the NLB array, 192.168.1.25) - this works
https://autodiscover.CompanyName.com/ews/Exchange.asmx (this resolves to the VIP in the NLB array, 192.168.1.25) - this works
https://autodiscover.CompanyFullName.local/ews/Exchange.asmx (this resolves to the VIP in the other site's NLB array, 192.168.3.25) - this works

So, as you can see, I get success in all attempts to access the EWS site, except by the name that is assigned to the VIP of the CAS array in just one site, where it prompts for credentials. All the accesses go to the same IP address, and hence the same IIS site. This is why it is confusing because the configuration and settings are working...

And for your second question, no - after attempting to authenticate I get prompted again for my credentials and never get access, and never get an error message - although it does redirect to /ews/Services.wsdl and keeps prompting.

Interestingly, I also constantly get prompted for authentication to OCS 2007R2 when it is trying to integrate to Outlook.

Thanks for any advice
January 30th, 2012 5:59pm
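
The URL-by-URL comparison in the post above can be scripted. This is an added example, not part of the original thread: it requests each EWS URL with the logged-on user's credentials and reports the HTTP status, the elapsed time and the authentication schemes the server offered. The hostnames are the thread's placeholders and Test-EwsIntegratedAuth is a hypothetical helper name.

```powershell
# Added example. Hostnames are the placeholder names used in the thread;
# replace them with the real internal and external EWS names.
$urls = @(
    'https://CASserverSiteA.CompanyFullName.local/ews/Exchange.asmx',
    'https://CASserverSiteB.CompanyFullName.local/ews/Exchange.asmx',
    'https://CASmember1inSiteA.CompanyFullName.local/ews/Exchange.asmx',
    'https://Webmail.CompanyName.com/ews/Exchange.asmx'
)

function Test-EwsIntegratedAuth {   # hypothetical helper name
    param([string]$Url)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true    # logged-on user, no prompt
    $req.AllowAutoRedirect     = $false   # report the first answer, not a redirect target
    $req.Timeout               = 60000    # ms; the thread reports a long delay before the prompt

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $resp = $null; $detail = ''
    try {
        $resp = $req.GetResponse()
    } catch {
        # PowerShell may wrap the WebException; walk down to it.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex) { $resp = $ex.Response; $detail = $ex.Status.ToString() }
        else     { $detail = $_.Exception.Message }
    }
    $timer.Stop()

    $status = 'none'; $offered = ''
    if ($resp) {
        $status  = [int]$resp.StatusCode
        # Schemes the server offered (e.g. Negotiate, NTLM); empty on a 200.
        $offered = $resp.Headers.GetValues('WWW-Authenticate') -join ', '
        $resp.Close()
    }
    New-Object PSObject -Property @{
        Url = $Url; Status = $status; Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        Offered = $offered; Detail = $detail
    }
}

$urls | ForEach-Object { Test-EwsIntegratedAuth $_ } |
    Format-Table Url, Status, Seconds, Offered, Detail -AutoSize
```

Run it from a domain-joined client as the affected user. A name that returns 401 while the other names on the same VIP return 200 is the row to compare against the working ones.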

Quick update - I temporarily changed the "InternalURL" to one that works, and now Availability (free/busy) is working - but to the "wrong" url.

Set-WebServicesVirtualDirectory -Identity "CASmember1inSiteA\EWS (Default Web Site)" -InternalURL "https://autodiscover.CompanyName.com/ews/Exchange.asmx"
Set-WebServicesVirtualDirectory -Identity "CASmember2inSiteA\EWS (Default Web Site)" -InternalURL "https://autodiscover.CompanyName.com/ews/Exchange.asmx"
iisreset /noforce

This then resulted in all Exchange 2007 users being able to see availability of all Exchange 2010 users in SiteA. Testing Autodiscover (hold CTRL, right click on Outlook icon in tray and choose "Test E-Mail Autoconfiguration") shows the new URL and also OCS 2007 R2 is fixed.

But - this is not the "right" URL for Free/Busy and Exchange Web Services. So - no longer is this causing problems but I still need to resolve the issue and return config to "https://CASserverSiteA.CompanyFullName.local/ews/Exchange.asmx"
January 30th, 2012 7:30pm

Hi,

Which names are listed on the certificate and what functions do work when you change the url to the original one which caused issues?

Regards,
Johan
Exchange-blog: www.johanveldhuis.nl
January 31st, 2012 7:38am

Thanks for helping Johan.

The certificate lists all the names that I have listed above, plus the hostname of the servers and smtp.CompanyFullName.local - the certificate also has CASserverSiteB.CompanyFullName.local and CASserverSiteB.CompanyName.com so that we can use the CAS servers for failover of a site.

Internet Explorer has *.CompanyFullName.Local and *CompanyName.com listed in "Intranet Sites" and I have tried adding them to "trusted sites" and this makes no difference. Security settings state that "Automatic logon only in Intranet zone" for integrated authentication.

If a user attempts to visit https://CASserverSiteA.CompanyName.com/OWA then they get instant login to Outlook Web App, but if they go to https://CASserverSiteA.CompanyFullName.local/OWA then they get prompted for login, just like the EWS issue.

I still cannot access https://CASserverSiteA.CompanyFullName.local/ews/Exchange.asmx without constantly being prompted for login. If Autodiscover is configured to provide this as the InternalURL for EWS, then Free/Busy stops working, OCS stops being able to connect to Exchange/Outlook and the noise of complaining users gets more annoying than usual.

And, as before, if I visit https://CASserverSiteB.CompanyFullName.local/OWA it works ok, just like https://CASserverSiteB.CompanyFullName.local/EWS/Exchange.asmx

So, any idea why this one CAS array prompts for login based on one URL?
January 31st, 2012 5:58pm

I am suspecting it is related to a Windows kernel authentication related issue. Did you check the application event log and the IIS log in the CAS members in SiteA? Also, a network monitor log can be helpful.

Fiona Liao
TechNet Community Support
February 1st, 2012 1:51am

Additional questions: How did you build up the NLB for your CASArray in siteA? Windows NLB or HNLB? What is the casarray name and the VIP? Thanks.

Fiona Liao
TechNet Community Support
February 1st, 2012 3:07am

Thanks for your replies Fiona,

Kernel authentication works on the site for other attempts to access the site - and Kernel Mode Authentication is working for all other URLs - how would you recommend that I investigate this issue?

The application event log shows no failures or other events that are related to the client being unable to authenticate to the site. I have not checked the IIS logs for the CAS array member, I will check that soon.

The CAS Array was built based on standard Microsoft recommendation - create a Windows NLB array with WLBS, then install Exchange 2010 CAS and HT role, then created the array with New-ClientAccessArray (as per http://blogs.technet.com/b/omers/archive/2010/10/11/microsoft-exchange-2010-cas-array-steps-and-recommendations.aspx).

I have shown the CAS Array names and IP addresses in my previous post - all URLs are directed to the VIP of the array. We have one CAS array that works with all URLs, and another that works with all URLs except one (see above), and that is unfortunately the one address that I need to get working!

Anything else that I can provide? Any other ideas for me to investigate?
February 1st, 2012 5:20am

I have investigated the IIS logs, and there are no reports of any error in authentication or access. This makes total sense because I am getting prompted for authentication and not granted access, so it would not be logged that I cannot access the IIS site. Also, the IIS logs do not show the domain name or hostname that was accessed, only the referential path (such as /OAB) and not the FQDN that was accessed.

Accessing the site that prompts for login normally takes a long time before it prompts for login - implying to me that it is attempting to get to the site through Integrated Authentication first and then some sort of timeout happens.

I have done a file search in the C:\Program Files\Microsoft\Exchange\V14 folder (to look in all web.config files etc) and there is no reference at all to CompanyName.com or CompanyFullName.local.

Our AD domain has the name of CompanyFullName.local - which is why I need to get it to work on the CAS array NLB VIP and DNS name CASserverSiteA.CompanyFullName.local.

Kernel Mode authentication is not enabled on any Exchange 2010 Client Access Server, either the working ones or the ones where it does not allow access without prompting for login.
February 2nd, 2012 1:07am

Hi,

Can you make a hosts entry on the client machine and point it to the CAS server, e.g.

cas server IP address    CAS array name

Check if free\busy is working, then check with a different CAS server by changing the IP address.

Johnbosco
February 7th, 2012 4:29am

This topic is archived. No further replies will be accepted.
