Test-OutlookWebServices issues...
Hello all -

Beating my head against a wall on this for over a week and making slow progress.

Before getting too detailed, I have created a test environment with a single server hosting CAS/HUB roles and the Mailbox Role on a separate server. The CAS/Hub (NC10LABS050.corp.gklabs.net) is in a single member CAS Array called CorpMail.gklabs.net. I am planning my migration from Exchange 2003, which is also installed in this test lab.

Autodiscover (using testexchangeconnectivity.com) passes without any errors or warnings.

ExRCA is attempting to test Autodiscover for brett.favre@gklabs.net.
Autodiscover was tested successfully.
Test Steps

OWA and legacy owa work perfectly! Although I am able to connect to 2003 and 2010 mailboxes with OWA, I CAN NOT connect to the mailboxes with a mapi profile on the local domain!?!?!

Right now I am trying to troubleshoot the 'Test-OutlookWebServices -Identity Brett.Favre@gklabs.net' test, and I am getting some errors internally. The results are posted below:

I am curious as to why I am getting the SSL name mismatch along with the unauthorized errors... Why is it looking for NC10S050 in the Common Name of the SSL cert vs. the OWA.GKLabs.Net common name. I would at least have expected the test to look for the CASArray name instead of the Node name. Any input would be much appreciated.

[PS] C:\>Test-OutlookWebServices -identity Brett.Favre@gklabs.net
Creating a new session for implicit remoting of "Test-OutlookWebServices" command...

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1019
Type       : Information
Message    : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1013
Type       : Error
Message    : When contacting https://owa.gklabs.net/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1023
Type       : Error
Message    : The Autodiscover service couldn't be contacted.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of nc10labs050.corp.gklabs.net, instead the subject found is owa.gklabs.net. Consider correcting service discovery, or installing a correct SSL certificate.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1113
Type       : Error
Message    : When contacting https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1123
Type       : Error
Message    : The Autodiscover service couldn't be contacted.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1024
Type       : Success
Message    : [EXCH] Successfully contacted the AS service at https://owa.gklabs.net/EWS/Exchange.asmx. The elapsed time was 581 milliseconds.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1026
Type       : Success
Message    : [EXCH] Successfully contacted the UM service at https://owa.gklabs.net/EWS/Exchange.asmx. The elapsed time was 327 milliseconds.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1024
Type       : Success
Message    : [EXPR] Successfully contacted the AS service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 171 milliseconds.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1026
Type       : Success
Message    : [EXPR] Successfully contacted the UM service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 234 milliseconds.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1124
Type       : Success
Message    : [Server] Successfully contacted the AS service at https://nc10labs050.corp.gklabs.net/ews/exchange.asmx. The elapsed time was 140 milliseconds.

RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id         : 1126
Type       : Success
Message    : [Server] Successfully contacted the UM service at https://nc10labs050.corp.gklabs.net/ews/exchange.asmx. The elapsed time was 202 milliseconds.

Wall
December 2nd, 2010 10:12am

On Thu, 2 Dec 2010 15:03:33 +0000, Wall09 wrote:
>Hello all -
>
>Beating my head against a wall on this for over a week and making slow progress.
>
>Before getting too detailed, I have created a test environment with a single server hosting CAS/HUB roles and the Mailbox Role on a separate server. The CAS/Hub (NC10LABS050.corp.gklabs.net) is in a single member CAS Array called CorpMail.gklabs.net. I am planning my migration from Exchange 2003, which is also installed in this test lab.
>
>Autodiscover (using testexchangeconnectivity.com) passes without any errors or warnings. ExRCA is attempting to test Autodiscover for brett.favre@gklabs.net.
> Autodiscover was tested successfully.
> Test Steps
>
> OWA and legacy owa work perfectly! Although I am able to connect to 2003 and 2010 mailboxes with OWA, I CAN NOT connect to the mailboxes with a mapi profile on the local domain!?!?!
>
>Right now I am trying to troubleshoot the 'Test-OutlookWebServices -Identity Brett.Favre@gklabs.net' test, and I am getting some errors internally. The results are posted below:
>
>I am curious as to why I am getting the SSL name mismatch along with the unauthorized errors... Why is it looking for NC10S050 in the Common Name of the SSL cert vs. the OWA.GKLabs.Net common name. I would at least have expected the test to look for the CASArray name instead of the Node name. Any input would be much appreciated.

You're getting a 401 error connecting to the https://owa.gklabs.net/autodiscover/autodiscover.xml URL. You might want to check the authentication methods allowed on the autodiscover site and the underlying file system directory.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 2nd, 2010 10:44pm

The authentication methods allowed for Autodiscover are Anonymous, Basic and Windows. As for the Underlying File System Directory, I have verified in IIS 7 that Authenticated Users have 'Read & Execute', List Folder Contents and Read. Should I be looking anywhere else for permissions?

Wall
December 3rd, 2010 11:56am

Additional FYI -

I have recreated the Autodiscover Virtual Directory (as I have read in some other posts) and the Test-OutlookWebServices results are a bit different. Here they are:

[PS] C:\Windows\system32>Test-OutlookWebServices -identity Brett.Favre@gklabs.net

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1019
Type       : Information
Message    : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1006
Type       : Information
Message    : Contacted the Autodiscover service at https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1016
Type       : Information
Message    : [EXCH] The AS is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1015
Type       : Information
Message    : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1014
Type       : Information
Message    : [EXCH] The UM is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1016
Type       : Warning
Message    : [EXPR] The AS is not configured for this user in the AutoDiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1015
Type       : Information
Message    : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1014
Type       : Warning
Message    : [EXPR] The UM is not configured for this user in the AutoDiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1022
Type       : Success
Message    : Autodiscover was tested successfully.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1021
Type       : Information
Message    : The following web services generated errors: As,UM in EXPR. Use the previous output to diagnose and correct the errors.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of nc10labs050.corp.gklabs.net, instead the subject found is owa.gklabs.net. Consider correcting service discovery, or installing a correct SSL certificate.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1106
Type       : Information
Message    : Contacted the Autodiscover service at https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1116
Type       : Information
Message    : [EXCH] The AS is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1115
Type       : Information
Message    : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1114
Type       : Information
Message    : [EXCH] The UM is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1116
Type       : Warning
Message    : [EXPR] The AS is not configured for this user in the AutoDiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1115
Type       : Information
Message    : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1114
Type       : Warning
Message    : [EXPR] The UM is not configured for this user in the AutoDiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1122
Type       : Success
Message    : Autodiscover was tested successfully.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1121
Type       : Information
Message    : The following web services generated errors: As,UM in EXPR. Use the previous output to diagnose and correct the errors.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1024
Type       : Success
Message    : [EXCH] Successfully contacted the AS service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 124 milliseconds.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1026
Type       : Success
Message    : [EXCH] Successfully contacted the UM service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 15 milliseconds.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1124
Type       : Success
Message    : [Server] Successfully contacted the AS service at https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. The elapsed time was 483 milliseconds.

RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id         : 1126
Type       : Success
Message    : [Server] Successfully contacted the UM service at https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. The elapsed time was 15 milliseconds.

Wall
December 3rd, 2010 12:01pm

On Fri, 3 Dec 2010 16:54:19 +0000, Wall09 wrote:
>Additional FYI -
>
>I have recreated the Autodiscover Virtual Directory (as I have read in some other posts) and the Test-OutlookWebServices results are a bit different. here they are:

get-autodiscovervirtualdirectory | fl *url

Do you have an internal URL configured?

---
Rich Matheisen
MCSE+I, Exchange MVP
December 4th, 2010 5:52am

Hi

Can you run these commands and post the results in here

get-OwaVirtualDirectory | fl
get-ecpVirtualDirectory | fl
get-webservicesVirtualDirectory | fl
get-OABVirtualDirectory | fl
get-ActiveSyncVirtualDirectory | fl

Jonas Andersson
MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA
Blog: http://www.testlabs.se/blog
December 6th, 2010 3:41pm

Hi Rich - thanks for the reply, and here are the results.

[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory |fl *url
Creating a new session for implicit remoting of "Get-AutodiscoverVirtualDirectory" command...

InternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml
ExternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml

Wall
December 6th, 2010 4:41pm

On Mon, 6 Dec 2010 21:34:09 +0000, Wall09 wrote:
>Hi Rich - thanks for the reply, and here are the results.
>
>[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory |fl *url
>Creating a new session for implicit remoting of "Get-AutodiscoverVirtualDirectory" command...
>
>InternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml
>ExternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml

Well, the RPC-over-HTTPS works because the EXPR section of the autodiscover data uses the https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml URL. The RPC fails because the EXCH section of the autodiscover data uses the https://NC10LABS050.corp.GKLABS.NET URL and that name doesn't appear in the certificate you have installed on the server.

---
Rich Matheisen
MCSE+I, Exchange MVP
December 6th, 2010 10:22pm

I was under the impression that with a NLB CASarray that the FQDNs of the member nodes do not need to be on the SSL certificate. I have chatted with others running a CAS Array who state that they have not added the Node names (which NC10LABS050 is a member node) and all is working fine.

Also - the error is stating that the name NC10LABS050 is not the common name of the UCC cert (which OWA.GKLABS.com is the common name). So overall, I am a bit confused...

1. Why are some people able to run Autodiscover without the CAS Array node names in the cert?
2. If I add the node name to the cert it still will not have the node name as the common name of the UCC cert, so won't it still fail?

FYI - I have thought the same as your suggestion and ran the test after re-enabling the default cert with services - then the test fails stating that OWA.GKLABS.Net is not the common name... seems like I am running in circles.

Thanks for your input so far and I appreciate your time!

Wall
December 7th, 2010 1:08pm

On Tue, 7 Dec 2010 17:59:47 +0000, Wall09 wrote:
>I was under the impression that with a NLB CASarray that the FQDNs of the member nodes do not need to be on the SSL certificate. I have chatted with others running a CAS Array who state that they have not added the Node names (which NC10LABS050 is a member node) and all is working fine.

Does the EXCH section of their AutoDiscover data use the same names as the EXPR section? Yours don't.

>Also - the error is stating that the name NC10LABS050 is not the common name of the UCC cert (which OWA.GKLABS.com is the common name). So overall, I am a bit confused...

That shouldn't be confusing. It's just a statement of what is. NCLABS050 isn't the "Subject" of the certificate.

>1. Why are some people able to run Autodiscover without the CAS Array node names in the cert?

http://howtoexchange.wordpress.com/2009/12/16/configuring-client-access-array-for-exchange-2010-walkthrough/
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html

"Set-ClientAccessArray", "Set-ECPVirtualDirectory", or maybe "Set-MailboxDatabase <dbname> -RPCClientAccessServer . . ." may have been run incorrectly (or not at all).

>2. If I add the node name to the cert it still will not have the node name as the common name of the UCC cert, so won't it still fail?

Yes, it will. You need to get the EXCH portion of the AutoDiscover data to use the same name as the EXPR portion.

>FYI - I have thought the same as your suggestion and ran the test after re-enabling the default cert with services - then the test fails stating that OWA.GKLABS.Net is not the common name... seems like I am running in circles.

Yes, but now the circle's a lot smaller. :-)

---
Rich Matheisen
MCSE+I, Exchange MVP
December 7th, 2010 8:42pm

Thanks for the input...

>Yes, it will. You need to get the EXCH portion of the AutoDiscover data to use the same name as the EXPR portion.

Okay - maybe I am just ignorant, but how do I go about getting the EXCH to match the EXPR? I have followed the directions as closely as I can interpret them in the Autodiscover docs, but nothing seems to be clicking on how to do this.

* On a side note, while troubleshooting authentication with PSS yesterday, the tech said this was 'normal' when running the Test-OutlookWebServices from a CAS server that is a member of a WNLB CASArray. He stated I would get this on every CAS server that was a member of the Array and can be ignored. I haven't seen or read this anywhere else, so I am doubting that info.

Thanks for your expert opinion and response.

Wall
December 9th, 2010 12:27pm

On Thu, 9 Dec 2010 17:22:01 +0000, Wall09 wrote:
>Thanks for the input...
>
>>Yes, it will. You need to get the EXCH portion of the AutoDiscover data to use the same name as the EXPR portion.
>
>Okay - maybe I am just ignorant, but how do I go about getting the EXCH to match the EXPR? I have followed the directions as closely as I can interpret them in the Autodiscover docs, but nothing seems to be clicking on how to do this.
>
>* On a side note, while troubleshooting authentication with PSS yesterday, the tech said this was 'normal' when running the Test-OutlookWebServices from a CAS server that is a member of a WNLB CASArray. He stated I would get this on every CAS server that was a member of the Array and can be ignored. I haven't seen or read this anywhere else, so I am doubting that info.
>
>Thanks for your expert opinion and response.

If that's so, then try running the cmdlet from another (non-CAS) machine. Does it fail?

---
Rich Matheisen
MCSE+I, Exchange MVP
December 9th, 2010 8:04pm

When running from the Mailbox Role (separate server) I continue to get the same error with Test-OutlookWebServices.

Regards
Wall
December 10th, 2010 2:41pm

This topic is archived. No further replies will be accepted.
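
Added example, not posted by anyone in the thread: a Python script that reads Test-OutlookWebServices records and reports every URL host that a given list of certificate names does not cover, which is the condition record 1104 complains about. The sample records are constructed from messages quoted in the thread, the function names are hypothetical, and the name list passed in is an assumption (the thread only states the subject, owa.gklabs.net); how the cmdlet itself compares names is not modelled.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: three records in the cmdlet's "Key : Value" layout,
# with the console line wrapping already undone.
SAMPLE = """\
Id      : 1019
Type    : Information
Message : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://owa.gklabs.net/autodiscover/autodiscover.xml.

Id      : 1104
Type    : Error
Message : The certificate for the URL https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of nc10labs050.corp.gklabs.net, instead the subject found is owa.gklabs.net.

Id      : 1124
Type    : Success
Message : [Server] Successfully contacted the AS service at https://nc10labs050.corp.gklabs.net/ews/exchange.asmx. The elapsed time was 140 milliseconds.
"""


def parse_records(text):
    """Split the output into one dict per record (records are blank-line separated)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def host_matches(host, name):
    """Case-insensitive match; a leading '*.' covers exactly one left-most label."""
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == name[2:]
    return host == name


def uncovered_hosts(text, cert_names):
    """Map each URL host that no certificate name covers to the record Ids citing it."""
    findings = {}
    for rec in parse_records(text):
        for url in re.findall(r"https://\S+", rec.get("Message", "")):
            host = urlsplit(url).hostname
            if host and not any(host_matches(host, n) for n in cert_names):
                findings.setdefault(host, []).append(rec.get("Id"))
    return findings


if __name__ == "__main__":
    # Assumption: the certificate carries only the subject name quoted in record 1104.
    for host, ids in uncovered_hosts(SAMPLE, ["owa.gklabs.net"]).items():
        print(f"{host}: not covered by the certificate (record Ids {', '.join(ids)})")
```

The result lists the node FQDN under both the 1104 error and the 1124 success record, so it shows every place the output uses a name the certificate does not carry, not only the one flagged as an error.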
