Test-OutlookWebServices issues...
Hello all -
Beating my head against a wall on this for over a week and making slow progress.
Before getting too detailed, I have created a test environment with a single server hosting CAS/HUB roles and the Mailbox Role on a seperate server. The CAS/Hub (NC10LABS050.corp.gklabs.net) is in a single member CAS Array called CorpMail.gklabs.net.
I am planning my migration from Exchange 2003, which is also installed in this test lab.
Autodiscover (using testexchangeconnectivity.com) passes without any errors or warnings.
ExRCA is attempting to test Autodiscover for brett.favre@gklabs.net.
Autodiscover was tested successfully.
Test Steps
OWA and legacy owa work perfectly! Although I am able to connect to 2003 and 2010 mailboxes with OWA, I CAN NOT connect to the mailboxes with a mapi profile on the local domain!?!?!
Right now I am trying to troubleshoot the 'Test-OutlookWebServices -Identity
Brett.Favre@gklabs.net' test, and I am getting some errors internally. The results are posted below:
I am curious as to why I am getting the SSL name mismatch along with the unauthorized errors... Why is it looking for NC10S050 in the Common Name of the SSL cert vs. the OWA.GKLabs.Net common name. I would at least have expected the test to look
for the CASArray name instead of the Node name. Any input would be much appreciated.
[PS] C:\>Test-OutlookWebServices -identity
Brett.Favre@gklabs.net
Creating a new session for implicit remoting of "Test-OutlookWebServices" comman
d...
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1019
Type : Information
Message : A valid Autodiscover service connection point was found. The Autod
iscover URL on this object is
https://owa.gklabs.net/autodiscover/
autodiscover.xml.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1013
Type : Error
Message : When contacting
https://owa.gklabs.net/autodiscover/autodiscover.x
ml received the error The remote server returned an error: (401) U
nauthorized.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1023
Type : Error
Message : The Autodiscover service couldn't be contacted.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1104
Type : Error
Message : The certificate for the URL
https://nc10labs050.corp.gklabs.net/au
todiscover/autodiscover.xml is incorrect. For SSL to work, the cer
tificate needs to have a subject of nc10labs050.corp.gklabs.net, i
nstead the subject found is owa.gklabs.net. Consider correcting se
rvice discovery, or installing a correct SSL certificate.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1113
Type : Error
Message : When contacting
https://NC10LABS050.corp.GKLABS.NET:443/autodiscov
er/autodiscover.xml received the error The remote server returned
an error: (401) Unauthorized.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1123
Type : Error
Message : The Autodiscover service couldn't be contacted.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1024
Type : Success
Message : [EXCH] Successfully contacted the AS service at
https://owa.gklabs
.net/EWS/Exchange.asmx. The elapsed time was 581 milliseconds.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1026
Type : Success
Message : [EXCH] Successfully contacted the UM service at
https://owa.gklabs
.net/EWS/Exchange.asmx. The elapsed time was 327 milliseconds.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1024
Type : Success
Message : [EXPR] Successfully contacted the AS service at
https://owa.gklabs
.net/ews/exchange.asmx. The elapsed time was 171 milliseconds.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1026
Type : Success
Message : [EXPR] Successfully contacted the UM service at
https://owa.gklabs
.net/ews/exchange.asmx. The elapsed time was 234 milliseconds.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1124
Type : Success
Message : [Server] Successfully contacted the AS service at
https://nc10labs
050.corp.gklabs.net/ews/exchange.asmx. The elapsed time was 140 mi
lliseconds.
RunspaceId : a09a330c-dc89-4dcc-a01a-073b8d6a70cb
Id : 1126
Type : Success
Message : [Server] Successfully contacted the UM service at
https://nc10labs
050.corp.gklabs.net/ews/exchange.asmx. The elapsed time was 202 mi
lliseconds.
Wall
December 2nd, 2010 10:12am
On Thu, 2 Dec 2010 15:03:33 +0000, Wall09 wrote:
>
>
>Hello all -
>
>Beating my head against a wall on this for over a week and making slow progress.
>
>Before getting too detailed, I have created a test environment with a single server hosting CAS/HUB roles and the Mailbox Role on a seperate server. The CAS/Hub (NC10LABS050.corp.gklabs.net) is in a single member CAS Array called CorpMail.gklabs.net.
I am planning my migration from Exchange 2003, which is also installed in this test lab.
>
>Autodiscover (using testexchangeconnectivity.com) passes without any errors or warnings. ExRCA is attempting to test Autodiscover for brett.favre@gklabs.net.
> Autodiscover was tested successfully.
> Test Steps
>
>
> OWA and legacy owa work perfectly! Although I am able to connect to 2003 and 2010 mailboxes with OWA, I CAN NOT connect to the mailboxes with a mapi profile on the local domain!?!?!
>
>Right now I am trying to troubleshoot the 'Test-OutlookWebServices -Identity Brett.Favre@gklabs.net' test, and I am getting some errors internally. The results are posted below:
>
>I am curious as to why I am getting the SSL name mismatch along with the unauthorized errors... Why is it looking for NC10S050 in the Common Name of the SSL cert vs. the OWA.GKLabs.Net common name. I would at least have expected the test to look for the
CASArray name instead of the Node name. Any input would be much appreciated.
You're getting a 401 error connecting to the
https://owa.gklabs.net/autodiscover/autodiscover.xml URL.
You might want to check the authentication methods allowed on the
autodiscover site and the underlying file system directory.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
December 2nd, 2010 10:44pm
The authentication methods allowed for Autodiscover are Anonymous, Basic and Windows.
As for the Underlying File System Directory, I have verified in IIS 7 that Authenticated Users have 'Read & Execute', List Folder Contents and Read.
Should I be looking any where else for permissions?Wall
December 3rd, 2010 11:56am
Additional FYI -
I have recreated the Autodiscover Virtual Directory (as I have read in some other posts) and the Test-OutlookWebServices results are a bit different. here they are:
[PS] C:\Windows\system32>Test-OutlookWebServices -identity
Brett.Favre@gklabs.net
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1019
Type : Information
Message : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is
https://ow
a.gklabs.net/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1006
Type : Information
Message : Contacted the Autodiscover service at
https://owa.gklabs.net/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1016
Type : Information
Message : [EXCH] The AS is configured for this user in the Autodiscover response received from
https://owa.gklabs.ne
t/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1015
Type : Information
Message : [EXCH] The OAB is configured for this user in the Autodiscover response received from
https://owa.gklabs.n
et/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1014
Type : Information
Message : [EXCH] The UM is configured for this user in the Autodiscover response received from
https://owa.gklabs.ne
t/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1016
Type : Warning
Message : [EXPR] The AS is not configured for this user in the AutoDiscover response received from
https://owa.gklab
s.net/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1015
Type : Information
Message : [EXPR] The OAB is configured for this user in the Autodiscover response received from
https://owa.gklabs.n
et/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1014
Type : Warning
Message : [EXPR] The UM is not configured for this user in the AutoDiscover response received from
https://owa.gklab
s.net/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1022
Type : Success
Message : Autodiscover was tested successfully.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1021
Type : Information
Message : The following web services generated errors: As,UM in EXPR. Use the previous output to diagnose and correc
t the errors.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1104
Type : Error
Message : The certificate for the URL
https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml is incorrect
. For SSL to work, the certificate needs to have a subject of nc10labs050.corp.gklabs.net, instead the sub
ject found is owa.gklabs.net. Consider correcting service discovery, or installing a correct SSL certifica
te.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1106
Type : Information
Message : Contacted the Autodiscover service at
https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xm
l.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1116
Type : Information
Message : [EXCH] The AS is configured for this user in the Autodiscover response received from
https://NC10LABS050.c
orp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1115
Type : Information
Message : [EXCH] The OAB is configured for this user in the Autodiscover response received from
https://NC10LABS050.
corp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1114
Type : Information
Message : [EXCH] The UM is configured for this user in the Autodiscover response received from
https://NC10LABS050.c
orp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1116
Type : Warning
Message : [EXPR] The AS is not configured for this user in the AutoDiscover response received from
https://NC10LABS0
50.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1115
Type : Information
Message : [EXPR] The OAB is configured for this user in the Autodiscover response received from
https://NC10LABS050.
corp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1114
Type : Warning
Message : [EXPR] The UM is not configured for this user in the AutoDiscover response received from
https://NC10LABS0
50.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1122
Type : Success
Message : Autodiscover was tested successfully.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1121
Type : Information
Message : The following web services generated errors: As,UM in EXPR. Use the previous output to diagnose and correc
t the errors.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1024
Type : Success
Message : [EXCH] Successfully contacted the AS service at
https://owa.gklabs.net/ews/exchange.asmx. The elapsed time
was 124 milliseconds.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1026
Type : Success
Message : [EXCH] Successfully contacted the UM service at
https://owa.gklabs.net/ews/exchange.asmx. The elapsed time
was 15 milliseconds.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1124
Type : Success
Message : [Server] Successfully contacted the AS service at
https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. T
he elapsed time was 483 milliseconds.
RunspaceId : 680fdc23-3e7b-4c60-811c-c13fa4a1b124
Id : 1126
Type : Success
Message : [Server] Successfully contacted the UM service at
https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. T
he elapsed time was 15 milliseconds.
Wall
Free Windows Admin Tool Kit Click here and download it now
December 3rd, 2010 12:01pm
On Fri, 3 Dec 2010 16:54:19 +0000, Wall09 wrote:
>
>
>Additional FYI -
>
>I have recreated the Autodiscover Virtual Directory (as I have read in some other posts) and the Test-OutlookWebServices results are a bit different. here they are:
get-autodiscovervirtualdirectory | fl *url
Do you have an internal URL configured?
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
December 4th, 2010 5:52am
Hi
Can you run these commands and post the results in here
get-OwaVirtualDirectory | fl
get-ecpVirtualDirectory | fl
get-webservicesVirtualDirectory | fl
get-OABVirtualDirectory | fl
get-ActiveSyncVirtualDirectory | flJonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
Free Windows Admin Tool Kit Click here and download it now
December 6th, 2010 3:41pm
Hi Rich - thanks for the reply, and here are the results.
[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory |fl *url
Creating a new session for implicit remoting of "Get-AutodiscoverVirtualDirectory" command...
InternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml
ExternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xmlWall
December 6th, 2010 4:41pm
On Mon, 6 Dec 2010 21:34:09 +0000, Wall09 wrote:
>
>
>Hi Rich - thanks for the reply, and here are the results.
>
>[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory |fl *url Creating a new session for implicit remoting of "Get-AutodiscoverVirtualDirectory" command...
>
>InternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml ExternalUrl : https://owa.gklabs.net/autodiscover/autodiscover.xml
Well, the RPC-over-HTTPS works because the EXPR section of the
autodiscover data uses the
https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml
URL.
The RPC fails becasue the EXCH section of the autodoscover data uses
the https://NC10LABS050.corp.GKLABS.NET URL and that name doesn't
appear in the certificate you have installed on the server.
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
December 6th, 2010 10:22pm
I was under the impression that with a NLB CASarray that the FQDN's of the member nodes do not need to be on the SSL certificate. I have chatted with others running a CAS Array who state that they have not added the Node names (which NC10LABS050
is a member node) and all is working fine.
Also - the error is stating that the name NC10LABS050 is not the common name of the UCC cert (which OWA.GKLABS.com is the common name). so overall, i am a bit confused...
1. Why are some people able to run Autodiscover without the CAS Array node names in the cert?
2. If I add the node name to the cert it still will not have the node name as the common name of the UCC cert, so wont it still fail?
FYI - I have thought the same as your suggestion and ran the test after re-enabling the default cert with services - then the test fails stating that OWA.GKLABS.Net is not the common name... seems like I am running in circles.
Thanks for your input so far and I appreciate your time!Wall
December 7th, 2010 1:08pm
On Tue, 7 Dec 2010 17:59:47 +0000, Wall09 wrote:
>I was under the impression that with a NLB CASarray that the FQDN's of the member nodes do not need to be on the SSL certificate. I have chatted with others running a CAS Array who state that they have not added the Node names (which NC10LABS050 is a
member node) and all is working fine.
Does the EXCH section of their AutoDiscover data use the same names as
the EXPR section? Yours don't.
>Also - the error is stating that the name NC10LABS050 is not the common name of the UCC cert (which OWA.GKLABS.com is the common name). so overall, i am a bit confused...
That shouuldn't be confusing. It's just a statement of what is.
NCLABS050 isn't the "Subject" of the certificate.
>1. Why are some people able to run Autodiscover without the CAS Array node names in the cert?
http://howtoexchange.wordpress.com/2009/12/16/configuring-client-access-array-for-exchange-2010-walkthrough/
http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover-part2.html
"Set-ClientAccessArray", "Set-ECPVirtualDirectory", or maybe
"Set-MailboxDatabase <dbname> -RPCClientAccessServer . . ." may have
been run incorrectly (or not at all).
>2. If I add the node name to the cert it still will not have the node name as the common name of the UCC cert, so wont it still fail?
Yes, it will. You need to get the EXCH portion of the AutoDiscover
data to use the same name as the EXPR portion.
>FYI - I have thought the same as your suggestion and ran the test after re-enabling the default cert with services - then the test fails stating that OWA.GKLABS.Net is not the common name... seems like I am running in circles.
Yes, but now the circle's a lot smaller. :-)
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
December 7th, 2010 8:42pm
Thanks for the input...
>Yes, it will. You need to get the EXCH portion of the AutoDiscoverdata to use the same name as the EXPR portion.
okay - maybe I am just ignorant, but how do I go about getting the EXCH to match the EXPR? I have followed the directions as closely as I can interpret them in the Autodiscover docs, but nothing seems to be clicking on how to do this.
* on a side note, while troubleshooting authentication with PSS yesterday, the tech said this was 'normal' when running the Test-OutlookWebServices from a CAS server that is a member of a WNLB CASArray. He stated I would get this on every CAS server
that was a member of the Array and can be ignored. I havent seen or read this anywhere else, so I am doubting that info.
Thanks for your expert opionion and response.
Wall
December 9th, 2010 12:27pm
On Thu, 9 Dec 2010 17:22:01 +0000, Wall09 wrote:
>
>
>Thanks for the input...
>
>>Yes, it will. You need to get the EXCH portion of the AutoDiscoverdata to use the same name as the EXPR portion.
>
>okay - maybe I am just ignorant, but how do I go about getting the EXCH to match the EXPR? I have followed the directions as closely as I can interpret them in the Autodiscover docs, but nothing seems to be clicking on how to do this.
>
>* on a side note, while troubleshooting authentication with PSS yesterday, the tech said this was 'normal' when running the Test-OutlookWebServices from a CAS server that is a member of a WNLB CASArray. He stated I would get this on every CAS server that
was a member of the Array and can be ignored. I havent seen or read this anywhere else, so I am doubting that info.
>
>Thanks for your expert opionion and response.
If that's so, then try running the cmdlet from another (non-CAS)
machine. Does it fail?
---
Rich Matheisen
MCSE+I, Exchange MVP
--- Rich Matheisen MCSE+I, Exchange MVP
Free Windows Admin Tool Kit Click here and download it now
December 9th, 2010 8:04pm
When running from the Mailbox Role (seperate server) I continue to get the same error with Test-OultookWebServices.
RegardsWall
December 10th, 2010 2:41pm