Exchange Server Forums

autodiscover on windows 2008

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Microsoft Exchange 2007] >> Outlook Web Access >> autodiscover on windows 2008

Page: [1]

Message

<< Older Topic Newer Topic >>

autodiscover on windows 2008 - 1.Aug.2008 12:36:43 PM

wilde

Posts: 46
Joined: 9.Oct.2007
Status: offline

Hi all,

I've recently published OWA/active sync/rpc . . . and all has worked fine thanks to the brilliant info on this site.

I tried following the guide "Publishing Exchange 2007 Outlook Autodiscover with 2006 ISA� and seem to have run into authentication troubles.

Windows 2008 uses IIS7 so I needed to purchase an SSL (https:// Autodiscover.domain.com) as you do not get the option to "Store certificate in local computer certificate store� when requesting a web server certificate. That and the fact I'm using LDAP authentication on the web listener is the only difference on my system to the manual.

Basically when attempting to use the auto account setup in outlook 2007 it promtps me to "allow this website to configure email@domain.com server settings?� https://autodiscover.domin.com/autodiscover.xml, I click allow and then after time it fails.

In the ISA2006 logging the status does says Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

BUT the strange thing is, if I manually type in all the outlook anywhere details in outlook2007 it connects fine??? Ie msstd:autodiscover.domain.com connects via https perfectly.

Please check here for screen shots of interest.
http://img179.imageshack.us/my.php?image=captureca2.jpg

I think the issue could be related to the virtual directory "AutoDiscover" not using the autodiscover.domain.com certificate, it is using the exchange.domain.com certificate.

Could this be the issue, if so how do I choose what certificate the virtual directory uses (remember i'm using IIS7 on windows 2008)???

Any help is appreciated.

Thanks

Wilde

< Message edited by wilde -- 4.Aug.2008 9:52:42 AM >

Post #: 1

Featured Links*

RE: autodiscover on windows 2008 - 1.Aug.2008 7:55:53 PM

John Weber

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline

read this...it may help

http://tsoorad.blogspot.com/2008/01/outlook-2007-certificate-error.html

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to wilde)

Post #: 2

RE: autodiscover on windows 2008 - 4.Aug.2008 9:41:21 AM

wilde

Posts: 46
Joined: 9.Oct.2007
Status: offline

Hi John, thanks for the input.

I now don't believe the issue is certificate related.

Externally
https://autodiscover.domain.com/autodiscover/autodiscover.xml resolves to
https://autodiscover.domain.com/CookieAuth.dll?GetLogon?curl=Z2FautodiscoverZ2Fautodiscover.xml&reason=0&formdir=3
which is an ISA2006 logon page (similar to OWA)

On this page the certificate does show as autodiscover.domain.com.

After logging on I receive the error below
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="14:36:22.9459365" Id="2884917732">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>

I'm extremley close to giving up now, can anyone help?

Thanks

Wilde

(in reply to John Weber)

Post #: 3

RE: autodiscover on windows 2008 - 11.Aug.2008 12:22:58 PM

wilde

Posts: 46
Joined: 9.Oct.2007
Status: offline

Update:

I think it's definately something wrong with the way the SSL's are set up.

When test-outlookwebservices is run from the exchange 2007 server I recieve these results.

1003 Information About to test AutoDiscover with the e-mail address admin@domain.com.

1007 Information Testing server mailserver.domain.com with the published name https://mailserver.domain.com/EWS/Exchange.asmx & https://autodiscover.domain.com/ews/exchange.asmx.

1019 Information Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://autodiscover.domain.com/autodiscover/autodiscover.xml.

1005 Error When accessing https://autodiscover.domain.com/autodiscover/autodiscover.xml the error "RemoteCertificateNameMismatch:CN=mailserver.domain.com, OU=Comodo InstantSSL, O=Company, STREET x x x x" was reported.

1013 Error When contacting https://autodiscover.domain.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

1006 Error The Autodiscover service could not be contacted.

[PS] C:\Windows\System32>Test-OutlookWebServices -identity user@domain.com | fl

Id      : 1003

Type    : Information

Message : About to test AutoDiscover with the e-mail address user@domain.com.

Id      : 1005

Type    : Error

Message : When accessing https://autodiscover.domain.com/autodiscover/autodiscover.xml the error "RemoteCertificateNameMismatch:CN=mailserver.domain.com, OU=Comodo InstantSSL, O=Company, STREET x x x x" was reported.

Id      : 1013

Type    : Error

Message : When contacting https://autodiscover.domain.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

Id      : 1006

Type    : Error

Message : The Autodiscover service could not be contacted.

(in reply to wilde)

Post #: 4

RE: autodiscover on windows 2008 - 11.Aug.2008 7:30:49 PM

John Weber

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline

you need to pay attention to not only the DSN resolution, but what the exchange system thinks things are called.
And then what cert is applied to what service the exchange org thinks things are called.

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to wilde)

Post #: 5

RE: autodiscover on windows 2008 - 12.Aug.2008 5:57:19 AM

wilde

Posts: 46
Joined: 9.Oct.2007
Status: offline

Thanks for the reply John but I do not understand? Please could you elaberate?

I may be way of the mark but one thing i really don't understand is the assigning a certificate to a service such as IIS when i need to use 2 certificate, one for webmail (mailserver.domain.com) and one for autodiscover (autodiscover.domain.com)???

This is officially killing me.

< Message edited by wilde -- 12.Aug.2008 7:26:57 AM >

(in reply to John Weber)

Post #: 6

RE: autodiscover on windows 2008 - 12.Aug.2008 11:32:10 AM

wilde

Posts: 46
Joined: 9.Oct.2007
Status: offline

Right,

I think I'm finally getting it, I am using 2 instant SSL's not a SAN or UC certificate.

Is it not possible to use 2 different certificates with exchange 2007 for the OWA and Autodiscovery services even if you move the autodiscovery virtual directory onto a new website located on the exchange server?

Thanks in advance

(in reply to wilde)

Post #: 7

RE: autodiscover on windows 2008 - 12.Aug.2008 8:10:32 PM

John Weber

Posts: 1236
Joined: 20.Apr.2005
From: Portland, Oregon
Status: offline

I don't know a good answer to that specific question.

I ALWAYS use a public cert for ANYTHING facing public, and I use internal certs for all else.

And if you need a SAN for one of those, then that is what you MUST do.

_____________________________

John Weber [Lync MVP] http://tsoorad.blogspot.com

(in reply to wilde)

Post #: 8