Friday, July 6, 2007

Exchange 2007 Autodiscover Service Part 1

This post has been moved to
http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

45 comments:

Eric Barb said...

Great article. I had to both the first part and create a cname record but I couldn't have done it without this. Do you know if there is a way to update the client's proxy server automatically? Currently it will update the mail server, but since we use http over rpc clients have to manually change their proxy address. This could be cumbersome and I'm sure MS thought about that already. Thanks!

Anonymous said...

Super great article. I would not have been able to make it work without this article. One question though. What is the registry entry to make it look at the local .xml file first?

Exchange_Genie said...

The key is shown in the article but it's A. Hkey_current_user --> Software --> Microsoft --> Office --> 12.0 --> Outlook -> autodiscover

Anonymous said...

Sorry, but A. just shows where to set up the zone name. It does not show how to make it look at the local file first. There is a **note that stated there is an additional reg key.

Anonymous said...

What is the additional reg key in the note that is supposed to make it search the local file first? The article does not say.

Exchange_Genie said...

Sorry, here you go
HKCU\Software\Microsoft\Office\12.0\Outlook\Autodiscover
DWORD: PreferLocalXML = 1

Rick said...

Great article but I can't get it to work like this.

I have a test environment and only need to use the internal url.

My output of test-outlookwebservices is positive. Success for 1014-1015-1016-1006-1007.

But when I test it with outlook it doesn't work.

Can you help me with this?

Exchange_Genie said...

could you provide more info.... if you post your email address I will not publish it and can ping you

Anonymous said...

Quite an article - thanks. I realize large organizations need Autodiscover, but Autodiscover for small organizations (maybe 20 or less people) is a pain in the arse - Microsoft should have allowed to a policy or something to make it 100x easier than what I think is an over designed scheme.

Exchange_Genie said...

I think the problem is it's not made aware how integrated autodiscover is to Outlook 2007, it's a great feature but there are some concerns that I have discussed with MS and are hopefully addressed.
Once you understand how it works it's not too bad :)

Aaron said...

This was a great help. I have everything working internally. When I try the test on a computer that is external it gets to the part where it asks you for your password (step 5). When I type it in it just prompts me again. I have gone through every setting and can not seem to figure it out. The autodiscover test works and gives all the correct addresses. Is there any other logging I can turn on? Any help would be appreciated.

Exchange_Genie said...

typically the external user prompts are related to certificates. Are you using a 3rd party CA like Verisign or are you using an internal windows CA or the self generated certs on Exchange?

Anonymous said...

I have exactly the same problem as Aaron, when connecting externally I just keep getting the password prompt, if at this point I connect via VPN then the process completes and I can use RPC/HTTP without the VPN fine, I have a wildcard cert from Digicert and everything looks correct from Test-Outlookwebservices or from Outlook with test Autodiscovery, my internal and external domain names are the same, I've even put mail on its own external IP (was using port forwarding in Cisco IOS with several sites on one IP). This has been driving me nuts for months and I'm about to lose my job because I've not been able to figure it out!

Anonymous said...

To add to my previous statement, we're using SBS and Exchange on a separate server, does our domain controller need to be accessible externally, I thought it would be via the mail server or am I missing something?

The VPN does allow access to the domain controller so is that why it works when I connect the VPN, perhaps once it's 'done' with the DC it can just talk to the mail server?

Exchange_Genie said...

No, your DC does not need to be accessible from the outside as the rpc proxy running on the exchange server will proxy the Rpc requests to the mailbox server which makes calls to the DC on your behalf.

can you post something with contact info I won't publish it and we can chat offline....

also try the rpc ping that I have outlined in my outlook anywhere post

http://exchange-genie.blogspot.com/2008/02/configuring-outlook-anywhere-for.html

Anonymous said...

This is the best Exchange blog site I have found. Period. Thanks so much for your very detailed help.

Anonymous said...

Hi genie, congrats to your blog.
Please, how to configure Exchange 2007 to Outlook Anywhere for machine in out of the domain?
Thanks.

Exchange_Genie said...

Please reference this post, it will work for domain joined or non domain

http://exchange-genie.blogspot.com/2008/02/configuring-outlook-anywhere-for.html

Anonymous said...

wow, I just needed someone like you to explain exactly what I needed. Thank you for your help.

PM said...

When running

C:\>Test-OutlookWebServices -identity administrator

I receive the following errors.

1003 Information About to test AutoDiscover with...

1013
Error When contacting https://mail.ncjhs.local...

1006
Error Failed to contact AutoDiscover...

Any idea why this is happening.

Thanks.

Rosie said...

This is a great site. Thank you for your information. I THANK YOU I SALUTE YOU IT'S AN AMAZING SITE.

Yanick Gosselin said...

Very useful article. One thing I'd like to know. Everything works well with Autodiscover but the SSL cert. All my roles on the same server, same IIS. One certificate server.domain.com signed. But when I start outlook without being connected to the domain, I have a popup that my autodiscover.domain.com name mismatch. Can you help?

Exchange_Genie said...

Did you use a SAN cert with multi names?
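
The name-mismatch popup discussed in the two comments above comes down to whether every host name in the URLs handed to Outlook appears on the certificate. The following PowerShell is an added example, not part of the original thread or the author's article; the function names Test-NameMatch and Get-UncoveredUrl and all host names are constructed for illustration.

```powershell
# Added example: list the Exchange URLs whose host name is NOT covered by the
# names on a certificate. All host names are constructed placeholders.

function Test-NameMatch {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant()
    $c = $CertName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label:
        # *.domain.com covers mail.domain.com, not domain.com or a.b.domain.com.
        $suffix = $c.Substring(1)    # ".domain.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $c)
}

function Get-UncoveredUrl {
    param([string[]]$Url, [string[]]$CertName)
    foreach ($u in $Url) {
        $hostName = ([System.Uri]$u).Host
        $covered = $false
        foreach ($n in $CertName) {
            if (Test-NameMatch -HostName $hostName -CertName $n) { $covered = $true; break }
        }
        if (-not $covered) { $u }    # emit only the URLs that would raise a mismatch
    }
}

# URLs a client may be handed: Autodiscover, EWS, and an internal-only name.
$urls = @(
    'https://autodiscover.domain.com/autodiscover/autodiscover.xml',
    'https://mail.domain.com/EWS/Exchange.asmx',
    'https://server.domain.local/EWS/Exchange.asmx'
)

# Single-name certificate, as in the SELFSSL case described above.
Get-UncoveredUrl -Url $urls -CertName @('server.domain.com')

# SAN certificate carrying several public names.
Get-UncoveredUrl -Url $urls -CertName @('mail.domain.com', 'autodiscover.domain.com', 'server.domain.com')

# Wildcard certificate.
Get-UncoveredUrl -Url $urls -CertName @('*.domain.com')
```

A name that matches only removes the mismatch warning; the client must still trust the issuing CA, which a self-generated certificate does not provide on machines outside the domain.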

ignazioc said...

hi Brian,
came back to an old problem.
internally autodiscover works fine (out of office, availability, etc) from outside, after reading more carefully your blog and setting A record to autodiscover.primaysmtp., i am able to have autodiscover working through our vpn but not without.
i think rpc over http should query the internal dns via exchange proxy (cas) but this seems not to be the case as testing from outlook shows that https://autodiscover.primarysmtp/autodiscover/autodiscover.xml cannot be resolved.
i am also able to run rpcping successfully from outside.
can you tell me if there something i am missing?
thank you for your help and time.

Yanick Gosselin said...

No, I used SELFSSL to generate my certificate. The problem is that if I put a *.domain.com certificate with SELFSSL, the iPhone does not support WILDCARD certificates... And multiple names certificates cost a lot yearly. Do you have a solution?

Shane said...

I get an error when testing Autodiscover..or, more specifically, Test-OutlookWebServices:
[PS] H:\>Test-OutlookWebServices -Identity Firstname.Lastname | fl


Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address firstname.lastname@myorg.com

Id : 1013
Type : Error
Message : When contacting https://certsubjname.myorg.com/autodiscover/autodiscover.
xml received the error The remote server returned an error: (401) Una
uthorized.

Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.

Also, I need help creating the DNS record. I created an A record called 'Autodiscover' pointing to the IP of the server; do I need to create a couple CNAME records instead?...that part wasn't fully explained, which is what I need. :)

Thanks!
Shane

Anonymous said...

Can anyone post the default contents of autodiscover.xml file, so that we can make use of this great work around, cheers

Exchange_Genie said...

The one listed above is what you need just change the url.. If you like to see more the xml is located on the CAS server.

Danyluk said...

Genie, thank you for all the info. I am having a really hard time here. Can you help. I have done all the steps but when I try this one
"Here I am piping the get command to the set command which will set all my Web services virtual directories at once instead of one by one:
Get-WebServicesVirtualDirectory set-WebservicesVirtualDirectory -intrnalurl https://mail.vm.local/EWS/Exchange.asmx -externalurl https://mail.vm.local/EWS/Exchange.asmx
**Note if you are not using an NLB then you can leave the internal settings to the default."

I get the following error:
Get-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'intrnalurl'.
At line:1 char:76
+ Get-WebServicesVirtualDirectory set-WebservicesVirtualDirectory -intrnalurl
<<<< https://mail.mydomain.net/EWS/Exchange.asmx -externalurl https://mail.mydomain.net/EWS/Exchange.asmx

What am I doing wrong. Could you please help me out?

Exchange_Genie said...

looks like you spelled internal wrong -intrnalurl...... just do -i and hit tab
and I am sure this is the blog taking out the pipe but you need
Get-WebServicesVirtualDirectory pipe here set-WebservicesVirtualDirectory

Danyluk said...

You Rock, that was it and it worked. I was able to process everything on your post and everything works. Thank you soooo much. I do have one other problem though. I now externally try to connect with Outlook 2007 and it can't autodiscover it. Do I need to do something else?

happytang said...

Hi Brian, a few quick questions and issues.

We have a Entrust certificate that allows us to put in SAN's, however as you know, you're not allowed to put in .local domains into this kind of certificate. That being said, our certificate contains:

mail.domain.com, www.domain.com, autodiscover.domain.com, Server.domain.com.

That being said, instead of using server.local in all of the configuration detailed above, I have had to change everything (internalurl and externalurl) to https://mail.domain.com/*/*.

Mind you, with this being done, everything works absolutely fine. I get no certificate errors, Outlook Anywhere works fine, etc.

However, the problem is that for some reason with this configuration, Exchange decides to automatically force people to connect to exchange through HTTP. That means that users inside the domain have to enter their password every time they start their Outlook (Outlook 2007). I can go to account settings and uncheck this option, however, after a while, it gets checked back again after some time.

Any ideas?

Exchange_Genie said...

So it should not be forcing you to http... all the configuration is done so that either or will work. If you use autodiscover it does not check use http first on fast networks so mapi is tried first and if it fails will fall back to http

John D. said...

Hello Brian

Thanks for this great article. I've two problems where I need some help:

I always get
Error 1013 - When contacting https://mail.domain.com/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.
Solution …

and Error 1006 - The Autodiscover service could not be contacted.

I use a single name cert and all names are configured for this domain, mail.domain.com. I also created the SRV entry on the external DNS, but it still does not work. Do you have an input for me?

Thanks
John

Exchange_Genie said...

what are you doing when you get the error, I have another article related to 401 on Windows 2008

Admin Master said...

Am receiving the following error within Exchange 2007:-

Id : 1013
Type : Error
Message : When contacting https://FQDN/Rpc received the error The
server committed a protocol violation. Section=ResponseStatusLine

Id : 1017
Type : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at
https://FQDN/Rpc. The elapsed time was 15 milliseconds.

And when trying to access exchange through Office 2007 it is prompting me for a password. How can i resolve this.

Anonymous said...

hi genie,

indeed great article. thanks for taking the time and effort to help us out here...
i also have a quick question:
do i need to specify the external-url parameter on the CAS when i publish outlook-anywhere through an isa 2006 server?

thanks,
olaf

Exchange_Genie said...

The internal / external urls are used by exchange during proxying and redirection. So let's say you have 2 external urls, Europe and America... A user hits the Europe external url but the mbx is in America. Exchange will redirect the user to the correct external url. If you did not populate the external, the Europe server would proxy the user.
So depending on your configuration and how you do the rules you don't have to

Felix said...

Hi Brian
Great source of information! My server was working fine without any problems until I recently restarted it, I think it was with the latest Exchange security rollup. Now Outlook will NOT find the OoO Assistant nor the Group Schedule.

I do NOT get an error when using Webmail/OWA and all is fine there. When using the Outlook Test Email AutoConfig it says it has successfully got Autodiscovery resolved by SCP.

Using Get-clientAccessServer from EMS resolves fine, but when I run Test-OutlookWebServices I get an error message:

---
[PS] C:\>Test-OutlookWebServices -identity admfelixb
Id Type Message
---- ---- -------
1003 Information About to test AutoDiscover with the e-mail address admfelixb@nedgp.org.au.
1006 Information The Autodiscover service was contacted at https://aardvark.nedgp.local/Autodiscover/Autodiscover.xml.
WARNING: An unexpected error has occurred and debug information is being generated: Object reference not set to an instance of an
object.
Test-OutlookWebServices : Object reference not set to an instance of an object.
At line:1 char:24
+ Test-OutlookWebServices <<<< -identity admfelixb
---

We have a SAN Cert that has 5 names (3 Ext, 2 Int). As I said, all worked fine before until recently. Can you give me some clue where to start looking - I am lost...

Anonymous said...

I am facing a problem that some users are able to access Outlook over HTTP and others not (internal and external of the network). The users that are not able to access of HTTP get as far as Password pop up box, they enter their details and it fails but just asking for the password again. OWA is working for all users both internally and externally fine.

Our environment is Windows 2003/ Exchange 2007 with Outlook 2003 and 2007.

Can you please help?

Exchange_Genie said...

Are you using a private or public certificate?
Most of the time I see the password prompt is related to not trusting the cert or oab download permission but that would only be OL 2007

Anonymous said...

Thank you for this helpful post. I read through it and then created a DNS (A) record as you suggested -and that resolved my problem!!!

Kenny said...

My Echos on the great article comments. Autodiscovery works well (with a caveat) for us, and I found that a colleague at the University of Chicago is facing our same dilemma.

We have been running Exchange/Outlook for a number of years, in a shared address space scenario with a university for which I work. The end users' mail addresses are all stamped with the @university.edu alias (the real address is our subdomain). The university recently decided to migrate to Exchange, and won't support departmental (separate) Exchange forest trusts.

As soon as their CAS came online, we began getting the autodiscovery prompts for addresses not recognized as our active directory aliases. Before migrating to Exchange 2007, the PreferlocalXML workaround suppressed the prompts, and all other functionality worked. After migrating to Exchange 2007, the workaround breaks all things autodiscovery-related (OAB, OOF, Availability Services, etc.). Pulling the registry entry out and the XML file off brings all Autodiscovery services back to life.

I should note that you now have to set the primary SMTP to the local/subdomain address rather than the shared alias for it all to work as well (which will involve setting up a hub transport or other address rewrite mechanism for outbound mail).

Anyways, what I'm desperately wondering is if there is some other way to restrict Autodiscovery from going beyond our simple, local CAS (I've tried site affinity and still get the campus CAS prompt), or to get the local XML/PreferLocalXML file to work with other Autodiscovery services.

Your help is much appreciated, in advance!

Exchange_Genie said...

Kenny, can you move this to my new site exchange-genie.com, and we can use the forum there to discuss this.....

autodiscover does not play nice at times in shared namespace etc...

I have interesting scenarios as well...