
Background

Exchange Server Standard 2013 (CU13) running on premises on Windows Server 2012 R2 (fully updated) on a 2012 R2 Active Directory Domain.

  1. External DNS is set correctly: autodiscover.mydomain.com successfully results from an external connection
  2. Wildcard SSL certificate is installed and functional
  3. I can access https://autodiscover.mydomain.com/autodiscover/autodiscover.xml from an external connection. I am prompted for username and password, which are accepted and I am then presented with a page showing Error 600 (expected result).
  4. AutoDiscover works and tests fine on the internal LAN.

Problem

However, I cannot get AutoDiscover to function over the Internet.

  1. I cannot get Outlook to connect via an external connection: neither when using Outlook 2013 nor when using Outlook for Android or iOS. Outlook Web Access does work, but that is not relevant.
  2. https://testconnectivity.microsoft.com/ reports the following error:


Attempting to send an Autodiscover POST request to potential Autodiscover URLs.  
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

Additional Details

Test Steps

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.mydomain.com:443/Autodiscover/Autodiscover.xml for user testuser@mydomain.com.  
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.  

Additional Details

An HTTP 401 Unauthorized response was received from the remote Unknown server.  
This is usually the result of an incorrect username or password.  
If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).  
HTTP Response Headers:  
request-id: 03440b6d-56e0-405c-9f4e-eb663abca5b  
Set-Cookie: ClientId=AFD789F9E0A427AB; expires=Tue, 26-Sep-2017 12:53:11 GMT; path=/; HttpOnly  
Server: Microsoft-IIS/8.5  
WWW-Authenticate: Basic realm="autodiscover.mydomain.com",Negotiate,NTLM  
X-Powered-By: ASP.NET  
X-FEServer: EXCHANGE-SERVER  
Date: Mon, 26 Sep 2016 12:53:11 GMT  
Content-Length: 0  
Elapsed Time: 424 ms.  

Attempted Solutions

  1. Per https://community.spiceworks.com/topic/550046-exchange-autodiscover-not-working-correctly-in-2010-2013-environment I have checked my bindings in IIS and see nothing amiss. Here they are:
    Default Web Site: http Port:80 IP:*, net.pipe Binding:*, net.msmq Binding:localhost, msmq.formatname Binding:localhost, net.tcp Binding:808:*, https Port:443, http Port:80 IP:127.0.0.1, http Port:443 IP:127.0.0.1
    Exchange Back End: http Port:81 IP:*, https Port:444 IP:*, net.pipe Binding:*

  2. Per https://social.technet.microsoft.com/Forums/exchange/en-US/cc9ffe71-b4fe-4217-9343-14956ccf30d9/autodiscover-authentication?forum=exchangesvrgenerallegacy and http://www.itnotes.eu/?p=2455 I have checked authentication methods for the /Autodiscover application in IIS. Anonymous, Basic, and Windows are enabled for /Autodiscover and Anonymous and Windows are enabled for the /Autodiscover Exchange Back End.

  3. I have checked that Authenticated Users have permissions to the /Autodiscover applications in IIS. For Default Web Site, /Autodiscover has Allow Read permissions for Authenticated Users. For Exchange Back End, /Autodiscover has Allow Read & execute, List folder contents and Read for Authenticated Users.

I'm really stuck here. I have no idea why this isn't working.

Daniel
  • Have you tried Clint's fix for loopback: http://clintboessen.blogspot.com/2009/06/autodiscover-issue-401-unauthorized.html -- also, what is the network topology to get there? Is there a load balancer or TMG or something in between? – TheCleaner Sep 26 '16 at 13:42
  • According to https://blogs.technet.microsoft.com/sharepoint_foxhole/2010/06/21/disableloopbackcheck-lets-do-it-the-right-way/ , Loopback "prevents access to a web application using a fully qualified domain name (FQDN) if an attempt to access it takes place from a machine that hosts that application." But I'm not accessing Autodiscover from the Exchange Server itself. Also, I am *NOT* getting a 401 error when I access Autodiscover via a browser (as in your link). I can successfully access the xml file via an external browser. I only get the 401 error when using the MS connectivity test. – Daniel Sep 26 '16 at 13:59
  • There is a router between the Internet and the Exchange Server, but it is only doing 1-to-1 NAT to a Public IP. There is no load balancer or TMG. Effectively, the Exchange Server is exposed directly to the Internet other than its built-in Windows firewall. – Daniel Sep 26 '16 at 14:03
  • hmm...ok. And no split-dns (same internal/external domain)? – TheCleaner Sep 26 '16 at 14:19
  • What @TheCleaner said. We recently had a split DNS issue with autodiscover. (The company that hosts the external web site helpfully defined autodiscover to an incorrect value for us.) – Katherine Villyard Sep 26 '16 at 19:58
  • I do have a split DNS, on purpose, but I use the same domain both internally and externally and I manage both personally. I don't see how that would matter anyway. I can resolve autodiscover.mydomain.com from an external connection. And I can directly access the autodiscover.xml file via a browser from an external connection. Even the Microsoft connectivity test gives me passing status for resolution of the address and for firewall status and for the SSL certificate. It just fails at the POST request stage for the Autodiscover.xml file. – Daniel Sep 27 '16 at 17:27
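
The Connectivity Analyzer's failing step can be reproduced from any machine, which makes it possible to compare the result from inside and outside the LAN. This is an added example, not code from the question or from Microsoft; the mailbox address, host name and the use of Windows PowerShell 5.1 (where the caught exception carries an HttpWebResponse) are assumptions.

```powershell
# Added diagnostic (not from the original post): send the same Autodiscover POST
# that Outlook and the Connectivity Analyzer send, and report how the server answers.
param(
    [string]$Mailbox          = 'testuser@mydomain.com',      # assumption, from the test output
    [string]$AutodiscoverHost = 'autodiscover.mydomain.com'   # assumption, from the question
)

# Request body defined by the Outlook Autodiscover request schema.
$body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$Mailbox</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

$uri  = "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml"
$cred = Get-Credential -Message "Credentials for $Mailbox (try DOMAIN\user and the UPN)"

# Print the address this client resolved, so a split-DNS mismatch shows up next to the HTTP result.
Resolve-DnsName -Name $AutodiscoverHost -Type A | Select-Object Name, Type, IPAddress, NameHost

try {
    $resp = Invoke-WebRequest -Uri $uri -Method Post -Body $body -ContentType 'text/xml' `
                              -Credential $cred -UseBasicParsing
    "HTTP $($resp.StatusCode) from $($resp.Headers['X-FEServer'])"
    $xml = [xml]$resp.Content
    if ($xml.Autodiscover.Response.Error) {
        # Error 600 here means the request was parsed but the user was not found / not matched.
        $xml.Autodiscover.Response.Error | Select-Object ErrorCode, Message
    } else {
        # A working endpoint returns one Protocol element per access method (EXCH, EXPR, WEB, ...).
        $xml.Autodiscover.Response.Account.Protocol | Format-Table Type, Server, ASUrl
    }
} catch {
    $r = $_.Exception.Response
    "HTTP $([int]$r.StatusCode) $($r.StatusDescription) from $($r.Headers['X-FEServer'])"
    # The 401 in the question came with this header; it lists the schemes the front end accepts.
    "WWW-Authenticate: $($r.Headers['WWW-Authenticate'])"
}
```

Run it once from an external network and once from the LAN with the same credentials; if only the external run returns 401 while both resolve the same address, the problem is in authentication handling on the path rather than in DNS.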

1 Answer


Just got this figured out, so contributing: I had to create on the local LAN DNS a zone for the EXTERNAL domain, then point mail.xyz.com to the EXTERNAL IP, and also create a corresponding CNAME for the autodiscover.xyz.com entry, all basically emulating the external DNS in the LOCAL LAN.

IT_Dude
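
The zone and records the answer describes, built with the Windows DnsServer cmdlets and then verified against an outside resolver. This is an added example, not the answerer's own commands; the zone name comes from the answer, while the external IP (a TEST-NET-3 placeholder), the internal DNS server name and the choice of 8.8.8.8 as the outside resolver are assumptions.

```powershell
# Added example (not from the answer): emulate the public zone on the internal DNS server,
# then check that internal and external clients now resolve the same addresses.
$Zone       = 'xyz.com'          # external domain used in the answer
$MailHost   = 'mail'             # creates mail.xyz.com
$ExternalIP = '203.0.113.10'     # placeholder public IP (TEST-NET-3); replace with the real one
$DnsServer  = 'dc01.corp.local'  # assumed internal DNS server (domain controller)

Import-Module DnsServer

# 1. Create the zone only if it does not exist yet (AD-integrated, replicated domain-wide).
if (-not (Get-DnsServerZone -Name $Zone -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -ComputerName $DnsServer
}

# 2. A record: mail.xyz.com -> external IP (the name on the certificate that clients connect to).
Add-DnsServerResourceRecordA -ZoneName $Zone -Name $MailHost -IPv4Address $ExternalIP `
                             -ComputerName $DnsServer

# 3. CNAME: autodiscover.xyz.com -> mail.xyz.com, mirroring the public zone.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'autodiscover' `
                                 -HostNameAlias "$MailHost.$Zone" -ComputerName $DnsServer

# 4. Verify: the internal answer and the public answer should agree for both names.
foreach ($name in "$MailHost.$Zone", "autodiscover.$Zone") {
    $internal = (Resolve-DnsName $name -Server $DnsServer -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A').IPAddress
    $external = (Resolve-DnsName $name -Server 8.8.8.8 -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A').IPAddress
    [pscustomobject]@{ Name = $name; Internal = $internal; External = $external
                       Match = ($internal -eq $external) }
}
```

Once this zone exists the internal server is authoritative for every name under xyz.com, so any other public hosts (www, MX targets and so on) must be added to it as well or they stop resolving from inside the LAN.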