I think this is the last part of the issue to just get this working. If I create a new profile it nags none stop for a username and password. If I cancel and check it is setup to the cas array address as the server name and teh exchange proxy settings match the above. 'mail.company.com' and msstd: cas01.domain.local  with basic authentication.

If I take an existing user getting the old security warning and go into account settings - I can click on repair mailbox. This seems to fix the issue and when they launch Outlook they do not get the nagging credentials you get when creating a new profile.

Odd since they both have the same exchange proxy settings.

Well I do have those settings in mine. When I create a new profile it prompts for credentials and if you get to this screen it shows it all filled out.

TheExchangeGeek - I do not see options like these for an advanced setting. I am in Server 2008 R2 with Exchange 2010 and this doesn't seem to be available in IIS.

Also, although I am passing the autoconfigure tests.  I do get a new security popup prompting for credentials when I create a new profile. If I remove outlook anywhere as a selection then it seems to work fine.

I would configure my outlook Anywhere like this to avoid the credential pop up.

ExchangeGeek

(MCITP,Enterprise Messaging Administrator)

**My posts are provided “AS IS” without warranty of any kind**

TheExchangeGeek - I do not see options like these for an advanced setting. I am in Server 2008 R2 with Exchange 2010 and this doesn't seem to be available in IIS.

Also, although I am passing the autoconfigure tests.  I do get a new security popup prompting for credentials when I create a new profile. If I remove outlook anywhere as a selection then it seems to work fine.

Centixo, I was going through some articles and found something interesting on the "autodiscover" error code 0x80040113, 0x800C8203, 0x8004010F and 0x80072EE7.

============================================

1. Open IIS Manager, click SBS Web Application, click SSL Settings. Select Accept under Client Certificate.

2. Open Authentication
3. Enable windows authentication
4. Click Advanced settings
5. Uncheck "Enable kernel-mode Authentication"

Note: Please also check this setting for: EWS, Autodiscover, and OAB virtual directories:

6. Perform iisreset

============================================

---

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

**Note:(My posts are provided “AS IS” without warranty of any kind)

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

**My posts are provided “AS IS” without warranty of any kind**

Check this for the Client Certification error.

---

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

NOTE: If there ever are any reason to change the Authentication methods for any of the VDirs in Exchange, it should only be done in EMS or EMC. Never do it it IIS!!

One of your servers has the wrong authentication methods configured for Autodiscover:

Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : False
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True

WSSecurityAuthenticationMethod should be set to True and you should set that.
Example: Set-Autodiscovervirtualdirectory -id "SERVERNAME \Autodiscover (Default Web Site)" -WSSecurityAuthentication $True

Martina Miskovic

Check this for the Client Certification error.

---

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

**Note:(My posts are provided “AS IS” without warranty of any kind)

Check this for the Client Certification error.

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

Rhoderick - I went through your previous article and related articles on MS site. One thing I found so far was that if I ran a get-clientaccessserver and selected the autodsicoverserviceinternaluri, it gave me the local server fqdns. I changed this to the CAS Array URL instead. Now it displays:

AutoDiscoverServiceInternalUri                           AutoDiscoverSiteScope
------------------------------                           ---------------------
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}

That's OK, the answer for is that correct or not is "it depends".    The *REALLY* important thing here is do the names match what you planned out and therefore are on the certificates.  This is even more important when we have multiple Exchange sites involved. 

Does outlook.company.com resove to a single CAS or is your load balancing up and working? 

---

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Blog: http://blogs.technet.com/rmilne  Twitter:     LinkedIn:

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

outlook.company.com resolves but how do I know if load balancing is working properly? Load balancing shows it is up and running and working correctly but I wasn't sure if I could test it out easily.

Also, I ran Microsoft Exchange active sync tests and they went a little bit further this time,I noted two errors:

Rhoderick - I went through your previous article and related articles on MS site. One thing I found so far was that if I ran a get-clientaccessserver and selected the autodsicoverserviceinternaluri, it gave me the local server fqdns. I changed this to the CAS Array URL instead. Now it displays:

AutoDiscoverServiceInternalUri                           AutoDiscoverSiteScope
------------------------------                           ---------------------
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}

That's OK, the answer for is that correct or not is "it depends".    The *REALLY* important thing here is do the names match what you planned out and therefore are on the certificates.  This is even more important when we have multiple Exchange sites involved. 

Does outlook.company.com resove to a single CAS or is your load balancing up and working? 

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

I'll check the link out. After running that script for virtualdirectory, I now get an OWA error:

So users are unable to send and normally get that error.

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/ca5e5e1b-643c-47eb-8c05-1e90c91b08a3/

Hope this clarifies the things.

---

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

**Note:(My posts are provided “AS IS” without warranty of any kind)

Centixo, I was going through some articles and found something interesting on the "autodiscover" error code 0x80040113, 0x800C8203, 0x8004010F and 0x80072EE7.

============================================

1. Open IIS Manager, click SBS Web Application, click SSL Settings. Select Accept under Client Certificate.

2. Open Authentication
3. Enable windows authentication
4. Click Advanced settings
5. Uncheck "Enable kernel-mode Authentication"

Note: Please also check this setting for: EWS, Autodiscover, and OAB virtual directories:

6. Perform iisreset

============================================

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

Please stop adding and changing things in your environment.  There was no need to configure a CAS Array or NLB.

You really want to understand what is going on, fix it -> and only then start to add other complexity. 

By any chance are you doing any form of redirect so users do not have to add /OWA or use https:// for the URL?

---

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Blog: http://blogs.technet.com/rmilne  Twitter:     LinkedIn:

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

That's right. Adding CAS array will give you HA but it can't resolve existing problem. This change should be done after the current issue is cleared.

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Please stop adding and changing things in your environment.  There was no need to configure a CAS Array or NLB.

You really want to understand what is going on, fix it -> and only then start to add other complexity. 

By any chance are you doing any form of redirect so users do not have to add /OWA or use https:// for the URL?

---

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Blog: http://blogs.technet.com/rmilne  Twitter:     LinkedIn:

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Rhoderick _ I am sure you are right there. However CAS Array should have been setup which never was done before hand (since there are two CAS devices).

You are spot on with the redirect. I think this might be causing an issue and I thought I addressed it properly but maybe not. I have users go to "mail.company.com" and then it redirects them to -> "https://mail.company.com/owa". What I do is change it here:

What I have noticed is that it changes subsite paths. So I go into EWS/ecp/Autodiscover and I untick the 'Redirect requests to this destination'. But I am not sure if there is anything else that modified those screens.

Yup - I do see this from time to time. 

http://blogs.technet.com/b/rmilne/archive/2012/08/10/solving-additional-issues-with-exchange-oab-download.aspx

With the regular doc here http://technet.microsoft.com/en-us/library/aa998359.aspx

Can you make sure that is all set?

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

1PointeAdmin - I actually had a new SSL cert rekeyed that includes the new cas server. I loaded it onto the first and then exported and imported it into the second. They are both using it for their services. It seems to work well when accessing owa but autodsicover fails. The old CAS is sort of gone - I brought a new server online and gave it the same hostname as the old cas.

PSComputerName                       : cas01.domain.local
RunspaceId                           : 1c820f5e-0018-467c-8a43-7c7ef45f8186
Name                                 : CAS01
Fqdn                                 : CAS01.domain.local
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : HYCAS01
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://outlook.company.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=HYCAS01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admi
                                       nistrative Groups,CN=Hytorc Organization,CN=Microsoft Exchange,CN=Services,CN=Co
                                       nfiguration,DC=domain,DC=local
Identity                             : HYCAS01
Guid                                 : 9be8e5c4-ef7d-4e45-be27-751f41c7395a
ObjectCategory                       : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 10/15/2012 11:55:59 AM
WhenCreated                          : 10/9/2012 11:20:30 AM
WhenChangedUTC                       : 10/15/2012 3:55:59 PM
WhenCreatedUTC                       : 10/9/2012 3:20:30 PM
OrganizationId                       :
OriginatingServer                    : JETDC01.domain.local

PSComputerName                       : hycas01.domain.local
RunspaceId                           : 1c820f5e-0018-467c-8a43-7c7ef45f8186
Name                                 : HYMAIL01
Fqdn                                 : HYMAIL01.domain.local
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : HYMAIL01
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://outlook.company.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site-Name}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=HYMAIL01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Adm
                                       inistrative Groups,CN=Hytorc Organization,CN=Microsoft Exchange,CN=Services,CN=C
                                       onfiguration,DC=domain,DC=local
Identity                             : HYMAIL01
Guid                                 : 5821fbee-4628-4fde-b5b2-4e48fc3535c3
ObjectCategory                       : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 10/15/2012 11:57:20 AM
WhenCreated                          : 10/14/2012 5:36:39 PM
WhenChangedUTC                       : 10/15/2012 3:57:20 PM
WhenCreatedUTC                       : 10/14/2012 9:36:39 PM
OrganizationId                       :
OriginatingServer                    : JETDC01.domain.local`

Please stop adding and changing things in your environment.  There was no need to configure a CAS Array or NLB.

You really want to understand what is going on, fix it -> and only then start to add other complexity. 

By any chance are you doing any form of redirect so users do not have to add /OWA or use https:// for the URL?

---

Cheers,

Rhoderick

Microsoft Premier Field Engineer, Exchange

Blog: http://blogs.technet.com/rmilne  Twitter:     LinkedIn:

Note: My posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Rhoderick - I went through your previous article and related articles on MS site. One thing I found so far was that if I ran a get-clientaccessserver and selected the autodsicoverserviceinternaluri, it gave me the local server fqdns. I changed this to the CAS Array URL instead. Now it displays:

AutoDiscoverServiceInternalUri                           AutoDiscoverSiteScope
------------------------------                           ---------------------
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}
https://outlook.company.com/autodiscover/autodiscover.xml {Default-First-Site-Name}

I'll check the link out. After running that script for virtualdirectory, I now get an OWA error:

So users are unable to send and normally get that error.

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/ca5e5e1b-643c-47eb-8c05-1e90c91b08a3/

Hope this clarifies the things.

ExchangeGeek (MCITP,Enterprise Messaging Administrator)

***Don't forget to mark helpful or answer***

It looks like one of the CAS servers does not have the cert req installed in iis, which is why https: fails as the server is trying to use http?

Another thing is it looks like your old CAS is still in the config somewhere?

do you have all servers using ssl on the cert?

your authentication process popup usually means you have to create a new mail profile in outlook for users but there seems to be more issues than a auth change in the client profile.

get-clientaccessserver | fl*

post results please again. I would not have created NLB until I had the auth issue fixed?

MSP Provider (Network,Hardware,Software,WAN/LAN,Exchange,WiFi,Cisco Controllers/Routers/Switches/AP Autonomous/LWAPP)