Exchange 2010 AutoDiscover issue

When I open Outlook, it prompts for a username and password to log on to autodiscover.domain.com. I followed the steps from "Deploying F5 with MS Exchange Server 2010".

If I change the IP address for autodiscover.domain.com to point to one of the CAS servers, Outlook opens with no issue. But if I change the IP address for autodiscover.domain.com to point to the F5 VIP, Outlook prompts for a username and password. Also, the "Test E-mail AutoConfiguration" test fails with the error "Autoconfiguration was unable to determine your settings!"

I'm out of ideas.
0

Answers to this Question

Stab in the dark:

Do you have a OneConnect and NTLM profile on the virtual server? If you're not using SNAT the OneConnect profile should have a /32 source mask.

Else, you might try capturing tcpdumps for connections through LTM and direct to the CAS server to compare what's happening when it fails with successes.

Aaron
0
Also, did you follow the F5 Deployment Guide for Exchange? What version are you running on your F5 gear?
0
hoolio - Yes, I have both OneConnect and NTLM profiles on the VIP. I'm not using SNAT. I did try the OneConnect profile with a /32 source mask. No luck!

Michael K. - Yes, I did follow the F5 Deployment Guide. I'm using version 10.2.0.
0
What's the output of https://www.testexchangeconnectivity.com/ and the "Outlook Autodiscover" or "Exchange ActiveSync Autodiscover" tests? I've got a sneaking suspicion that you've got a certificate name mismatch somewhere; if so, this test will put some big 'ol bells-n-arrows on it.

This is a Microsoft-operated site; you should use it with a test account (it'll tell you so). When the test is complete, click the "Expand All" dropdown at the top of the screen and look for any red "X" in a circle -- the ones down near the bottom probably describe your issue.
0
Joel brings up an excellent point - that site often exposes issues that are not easily visible to the naked eye.  Also, have you made sure that the SSL certificates are the same on the CAS server and on the F5 device? 
0
SSL certificates are the same on the CAS server and F5 device. I have no issue with the OWA, only Internal Outlook.

I ran https://www.testexchangeconnectivity.com and I don't think it will help because the test queries the top-level domain based on the email address. Headquarters forwards all incoming mail to our site.
0
I think it has to do with permissions.

From IE, I was able to open the XML page by typing https:\\IP_address\autodiscover\autodiscover.xml for both of the CAS servers with no issue.

When I typed https:\\F5_IP_address\autodiscover\autodiscover.xml, it prompted me with a username and password window.


0
In my environment, whenever I use IP address in place of hostname I get prompted for authentication no matter whether I'm going direct to CAS or via the F5. This makes sense because the bare IP address in the URL wouldn't be considered an IE "Trusted Site" so it wouldn't attempt automatic NTLM authentication with it. It would prompt me to manually enter the authentication.

What happens if you set a host file entry for "autodiscover.site.com" pointed at the F5 IP address, then try the request in IE as "https://autodiscover.site.com/autodiscover/autodiscover.xml"? Make sure to remove the entry later after you test. :>

I've seen four main things go wrong with autodiscovery on Exchange 2010 -- the cert on the autodiscover site does not have the "autodiscover" name set as either a primary or SubjectAlternativeName, the cert for autodiscover is not able to be verified from a trust perspective (self-signed or unknown CA), the Outlook profile has the wrong Authentication Type set for Outlook Anywhere connectivity, or the configured Redirect URL on the autodiscover site itself is incorrect. In your case, it sounds like when passing through the F5 VIP the system has some reason to believe that it can no longer do automatic Windows integrated authentication -- this could occur as the result of a certificate mismatch or a failure to believe the site can be classified as trusted.
0

I have this same issue. I am using SNAT. Try disabling basic authentication on your autodiscover virtual directory. It should now work. However, I am having issues with mobile devices once this setting is disabled. It seems to use basic auth to start and then NTLM afterwards. I have also found this article:

http://support.f5.com/kb/en-us/solu...=14001102v


I am unsure if this is the right track or not... 

0
Autodiscover should be configured to allow Basic Auth because otherwise mobile clients won't be able to authenticate to the Autodiscover service, since they don't support NTLM auth.

I did some more digging in my lab environment and have been able to reproduce the behavior that I believe has been described in this thread, and I believe the previous post was right on the money - the culprit is this:

http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11110.html?sr=14001102v

My default setup is on Windows 2008 R2, and IIS 7.5 is set to use Negotiate headers, which apparently breaks due to the bug described in SOL11110 above.  I went into IIS Management interface, and removed Negotiate as a Provider under Autodiscover directory Windows Authentication section - and the pop-ups disappeared!  I am attaching a screenshot of IIS 7.5 config screen:



0
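Two suggestions from this thread combine into one check: compare what a CAS server returns directly with what comes back through the F5 VIP, and see whether Negotiate is still among the offered authentication providers. The following is an added example, not code posted by any participant; the two 401 responses are constructed samples and the function names are hypothetical.

```python
# Added example, not from the thread. Both responses are constructed samples
# of the header block a client receives before it has authenticated.
DIRECT_TO_CAS = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="autodiscover.domain.com"\r\n'
    "\r\n"
)
VIA_F5_VIP = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "www-authenticate: NTLM\r\n"
    'www-authenticate: Basic realm="autodiscover.domain.com"\r\n'
    "\r\n"
)


def auth_schemes(raw_response):
    """Return (status_code, [scheme, ...]) from a raw HTTP response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = head[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % head[0])
    schemes = []
    for line in head[1:]:
        name, sep, value = line.partition(":")
        # Header names are case-insensitive; one challenge per header line.
        if sep and name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0])
    return int(parts[1]), schemes


def compare_paths(direct_raw, vip_raw):
    """Diff the schemes offered by a CAS server directly and via the VIP."""
    d_status, direct = auth_schemes(direct_raw)
    v_status, vip = auth_schemes(vip_raw)
    d_low, v_low = [s.lower() for s in direct], [s.lower() for s in vip]
    return {
        "status": (d_status, v_status),
        "only_direct": [s for s in direct if s.lower() not in v_low],
        "only_vip": [s for s in vip if s.lower() not in d_low],
        "negotiate_via_vip": "negotiate" in v_low,
        # Integrated Windows auth needs NTLM or Negotiate to be on offer.
        "integrated_via_vip": any(s in ("negotiate", "ntlm") for s in v_low),
    }


if __name__ == "__main__":
    print(compare_paths(DIRECT_TO_CAS, VIA_F5_VIP))
```

Real input for each path can be captured with `curl -s -D - -o /dev/null` against the autodiscover.xml URL, once with the hostname resolving to a CAS server and once resolving to the VIP.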
Hate to bring up an old topic.. but I'm having the exact same problem. Accessing autodiscover via the VIP prompts for authentication, accessing it directly on the CAS box does not. I have also removed "Negotiate" as a provider as Michael pointed out. Any other ideas?
0
Josh, are you doing SSL offload? If so, make sure that the Autodiscover vdir is not requiring SSL. I have had that problem. Sometimes patching causes that setting to get re-enabled.
0
I was having the same issue. Every time I opened Office Outlook it was asking for a username and password, and it was prompting again when we kept the machine idle for some time.

I have installed the certificate locally on the machine for testing and now it is not asking for the username and password.

Are there any other suggestions for this issue? Can we offload the certificate in F5 to overcome this issue? Any ideas?

I have used the template to configure the VS in F5. Only the RPC VS is configured.
0
Mathew,

Can you please elaborate on what exactly you did when you say you installed the certificate locally? Do you mean locally on the CAS server or on the client machine? What version of BigIP are you running and which template did you use?
0
Hi Michael,

Thank you for your question.

Not on the CAS servers. I installed the certificate on client machines, which was downloaded from the CAS servers.

The BIG-IP version I am running is 10.2.0. I used the template which is available in F5 10.2.0 for Exchange 2010.
0
Did you follow all the instructions in the Deployment Guide for 10.2.x from this link? There are some iRules you need to add to deal with Autodiscover issues in 10.2.x.

http://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf
0