Welcome to ISAserver.org


Discussion About article on Publishing Autodiscover Service

Discussion About article on Publishing Autodiscover Ser... - 23.Oct.2007 8:56:16 AM   
tshinder

 

Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
This thread is for discussing the article about publishing the autodiscover service at http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion About article on Publishing Autodiscover... - 2.Jan.2008 3:38:21 PM   
bullerj

 

Posts: 1
Joined: 2.Jan.2008
Status: offline
After following the tutorial I can now have my two sites on one listener, but I am getting a login prompt for the autodiscover service.  Even my internal users are getting the login prompt.  Does anyone know what the trick is to get this to work seamlessly?

FYI-I do have my internal users going to the ISA box as well.

Thanks

(in reply to tshinder)
Post #: 2
RE: Discussion About article on Publishing Autodiscover... - 14.Jul.2008 6:13:40 AM   
Levwinski

 

Posts: 23
Joined: 11.Dec.2007
From: Turkey
Status: offline
Having read through the article, I have what is perhaps a silly question. We need two IP addresses so we can bind two certificates (owa.domain.com and autodiscover.domain.com) - why not use one IP address bound to *.domain.com?

(in reply to bullerj)
Post #: 3
RE: Discussion About article on Publishing Autodiscover... - 14.Jul.2008 7:02:15 AM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You can - however be aware that I have had some problems with using wildcards and publishing Exchange 2007, especially relating to Outlook Anywhere and autodiscovery.

The main issue I have found is that a wildcard cert breaks the Outlook autodiscovery wizard, not the end of the world, but quite annoying. I am still not 100% sure, but I think it is a bug in Outlook in terms of how it copes with a wildcard due to the MSSTD parameter needing to be different. If you ignore the wizards and define all of the Outlook HTTP proxy settings manually, it works fine, but the wizard just doesn't seem to be able to cope with auto defining 'msstd:*.domain.com'.

Based upon this limitation, I have moved back to individual certs on the deployments I have done until there is a better fix.

Cheers

JJ 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Levwinski)
Post #: 4
RE: Discussion About article on Publishing Autodiscover... - 14.Jul.2008 8:56:00 AM   
tshinder

 

Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Jason,

Great info!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 5
RE: Discussion About article on Publishing Autodiscover... - 14.Jul.2008 9:15:09 AM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: tshinder

Hi Jason,

Great info!

Thanks!
Tom


Great, but very painful finding it out!  

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 6
RE: Discussion About article on Publishing Autodiscover... - 15.Jul.2008 7:58:25 AM   
tshinder

 

Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Jason,

We appreciate you going through the pain for us!

:)

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 7
RE: Discussion About article on Publishing Autodiscover... - 17.Jul.2008 5:09:00 AM   
Levwinski

 

Posts: 23
Joined: 11.Dec.2007
From: Turkey
Status: offline
A wildcard certificate on both the Exchange and ISA SSL Listener is working for me. However, the caveat is that it would not work without a split DNS; my internal and external domain names are the same, so an Outlook client looking for netbios.domain.com will work fine.

With regards to breaking the wizard, the workaround for this (so far seems ok, fingers crossed) is to set EXPR settings in the command shell: Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.domain.com

(This would not work for me until I reset IIS)

This made my autodiscover mail setup wizard work and enabled all the proper settings without any manual intervention.

Not sure if it matters, but I am on SP1 on Exchange, Outlook, and ISA.

(in reply to tshinder)
Post #: 8
RE: Discussion About article on Publishing Autodiscover... - 17.Jul.2008 9:43:41 AM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Levwinski

A wildcard certificate on both the Exchange and ISA SSL Listener is working for me. However, the caveat is that it would not work without a split DNS; my internal and external domain names are the same, so an Outlook client looking for netbios.domain.com will work fine.

With regards to breaking the wizard, the workaround for this (so far seems ok, fingers crossed) is to set EXPR settings in the command shell: Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.domain.com

(This would not work for me until I reset IIS)

This made my autodiscover mail setup wizard work and enabled all the proper settings without any manual intervention.

Not sure if it matters, but I am on SP1 on Exchange, Outlook, and ISA.


Hi Lev,

I was pretty sure I made the outlookprovider changes too, but maybe it was the IIS reset that got me

Are you using NTLM authentication (pre-authenticated at ISA) for Outlook Anywhere? As this may be the difference in our setup...my symptoms included being repeatedly prompted for authentication when the wizard was running. With the manual changes (e.g. not using the wizard) I get no prompts and cached credentials failed to keep Exchange happy...

Will have to try this again to see...but thanks for the info!

Cheers

JJ

< Message edited by Jason Jones -- 17.Jul.2008 9:46:19 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Levwinski)
Post #: 9
RE: Discussion About article on Publishing Autodiscover... - 17.Jul.2008 11:01:49 AM   
Levwinski

 

Posts: 23
Joined: 11.Dec.2007
From: Turkey
Status: offline
Both Basic & NTLM (though more about NTLM at the end)..

Here is the setup I used (much of it from Elan Shudnow):

Paths for EWS, OAB, UM set in PowerShell to

internal: cas.domain.com
external: mail.domain.com

Make the settings in IIS for Basic, and force 128bit for OAB.

Enable Outlook Anywhere, mail.domain.com - Basic

Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.domain.com

Make Outlook Anywhere rule as per Tom's 7 part Exchange 2007 series.

Make another rule, a copy of the first, leave only autodiscover in paths and have it accept requests for autodiscover.domain.com. Delete the autodiscover path from the first rule.

An IIS reset and this worked for me, bringing to Outlook the msstd:*.domain.com and setting authentication to basic, straight off the wizard. Before the IIS reset, I was getting repeated login prompts and the principal name would stay as mail.domain.com.

To make NTLM work, I had to change the Outlook Anywhere enable screen setting to NTLM, and change both rules on ISA so Any User instead of Any Authenticated User, and I also had to set authentication to No delegation but may authenticate directly. The Outlook client picked up the change when I reran the wizard.

Presently my situation is that I either carry on with NTLM in this manner for Anywhere and SharePoint lists and lose all ISA control of who comes in and who does not (lots of internal users are not meant to have outside access but now do) or use Basic and cause people umpteen logins.

Anyone with a solution to this might just save my standing...

(in reply to Jason Jones)
Post #: 10
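The Exchange Management Shell side of the setup described in the post above, collected into one script as an added example (this is not code from the thread, from Levwinski, or from the linked article). It assumes a single Exchange 2007 SP1 Client Access Server named CAS01 whose virtual directories live under "Default Web Site", the placeholder names cas.domain.com (internal), mail.domain.com (external) and autodiscover.domain.com, and split DNS so the internal name resolves on both sides; the parameter name -DefaultAuthenticationMethod is the SP1 spelling and is also an assumption about the version in use. The read-back at the end is there so the msstd value can be checked for exactly the kind of typo (".*" instead of "*.") that silently leaves the wizard broken:

```powershell
# Added example, not from the thread: Exchange 2007 SP1 Management Shell steps for a
# wildcard-certificate deployment behind ISA, followed by a read-back check.
# Placeholders (assumed): CAS01, cas.domain.com, mail.domain.com, autodiscover.domain.com.

$Cas          = 'CAS01'
$InternalHost = 'cas.domain.com'          # internal name, resolved via split DNS
$ExternalHost = 'mail.domain.com'         # published name on the ISA listener
$AutodHost    = 'autodiscover.domain.com' # second published name, same listener
$Principal    = 'msstd:*.domain.com'      # what Outlook must see in the wildcard cert

# "Paths for EWS, OAB, UM set in PowerShell": internal and external URLs per service.
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$InternalHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$ExternalHost/EWS/Exchange.asmx"

# OAB: force SSL so the OAB download cannot fall back to clear text.
Set-OABVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$InternalHost/OAB" `
    -ExternalUrl "https://$ExternalHost/OAB" `
    -RequireSSL $true

Set-UMVirtualDirectory -Identity "$Cas\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "https://$InternalHost/UnifiedMessaging/Service.asmx" `
    -ExternalUrl "https://$ExternalHost/UnifiedMessaging/Service.asmx"

# Internal Autodiscover SCP must also be a name the wildcard certificate covers.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AutodHost/Autodiscover/Autodiscover.xml"

# "Enable Outlook Anywhere, mail.domain.com - Basic" (switch to Ntlm for the
# pre-authenticated variant discussed later in the thread).
Enable-OutlookAnywhere -Server $Cas -ExternalHostname $ExternalHost `
    -DefaultAuthenticationMethod Basic -SSLOffloading $false

# The EXPR fix from the thread. Single quotes keep the shell from touching the '*'.
Set-OutlookProvider -Identity EXPR -CertPrincipalName $Principal

# The posts note that nothing took effect until IIS was restarted.
iisreset

# Read-back check: a wrong principal name (e.g. 'msstd:.*domain.com') is the
# difference between a working wizard and endless credential prompts.
$expr = Get-OutlookProvider -Identity EXPR
if ($expr.CertPrincipalName -ne $Principal) {
    Write-Warning "EXPR CertPrincipalName is '$($expr.CertPrincipalName)', expected '$Principal'"
}
Get-OutlookAnywhere -Server $Cas | Format-List ExternalHostname, DefaultAuthenticationMethod

# End-to-end check from the CAS for one test mailbox (placeholder address).
Test-OutlookWebServices -Identity 'user@domain.com' | Format-List
```

Run it from the Exchange Management Shell on the CAS; after the IIS reset, the Test-OutlookWebServices output should show the Autodiscover, EWS and OAB steps succeeding against the names set above, and the Outlook profile wizard should then pick up the msstd value without manual proxy settings.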
RE: Discussion About article on Publishing Autodiscover... - 17.Jul.2008 7:47:14 PM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ah right, that is the difference, you are not pre-authenticating at ISA at all, whereas I am...the issue with the wildcards and the wizard only manifests itself when you are using NTLM and pre-authenticating Outlook Anywhere connections with ISA.

I should have a blog post soon which shows how to do NTLM pre-auth at ISA and then use KCD to delegate these credentials onto Exchange for a completely transparent OA authentication process for machines that are domain members with cached credentials...the solution should work for SharePoint too...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Levwinski)
Post #: 11
RE: Discussion About article on Publishing Autodiscover... - 18.Jul.2008 6:05:03 AM   
Levwinski

 

Posts: 23
Joined: 11.Dec.2007
From: Turkey
Status: offline
Hi Jason

Is there any chance I can have a quick & dirty version of that write-up? Even if it's incomplete and I have to trial and error to fill the blanks, it would be a huge help.

I guess that would involve giving up FBA though, unless I get a second IP address for a new listener.

< Message edited by Levwinski -- 18.Jul.2008 9:16:08 AM >

(in reply to Jason Jones)
Post #: 12
RE: Discussion About article on Publishing Autodiscover... - 18.Jul.2008 10:05:51 AM   
tshinder

 

Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hey guys,

Fantastic discussion! I'm looking forward to the pieces falling together.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Levwinski)
Post #: 13
RE: Discussion About article on Publishing Autodiscover... - 18.Jul.2008 6:49:02 PM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: Levwinski

Hi Jason

Is there any chance I can have a quick & dirty version of that write-up? Even if it's incomplete and I have to trial and error to fill the blanks, it would be a huge help.

I guess that would involve giving up FBA though, unless I get a second IP address for a new listener.


Yep, you will need two IP addresses as it is not possible to do everything on a single listener unfortunately...

Drop me a PM with your email address and I will send over some screenshots. However, I hope to have something a bit more 'together' on my blog next week...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Levwinski)
Post #: 14
RE: Discussion About article on Publishing Autodiscover... - 21.Jul.2008 4:42:35 AM   
Levwinski

 

Posts: 23
Joined: 11.Dec.2007
From: Turkey
Status: offline
Thanks a lot Jason, much appreciated. If it's going to be as soon as that, I'll just wait for the full version. Thanks again.

(in reply to Jason Jones)
Post #: 15
RE: Discussion About article on Publishing Autodiscover... - 24.Jul.2008 9:36:02 AM   
henning

 

Posts: 3
Joined: 19.Jan.2004
From: Bergen, Norway
Status: offline
First off, I just want to say thanks to all you folks out there for writing all those wonderful life saving articles. A special thanks to Tom for his insight and hard work.

Most of the time I have just been lurking around soaking up a lot of knowledge here. This time I'd like to share some frustration regarding Exchange 2007.

These days, when wildcard certs are getting so cheap, around $500 for a 3-year GoDaddy cert (seems that I cannot bind to the UM service), I cannot understand that Exchange 2007 documents do not more clearly specify all prereqs needed to make this work. They even state in an article that you're almost "home free" if using one. Of course I ended up struggling with the Autodiscover service not working with Outlook's wizard. If it wasn't for Levwinski's Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.mydomain.com, I would probably still be banging my head against the wall. :)

I do still have some problems:

One TS running WS 2003 x86 with Outlook 2007 SP1 installed works flawlessly, even when a user hits the repair profile (a refresh to the autodiscover service is made, reading the latest info). A GPO is set telling Outlook not to invoke the new profile wizard but to read the user's email from AD; all perfect.

One TS running WS 2008 x64 with the exact same setup, joined to the same domain, Outlook 2007 SP1. On this server the wizard aborts on the last stage claiming it cannot connect to Exchange, presenting the dialog to enter the Exchange server name and an appropriate user name; the Exchange FQDN server name is there together with the =SMTP:username@domain.com. Hitting check name gives the same error. If entering the DC/GC name in the server field I do get names underlined when hitting check name, but after that still no connect. Checking the autodiscover diagnostic log, everything looks fine: Configuration was generated for user@domain.com.


I would appreciate it, if anyone can shed some light on this

Regarding the KCD auth, I think I've got it working. In addition to Jason Jones' comprehensive list, the clue is: Make sure the ISA server's computer object in AD has been delegated -> Trust this computer for delegation to specified services only -> Use any authentication protocol -> service: http, computer: yourCAS.fqdn.com

I forgot to mention that I have an equal namespace internally/externally with a split DNS.


Regards
Henning Søilen
Senior Consultant
Norway

< Message edited by henning -- 24.Jul.2008 9:41:05 AM >

(in reply to Levwinski)
Post #: 16
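The delegation setting henning describes above is done in the Active Directory Users and Computers GUI; the script below is an added example (not from the thread or from henning's post) that sets the same two things on the ISA server's computer object from PowerShell and then reads them back, so the scope of the delegation can be checked. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later, which is newer than the thread), an ISA computer account named ISA01 and a CAS at cas.domain.com; both names are placeholders:

```powershell
# Added example, not from the thread: Kerberos constrained delegation for ISA -> CAS
# via the ActiveDirectory module (assumed available). Placeholders: ISA01, cas.domain.com.
Import-Module ActiveDirectory

$IsaComputer = 'ISA01'
$CasSpn      = 'http/cas.domain.com'   # "service: http, computer: yourCAS.fqdn.com"

# "Trust this computer for delegation to specified services only":
# the allowed targets live in msDS-AllowedToDelegateTo on the ISA computer object.
Set-ADComputer -Identity $IsaComputer -Add @{ 'msDS-AllowedToDelegateTo' = $CasSpn }

# "Use any authentication protocol": protocol transition, so ISA can turn its own
# NTLM / forms pre-authentication into a Kerberos service ticket for the CAS.
Get-ADComputer -Identity $IsaComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Read back and check the blast radius. Anything beyond the single CAS HTTP SPN,
# or unconstrained delegation (TrustedForDelegation), means a compromised ISA host
# could impersonate users to more services than Outlook Anywhere needs.
$obj = Get-ADComputer -Identity $IsaComputer `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation

$targets = @($obj.'msDS-AllowedToDelegateTo')
if ($obj.TrustedForDelegation) {
    Write-Warning "$IsaComputer is trusted for UNCONSTRAINED delegation; expected constrained only"
}
if (-not $obj.TrustedToAuthForDelegation) {
    Write-Warning "$IsaComputer lacks 'use any authentication protocol'; NTLM/FBA pre-auth cannot be delegated"
}
$extra = $targets | Where-Object { $_ -ne $CasSpn }
if ($extra) {
    Write-Warning "Delegation targets beyond the CAS: $($extra -join ', ')"
}
$targets
```

The CAS-side SPN (http/cas.domain.com) has to resolve to a registered service principal, and the ISA rule must be set to Kerberos constrained delegation for the same SPN; this script only covers the AD object side of that pairing.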
RE: Discussion About article on Publishing Autodiscover... - 24.Jul.2008 11:52:57 AM   
henning

 

Posts: 3
Joined: 19.Jan.2004
From: Bergen, Norway
Status: offline
Phew!! Just found a solution to my problem, and IT WORKS.

http://technet.microsoft.com/en-us/library/cc671176(EXCHG.80).aspx


Regards
Henning

(in reply to henning)
Post #: 17
RE: Discussion About article on Publishing Autodiscover... - 30.Jul.2008 8:57:22 AM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi All,

Blog entry published at last!

http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Hope it helps...

Feel free to provide feedback for areas that need additional explanation or clarification.

Enjoy

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to henning)
Post #: 18
RE: Discussion About article on Publishing Autodiscover... - 4.Aug.2008 7:03:32 PM   
Jason Jones

 

Posts: 3918
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Another article added for Exchange 2007 - this time OWA and the document access feature:

http://blog.msfirewall.org.uk/2008/08/publishing-exchange-2007-services-with.html

Enjoy!

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Jason Jones)
Post #: 19
RE: Discussion About article on Publishing Autodiscover... - 5.Aug.2008 8:59:57 AM   
tshinder

 

Posts: 49328
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Jason,
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 20
