Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Outlook Anywhere - IIS7

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Outlook Anywhere - IIS7 Page: [1]
Login
Message << Older Topic   Newer Topic >>
Outlook Anywhere - IIS7 - 31.Jul.2008 1:07:38 PM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		Hi all,
 
I've recently published OWA/active sync/rpc . . .  and all has worked fine thanks to the brilliant info on this site.
 
I tried following the guide "Publishing Exchange 2007 Outlook Autodiscover with 2006 ISA” and seem to have run into authentication troubles.
 
Windows 2008 uses IIS7 so I needed to purchase an SSL (https:// Autodiscover.domain.com) as you do not get the option to "Store certificate in local computer certificate store” when requesting a web server certificate. That and the fact I'm using LDAP authentication on the web listener is the only difference on my system to the manual.
 
Basically when attempting to use the auto account setup in outlook 2007 it promtps me to "allow this website to configure email@domain.com server settings?” https://autodiscover.domain.com/autodiscover.xml, I click allow and then after time it fails.
 
In the ISA2006 logging the status does says Status: 12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.
 
BUT the strange thing is, if I manually type in all the outlook anywhere details in outlook2007 it connects fine??? Ie msstd:autodiscover.domain.com connects via https perfectly.
 
Please check here for screen shots of interest.
 http://img179.imageshack.us/my.php?image=captureca2.jpg
 
Any help is appreciated.
 
Thanks
 
Wilde

< Message edited by wilde -- 4.Aug.2008 9:54:29 AM >
Post #: 1
RE: Outlook Anywhere - IIS7 - 1.Aug.2008 12:34:53 PM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		Hi all,

I think the issue could be related to the virtual directory "AutoDiscover"  not using the autodiscover.domain.com certificate, it is using the exchange.domain.com certificate.

Could this be the issue, if so how do I choose what certificate the virtual directory uses (remember i'm using IIS7 on windows 2008)???

(in reply to wilde)
Post #: 2
RE: Outlook Anywhere - IIS7 - 4.Aug.2008 9:55:27 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		Hi John, thanks for the input.

I now don't believe the issue is certificate related.

Externally
https://autodiscover.domain.com/autodiscover/autodiscover.xml resolves to
https://autodiscover.domain.com/CookieAuth.dll?GetLogon?curl=Z2FautodiscoverZ2Fautodiscover.xml&reason=0&formdir=3
which is an ISA2006 logon page (similar to OWA)

On this page the certificate does show as autodiscover.domain.com.

After logging on I receive the error below

  <?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="14:36:22.9459365" Id="2884917732">
  <ErrorCode>600</ErrorCode>
  <Message>Invalid Request</Message>
  <DebugData />
  </Error>
  </Response>
  </Autodiscover>


I'm extremley close to giving up now, ANY HELP is appreciated!!!

Thanks

Wilde

(in reply to wilde)
Post #: 3
RE: Outlook Anywhere - IIS7 - 4.Aug.2008 6:56:04 PM   
Jason Jones

 

Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		What authentication do you have enabled on the /autodiscover virtual directory in IIS?

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to wilde)
Post #: 4
RE: Outlook Anywhere - IIS7 - 5.Aug.2008 4:27:20 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline
quote:

ORIGINAL: Jason Jones

What authentication do you have enabled on the /autodiscover virtual directory in IIS?



Basic and Windows, I've tried with Anonymous but that didn't work and application log complained.

(in reply to Jason Jones)
Post #: 5
RE: Outlook Anywhere - IIS7 - 6.Aug.2008 12:08:23 PM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		does it matter that internally autodiscover does not add the outlook anywhere settings into outlook 2007?

Any help is welcome, i'm really stumped on this one.

(in reply to wilde)
Post #: 6
RE: Outlook Anywhere - IIS7 - 8.Aug.2008 8:02:00 AM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		Hi all,

Could these errors have anything to do with autodiscover not working?
I'm clutching a straws here, autodiscover works fine internally but not externally.

Event Type: Warning
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 21317
Date:  07/08/2008
Time:  20:17:35
User:  N/A
Computer: KHISA
Description:
ISA Server detected that the Web Publishing rule 2007 ActiveSync specifies HTTPS connections to the published server or server farm,
while the Web listener used in the rule specifies HTTP connections from clients. In this configuration,
HTTPS links will be translated to HTTP links, which may compromise security. You can prevent this behavior by adding global mappings to the link translation settings.
To do this, in the console tree of ISA Server Management click Configuration and click General. Then, in the details pane, click Configure Link Translation,
and on the Global Mappings tab, use the Add button to create additional global mappings.




(in reply to wilde)
Post #: 7
RE: Outlook Anywhere - IIS7 - 8.Aug.2008 8:11:56 AM   
Jason Jones

 

Posts: 2152
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: wilde

Hi all,

Could these errors have anything to do with autodiscover not working?
I'm clutching a straws here, autodiscover works fine internally but not externally.

Event Type: Warning
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 21317
Date:  07/08/2008
Time:  20:17:35
User:  N/A
Computer: KHISA
Description:
ISA Server detected that the Web Publishing rule 2007 ActiveSync specifies HTTPS connections to the published server or server farm,
while the Web listener used in the rule specifies HTTP connections from clients. In this configuration,
HTTPS links will be translated to HTTP links, which may compromise security. You can prevent this behavior by adding global mappings to the link translation settings.
To do this, in the console tree of ISA Server Management click Configuration and click General. Then, in the details pane, click Configure Link Translation,
and on the Global Mappings tab, use the Add button to create additional global mappings.






You would need to use SSL bridging for this to work - the error seems to imply you are not doing this? How is you listener configured?

My article may help define some of the elements you need:

http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html

Cheers

JJ 

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to wilde)
Post #: 8
RE: Outlook Anywhere - IIS7 - 8.Aug.2008 12:37:03 PM   
wilde

 

Posts: 50
Joined: 25.Jul.2007
Status: offline 		Hi Jason, many thanks for the reply.


I have used this guide to configure the ssl - http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html

i'll post the settings anyway.
Listener:
  • Networks - External = 2 external IP's, one resolves to KHEXG.domain.com and the other autodiscover.domain.com

                - Internal = the internal IP address of the isa server
  • Connections - enable Http and Https, redirect from http to http
  • Certificates - internal khexg.domain.com, external autodiscover.domain.com, external autodiscover.domain.com
  • SSO - enabled
  • Forms - Allow password changes
  • Authentication - html form authentication - LDAP (I have tried windows active directory and get the same result).


Outlook anywhere rule
  • Bridging - SSL 443 to the web server.
  • Authentication - Basic, I have tried with NTLM but keep getting prompted for password even internally.


If I manually put in these settings



Externally I can connect with out any issue, internally I can connect but recieve this error.


Below is a screen shot of ISA2006 SP1 logs when setting up outlook 2007 trying to use auto discover.




Thanks again

Wilde

(in reply to Jason Jones)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Exchange Publishing >> Outlook Anywhere - IIS7 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts