Discussion About article on Publishing Autodiscover Service

Discussion About article on Publishing Autodiscover Service (Full Version)

All Forums >> [ISA 2006 General] >> General

Message

tshinder -> Discussion About article on Publishing Autodiscover Service (23.Oct.2007 8:56:16 AM)
This thread is for discussing the article about publishing the autodiscover service at http://www.isaserver.org/tutorials/Publishing-Exchange-2007-Outlook-Autodiscover-2006-ISA-Firewalls.html HTH, Tom

bullerj -> RE: Discussion About article on Publishing Autodiscover Service (2.Jan.2008 3:38:21 PM)
After following the tutorial I can now have my two sites on one listener, but I am getting a login prompt for the autodiscover service. Even my internal users are getting the login prompt. Does anyone know what the trick is to get this to work seamlessly? FYI-I do have my internal users going to the ISA box as well. Thanks

Levwinski -> RE: Discussion About article on Publishing Autodiscover Service (14.Jul.2008 6:13:40 AM)
Having read through the article, I have what is perhaps a silly question. We need two IP addresses so we can bind two certificates (owa.domain.com and autodiscover.domain.com) - why not use one IP address bound to *.domain.com?

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (14.Jul.2008 7:02:15 AM)
You can - however be aware that I have had some problems with using wildcards and publishing Exchange 2007, especially relating to Outlook Anywhere and autodiscovery. The main issue I have found is that a wildcard certs breaks the Outlook autodiscovery wizard, not the end of the world, but quite annoying. I am still not 100% sure, but I think it is a bug in Outlook in terms of how if copes with a wildcard due to the MSSTD parameter needing to be different. If you ignore the wizards and define all of the outlook HTTP proxy settings manually, it works fine, but the wizard just doesnt seem to be able to cope with auto defining 'msstd:*.domain.com'. Based upon this limitation, I have moved back to individual certs on the deployments I have done until there is a better fix. Cheers JJ

tshinder -> RE: Discussion About article on Publishing Autodiscover Service (14.Jul.2008 8:56:00 AM)
Hi Jason, Great info! Thanks! Tom

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (14.Jul.2008 9:15:09 AM)
quote: ORIGINAL: tshinder Hi Jason, Great info! Thanks! Tom Great, but very painful finding it out! [:@] [8D]

tshinder -> RE: Discussion About article on Publishing Autodiscover Service (15.Jul.2008 7:58:25 AM)
Hi Jason, We appreciate you going through the pain for us! :) Tom

Levwinski -> RE: Discussion About article on Publishing Autodiscover Service (17.Jul.2008 5:09:00 AM)
A wildcard cetificate on both the Exchange and ISA SSL Listener is working for me. However, the caveat is that it would not work without a split DNS; my internal and external domain names are the same, so an Outlook client looking for netbios.domain.com will work fine. With regards to breaking the wizard, the workaround for this (so far seems ok, fingers crossed) is to set EXPR settings in the command shell: Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.domain.com (This would not work for me until I reset IIS) This made my autodiscover mail setup wizard work and enabled all the proper settings without any manual intervention. Not sure if it matters, but I am on SP1 on Exchange, Outlook, and ISA.

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (17.Jul.2008 9:43:41 AM)
quote: ORIGINAL: Levwinski A wildcard cetificate on both the Exchange and ISA SSL Listener is working for me. However, the caveat is that it would not work without a split DNS; my internal and external domain names are the same, so an Outlook client looking for netbios.domain.com will work fine. With regards to breaking the wizard, the workaround for this (so far seems ok, fingers crossed) is to set EXPR settings in the command shell: Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.domain.com (This would not work for me until I reset IIS) This made my autodiscover mail setup wizard work and enabled all the proper settings without any manual intervention. Not sure if it matters, but I am on SP1 on Exchange, Outlook, and ISA. Hi Lev, I was pretty sure I made the outlookprovider changes too, but maybe it was the IIS reset that got me [:(] Are you using NTLM authentication (pre-authenticated at ISA) for Outlook Anywhere? As this may be difference in our setup...my symptons included being repeatedly prompted for authentication when the wizard was running. With the manual changes (e.g. not using the wizard) I get no prompts and cached credentials failed to keep Exchange happy... Will have to try this again to see...but thanks for the info! [;)] Cheers JJ

Levwinski -> RE: Discussion About article on Publishing Autodiscover Service (17.Jul.2008 11:01:49 AM)
Both Basic & NTLM (though more about NTLM at the end).. Here is the setup I used (much of it from Elan Shudnow): Paths for EWS, OAB, UM set in PowerShell to internal: cas.domain.com external: mail.domain.com Make the settings in IIS for Basic, and force 128bit for OAB. Enable Outlook Anywhere, mail.domain.com - Basic Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:.domain.com Make Outlook Anywhere rule as per Tom's 7 part Exchange 2007 series. Make another rule, a copy of the first, leave only autodiscover in paths and have it accept requests for autodiscover.domain.com. Delete autodsicover path from first rule. An IIS reset and this worked for me, bringing to Outlook the msstd:.domain.com and setting authentication to basic, straight off the wizard. Before the IIS reset, I was getting repeated login prompts and the principle name would stay as mail.domain.com. To make NTLM work, I had to change the Outlook Anywhere enable screen setting to NTLM, and change both rules on ISA so Any User instead of Any Authenticated User, and I also had to set authentication to No delegation but may authenticate directly. The Outlook client picked up the change when I reran the wizard. Presently my situation is that I either carry on with NTLM in this manner for Anywhere and SharePoint lists and lose all ISA control of who comes in and who does not (lots of internal users are not meant to have outside access but now do) or use Basic and cause people umpteen logins. Anyone with a solution to this might just save my standing...

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (17.Jul.2008 7:47:14 PM)
Ah right, that is the difference, you are not pre-authenticating at ISA at all, where as I am...the issue with the wildcards and the wizard only manifests itself when you are using NTLM and pre-authenticating Outlook Anywhere connection with ISA. I should have a blog post soon which shows how to do NTLM pre-auth at ISA and then use KCD to delegate these credentials onto Exchange for a completely transparent OA authentication process for machines that are domain members with cached credentials...the soltuion should work for SharePoint too... Cheers JJ

Levwinski -> RE: Discussion About article on Publishing Autodiscover Service (18.Jul.2008 6:05:03 AM)
Hi Jason Is there any chance I can have a quick & dirty version of that write-up? Even if its incomplete and I have to trial and error to fill the blanks, it would be a huge help. I guess that would involve giving up FBA though, unless I get a second IP address for a new listener.

tshinder -> RE: Discussion About article on Publishing Autodiscover Service (18.Jul.2008 10:05:51 AM)
Hey guys, Fantastic discussion! I'm looking forward to the pieces falling together. Thanks! Tom

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (18.Jul.2008 6:49:02 PM)
quote: ORIGINAL: Levwinski Hi Jason Is there any chance I can have a quick & dirty version of that write-up? Even if its incomplete and I have to trial and error to fill the blanks, it would be a huge help. I guess that would involve giving up FBA though, unless I get a second IP address for a new listener. Yep, you will need two IP addresses as it is not possilbe to do everything on a single listener unfortunately... Drop me a PM with your email address and I will send over some screenshots. However, I hope to have something a bit more 'together' on my blog next week... Cheers JJ

Levwinski -> RE: Discussion About article on Publishing Autodiscover Service (21.Jul.2008 4:42:35 AM)
Thanks a lot Jason, much appreciated. If it's going to be as soon as that, I'll just wait for the full version. Thanks again.

henning -> RE: Discussion About article on Publishing Autodiscover Service (24.Jul.2008 9:36:02 AM)
First off, I just want to say thanks to all you folks out there for writing all those wonderful life saving articles. A special thanks to Tom for his insight and hard work. Most of the time I have just been lurking around soaking up a lot of knowledge here. This time I'd like to share some frustration regarding Exchange 2007. These days, when when wildcards certs are getting so cheap, around $500 for a 3 -year GoDaddy cert (seems that I cannot bind to UM service), I cannot understand that Exchange 2007 documents do not more clearly sepecify all prereqs needed to make this work. They even state in an article that your almost "home free" if using one. Of course I ended up struggling with the Autodiscover service not working with Outlook's wizard. If it wasn't for Lewinski's : Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.mydomain.com. I would probably still be banging my head against the wall. :) I do still have some problems: 1 TS running WS 2003 x86 with outlook 2007 SP1 installed works flawlessly, even when user hitting the repair profile (A refresh to autodiscover service is made reading the latest info) A GPO is set telling outlook not to invoke the new profile wizard but to read user's email form AD, all perfect. 1 TS running WS 2008 x64 with the exact same setup, join to the same domain, Outlook 2007 SP1. On this server the wizard aborts on the last stage claiming it cannot connect to exchange, presenting the dialog to enter Exchange server name and an appropiate user name, Exchange FQDN server name is there together with the =SMTP:username@domain.com. Hitting check name gives the same error. If entering the DC/GC name in server field I do get names underlined when hitting check name, but after that still no connect. Checking the autodiscover diagnostic log, everything looks fine: Configuration was generated for user@domain.com. I would appreciate it, if anyone can shed some light on this Regarding the KCD auth. I think I've got it working. In addition to Jason Jones comprehensive list the clue is: Make sure the ISA server's computer object in AD has been delegated -> Trust this computer for delegation to specified services only -> use any authentication protocol > service:http computer:yourCAS.fqdn.com I forgot to mention that I have an equal namespace internally/externally with a split DNS. Regards Henning S�ilen Senior Consultant Norway

henning -> RE: Discussion About article on Publishing Autodiscover Service (24.Jul.2008 11:52:57 AM)
Phew!! Just found a solution to my problem, and IT WORKS. http://technet.microsoft.com/en-us/library/cc671176(EXCHG.80).aspx Regards Henning

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (30.Jul.2008 8:57:22 AM)
Hi All, Blog entry published at last! [sm=cool.gif] http://blog.msfirewall.org.uk/2008/07/publishing-exchange-2007-services-with.html Hope it helps... Feel free to provide feedback for areas that need additional explanation or clarification. Enjoy [:)] Cheers JJ

Jason Jones -> RE: Discussion About article on Publishing Autodiscover Service (4.Aug.2008 7:03:32 PM)
Another article added for Exchange 2007 - this time OWA and the document access feature: http://blog.msfirewall.org.uk/2008/08/publishing-exchange-2007-services-with.html Enjoy! Cheers JJ

tshinder -> RE: Discussion About article on Publishing Autodiscover Service (5.Aug.2008 8:59:57 AM)
Hi Jason, Thanks! Tom

Page: [1]