From: Mike W. on
Hello folks,

Last week, I applied several security updates and rebooted my server. Since
then, I've encountered weird behavior with regard to authenticating to the
Autodiscover application.

The basic symptom was this:

When launching Outlook in an Outlook Anywhere scenario, users would get
prompted for authentication multiple times.

Here's how it manifested:

Launch Outlook and provide a password. Outlook connects to Exchange over OA.
After the initial synchronization of the mailbox, another auth box appears.
Typing a password here simply produces another auth box, ad infinitum. To get
around this, you'd ESC out of the dialogue and you wouldn't see the auth box
for 5 or so minutes.

Other symptoms:

1. Test E-Mail Autoconfiguration failed. SRV record lookup would work, but
no XML could be gotten from the server.

2. Out of Office would no longer work.

3. Attempting to authenticate to the Autodiscover application on the server
produced a 401 error. I understand this might be expected behavior because of
the "loopback check," but even specifying the localhost* did not produce the
XML document as expected.

* Detailed here:
http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/


What I did:

I kept focusing on the fact that I couldn't authenticate to Autodiscover. I
looked at the recently applied updates and noted that KB973917 did give one a
new option for authentication to IIS applications. "Install this update to
help strengthen authentication credentials in specific scenarios." I don't
mean to imply this update CAUSED my issue, it's just interesting.

So, acting on a hunch, I tested Email Autoconfiguration repeatedly, toggling
the Authentication options for the Autodiscover application within IIS.

What I found:

I found that if I toggle Windows Authentication from Enabled to Disabled and
back again, all my Autodiscover authentications worked. Outlook stopped
providing multiple authentication prompts, Out of Office worked, and Email
Autoconfiguration worked.

What's happened since:

When I came into work this morning, I received multiple auth prompts again.
I then remoted to the server, toggled Windows Authentication on the
Autodiscover application from Enabled to Disabled and back again. Then, boom,
it all started to work again.

So, while I'm happy I can temporarily fix the issue, I am stumped as to a
permanent solution. Did the update cause a problem? I am unsure. Is there a
delay between enabling/disabling the authentication? When I initially
disabled Windows Authentication and left Basic on to match OWA's settings
(which had never stopped working during all this), this did not fix the
problem.

Today where I am is I've toggled the Windows Authentication again. Outlook
is working fine. I did turn on Kernel-Level Authentication in the GUI just to
see if that broke anything, but it did not. So, that's currently on.

I also should point out that Test-OutlookWebServices always produces a 401
error. I can't say whether it did before the update, but it does now despite
Autodiscover working otherwise.

Does anyone have any thoughts?
From: Rich Matheisen [MVP] on
On Tue, 15 Dec 2009 10:21:03 -0800, Mike W. <Mike
W.(a)discussions.microsoft.com> wrote:

[ snip ]

>Today where I am is I've toggled the Windows Authentication again. Outlook
>is working fine. I did turn on Kernel-Level Authentication in the GUI just to
>see if that broke anything, but it did not. So, that's currently on.
>
>I also should point out that Test-OutlookWebServices always produces a 401
>error. I can't say whether it did before the update, but it does now despite
>Autodiscover working otherwise.
>
>Does anyone have any thoughts?

Where are you doing this "toggling" from?

If it's autodiscover that's causing you a problem, try this:

Get-AutodiscoverVirtualDirectory|fl *authentication*

If it's Web Services:
Get-WebServicesVirtualDirectory|fl *authentication*

Use "help get-*virtual*" to find the others.

There's a thread that runs in the MSExchangeServiceHost service that
sets (or resets) the authentication method for the OA (RPC-Over-HTTPS)
every 15 minutes based on what it finds in the AD.
---
Rich Matheisen
MCSE+I, Exchange MVP
From: Dave W on
On Dec 15, 2:21 pm, Mike W. <Mike W...(a)discussions.microsoft.com>
wrote:
> Hello folks,
>
> Last week, I applied several security updates and rebooted my server. Since
> then, I've encountered weird behavior with regard to authenticating to the
> Autodiscover application.
....

> I also should point out that Test-OutlookWebServices always produces a 401
> error. I can't say whether it did before the update, but it does now despite
> Autodiscover working otherwise.
>
> Does anyone have any thoughts?

I just wanted to mention that I've encountered the exact same issue in
the same timeframe and wasn't able to find a solution. I didn't try
what you mentioned 'worked' for you though so that may have helped.
Today I uninstalled all the updates from the 8th and rebooted the
server and everything is working again. I haven't done a
Test-OutlookWebServices to know if it's still showing 401 errors, but all
the functionality that was broken is working again. I hadn't tried
restarting the server since the autodiscover issue started, so maybe
that was all that was needed but I'm leaning towards an issue with one
of the updates and the one you mentioned was the one I was most
suspicious about. Not sure I even want to bother installing one update
at a time to track down if that's the problem, but I guess eventually
I'll have to do that.

I'm curious about where you are doing the 'toggling' as well though.
Is it in IIS7? I'm finding the IIS7 UI exceptionally confusing so if
you can be explicit in your description that would be great.

- Dave
From: Mike W. on
Hey Rich,


"Rich Matheisen [MVP]" wrote:

> Where are you doing this "toggling" from?

IIS Manager. I browse to the Autodiscover application within the "SBS Web
Applications" site. I then click the Authentication properties, select
"Windows Authentication," choose Disable, then Enable.

> If it's autodiscover that's causing you a problem, try this:
>
> Get-AutodiscoverVirtualDirectory|fl *authentication*
>
> If it's Web Services:
> Get-WebServicesVirtualDirectory|fl *authentication*

I will get a baseline for those commands since this is all working now. When
it breaks again, I will check for any differences within the output.


> There's a thread that runs in the MSExchangeServiceHost service that
> sets (or resets) the authentication method for the OA (RPC-Over-HTTPS)
> every 15 minutes based on what it finds in the AD.

Interesting. Thanks. My experience of all this resetting, for lack of a
better word, takes much longer than 15 minutes. Indeed, it took perhaps many
hours.

I should mention that I was tracking down another issue showing up in our
Security Logs. That led me to find out that we hadn't applied a Rollup for
Exchange 2007 SP1. I installed that and rebooted the server. I honestly
expected the problem to recur at that point, but it has not. I will keep
monitoring.

Thank you for your reply!

m
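
Added example, not part of any post in this thread: one way to capture the baseline mentioned above and diff it when the prompts return, run in the Exchange Management Shell. The baseline path and the function name Get-VDirAuthSnapshot are assumptions made for this example; per the reply in this thread these cmdlets report what is in the AD, so a change made only in IIS Manager will not show up in the diff.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# $BaselinePath is a hypothetical location chosen for this example.
$BaselinePath = 'C:\Temp\vdir-auth-baseline.xml'

function Get-VDirAuthSnapshot {
    # Flatten every *authentication* property of the Autodiscover and
    # Web Services virtual directories into VDir/Setting/Value rows,
    # so that two snapshots can be compared row by row.
    $vdirs = @(Get-AutodiscoverVirtualDirectory) + @(Get-WebServicesVirtualDirectory)
    foreach ($vdir in $vdirs) {
        $auth = $vdir | Select-Object *authentication*
        foreach ($prop in $auth.PSObject.Properties) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty VDir    ([string]$vdir.Identity)
            $row | Add-Member NoteProperty Setting $prop.Name
            # Multi-valued settings are joined into one string for comparison
            $row | Add-Member NoteProperty Value   ([string]$prop.Value)
            $row
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run, while everything works: record the known-good state
    Get-VDirAuthSnapshot | Export-Clixml $BaselinePath
    "Baseline saved to $BaselinePath"
}
else {
    # Later run, when the problem is back: show only what changed
    $baseline = @(Import-Clixml $BaselinePath)
    $current  = @(Get-VDirAuthSnapshot)
    $diff = Compare-Object $baseline $current -Property VDir, Setting, Value
    if ($diff) {
        # '<=' rows are baseline values, '=>' rows are current values
        $diff | Sort-Object VDir, Setting | Format-Table -AutoSize
    }
    else {
        'No change in the authentication settings reported by Exchange.'
    }
}
```

An empty diff while the prompts are occurring means the values these cmdlets report did not change, so the change lies somewhere they do not show, such as the IIS-side setting being toggled by hand.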
From: Rich Matheisen [MVP] on
On Tue, 15 Dec 2009 18:14:02 -0800, Mike W.
<MikeW(a)discussions.microsoft.com> wrote:

>Hey Rich,
>
>
>"Rich Matheisen [MVP]" wrote:
>
>> Where are you doing this "toggling" from?
>
>IIS Manager. I browse to the Autodiscover application within the "SBS Web
>Applications" site. I then click the Authentication properties, select
>"Windows Authentication," choose Disable, then Enable.

SBS? Well, you can use all their wizards, but if it's not changing the
Exchange stuff with a Powershell cmdlet you're on your own.

>> If it's autodiscover that's causing you a problem, try this:
>>
>> Get-AutodiscoverVirtualDirectory|fl *authentication*
>>
>> If it's Web Services:
>> Get-WebServicesVirtualDirectory|fl *authentication*
>
>I will get a baseline for those commands since this is all working now. When
>it breaks again, I will check for any differences within the output.

They should be reporting what's in the AD. If you're altering the IIS
config then you'll be really confused!

>> There's a thread that runs in the MSExchangeServiceHost service that
>> sets (or resets) the authentication method for the OA (RPC-Over-HTTPS)
>> every 15 minutes based on what it finds in the AD.
>
>Interesting. Thanks. My experience of all this resetting, for lack of a
>better word, takes much longer than 15 minutes. Indeed, it took perhaps many
>hours.

I mentioned that only because you didn't mention how you were changing
the auth methods. That's the only virtual directory affected by that
thread. Please use the E2K7 Powershell cmdlets to make the changes. If
that goes against the "SBS does things differently" grain then you
really should be asking for help in a SBS newsgroup.

>I should mention that I was tracking down another issue showing up in our
>Security Logs. That led me to find out that we hadn't applied a Rollup for
>Exchange 2007 SP1. I installed that and rebooted the server. I honestly
>expected the problem to recur at that point, but it has not. I will keep
>monitoring.

Good!
---
Rich Matheisen
MCSE+I, Exchange MVP