How to fix Autodiscover error on ExRCA?

[Tinku-Jia]

Sponsored Links

ExRCA successfully got SSL certificate from remote server autodiscover.company.com via port 443. Below mentioned are some useful information which you would like to know.

Quote:

Remote Certificate Subject: CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.

I have successfully validated the certificate name.

Quote:

Host name autodiscover.company.com was available into Certificate Subject Alternative Name entry.

Certificate trust was validated and it was presented into chain.
ExRCA try to create certificate chains for the certidcate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com. and it was created succefully.

Quote:

A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

There was no compatibility issue with Windows version when I tested certificate chains for compatibility.

Quote:

The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.

After that I have tested certificate date so that I can figure whether certificate is valid. It passed date validation succfully and it was not expired.

Quote:

The certificate is valid. NotBefore = 2/12/2012 4:14:28 AM, NotAfter = 2/8/2015 9:22:45

I checked IIS configuration of client certificate authentication and there was no Client certificate authentication detected.

Quote:

Accept/Require Client Certificates isn't configured.

I tried to sent Autodiscover POST for potential Autodiscover URLs but there was no Autodiscover POST request.
ExRCA trying to retrieve XML Autodiscover response from below mentioned URL.
https://autodiscover.company.com/Aut...toDiscover.xml for user tom_day@company.com. However it failed to get Autodiscover XML response.
quote

Quote:

An HTTP 403 error was received because ISA Server denied the specified URL.

Let me know how can I resolve above mentioned issue.
Tried to connect with Autodiscover service using HTTP redirect method. But it was not able to contact Autodiscover.

The host name was resolved successfully when I tried to resolved hostname autodiscover.company.com in DNS.

Quote:

IP addresses returned: 208.181.105.239
TCP port 80 on host autodiscover.company.com is listing and open.

When ExRCA is trying to check host autodiscover.company.com through HTTP redirect using Autodiscover service. But it was not working.

Quote:

An HTTP 403 error was received because ISA Server denied the specified URL.

When I tried to contact Autodiscover service utliozing DNS SRV redirect method I got below mentioned mesaage.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.

I tried to find out SRV record _autodiscover._tcp.company.com in DNS. I got.

Quote:

The Autodiscover SRV record wasn't found in DNS.

Let me know me know how can I resolve above mentioned problem.

[Bjork]

Normally Autodiscover uses below mentioned connection attempts.
HTTPS for domain.com/autodiscover
HTTPS for autodiscover.domain.com/autodiscover
DNS for SRV record

The error message which you have mentioned in your post is not an error actually rather its first attempt made to connect with autodiscover through SMTP domain. Normally it gets fails as there are less number of organization setup for DNS who are having root DNS namespace pointing towards same address which is being used by Exchange services. At the time of second attempt, you are trying to use DNS name for autodiscover.domain.com so that it can connection point for Autodiscover. After gong through the log entries I managed to get that ExRCA able to connect without having any major issue and it simply continue with processing of SSL certificate. So it implies that public DNS is correct and connection attempt should be made to connect with ISA server and it would retrieve SL certificate information.
You can have rules for OWA, ActiveSync, and Outlook. It would also make use of web listener in case you are making use of Basic Authentication delegation with CAS.
You should configure authentication settings with publishing rules as well as web listener(s) correlate for authentication methods on Exchange virtual directories on CAS.

ExRCA is showing that URL has been denied by ISA. In case you have implemented multiple rules on Exchange for OWA, ActiveSync, and Outlook then you should see that rules are processed into proper order. If OWA rule is getting processed then it should be configured to accept public name autodiscover.domain.com,. could be possible that Autodiscover or virtual directory is published and it would result into ISA denying your URL. You should enable logging on ISA server to get which rule is blocking ExRCA to authenticate certificate. It would give you better idea of entire issue.

[Ebadaah28]

In order to resolve above mentioned issue I am suggesting that you should try to open exchange rule on ISA server. from public names tab you have to simply add autodiscover record. On paths tab you have to simply add autodiscover directory. So try the above mentioned thing and let me know whether it is working or not.