Forum Discussion
jdewing
Cirrus
Apr 05, 2011
Exchange 2010 AutoDiscover issue
When I opened Outlook, it will prompt with username and password to log on to autodiscover.domain.com. I followed the steps from "Deploying F5 with MS Exchange Server 2010".
If I changed the IP address for autodiscover.domain.com to point to one of the CAS servers, Outlook will open with no issue. But if I changed the IP address for autodiscover.domain.com to point to the F5 VIP, Outlook will prompt for username and password. Also, the "Test E-mail AutoConfiguration" failed with error "Autoconfiguration was unable to determine your settings!"
I'm out of ideas..
15 Replies
- hoolio
Cirrostratus
Stab in the dark:
Do you have a OneConnect and NTLM profile on the virtual server? If you're not using SNAT the OneConnect profile should have a /32 source mask.
Else, you might try capturing tcpdumps for connections through LTM and direct to the CAS server to compare what's happening when it fails with successes.
Aaron
- Also, did you follow the F5 Deployment Guide for Exchange? What version are you running on your F5 gear?
- jdewing
Cirrus
hoolio - Yes, I have both OneConnect and NTLM profiles on the VIP. I'm not using SNAT. I did try the OneConnect profile with a /32 source mask. No luck!
Michael K. - Yes, I did follow the F5 Deployment Guide. I'm using version 10.2.0.
- Joel_Moses
Nimbostratus
What's the output of https://www.testexchangeconnectivity.com/ and the "Outlook Autodiscover" or "Exchange ActiveSync Autodiscover" tests? I've got a sneaking suspicion that you've got a certificate name mismatch somewhere; if so, this test will put some big 'ol bells-n-arrows on it.
This is a Microsoft-operated site; you should use it with a test account (it'll tell you so). When the test is complete, click the "Expand All" dropdown at the top of the screen and look for any red "X" in a circle -- the ones down near the bottom probably describe your issue.
- Joel brings up an excellent point - that site often exposes issues that are not easily visible to the naked eye. Also, have you made sure that the SSL certificates are the same on the CAS server and on the F5 device?
- jdewing
Cirrus
SSL certificates are the same on the CAS server and F5 device. I have no issue with OWA, only internal Outlook.
I ran https://www.testexchangeconnectivity.com and I don't think it will help because the test is querying the top-level domain based off the email address. The headquarters forwards all incoming mail to our site.
- jdewing
Cirrus
I think it has to do with permissions..
From IE, I was able to open the XML page by typing https:\\IP_address\autodiscover\autodiscover.xml for both of the CAS servers with no issue.
When I typed https:\\F5_IP_address\autodiscover\autodiscover.xml, it prompted me with a username and password window.
- Joel_Moses
Nimbostratus
In my environment, whenever I use IP address in place of hostname I get prompted for authentication no matter whether I'm going direct to CAS or via the F5. This makes sense because the bare IP address in the URL wouldn't be considered an IE "Trusted Site" so it wouldn't attempt automatic NTLM authentication with it. It would prompt me to manually enter the authentication.
What happens if you set a host file entry for "autodiscover.site.com" pointed at the F5 IP address, then try the request in IE as "https://autodiscover.site.com/autodiscover/autodiscover.xml"? Make sure to remove the entry later after you test. :>
I've seen four main things go wrong with autodiscovery on Exchange 2010 -- the cert on the autodiscover site does not have the "autodiscover" name set as either a primary or SubjectAlternativeName, the cert for autodiscover is not able to be verified from a trust perspective (self-signed or unknown CA), the Outlook profile has the wrong Authentication Type set for Outlook Anywhere connectivity, or the configured Redirect URL on the autodiscover site itself is incorrect. In your case, it sounds like when passing through the F5 VIP the system has some reason to believe that it can no longer do automatic Windows integrated authentication -- this could occur as the result of a certificate mismatch or a failure to believe the site can be classified as trusted.
- shawno_84086
Nimbostratus
I have this same issue. I am using SNAT. Try disabling basic authentication on your autodiscover virtual directory. It should now work. However, I am having issues with mobile devices once this setting is disabled. It seems to use basic auth to start and then NTLM afterwards. I have also found this article:
http://support.f5.com/kb/en-us/solu...=14001102v
I am unsure if this is the right track or not...
- Josh_41258
Nimbostratus
Hate to bring up an old topic.. but I'm having the exact same problem. Accessing autodiscover via the VIP prompts for authentication, accessing it directly on the CAS box does not. I have also removed "Negotiate" as a provider as Michael pointed out. Any other ideas?
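Added example, not from any poster in this thread: one way to carry out the capture comparison suggested above (direct to CAS versus through the VIP) is to decode the NTLM message type in each `Authorization` / `WWW-Authenticate` header and see where the three-message handshake stops. The two traces, the `token()` stub and the result strings are constructed for illustration; real traces would be the header values read out of your own captures.

```python
import base64
import struct

def ntlm_type(header_value):
    """1/2/3 for an NTLM token, 0 for a bare 'NTLM' offer, None for anything else."""
    parts = header_value.split()
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0
    try:
        raw = base64.b64decode(parts[1])
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return struct.unpack("<I", raw[8:12])[0]  # little-endian message type

def token(msg_type):
    # Constructed stub: signature plus message type only, not a full NTLM message.
    return "NTLM " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", msg_type)).decode()

def diagnose(exchanges):
    """exchanges: (Authorization sent or None, status, [WWW-Authenticate values]) per request."""
    for auth, status, offers in exchanges:
        sent = ntlm_type(auth) if auth else None
        if status != 401:
            return "authenticated via NTLM" if sent == 3 else "succeeded without NTLM"
        if sent == 3:
            return "type 3 rejected: credentials refused or handshake state lost"
        if sent == 1 and 2 not in [ntlm_type(o) for o in offers]:
            return "type 1 got no challenge: handshake restarted"
    return "handshake incomplete"

# Constructed traces, hostname as used in the thread.
BASIC = 'Basic realm="autodiscover.domain.com"'
DIRECT_TO_CAS = [
    (None, 401, ["Negotiate", "NTLM"]),
    (token(1), 401, [token(2)]),
    (token(3), 200, []),
]
VIA_VIP = [
    (None, 401, ["Negotiate", "NTLM", BASIC]),
    (token(1), 401, [token(2)]),
    (token(3), 401, ["Negotiate", "NTLM", BASIC]),
]

if __name__ == "__main__":
    for name, trace in (("direct", DIRECT_TO_CAS), ("via VIP", VIA_VIP)):
        print(name, "->", diagnose(trace))
```

NTLM authenticates the TCP connection rather than each request, so a type 3 message answered by a fresh 401 through the VIP, with the same credentials accepted directly, points at connection handling on the proxy rather than at the account.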
