This issue affect to almost al the domain joined worksation machines and outlookanywhere users who all are using outlook 2007. It took some time to resolve and quiet challenging especially it affects Exchange 2007 server main components like Autodiscover and OAB.
Thought to share my experiance in this problem and i am sure some will get some kind of benifit. I will try to explain my level best and if anybody want more detail please put a comment so i can reply back.
1) Continuously Poping up certificate warning message in computers who all are using outlook 2007.
2) Related to this issue few of the users are getting username and password window in outlook frequently
3) Some of the users are facing issue with Out of office assistance settings.
4) Outlook Anywhere users also getting same warning message
All these issues were related with Auto discover service in Exchange Server.
To check Autodiscover is working fine or not we have two methods
1) Opened Outlook and checked Test email auto-configuration, found succeeded through SCP. ( press ctrl and right click from outlook icon near clock)
2) httpsL//webmail.domain.com/autodisover/autodiscover.xml ( If you get error 600 at the middle Autodiscover is working fine)
As per my understanding there are several reasons
We have single singn on certificate from Verisign. That means https://webamil.domain.com contains both internal and external URL. Since our domain name domain.local and our external webmail address contain webmail.domain.com. So we notice that internel URL was set webmail.domain.local instead of webmail.domain.com.
Affected users were using proxy server to connect internet. We entered webmail.domain.com in exception list
IIS had some issues, will describe in detail below
- Resolved IIS related issues
- Checked IIS for authentication on respective virtual directories on Exchange server ( Client Access Server ) and did changes as per below,
Default Web site: Found Anonymous access enabled with SSL forced.
Autodiscover: Found Basic & Integrated authentication enabled with SSL forced.
EWS: Found Basic & Integrated authentication enabled with SSL forced. Disabled Basic authentication.
OAB: Found integrated authentication enabled and no SSL forced.
- Ran IISreset command to restart IIS services.
- Resolved Exchange Server side Issues
- Checked internal URL for web services and OAB virtual directory, found not set
- Set-WebServicesVirtualDirectory -Identity “CASservername\EWS (Default Web Site)” -InternalUrl https://webmail.domain.com/ews/exchange.asmx
- Set-OABVirtualDirectory -Identity “CASservername\OAB (Default Web Site)” -InternalUrl https://webmail.domain.com/oab
- Set OAB web distribution folder in Organization configuration tab ( Exchange Management console–>Organization configuration tab–>Mailbox server–>Offline address book tab–> Select Enable web distribution folder)
- Resolved Client side Outlook issues
- Checked and found proxy configured in Internet explorer. So we added webmail.domain.com in exception list.
- Again tried to browse same URL i.e., https://webmail.domain.com/autodiscover/autodiscover.xml, found successfully able to browse.
- Opened Outlook and checked Test email auto-configuration, found succeeded through SCP.
- Also able to access emails in Outlook 2010 without any certificate warning message.
- Found credential popup issue with one user. So ran control keymgr.dll, found credential stored without password. Removed the same.
- Checked Outlook 2007, found working fine without any credential popup.
- Created new outlook profile to few client machines ( found Outlook profile was corrupted)
- Created Windows profile to few client machines ( Found Windows profile was corrupted)
- ISP Side Issues ( External DNS Server has wrong configuration) – To resolve outlook anywhere users
- Asked ISP to create an SRV record for Autodiscover service for Outlook Anywhere users
- Need to deleted any Autodiscover record from External DNS server before creating SRV record
Below URL’s help me to get solve this issue and give more idea about Autodiscover service
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
White Paper: Exchange 2007 Autodiscover Service
https://testexchangeconnectivity.com ( Can check Autodiscover is working fine against your Exchange Server)
Finally all the users are happy and Autodiscover service is working fine.