I've got an odd problem.
I got my PC reimaged, and now it won't connect properly to the autodiscover service.
I cannot see free/busy information, cannot set my out of office, and don't get tooltips about other people who have out of office on when I am emailing them.
If I run the "Test email autoconfiguration" tool, it fails.
All of that used to work before my PC was reimaged.
Furthermore, if I log in to another PC (same OS, Win7) it does all work.
So I think the problem is specific to my PC, and not a problem with our Exchange setup.
If I browse to the URL http://mail.mydomain/autodiscover/autodiscover.xml I get a 403 error.
Doing the above on the other PC works.
Weirdly, if I browse to https://mail.mydomain/autodiscover/autodiscover.xml on the PC with the problem it works OK.
So there's something configured wrong on my PC, but I don't know what. Maybe it's not passing my credentials properly.
Other sites that rely on my Windows credentials are working OK, so it's passing them correctly sometimes.
Any ideas, before I get them to reimage my PC again?
Thanks
When I run Test mail autoconfiguration, on the Results tab I get:
Autoconfiguration has started, this may take up to a minute
Autoconfiguration was unable to determine your settings!
The log is:
SMTP=my.email#my.domain
Attempting URL httpx://mail.my.domain/autodiscover/autodiscover.xml found through SCP
Autodiscover to httpx://mail.my.domain/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=403
Autodiscover request completed with http status code 403
Autodiscover to httpx://mail.my.domain/autodiscover/autodiscover.xml failed (0x80004005)
Autodiscover to httpsx://mail.my.domain/autodiscover/autodiscover.xml starting
GetLastError=12007; httpStatus=0
Autodiscover to httpsx://mail.my.domain/autodiscover/autodiscover.xml failed (0x800C8203)
Autodiscover to httpsx://autodiscover.my.domain/autodiscover/autodiscover.xml starting
GetLastError=12007; httpStatus=0
Autodiscover to httpsx://autodiscover.my.domain/autodiscover/autodiscover.xml failed (0x800C8203)
Local autodiscover for my.domain starting
Local autodiscover for my.domain failed (0x8004010F)
Redirect check to httpx://autodiscover.my.domain/autodiscover/autodiscover.xml starting Redirect check to httpx://autodiscover.my.domain/autodiscover/autodiscover.xml starting
Srv Record lookup for httpx://my.domain starting
Srv Record lookup for my.domain Failed (0x8004010F)
Note I had to change http to httpx and https to httpsx to allow it to post.
Firstly, this is not a programming question. Secondly, try to run a test from https://testconnectivity.microsoft.com/
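The log in the question contains two different kinds of failure: a server that answered and refused (httpStatus=403) and attempts that never reached a server (GetLastError=12007, the WinINet/WinHTTP "name not resolved" error). The following is an added example, not part of the original posts, that pairs each attempt with its result; the host names in the sample are constructed placeholders.

```python
import re

# Constructed sample in the format of the log quoted in the question
# (example.test host names are placeholders, not the poster's values).
SAMPLE_LOG = """\
Attempting URL http://mail.example.test/autodiscover/autodiscover.xml found through SCP
Autodiscover to http://mail.example.test/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=403
Autodiscover request completed with http status code 403
Autodiscover to http://mail.example.test/autodiscover/autodiscover.xml failed (0x80004005)
Autodiscover to https://mail.example.test/autodiscover/autodiscover.xml starting
GetLastError=12007; httpStatus=0
Autodiscover to https://mail.example.test/autodiscover/autodiscover.xml failed (0x800C8203)
Local autodiscover for example.test starting
Local autodiscover for example.test failed (0x8004010F)
"""

START = re.compile(r"^Autodiscover to (\S+) starting$")
RESULT = re.compile(r"^GetLastError=(\d+); httpStatus=(\d+)$")
FAILED = re.compile(r"^Autodiscover to (\S+) failed \((0x[0-9A-Fa-f]+)\)$")

def parse_attempts(log_text):
    """Return one dict per 'Autodiscover to <url>' attempt, in log order."""
    attempts, current = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if m := START.match(line):
            current = {"url": m.group(1), "last_error": None,
                       "http_status": None, "hresult": None}
            attempts.append(current)
        elif current and (m := RESULT.match(line)):
            current["last_error"] = int(m.group(1))
            current["http_status"] = int(m.group(2))
        elif current and (m := FAILED.match(line)) and m.group(1) == current["url"]:
            current["hresult"] = m.group(2)
            current = None  # attempt finished; wait for the next "starting" line
    return attempts

def classify(attempt):
    """Separate 'a server answered and refused' from 'no server was reached'."""
    if attempt["http_status"]:
        return "server-answered-%d" % attempt["http_status"]
    if attempt["last_error"] == 12007:  # name not resolved (WinINet/WinHTTP)
        return "name-not-resolved"
    if attempt["last_error"]:
        return "transport-error-%d" % attempt["last_error"]
    return "unknown"
```
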
When logging on to OWA using a browser, you receive a 503 error. In the Fiddler trace you will see a more detailed response status code:
503 Failed authentication on backend server: Unauthorized
On the Exchange Server, you will see the following System event log entry (intermittently):
Event 4 Security-Kerberos
The Kerberos client received a KRB_APP_ERR_MODIFIED error from the server exchangeserver$.
The target name used was HTTP/exchangeserver.ad.root.
This indicates that the target server failed to decrypt the ticket provided by the client.
I hope someone only receives this in a lab environment!
Here is a link to enable Kerberos logging, which could be helpful as well: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging
After enabling Kerberos logging, you would see the KRB_APP_ERR_MODIFIED error more frequently, whereas before it would not be logged each time a logon attempt occurred.
The issue here (in the lab) was that a duplicate SPN for the Exchange Server in question was added erroneously to another server, causing a duplicate. This was due to trying to enable Kerberos delegation for a separate web application.
Although there could be a quicker way to do this, you can list the SPNs on each server to look for your erroneous exchangeserver record by running
setspn -l otherservername (this is a lower-case L)
And if you find that SPNs like http/exchangeserver or http/exchangeserver.ad.root are listed on another server (say 'otherservername'), you can carefully remove them by running
setspn -D http/exchangeserver otherservername
setspn -D http/exchangeserver.ad.root otherservername
I was able to log on to OWA immediately after the duplicate SPN was removed, without restarting any servers or services.
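The per-server comparison described above can be done mechanically once the `setspn -l` output of each account has been saved. This is an added example, not part of the original post; the sample outputs and distinguished names are constructed, modelled on the post's exchangeserver and otherservername.

```python
from collections import defaultdict

# Constructed `setspn -l <account>` outputs; the account names and DNs are
# placeholders modelled on the post's exchangeserver / otherservername.
SETSPN_OUTPUT = {
    "exchangeserver": """\
Registered ServicePrincipalNames for CN=EXCHANGESERVER,CN=Computers,DC=ad,DC=root:
        HTTP/exchangeserver
        HTTP/exchangeserver.ad.root
        HOST/exchangeserver
""",
    "otherservername": """\
Registered ServicePrincipalNames for CN=OTHERSERVERNAME,CN=Computers,DC=ad,DC=root:
        http/exchangeserver
        http/exchangeserver.ad.root
        HOST/otherservername
""",
}

def parse_spns(output):
    """SPNs are the indented lines under the 'Registered ...' header."""
    return [l.strip() for l in output.splitlines()
            if l[:1].isspace() and l.strip()]

def find_duplicate_spns(outputs):
    """Map each SPN held by more than one account to those accounts."""
    owners = defaultdict(set)
    for account, text in outputs.items():
        for spn in parse_spns(text):
            owners[spn.lower()].add(account)  # SPN matching ignores case
    return {spn: sorted(accts) for spn, accts in owners.items()
            if len(accts) > 1}

def removal_commands(duplicates, rightful_owner):
    """Build the post's `setspn -D` lines for every holder except the owner.

    The result is only a list of strings to review; nothing is executed.
    """
    return [f"setspn -D {spn} {acct}"
            for spn, accts in sorted(duplicates.items())
            for acct in accts if acct != rightful_owner]
```

On a domain-joined machine, `setspn -X` searches for duplicate SPNs directly; this example only works from saved `setspn -l` output.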
Check whether the bindings for the Exchange Backend website in IIS are correctly configured. You can check this by opening the IIS console on the server and opening the bindings for the Backend website on port 443. See whether the certificate is assigned correctly.
Also check whether the Default website's binding is correct. It should have a third-party SSL certificate or the self-signed certificate assigned.
If any of the bindings are incorrect, fix them and restart IIS (iisreset from a command prompt). Then check again.
I loaded the EchoBot template from Microsoft here: https://marketplace.visualstudio.com/items?itemName=BotBuilder.botbuilderv4
I started a new project and tried to run it locally. No MicrosoftAppID or MicrosoftAppPassword is provided.
Then I loaded the latest Bot Framework Emulator v4.7
I connect locally, again no App ID or App Password:
However when I try to send a message I get unauthorized error, why would I get unauthorized error when connecting locally?
The server is definitely running locally and the local URL is correct:
One question I want to ask: is the login dependent on any third-party URL call? My company security policy is blocking all URLs unless whitelisted, so if this is the case, maybe the authentication is blocked? What would be the URL for me to whitelist?
EDIT: I tried it in a VM outside of the company network and it works! So something must be getting blocked. Any idea?
I got around it by using a VM outside the company network instead. It's not a solution, but it is a workaround. I highly suspect some ports are being blocked by the company firewall, but I'm not sure which, so I am not sure how to get them whitelisted.
I am trying to figure out what is giving me a 403 error.
Details
I cannot find the call in the IIS logs.
Windows Defender Firewall is turned off
If I run Message Analyzer on the system I can see the call coming in and can see that it is sending out 403.
If I run Process Monitor I can see that the process "System" does a "TCP Receive" that is probably my call (the number of bytes in it seem to be correct).
It is an App in IIS off of the Default Website
How can I tell where it is being given a 403?
Is there another place to log or another thing I can look at to figure out what is blocking it?
To figure out the root cause of a 403 error, you need to find the sub-status code first. If the request was not logged in the IIS log, you could try to force IIS to return a detailed error message.
<system.webServer>
<httpErrors errorMode="Detailed" />
</system.webServer>
Besides, did you bind a host name for your website? If the domain is pointing to the wrong place, then your IIS would probably not log the request.
Since the 403 error is returned from the remote server, tracing the IIS pipeline with Failed Request Tracing would be more helpful.
In addition, please ensure the application pool identity (IIS Apppool\) and IUSR have read permission to access the root folder of your web application.
Please also remember to check whether an unneeded URL rewrite or IP address deny rule was created in the Site/Server node.
Finally, remember to clear the cache before trying to access the website again.
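When the request does reach IIS, the sub-status the answer asks for is the sc-substatus field of the site's W3C log. This is an added example, not part of the original answer, that reads the field order from the #Fields header and reports each 403 with its sub-status; the log excerpt is constructed and the meaning table is a subset of the IIS 403 sub-status codes.

```python
# Constructed excerpt in IIS's W3C extended log format (addresses are placeholders).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:00 10.0.0.5 GET /app/ - 80 - 10.0.0.9 curl/8.0 403 14 0 3
2024-01-01 10:00:05 10.0.0.5 GET /app/api - 80 - 10.0.0.9 curl/8.0 403 6 0 1
2024-01-01 10:00:09 10.0.0.5 GET /app/ok - 80 - 10.0.0.9 curl/8.0 200 0 0 8
"""

# Subset of the IIS sub-status codes for HTTP 403.
SUBSTATUS_403 = {
    1: "Execute access forbidden",
    2: "Read access forbidden",
    4: "SSL required",
    6: "IP address rejected",
    7: "Client certificate required",
    14: "Directory listing denied",
    16: "Client certificate is untrusted or invalid",
}

def forbidden_requests(log_text):
    """Return every 403 in the log with its sub-status and meaning."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Logged fields are configurable, so take the order from the header.
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if row.get("sc-status") == "403":
                sub = int(row.get("sc-substatus", 0))
                hits.append({
                    "uri": row.get("cs-uri-stem"),
                    "client": row.get("c-ip"),
                    "code": f"403.{sub}",
                    "reason": SUBSTATUS_403.get(sub, "not in this subset"),
                })
    return hits
```

Requests rejected by HTTP.sys before they reach IIS do not appear in the site log; HTTP.sys records them under %SystemRoot%\System32\LogFiles\HTTPERR.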
I've installed Web Deploy 2.1 on a Server 2008 R2 running under VMWare.
In the IIS Manager (Management Service applet) I can see that "Enable Remote Connections" is checked and the port is set to 8172. Under "IIS Manager Permissions" I've added my Windows account (CORP\ekkis) and under the "Authentication" applet (for IIS) I have enabled "Windows Authentication".
I've also turned off the firewall.
So from the command line I test the system to work like this:
C:\Program Files\IIS\Microsoft Web Deploy V2>msdeploy -verb:dump -source:contentPath=\temp,wmsvc=192.168.0.70,username=CORP\ekkis,password=MyPass,authType=Basic -allowUntrusted=True
and get this:
Info: Using ID '9b954a0f-ff07-4e77-ba2c-d27472f5fda0' for connections to the remote server.
Error Code: ERROR_USER_UNAUTHORIZED
More Information: Connected to the destination computer ("192.168.0.70") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site.
Error: Object of type 'contentPath' and path '\temp' cannot be created.
Error: The remote server returned an error: (401) Unauthorized.
Error count: 1.
I've also tried deploying with Visual Studio 2010 from the host OS with the following service URLs (I haven't found proper documentation on how to form this URL):
https://192.168.0.70/
https://192.168.0.70:8172/
https://192.168.0.70:8172/MsDeployAgentService/
https://192.168.0.70/MsDeployAgentService/
I've tried the non-secure versions as well but just cannot get it to work. What is the correct format for the URL, and what permissions am I missing?
The errors from VS have varied depending on how I attempt it, but below is a sample:
Could not complete the request to remote agent URL 'http://192.168.0.70:8172//MSDEPLOYAGENTSERVICE'.
The underlying connection was closed: An unexpected error occurred on a receive.
Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
An existing connection was forcibly closed by the remote host
Publish failed to deploy.
There really should be a guide out there to do this (yes, I've googled myself blue in the face)!
Thanks - ekkis
OK, I've figured out that the correct URL is:
https://192.168.0.70:8172/MsDeploy.axd
and that having the "Windows Authentication" enabled doesn't seem to make a difference. Also, having my account in the "Managers" list doesn't seem to make a difference either.
So the back end was all working fine (I've turned off the Web Deployment Agent Service). It was just the URL I had wrong.
I have an annoying problem.
On every machine on the network, browsing to our internal MS CRM URL works fine. However, if I log into the actual server itself and try to connect, the same credentials just do not work. I get this error:
HTTP Error 401.1 - Unauthorized
You do not have permission to view this directory or page using the credentials that you supplied.
I can't figure it out. They're on the same domain, everything should be fine. It's a big problem because there is an application running on the server that needs to connect to the CRM webservice - and fails.
Even with Basic Auth, I enter the username and password and it fails.
Any ideas?
You might be hitting the loopback security check. Read this KB article to see if you are, and how to disable it so things will work: http://support.microsoft.com/default.aspx?scid=kb;en-us;896861