Windows – Exchange 2013 (on premises): cannot get external AutoDiscover to work

Tags: autodiscover, exchange-2013, windows

Background

Exchange Server Standard 2013 (CU13) running on premises on Windows Server 2012 R2 (fully updated) on a 2012 R2 Active Directory Domain.

  1. External DNS is set correctly: autodiscover.mydomain.com successfully results from an external connection
  2. Wildcard SSL certificate is installed and functional
  3. I can access https://autodiscover.mydomain.com/autodiscover/autodiscover.xml from an external connection. I am prompted for username and password, which are accepted and I am then presented with a page showing Error 600 (expected result).
  4. AutoDiscover works and tests fine on the internal LAN.

Problem

However, I cannot get AutoDiscover to function over the Internet.

  1. I cannot get Outlook to connect via an external connection, neither when using Outlook 2013 nor when using Outlook for Android or iOS. Outlook Web Access does work, but that is not relevant.
  2. https://testconnectivity.microsoft.com/ reports the following error:


Attempting to send an Autodiscover POST request to potential Autodiscover URLs.  
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

Additional Details

Test Steps

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.mydomain.com:443/Autodiscover/Autodiscover.xml for user testuser@mydomain.com.  
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.  

Additional Details

An HTTP 401 Unauthorized response was received from the remote Unknown server.  
This is usually the result of an incorrect username or password.  
If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).  
HTTP Response Headers:  
request-id: 03440b6d-56e0-405c-9f4e-eb663abca5b  
Set-Cookie: ClientId=AFD789F9E0A427AB; expires=Tue, 26-Sep-2017 12:53:11 GMT; path=/; HttpOnly  
Server: Microsoft-IIS/8.5  
WWW-Authenticate: Basic realm="autodiscover.mydomain.com",Negotiate,NTLM  
X-Powered-By: ASP.NET  
X-FEServer: EXCHANGE-SERVER  
Date: Mon, 26 Sep 2016 12:53:11 GMT  
Content-Length: 0  
Elapsed Time: 424 ms.  

Attempted Solutions

  1. Per https://community.spiceworks.com/topic/550046-exchange-autodiscover-not-working-correctly-in-2010-2013-environment I have checked my bindings in IIS and see nothing amiss. Here they are:
    Default Web Site:
      http Port:80 IP:*
      net.pipe Binding:*
      net.msmq Binding:localhost
      msmq.formatname Binding:localhost
      net.tcp Binding:808:*
      https Port:443
      http Port:80 IP:127.0.0.1
      http Port:443 IP:127.0.0.1
    Exchange Back End:
      http Port:81 IP:*
      https Port:444 IP:*
      net.pipe Binding:*

  2. Per https://social.technet.microsoft.com/Forums/exchange/en-US/cc9ffe71-b4fe-4217-9343-14956ccf30d9/autodiscover-authentication?forum=exchangesvrgenerallegacy and http://www.itnotes.eu/?p=2455 I have checked authentication methods for the /Autodiscover application in IIS. Anonymous, Basic, and Windows are enabled for /Autodiscover, and Anonymous and Windows are enabled for the /Autodiscover Exchange Back End.

  3. I have checked that Authenticated Users have permissions to the /Autodiscover applications in IIS. For Default Web Site, /Autodiscover has Allow Read permissions for Authenticated Users. For Exchange Back End, /Autodiscover has Allow Read & execute, List folder contents and Read for Authenticated Users.

I'm really stuck here. I have no idea why this isn't working.

Best Answer

Just got this figured out, so contributing: I had to create, on the local LAN DNS, a zone for the EXTERNAL domain, then point mail.xyz.com to the EXTERNAL IP, and also create a corresponding CNAME for the autodiscover.xyz.com entry, all basically emulating the external DNS in the LOCAL LAN.
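The split-DNS setup the answer describes, written out as an added example (these are not the answerer's commands): an internal AD-integrated zone for the external domain, an A record for mail.xyz.com pointing at the public IP, a CNAME for autodiscover.xyz.com, and a check that the internal resolver and the Autodiscover endpoint now answer as expected. The zone name xyz.com, the public IP 203.0.113.10 and the DNS server name DC01 are placeholders, not values from the post.

```powershell
# Added example: mirror the external DNS names on the internal AD DNS server
# (split-brain DNS) so LAN clients resolve mail.xyz.com / autodiscover.xyz.com
# to the same targets external clients use. Run in an elevated PowerShell on a
# domain DNS server (Windows Server 2012 R2, DnsServer module).
# Placeholders (assumptions, not from the original post): zone xyz.com,
# public IP 203.0.113.10, DNS server DC01.
Import-Module DnsServer

$ZoneName  = 'xyz.com'        # the EXTERNAL domain
$PublicIP  = '203.0.113.10'   # public IP that mail.xyz.com resolves to externally
$DnsServer = 'DC01'

# 1. Create an AD-integrated primary zone for the external domain if it is missing.
#    Caveat: the internal DNS then becomes authoritative for the whole domain, so
#    every public record LAN clients need (www, MX, ...) must be added here as well.
if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain -ComputerName $DnsServer
}

# 2. mail.xyz.com -> the EXTERNAL IP, and autodiscover.xyz.com as a CNAME to it.
#    A short TTL keeps client caches from holding a stale answer while testing.
Add-DnsServerResourceRecordA     -ZoneName $ZoneName -Name 'mail' `
    -IPv4Address $PublicIP -TimeToLive 00:05:00 -ComputerName $DnsServer
Add-DnsServerResourceRecordCName -ZoneName $ZoneName -Name 'autodiscover' `
    -HostNameAlias "mail.$ZoneName" -TimeToLive 00:05:00 -ComputerName $DnsServer

# 3. Verify that the internal resolver now answers like the public DNS does.
Clear-DnsClientCache
Resolve-DnsName -Name "autodiscover.$ZoneName" -Type CNAME -Server $DnsServer
Resolve-DnsName -Name "mail.$ZoneName"         -Type A     -Server $DnsServer

# 4. An unauthenticated request to the Autodiscover endpoint should come back as
#    HTTP 401 with a WWW-Authenticate challenge (Basic/Negotiate/NTLM), which is
#    the same response the connectivity analyzer showed; anything else points at
#    routing, certificate or IIS binding problems rather than credentials.
try {
    Invoke-WebRequest -Uri "https://autodiscover.$ZoneName/autodiscover/autodiscover.xml" -UseBasicParsing
} catch {
    $resp = $_.Exception.Response
    "HTTP {0} - WWW-Authenticate: {1}" -f [int]$resp.StatusCode, $resp.Headers['WWW-Authenticate']
}
```

Outlook clients on the LAN also locate Autodiscover through the SCP object in Active Directory, so a working internal resolution of the external names is needed only for clients that fall back to DNS.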
