Exchange Autodiscover with 401 Authentication

[Julian Mooren1709156280]

Hi,

 

Im configuring Exchange 2016 in my lab environment and having problems with the "Autodiscover" service.

 

When I remove the 401 Authentication on the autodiscover vServer everything is working flawless.

After reading serveral whitepapers and blogs this should be the correct configuration:

 

- OWA: FBA

- ECP: FBA

- ActiveSync: 401

- Autodiscover: 401

- Remaing: None

 

 

This is the result of the Microsoft Remote Connectivity Tool:

 

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.de:443/Autodiscover/Autodiscover.xml for user test@domain.de.
     The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
     
    Additional Details
     
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
HTTP Response Headers:
request-id: ebc671e7-1ca1-4b92-8207-6b003f426345
X-CasErrorCode: UnauthenticatedRequest
Cache-Control: private
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.domain.de"
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: EX01
Date: Mon, 17 Jul 2017 14:50:22 GMT
Content-Length: 0
Set-Cookie: NSC_TMAA=2829d751fe703f17f0c06ff44ebb4033;HttpOnly;Path=/;,NSC_TMAS=247fc3bab2d6b592609a6e80a405f4f3;Secure;HttpOnly;Path=/;,NSC_TMAP=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;,NSC_TMAV=xyz;Path=/;expires=Wednesday, 09-Nov-1999 23:12:40 GMT;
Elapsed Time: 1011 ms.

 

The config of my AAA server looks like:

 

Name: AAA_Exchange2016

Certificate: Wildcard

Primary Authentication: LDAP (SAM & UPN Policy) --> SSO Attribut "userPrincipalName"

401 Based Servers: ActiveSync, Autodiscover

Form Based Servers: OWA, ECP

Session Policy: OWA SSO Profile (HTTP.REQ.URL.CONTAINS("/owa/auth/logon.aspx")

 

Load Balancing vServer

Name: lb_exch2016_autodiscovery

Protocol: SSL

Persistence: SourceIP

Timeout: 30mins

401 Based Authentication: ON

Authentication Virtual Server: AAA_Exchange2016

 

Content Switch Policies

 

 

 

nsconmsg -d current -g_hits result:

 

NetScaler NS11.1: Build 49.16.nc


reltime:mili second between two records Mon Jul 17 16:01:00 2017
  Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
      0    7148         183336          9        1 route_tot_hits route(127.0.0.0_255.0.0.0)
      1       0         638887         79       11 route_tot_hits route(192.168.2.0_255.255.255.0)
      2       0         175948          4        0 route_tot_hits route(0.0.0.0_0.0.0.0_192.168.2.253)
      3    7161            529          6        0 pol_hits Policy(LDAP_Lab_SAM)
      4       0            814          6        0 pol_hits Policy(LDAP_Lab_UPN)
      5       0            242          6        0 pcp_hits cspolicy(cs_pol_autodiscovery)
      6       0             69          1        0 pcp_hits tmsession(SETTMSESSPARAMS_ADV_POL)
      7       0             62          6        0 pcb_hits cs_pol(cs_pol_autodiscovery)(cs_exchange2016)
      8       0             69          1        0 pcb_hits policyBinding_26_10000000081_GLOBAL REQ_DEFAULT_65534(SETTMS      ESSPARAMS_ADV_POL)
      9       0         183357         21        2 route_tot_hits route(127.0.0.0_255.0.0.0)
     10       0         638993        106       14 route_tot_hits route(192.168.2.0_255.255.255.0)
     11       0         175971         23        3 route_tot_hits route(0.0.0.0_0.0.0.0_192.168.2.253)
     12       0           2297          1        0 ssl_ctx_tot_session_hits vserver_ssl_192.168.2.250:443(cs_exchange201      6)
     13    7074         183369         12        1 route_tot_hits route(127.0.0.0_255.0.0.0)
     14       0         639058         65        9 route_tot_hits route(192.168.2.0_255.255.255.0)
     15       0         175976          5        0 route_tot_hits route(0.0.0.0_0.0.0.0_192.168.2.253)
 

 

 

 

Did I miss something?

[Robert Pate]

Hi, I am having similar issues. Did you ever figure this out?

[Julian Mooren1709156280]

Hello Robert,

 

you need to disable ADAL on the client (registry) or upgrade to NetScaler >= 12.x 

 

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL (REG_DWORD 0)

 

For more Information: https://support.citrix.com/article/CTX216539

 

Julian

[Robert Pate]

Hi Julian,

 

I actually saw this article, though we are already using NS 12.0, plus are using Outlook 2013 clients. Thanks for the info though.

[Sascha Böcker]

I have the same issue with the Microsoft Connectivity Analyzer and Autodiscover.

NetScaler Firmware: NS12.1 51.19.nc

 

[Mauro Trabucco]

Hi everyone,

I have the same issue.

We tried also to set HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL (REG_DWORD 0), but it didn't work.

Do you solve with some settings.

 

Thanks a lot,