I understand it is recommended to disable Basic Authentication (but I believe it was like this because we tried to publish through Forefront and have the authentication on Forefront, then Authentication Delegation using Basic Auth), which eventually failed, so now we use no Delegation Authentication; clients can authenticate directly.

One thing I noticed is that the TMG logs show that when a client tries to download the OAB, there are a couple of successful connections but then there are anonymous requests that are unauthorized.

Microsoft BITS/7.5 Yes Reverse Proxy autodiscover.remarkgroup.com TCP HEAD Req ID: 0b4a6bf5; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes text/html Internet 0x44000008 0x180 62261 - - - 1 711 325 - 12/11/2012 8:25:42 AM 0 0 0 0 - - - - - - - - autodiscover.remarkgroup.com 12/11/2012 9:25:42 AM 84.207.224.138 10.1.1.200 443 https Allowed Connection Outlook Anywhere 2010 Publishing Rule 401 Unauthorized anonymous Internal Local Host http://autodiscover.remarkgroup.com/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml REMDMZSV03 - Web Proxy Filter 0 - -

I have a call opened with Microsoft but after a week of asking me for logs they can't find anything yet. I am surprised that it looked like it worked this morning after I fixed some replication partner issue (an ex2k10 server was not a replication partner on the OAB Public Folder). I am back to the same issue now, that none of the users set up with the web-based OAB can download it successfully outside the corporate LAN.

On Thu, Dec 6, 2012 at 9:20 PM, Michael B. Smith <mich...@smithcons.com> wrote:

> That’s perfectly normal for Get-AutodiscoverVirtualDirectory. I think you have probably overconfigured your OAB VDir.
> This is what mine looks like on my Exchange 2010 server:
>
> [PS] C:\Scripts>get-oabvirtualdirectory -server $env:computername | fl *
>
> PSComputerName                  : win2008r2ex2010.smithcons.local
> RunspaceId                      : 0cea11e5-08a4-4674-9333-7ca41080e814
> Name                            : OAB (Default Web Site)
> PollInterval                    : 480
> OfflineAddressBooks             : {\Default Offline Address Book}
> RequireSSL                      : False
> BasicAuthentication             : False
> WindowsAuthentication           : True
> MetabasePath                    : IIS://Win2008R2Ex2010.smithcons.local/W3SVC/1/ROOT/OAB
> Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB
> ExtendedProtectionTokenChecking : None
> ExtendedProtectionFlags         : {}
> ExtendedProtectionSPNList       : {}
> Server                          : WIN2008R2EX2010
> InternalUrl                     : http://win2008r2ex2010.smithcons.local/OAB
> InternalAuthenticationMethods   : {WindowsIntegrated}
> ExternalUrl                     : https://mail.smithcons.com/OAB
> ExternalAuthenticationMethods   : {WindowsIntegrated}
> AdminDisplayName                :
> ExchangeVersion                 : 0.10 (14.0.100.0)
> DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=WIN2008R2EX2010,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=smithcons,DC=local
> Identity                        : WIN2008R2EX2010\OAB (Default Web Site)
> Guid                            : e5ffe3b4-3a65-4ecb-b3d6-b466593378ff
> ObjectCategory                  : smithcons.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
> ObjectClass                     : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
> WhenChanged                     : 11/5/2009 11:00:52 AM
> WhenCreated                     : 10/18/2009 2:19:07 PM
> WhenChangedUTC                  : 11/5/2009 4:00:52 PM
> WhenCreatedUTC                  : 10/18/2009 6:19:07 PM
> OrganizationId                  :
> OriginatingServer               : Win2008R2Ex2010.smithcons.local
> IsValid                         : True
>
> *From:* Al Rose [mailto:arose...@gmail.com]
> *Sent:* Thursday, December 6, 2012 11:07 AM
> *To:* MS-Exchange Admin Issues
> *Subject:* Re: Web-based OAB not working
>
> So I don't have a problem with Autodiscover at all internally, exrca.com responds successfully from outside and I can autoconfigure Outlook clients from outside too.
>
> Though I don't see any URL in get-autodiscovervirtualdirectory, is that normal?
>
> And I still can't get the OAB to download...
>
> [PS] C:\windows\system32>Get-Autodiscovervirtualdirectory | FL
>
> RunspaceId                      : a66846e8-147a-49ce-be7f-2d499343c503
> Name                            : Autodiscover (Default Web Site)
> InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
> ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
> LiveIdSpNegoAuthentication      : False
> WSSecurityAuthentication        : True
> LiveIdBasicAuthentication       : False
> BasicAuthentication             : True
> DigestAuthentication            : False
> WindowsAuthentication           : True
> MetabasePath                    : IIS://acmeEXCH10.corp.acmegroup.local/W3SVC/1/ROOT/Autodiscover
> Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
> ExtendedProtectionTokenChecking : None
> ExtendedProtectionFlags         : {}
> ExtendedProtectionSPNList       : {}
> Server                          : acmeEXCH10
> InternalUrl                     :
> ExternalUrl                     :
> AdminDisplayName                :
> ExchangeVersion                 : 0.10 (14.0.100.0)
> DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=acmeEXCH10,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=acmeGROUP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acmegroup,DC=local
> Identity                        : acmeEXCH10\Autodiscover (Default Web Site)
> Guid                            : 931cf1f0-4dd6-4ee9-ae3e-f743f667cbea
> ObjectCategory                  : acmegroup.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
> ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
> WhenChanged                     : 7/6/2012 4:31:04 PM
> WhenCreated                     : 7/6/2012 4:31:04 PM
> WhenChangedUTC                  : 7/6/2012 2:31:04 PM
> WhenCreatedUTC                  : 7/6/2012 2:31:04 PM
> OrganizationId                  :
> OriginatingServer               : acmevdc01.corp.acmegroup.local
> IsValid                         : True
>
> RunspaceId                      : a66846e8-147a-49ce-be7f-2d499343c503
> Name                            : Autodiscover (Default Web Site)
> InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
> ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
> LiveIdSpNegoAuthentication      : False
> WSSecurityAuthentication        : True
> LiveIdBasicAuthentication       : False
> BasicAuthentication             : True
> DigestAuthentication            : False
> WindowsAuthentication           : True
> MetabasePath                    : IIS://REMTC4EXCH10.corp.acmegroup.local/W3SVC/1/ROOT/Autodiscover
> Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
> ExtendedProtectionTokenChecking : None
> ExtendedProtectionFlags         : {}
> ExtendedProtectionSPNList       : {}
> Server                          : REMTC4EXCH10
> InternalUrl                     :
> ExternalUrl                     :
> AdminDisplayName                :
> ExchangeVersion                 : 0.10 (14.0.100.0)
> DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=REMTC4EXCH10,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=acmeGROUP,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acmegroup,DC=local
> Identity                        : REMTC4EXCH10\Autodiscover (Default Web Site)
> Guid                            : 3e85a80d-0f8e-4939-a37e-7f8bc9851ce7
> ObjectCategory                  : acmegroup.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
> ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
> WhenChanged                     : 9/26/2012 11:50:58 AM
> WhenCreated                     : 9/26/2012 11:50:58 AM
> WhenChangedUTC                  : 9/26/2012 9:50:58 AM
> WhenCreatedUTC                  : 9/26/2012 9:50:58 AM
> OrganizationId                  :
> OriginatingServer               : acmevdc01.corp.acmegroup.local
> IsValid                         : True
>
> On Thu, Dec 6, 2012 at 3:08 PM, Al Rose <arose...@gmail.com> wrote:
>
> Just did the test, the autodiscover was tested successfully on my account. The xml retrieved the OABUrl https://autodiscover.acme.com/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml <http://autodiscover.acme.com/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml> successfully.
>
> If I click Download Address book it just times out, I have to cancel manually otherwise it keeps showing progress "processing"
>
> All other email accounts that are still using the Default Address book (housed on the 2003 server) don't have issues downloading the OAB from inside or outside.
>
> On Thu, Dec 6, 2012 at 2:25 PM, Michael B. Smith <mich...@smithcons.com> wrote:
>
> You need to look at the autodiscover response. The easiest way to see it is exrca.com.
>
> *From:* Al Rose [mailto:arose...@gmail.com]
> *Sent:* Thursday, December 6, 2012 4:32 AM
> *To:* MS-Exchange Admin Issues
> *Subject:* Web-based OAB not working
>
> Hi,
>
> Since I have moved a lot of users from Exchange 2003 to 2010, I have created a new OAB and enabled web distribution (not public folders).
> I have assigned this OAB to myself to test via an Address Book Policy.
>
> I can download the address book from Outlook from the internal network but when on the Internet it doesn't work.
>
> We use TMG forefront for publishing OAB and the rule errors out:
>
> Failed Connection Attempt REMDMZSV03 12/6/2012 9:47:54 AM
> Log type: Web Proxy (Reverse)
> Status: 0x80004001
> Rule: Outlook Anywhere 2010 Publishing Rule
> Source: Internal (86.102.4.38:55311)
> Destination: Local Host (10.1.1.200:443)
> Request: GET http://autodiscover.acme.com/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml
> Filter information: Req ID: 0b43d5a3; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; FBA cookie: exists=no, valid=no, updated=no, logged off=no, client type=unknown, user activity=yes, Range=0-4829
> Protocol: https
> User: anonymous
> Additional information
> Client agent: Microsoft BITS/7.5
> Object source: Internet (Source is the Internet. Object was added to the cache.)
> Cache info: 0x802040 (Request includes the RANGE header. Request includes the IF-UNMODIFIED-SINCE header. Response includes the LAST-MODIFIED header.)
> Processing time: 1 MIME type: text/xml
>
> And the IIS logs:
>
> 2012-12-05 07:27:39 10.1.1.210 GET /OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml - 443 - 10.254.2.1 Microsoft+BITS/7.5 401 2 5 0
> 2012-12-05 07:27:39 10.1.1.210 GET /OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml - 443 - 10.254.2.1 Microsoft+BITS/7.5 401 1 2148074254 0
> 2012-12-05 07:27:39 10.1.1.210 GET /OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml - 443 - 10.254.2.1 Microsoft+BITS/7.5 401 1 2148074254 0
>
> If I try to browse to http://autodiscover.acme.com/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml I get an access denied, but if I try via SSL I can log in correctly.
>
> I don't get why Outlook is trying to get the OAB via http in the first place.
>
> Thank you.
>
> This is what our OAB looks like:
>
> [PS] C:\windows\system32>Get-OabVirtualDirectory| fl
>
> RunspaceId                      : a66846e8-147a-49ce-be7f-2d499343c503
> Name                            : OAB (Default Web Site)
> PollInterval                    : 240
> OfflineAddressBooks             : {\Address Book Primary}
> RequireSSL                      : True
> BasicAuthentication             : True
> WindowsAuthentication           : True
> MetabasePath                    : IIS://corpEXCH10.corp.acme.local/W3SVC/1/ROOT/OAB
> Path                            : E:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\OAB
> ExtendedProtectionTokenChecking : None
> ExtendedProtectionFlags         : {}
> ExtendedProtectionSPNList       : {}
> Server                          : corpEXCH10
> InternalUrl                     : https://webmail.acme.com/oab
> InternalAuthenticationMethods   : {Basic, WindowsIntegrated}
> ExternalUrl                     : https://webmail.acme.com/OAB
> ExternalAuthenticationMethods   : {Basic, WindowsIntegrated}
> AdminDisplayName                :
> ExchangeVersion                 : 0.10 (14.0.100.0)
> DistinguishedName               : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=corpEXCH10,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=acme,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acme,DC=local
> Identity                        : corpEXCH10\OAB (Default Web Site)
> Guid                            : 0af0b88d-8f0a-4c00-a832-4aa69bc858e1
> ObjectCategory                  : acme.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
> ObjectClass                     : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
> WhenChanged                     : 11/12/2012 3:11:38 PM
> WhenCreated                     : 7/6/2012 4:30:38 PM
> WhenChangedUTC                  : 11/12/2012 2:11:38 PM
> WhenCreatedUTC                  : 7/6/2012 2:30:38 PM
> OrganizationId                  :
> OriginatingServer               : corpvdc01.corp.acme.local
> IsValid                         : True

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
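
Added example (not part of the thread): a short Python triage of the three IIS log lines quoted above, decoding sc-status, sc-substatus and sc-win32-status and listing client/URL pairs whose requests never got past a 401. It assumes the IIS 7 default W3C field order, since the thread does not show the #Fields header; the function names are illustrative.

```python
from collections import defaultdict

# Assumption: IIS 7 default W3C field order (the thread omits the #Fields header).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# IIS 401 substatus texts and the two sc-win32-status values seen in the thread.
SUBSTATUS = {"401.1": "Logon failed",
             "401.2": "Logon failed due to server configuration"}
WIN32 = {0x00000005: "ERROR_ACCESS_DENIED",
         0x8009030E: "SEC_E_NO_CREDENTIALS"}

# The three IIS log lines quoted in the thread, unwrapped.
URI = "/OAB/58f7c878-80e4-43f5-b847-e6e8ebc3b4fd/oab.xml"
SAMPLE = "\n".join(
    f"2012-12-05 07:27:39 10.1.1.210 GET {URI} - 443 - 10.254.2.1 "
    f"Microsoft+BITS/7.5 401 {tail}"
    for tail in ("2 5 0", "1 2148074254 0", "1 2148074254 0"))


def parse(text):
    """Yield one dict per well-formed W3C log line, skipping # directives."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and not line.startswith("#"):
            yield dict(zip(FIELDS, parts))


def decode(rec):
    """Return (status.substatus, substatus text, Win32/SSPI status name)."""
    code = f"{rec['sc-status']}.{rec['sc-substatus']}"
    win32 = int(rec["sc-win32-status"])
    return code, SUBSTATUS.get(code, "unknown"), WIN32.get(win32, f"0x{win32:08X}")


def never_authenticated(text):
    """(client IP, URI) pairs where every request was a 401 with no user name."""
    groups = defaultdict(list)
    for rec in parse(text):
        groups[(rec["c-ip"], rec["cs-uri-stem"])].append(rec)
    return sorted(key for key, recs in groups.items()
                  if all(r["sc-status"] == "401" and r["cs-username"] == "-"
                         for r in recs))


if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec["time"], rec["c-ip"], *decode(rec))
    print("never authenticated:", never_authenticated(SAMPLE))
```
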