Blog Stats
  • Posts - 74
  • Articles - 1
  • Comments - 73
  • Trackbacks - 0

 

Troubleshooting exchange web services

Since exchange versions from 2007 and up put more emphasis on the webservices for use in the distribution of the offline address book, out of office, the scheduling assistant and autodiscover (a.k.a outlook connectivity to exchange) the correct configuration of the virtual directories and IIS components is the main key to a healthy exchange environment.
It is for this reason that I have compiled a quick reference as to how these components should be configured in order to function properly and so that most of the information needed to troubleshoot issues is in one place.
Exchange default IIS virtual directory authentication settings
I have often seen that issues with exchange connectivity or web related services have been caused by not having these authentication and SSL settings placed correctly.
Exchange 2010
Client access server role

Virtual directory
Authentication method
SSL settings
Default Web site
·         Anonymous
·         Required
aspnet_client
·         Anonymous authentication
·         SSL required
·         Requires 128-bit encryption
Autodiscover
·         Anonymous authentication
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
ecp
·         Anonymous authentication
·         Basic authentication
·         SSL required
·         Requires 128-bit encryption
EWS
·         Anonymous authentication
·         Windows authentication
·         SSL required
·         Requires 128-bit encryption
Microsoft-Server-ActiveSync
·         Basic authentication
·         SSL required
·         Requires 128-bit encryption
OAB
·         Windows authentication
·         Not required
owa
·         Basic
·         SSL required
·         Requires 128-bit encryption
Powershell
·         Anonymous authentication
·         Not required
Rpc
·         Basic authentication
·         Windows authentication
·         SSL required
·         Requires 128-bit encryption
RpcWithCert
·         By default, all authentication methods are disabled
·         Required
 Mailbox Server Role

Virtual directory
Authentication method
SSL settings
Default Web site
·         Anonymous authentication
·         SSL required
·         Requires 128-bit encryption
PowerShell
·         Anonymous authentication
·         Not required
Exchange 2007
Client access server role

Virtual directory
Authentication method
SSL settings
Default Web Site
·         Anonymous authentication
·         SSL required
·         Require 128-bit encryption
aspnet_client
·         Anonymous authentication
·         SSL required
·         Require 128-bit encryption
Autodiscover
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
EWS
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
owa
·         Basic authentication
·         SSL required
·         Require 128-bit encryption
Exchange
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Public
·         Basic authentication
·         Windows authentication
·         Not required
Exchweb
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
OAB
·         Windows authentication
Not required
UnifiedMessaging
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Microsoft-Server-ActiveSync
·         Basic authentication
·         SSL required
·         Require 128-bit encryption
Rpc
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
RpcWithCert
·         By default, all authentication methods are disabled
SSL required
Mailbox server role

Virtual directory
Authentication method
SSL settings
Default Web Site
·         Anonymous
Not required
Exadmin
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Exchange
·         Basic authentication
·         Windows authentication
Not required
Public
·         Basic authentication
·         Windows authentication
Not required
 Windows SBS 2008
Default Exchange-related IIS authentication and SSL settings.

Virtual directory
Authentication method
SSL settings
Default Web Site
·         Anonymous authentication
Not required
aspnet_client
·         Anonymous authentication
Not required
Autodiscover
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
EWS
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Exadmin
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Exchange
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Exchweb
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Microsoft-Server-ActiveSync
·         Basic authentication
·         SSL required
·         Require 128-bit encryption
OAB
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
owa
·         Basic authentication
·         SSL required
·         Require 128-bit encryption
Public
·         Basic authentication
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Rpc
·         Basic authentication
·         Windows authentication
Not required
RpcWithCert
·         By default, all authentication methods are disabled
·         SSL required
·         Require 128-bit encryption
UnifiedMessaging
·         Windows authentication
·         SSL required
·         Require 128-bit encryption
Certificate SAN names
Split DNS setups
Required:
·         Exchangeservername.contoso.com
·         Autodiscover.contoso.com
·         Exchangeservername
Non-split DNS setups
Required:
·         Exchangeservername.contoso.com
·         Autodiscover.contoso.com
·         Exchangeservername
·         Exchangeservername.contoso.local
·         Autodiscover.contoso.local
Loopbackcheck
In case you have a commercial certificate and do not have the budget or possibility to switch to the SAN certificate required for the proper operation of exchange 2007/2010 you can disable the loopback check to solve your issues:
1.       Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
281308  (http://support.microsoft.com/kb/281308/ ) Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name .
2.       Click Start, click Run, type regedit, and then click OK.
3.       In Registry Editor, locate and then click the following registry key:
4.       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
5.       Right-click Lsa, point to New, and then click DWORD Value.
6.       Type DisableLoopbackCheck, and then press ENTER.
7.       Right-click DisableLoopbackCheck, and then click Modify.
8.       In the Value data box, type 1, and then click OK.
9.       Quit Registry Editor, and then restart your computer.
Configuring the webservice URLs
AutoDiscover
Because all internal clients that belong to the domain will use the service connection point (SCP) object in active directory to retrieve the web services URL information we need to make sure the information they receive will be correct. Using the following command we can see what has been configured and change the configuration if needed:
To view the configuration:
·         Get-ClientAccessServer | Select Name, *Internal* | fl
To change the configuration:
·         Set-ClientAccessServer –Identity <CAS Server Name> -AutoDiscoverServiceInternalUri: <https://Internal URL>
Offline address book
Whilst the offline address book can also be configured through the GUI I prefer a shell environment.
To view the configuration:
·         Get-OabVirtualDirectory | select Server,Name,*URL* | fl
To change the configuration:
·         Set-OabVirtualDirectory -identity “OAB (Default Web Site) –internalURL <http://internal URL>
Web Services
Responsible for the availability service and the out of office connectivity we set up these URLs through the web services virtual directory.
To view the configuration:
·         Get-WebServicesVirtualDirectory | Select name, *url* | fl
To change the configuration
·         Set-WebServicesVirtualDirectory –Identity “EWS (Default Web Site)” –InternalUrl: https://url.domain.local/EWS/Exchange.asmx
 
Test-outlookwebservices
Most problems returned by the “test-outlookwebservices” tool will be solved by the information in the other sections of this article. However there is one, particular nasty, error that will leave you baffled if you don’t know where to look...
WARNING: An unexpected error has occurred and debug information is being generated: Object reference not set to an instance of an object.
Test-OutlookWebServices : Object reference not set to an instance of an object.
At line:1 char:24 
This error is caused by a broken .NET Framework 2.0 and required you to perform a repair or uninstall of this package the error should be fixed. Note that, even though you did not install it, it will always be there if you installed the .NET Framework 3.0. The package can be found under “Programs and features” in the control panel and will be listed as "Update for Microsoft Windows (KB948609)".

Feedback

# re: Troubleshooting exchange web services

Gravatar Thanks for the great info. Am still getting the exact error mentioned. Here's how we got to that: ran updates for Exchange 2007 SP2 on WIndows server 2003. Updates installed .Net3.5 SP1. Crashed the server ansd stopped all mail flow. Uninstalled .Net3.5 SP1 and got mail going again. Also unistalled .Net 3.0 and .Net2.0 SP2 then reinstalled .Net3.5 which includes .Net 3.0SP1 and .Net 2.0SP1 Now we're stuck with this error and no Out of Office and free/busy function. Any thoughts?
Thanks 10/21/2011 8:01 PM | Kaiso

# re: Troubleshooting exchange web services

Gravatar Kaiso,

I take it you're refering to the following error? "Object reference not set to an instance of an object"

Well you reinstalled everything but did you try to run the repair option from the programs and features in the control panel? That's what usually does the trick for me.

Note that if that doesn't work your IIS might be bogged and need reinstalling. Which is a pain cause you're going to have to uninstall exchange as well...

Let me know... 10/24/2011 5:01 PM | Marc

# re: Troubleshooting exchange web services

Gravatar This is very good and informative article i come across. I was trying to get rid of mfewserrordomain error 56 in mac mail application and not able to connect the exchange server.
Now after follow the above chart i could solve my issue and now its working fine.
Thank you very much to the author.

Regards,
Huzefa M Sultan
IT Administrator 7/19/2012 7:51 AM | Huzefa M Sultan

Post A Comment
Title:
Name:
Email:
Comment:
Verification:
 
 

 

 

Copyright © marc dekeyser