Professional Documents
Culture Documents
In the current article, we will learn to know the ExRCA also known as Microsoft
Connectivity Analyzer web-based tool, that serves as the name implies for testing
and analyzing information that is related to relationships of different Exchange
clients with their Exchange server.
I will review only the general concepts such as how to read the results, the logical
structure of the test results, etc.
A Under the Exchange Server tab, we can find all the available tests that can
be used when we need to test the Exchange On-Premise services.
B Under the Office 365 tab, we can find all the available tests that can be used
when we need to test the Exchange Online infrastructure.
2. Different type of remote connectivity test
In the following screenshots, we can see that the Autodiscover connectivity test
appears under the Exchange server tab (Exchange on-Premises).
For example, we can implement a connectivity test for Outlook (RPC\HTTPS) mail
client, ActiveSync (mobile Exchange client) etc.
Note that under the section Microsoft Office Outlook Connectivity Tests, we
have two different connectivity tests.
For example, there are two different types of Outlook connectivity tests.
The test that can be implemented in the Exchange on-Premises environment exists
also for the Office 365 environment but, the Microsoft Connectivity Analyzer Tool
includes additional tests that are relevant only to Office 365 environment.
In the following screenshot, we can see that the interface of Office 365
environment include seven different connectivity test versus the Exchange onPremises tab that includes four connectivity tests.
In the following screenshot, we can see that there are additional tabs beside the
test that relate to Exchange.
5. The test client Microsoft Remote Connectivity Analyzer Tool | The Host
that perform the test
The subject of the Host who performs the test is a very important subject and a
little confusing.
The Microsoft Remote Connectivity Analyzer Tool is a Microsoft public server whom
we can use for simulating access to various exchange services such as
Autodiscover.
2. A specific network from which the user tries to access the Autodiscover
Endpoint.
3. A general problem in the Autodiscover infrastructure that affects all the
external mail client that needs to access their Autodiscover Endpoint.
The Microsoft Remote Connectivity Analyzer Tool, is implemented by using a public
Microsoft server that performs the different connectivity tests.
The Public server server for simulating Exchange client sessions with the
Exchange server.
We should be aware of the important fact that the Microsoft Remote Connectivity
Analyzer Tool Autodiscover test can be used only for testing a very specific scenario,
a scenario in which the Exchange client (Autodiscover client) is addressing the
public interface of the Exchange server.
In other words, a scenario in which the Exchange client is located on a public
network and the Exchange server configured as Public facing Exchange server.
The option of testing the Autodiscover flow from external Exchange client is
suitable for many scenarios, but in some Autodiscover troubleshooting scenarios,
we will need to perform the Autodiscover connectivity test from a different
direction.
The meaning is performing the Autodiscover test by using a specific user desktop
or performing the Autodiscover test from a specific network such as the
organizations private network.
In case that we want to perform the Autodiscover test from an internal network or,
from a specific network in which the Exchange client is located, we can download
and install the Microsoft Connectivity Analyzer client.
In the following screenshot, we can see the client tab that we can use for
downloading the: Microsoft Connectivity Analyzer client.
2. Click on the Exchange Server tab and under the Microsoft Office Outlook
connectivity test, choose the option Outlook Autodiscover
3. On the bottom right corner, click on the Next option
3. Password this is the domain user password, meaning the password that the
user use when he login to the corporate domain.
4. Approval for the Autodiscover test choose the option of :
I understand that I must use the credentials of a working account from my
Exchange domain to be able to test connectivity with it remotely. I also
acknowledge that I am responsible for the management and security of this
account.
This is a mandatory requirement.
When choosing this option, we are approving that we trust Microsoft (we provide
the ExRCA server our secret the private domain user credentials).
5. Verification we will need to complete the verification process by re-type the
letters that appear (this is how Microsoft verifies that we are a human factor and
not a malicious code).
To complete the process click on the verify button
In the next screenshot, we can see that the verification process was completed
successfully.
To start that Autodiscover test, click on the Next option
Each of the steps can be expanded so we can see the content of the additional
steps that were included in the father step and so on.
To demonstrate the Hierarchy concept of the ExRCA Results interface, lets use an
example of ExRCA Autodiscover test results that simulate Autodiscover access to an
on-Premises, Public facing Exchange CAS server.
Level 1
At this level, we can see a clear answer for the ExRCA Results. In our example, the
test completes successfully.
Level 2
When choosing the option of -expand under the Test Steps, we can see
additional level of information.
In our example, we can see that the Autodiscover test was started by looking for
the host named o365info.com and, the result is failure.
The next Autodiscover test, was performed using the host named
autodiscover.o365info.com and the result is Success
Level 3
The next level (Level 3) is the level in which we can review all the steps that are
included in the Autodiscover flow.
In the following diagram, we can see the logic of the displayed results.
In the following screenshot, we can see a short description for each of the steps
that was included in the Autodiscover process.
Step 1: described as Attempting to resolve the host names
autodiscover.o365info.com in DNS.
Step 2: described as Testing TCP port 443 on host autodiscover.o365info.com to
ensure its listening and open.
Step 3: described as Testing the SSL certificate to make sure its valid.
Step 4: described as- Checking the IIS configuration for client certificate
authentication.
Step 5: described as Attempting to send an Autodiscover POST request to
potential Autodiscover URLs.
Level 4
This is the deepest level of information that enables us to take a deeper look at
the specific Autodiscover step.
In the following example, we have expanded the Name resolution steps in which
the Autodiscover client accesses the DNS server and asks for the IP address of the
Autodiscover Endpoint.
In our scenario, we can see that the IP address that was returned to the client is:
212.25.80.239 and, the round trip time that took to complete the process is: 221
ms
When looking at the screenshot, we can see that the icon of the test result is green,
but at the same time we can see that we see a yellow icon with an exclamation
mark.
So the most obvious question is is it good or bad?
Can we understand that our Autodiscover infrastructure was configured correctly
or, we need to fix some issues?
The simple answer is Yes, this is good.
The reason for the notification of Test Successful with Warnings is that the
Autodiscover process is based on a concept of trial and error.
While looking for the final result, the Autodiscover client is programed to execute
a couple of methods and 99% of the time, some of this methods or tests will fail.
What matter is the end result that answers the question did the client was able
or not able to find the answer, meaning the Autodiscover response.
The reason for the yellow icon with an exclamation mark are as follows:
1. Root domain
The most popular cause for the result Test Successful with Warnings is, that be
default, the Autodiscover client is programed to look for the Autodiscover Endpoint
by extracting the domain name from the recipient E-mail address (the right part
that includes the recipient SMTP domain name) and create a DNS query using the
domain name as the Host name.
For example, in the case that the recipient name is John@o365info.com , the
Autodiscover client such as Outlook, will create a DNS query looking for the
hostname o365info.com
Most of the time, this method will fail, because its a very rare scenario in which the
organization public domain name is mapped in the DNS for the IP address of the
Exchange server.
The outcome is the most of the time the first step in the Autodiscover process will
appear as failed.
Generally speaking, the method of looking for the hostname of the Autodiscover
Endpoint using the root domain name can even cause minor or major problem.
In case that the organization uses a public website and additionally maps the
address of the domain name of the website, the Autodiscover client will get a
positive answer from the DNS regarding the IP address of the Root domain name
but when he tries to communicate with the Apparent Autodiscover Endpoint using
HTTPS, the communication will fail.
So, besides of the time that was spent in implementing this method, theres no
harm.
In fewer good scenarios, in case that the destination host (the website) has a
problematic certificate such as a certificate that her date was expired and so on, the
Autodiscover client will stop the Autodiscover process because, the Autodiscover
client understand that there is a problem with the Autodiscover Endpoint.
To be honest, I think that the Autodiscover method of looking for the hostname
of the Autodiscover Endpoint using the root domain name should be removed
because, for myself, I cannot see any advantage to using this method.
Testing TCP port 443 on host o365info.com to ensure its listening and open. The
specified port is either blocked, not listening, or not producing the expected
response.
2. Certificate chains
An additional reason for the result of Test Successful with Warnings is the
process that described as testing the Certificate chains
The Autodiscover client, request from the Autodiscover Endpoint to prove his
identity, by providing a certificate.
The public certificate infrastructure, is built upon a hierarchical concept.
The public server certificate is provided by a higher authority and, many times, the
higher authority is a subordinate of additional higher authority.
In this scenario, there at least two elements that are involved the element that
provides the certificate (described as CA- Certificate Authority) and the client that
uses the certificate (Exchange server for example).
Part of the security test that Autodiscover client will perform is check the
element which provides the certificate meaning the CA and the CA certificate.
The ability of the Autodiscover client of verifying the CA certificate, is based on the
assumption that the CA is well know and that the client (the Autodiscover client)
has the CA certificate in his certificate store.
When we perform the Autodiscover test by using the ExRCA tool, even when the
phase of testing the Certificate chains is completed successfully, the ExRCA tool
notifies us that the fact the he (the ExRCA), manage to verify the certificate chains,
doesnt mean that a user desktop will also manage to complete successfully the
certificate chains test because these depend on the specific desktop certificate
store.
When looking at the ExRCA test results, we can see this type of notification:
Analyzing the certificate chains for compatibility problems with versions of
Windows. Potential compatibility problems were identified with some versions of
Windows. Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the
Root Certificate Update functionality from Windows Update. Your certificate may
not be trusted on Windows if the Update Root Certificates feature isnt enabled.
Just to recap, despite the fact that the Autodiscover phase of testing the certificate
chains appears with a yellow exclamation mark, the issue is not a problem and
there is nothing that we can do to avoid from this information to appear in the
Autodiscover test results.
The ExRCA tool, enable us to save the result from the Autodiscover test, using three
different options:
1. Copy to clipboard
This option will copy the ExRCA test result to the local desktop clipboard using an
XML format. Personally, I prefer the other method such as saving the
Autodiscover test result, to an HTML format because the reading of the result is
much clearer.
2. Save the result to HTML file
This is my prefer method. The option of saving the ExRCA test result HTML file is
identical to the result that appears on the screen. The use of the green and red
icons, unable to find area of problems very easily and additionally, the option of
expand and collapse enable us to navigate through the data very easily.
3. Save the result to XML file
The option of saving the data into an XML format is interesting because when using
the option of XML, we can use tolls such as Microsoft Excel for presenting the data
in a custom format.
In case that we save the ExRCA Autodiscover test result in an XML file format, and
we use Excel for opening the XML file, the following message will appear please
select how you would like to open this file
We will choose the option of As an XML table
An additional option is to open the XML file using an advanced text editor such as:
Notepad++
In the following screenshot, we can see the result of opening an XML file with
Notepad++. We can see that the Text editor understand the special XML format
and display the data using a color, Hierarchy of XML tags etc.
An HTTP 403.4 was Returned Because SSL was Required on the Virtual
Directory
An HTTP 500 was Returned to ISA Because the Certificate on the Published
Server Doesnt Match the Name in the Publishing Rule
Access is Denied Error was Thrown by the RPC Runtime
Exchange ActiveSync Returned an HTTP 500 Error
Exchange ActiveSync Returned an HTTP 451 Error
ActiveSync ExternalUrl is Not in the Expected Format
Windows Mobile Root Certificates
Missing Intermediate Certificates in Chain
The Act As Account Does Not Have Permissions to Create Items in this Folder
The Act As Account May Not Have Permission to Delete Items in this Folder
The Act As Account May Not Have Permissions to Access this Folder
The Service Account Specified Does Not Have Impersonation Rights on Client
Access Server
The Service Account Specified Does Not Have Impersonation Rights on the
Act As Account Specified
Invalid XML Response Unable to Retrieve Availability or OOF Settings
IP Address does not have a PTR record in DNS
IP Address Found on RBL
Name Space is not Federated
The domain is a federated domain but the user <User>@contoso.com is not
known by Office 365
Active Directory Federated Services (AD FS) HTTPS endpoint name could not
be resolved
Active Directory Federated Services (AD FS) server is down or unreachable
ADFS SSL Certificate Name Mismatch
ADFS SSL Certificate Trust
ADFS SSL Certificate Expired
Token Signing Certificate Expired
ADFS token not accepted by Authentication Platform (for later version of
RCA)
Unknown Username or bad password
General issues that may occur for one or all users
UPN issues when authenticating
You must uninstall all interim updates before you install Exchange Server
2010 Service Pack 2
Missing EXCH Element in Autodiscover XML Response
Additional reading
Video links