This post is the result of a recent issue that I encountered on a support incident with high production impact.
In my case, a new CAS role server had been installed in the Exchange 2010 organization, but it had not yet been added to the CasArray or the load balancer, and it was not even published on TMG.
More importantly, the Outlook Anywhere feature was enabled on this new CAS with a different client authentication method than on the other existing CAS servers.
What really happened?
Even though the Outlook Anywhere Autodiscover requests never arrived on the new server, as it was not reachable from outside (confirmed by consulting the IIS/TMG logs), the Autodiscover service provided as the authentication method the one that was set on the new CAS.
As a result, 90% of the Outlook Anywhere clients were no longer able to authenticate.
So I decided to blog about this topic in order to explain in more detail the Microsoft TechNet documentation regarding Outlook Anywhere's configuration retrieval in a multi-CAS environment.
Please follow the detailed Autodiscover White Paper for Exchange 2007 (http://technet.microsoft.com/en-us/library/bb332063(v=EXCHG.80).aspx) – which is applicable for Exchange 2010 too, and pay more attention to the 4th and 5th lines:
You might be thinking that if an Autodiscover HTTP request arrives on a specific CAS, only that CAS server alone will provide the information below, if the features are enabled:
But that's actually not what happens!
Autodiscover, on whichever server gets the request, enumerates all the CAS servers in the AD site for values, then randomly chooses one and returns it.
We should never assume that any one CAS looks only at itself for the values it returns to users, because we'll be wrong. Following this logic, we should never think that it is possible to manipulate the flow in order to get predictable behavior.
In fact, the algorithm used to pick a certain URL is part of the CAS code.
Never use an inconsistent Outlook Anywhere configuration from CAS to CAS in the same site, even if you think the Autodiscover service isn't reachable from one of them, because the Autodiscover service queries all the available CAS servers in the site that have the feature enabled.
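One way to check for this condition before a new CAS goes live, as an added example that is not part of the original post: the script below is meant for the Exchange Management Shell on Exchange 2010 and flags every AD site in which the Outlook Anywhere-enabled CAS servers do not all publish the same settings. The variable names and the report layout are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Autodiscover can hand out the Outlook Anywhere settings of ANY enabled CAS in
# the AD site, so every enabled CAS in a site must publish identical values.

# Map each CAS server name to its AD site (cast to string so the lookup works
# the same way for live and for deserialized remote-session objects).
$siteOf = @{}
Get-ExchangeServer | Where-Object { $_.IsClientAccessServer } | ForEach-Object {
    $siteOf[$_.Name] = [string]$_.Site
}

# Get-OutlookAnywhere only returns servers on which the feature is enabled,
# which is exactly the set Autodiscover chooses from.
$report = Get-OutlookAnywhere | ForEach-Object {
    New-Object PSObject -Property @{
        Site             = $siteOf[$_.ServerName]
        Server           = $_.ServerName
        ClientAuth       = [string]$_.ClientAuthenticationMethod
        ExternalHostname = [string]$_.ExternalHostname
        SSLOffloading    = [string]$_.SSLOffloading
    }
}

# Within each site, group by the values a client would receive. More than one
# group means clients get different answers depending on which CAS is picked.
foreach ($site in ($report | Group-Object Site)) {
    $variants = @($site.Group |
        Group-Object ClientAuth, ExternalHostname, SSLOffloading)

    if ($variants.Count -gt 1) {
        Write-Warning "Inconsistent Outlook Anywhere settings in site: $($site.Name)"
        $site.Group | Sort-Object Server |
            Format-Table Server, ClientAuth, ExternalHostname, SSLOffloading -AutoSize
    }
    else {
        Write-Host "Consistent: $($site.Name) ($($site.Group.Count) enabled CAS)"
    }
}
```

A server that appears in the warning table but is not yet behind the CasArray, the load balancer or TMG is the situation described above: it is unreachable for clients, yet its values can still be returned by Autodiscover.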
For further investigation of Autodiscover behavior:
Really interesting. I never knew the end part of this article (that the CAS that eventually gets the request STILL enumerates all values from all other CAS servers).
Thanks for sharing