The other day I was asked to look at problem with a new deployment of Exchange 2007. The customer is migrating from an Exchange 2003 single server to a Exchange 2007 two-server configuration.

When running Test-OutlookWebServices from the CAS/Hub server they would get the following:

1003 Information       About to test AutoDiscover with the e-mail address testuser@externaldomain.net.

1007 Information       Testing server DAA30181EXC003.internaldomain.local with the published name https://exc003.internaldomain.local/EWS/Exchange.asmx & https://owa.externaldomain.net/EWS/Exchange.asmx.

1019 Information       Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://EXC003.internaldomain.local/Autodiscover/Autodiscover.xml.

1006 Information       The Autodiscover service was contacted at https://EXC003.internaldomain.local/Autodiscover/Autodiscover.xml.

1016 Success           [EXCH]-Successfully contacted the AS service at https://exc003.internaldomain.local/EWS/Exchange.asmx. The elapsed time was 109 milliseconds.

1015 Information       [EXCH]-The OAB is not configured for this user.

1014 Success           [EXCH]-Successfully contacted the UM service at https://exc003.internaldomain.local/UnifiedMessaging/Service.asmx. The elapsed time was 31 milliseconds.

1013 Error             When contacting https://owa.externaldomain.net/EWS/Exchange.asmx received the error The request failed with HTTP status 401: Unauthorized.

1016 Error             [EXPR]-Error when contacting the AS service at https://owa.externaldomain.net/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.

1015 Information       [EXPR]-The OAB is not configured for this user.

1014 Information       [EXPR]-The UM is not configured for this user.

1017 Success           [EXPR]-Successfully contacted the RPC/HTTP service at https://owa.externaldomain.net/Rpc. The elapsed time was 0 milliseconds

Why does it work for the internal URLs but not the external URLS for the Exchange Web Services (EWS)?

This appears to be a security feature added in Windows Server 2003 SP1 that prevents a loopback check. When you use a FQDN (Fully Qualified Domain Name) or a host header to browse a local Web site that uses Integrated Authentication you may receive a 401.1 (Unauthorized: Logon Failed).

There are two ways around this problem disable the loopback check for specific host names or for all host names. Article 896861 describes the two fixes.

Method 1: Disable the loopback check

1. In Registry Editor, locate and then click the following registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
2. Add a new DWORD Value called DisableLoopbackCheck and assign it a value of 1
3. Quit Registry Editor, and then restart your computer.

Method 2: Specify host names

1. In Registry Editor, locate and then click the following registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
2. Add a new Multi-String Value called BackConnectionHostNames
3. In the values assign the host name or the host names for the sites that are on the local computer
4. Quit Registry Editor, and then restart the IISAdmin service.