Monday, October 15, 2012

Apple iPhone iOS6 and Exchange Autodiscover

You may be wondering why iOS6 on the Apple iPhone no longer autodiscovers its Exchange settings. It doesn't work! We have done extensive testing with multiple mobile devices on Exchange Server 2010 SP2 UR4:

iPhone (4 or 4S) running iOS5 works great.
iPhone (4, 4S or 5) running iOS6 does not work.

This article was posted 16/10/2012. Apple might release an update for iOS6 in the near future that resolves this issue, which would make this article redundant.

24 comments:

  1. Yep, I can concur. Exchange 2010SP2RU4v1 as CAS.
    Same for when the mailbox is on 2007 (with the 2010 CAS).
    I saw that @JasonSherry tweeted that when upn=mailaddress it does work.

  2. Yes, you're correct, only when the UPN matches their mail address does it work, which is not the case for most organisations.

  3. Can you describe the symptoms of this issue? Will it affect already provisioned phones?

  4. The symptom is your phone will ask you for the Exchange server address when attempting to set up an Exchange profile on the device. This is usually autodiscovered.

    No, it will not affect already provisioned phones.

  5. it your phone will ask you for the Exchange server address when attempting to setup an Exchange profile on the device.

  6. thanks for sharing.

  7. This has saved me ripping my hair out, thanks!!

  8. We're on Exchange Server 2010 SP2 UR2, and going through ISA Server 2006. I can confirm it does work with iOS6.0, but the email name (before the @) must match their AD username (FYI we have a .local UPN). Hope that helps someone!

  9. Hi guys,

    To ensure people do not get confused:

    If the user's email address matches their UPN suffix it will work. For most organizations this is not the case.

    If the user's email address does not match the UPN it will fail. This is because IOS6 no longer asks for the username like IOS5 did. It tries to authenticate with the email address as the username.

    Hope this makes sense

    Regards,
    Clint

  10. Hi Clint, I can assure you the user's UPN does not match their email address. The key to it (for us) was to set the ActiveSync IIS folder to use 'basic authentication' and make sure you set the 'default domain' to your internal NetBIOS name; failure to do this will stop autodiscover from filling out the details automatically.
    Regards,
    Terry

  11. Hi Terry,

    From my experience IOS5 asks for:

    Email Address
    Username
    Password
    Description

    IOS6 asks for:

    Email Address
    Password
    Description

    Because IOS6 does not ask for username you cannot enter domain\username which is required for the authentication. Only if your email address matches the UPN suffix can it authenticate using the email address instead of domain\username.

    Regardless if you populate the Default Domain field or not within the Active Sync IIS folder, how are you going to authenticate if you do not have the field to enter the username?

    Regards,
    Clint

  12. Hi Clint, the username is derived from the email address, if we use an email that doesn't match the username it will fail e.g. username = terryj, so tj@domain.com will fail, but terryj@domain.com will authenticate successfully (but don't forget that default domain name!)
    HTH
    Regards,
    Terry

  13. Hi Terry,

    It's not derived from the email address, it's using a UPN suffix in your instance. Please read into what UPN suffixes are and what they are used for so you understand.

    Regards,
    Clint

  14. Your articles are very well written and unique.

  15. Hi Clint, there are no other UPN suffixes in our domain, just the .local UPN (our email addresses are .co.uk, so don't match the UPN).

    I'd like to just state again, that iOS 5 and 6 work with autodiscovery in our environment. To help others who may google this in future, our setup:
    We're on Exchange Server 2010 SP2 UR2, and using ISA Server 2006 for all iPhone / iPad users.
    For IIS the default settings should already be set (if not see here: http://blogs.technet.com/b/exchange/archive/2010/09/23/3411146.aspx), the ActiveSync folder should already be using 'basic authentication', just make sure you set the 'default domain' (for basic auth) to your internal NetBIOS name.
    I'm also assuming you've set up a different external URL for external users already (if not see: http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html), we're using a wildcard cert and not a SAN cert, but it works just as well.
    ISA server is pretty easy to set up, just follow the many guides on the net, one point to note, break out autodiscovery on its own, set Users to 'All Users', Authentication Delegation to either 'basic' or 'no delegation, but client may authenticate directly'. One thing that caught us out was in the listener -> Authentication -> Advanced -> Require all users to authenticate, was ticked (untick it or the All Users entry will not work).

    Regards,
    Terry

  16. One last thing you need to do, in IIS you'll need to set NTFS permissions on the autodiscover virtual directory to include everyone (as it uses basic authentication as the preferred choice).
    So go to:
    IIS manager -> Sites -> Default Web Site -> Autodiscover -> 'Right Click' -> Edit Permissions... -> 'Security' tab -> Edit... -> Add.. -> type: Everyone -> OK -> OK -> OK (Job done!)

    Regards,
    Terry

  17. Here are the logs from our IIS server (using an iPhone4 with iOS6) to prove it's not purely a UPN issue:

    2012-11-16 18:02:29 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 109
    2012-11-16 18:02:29 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 62
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj@domain.com p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 0
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj@domain.com p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 15
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 62
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj@domain.com p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 0
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj@domain.com p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 0
    2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 62

    Notice it tries the username first, THEN the email address? This is why it works using basic auth (and why it needs to match their AD account), in combination with the default domain name and the everyone permissions on the autodiscover folder in IIS.

    Regards,
    Terry

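Added example (not from the post or from any commenter): a parser for IIS W3C log lines in the layout shown in comment 17, tallying each Autodiscover request by the form of `cs-username` and by status, sub-status and Win32 code. In these fields 401.1 with Win32 status 1326 is ERROR_LOGON_FAILURE; the first two sample lines are from the comment, the last three lines and the `CORP` domain name are constructed.

```python
from collections import Counter

# IIS 7 default W3C field order, which the lines in comment 17 follow.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent status substatus win32_status time_taken").split()

# Sample: first two entries are from the comment; the last three are constructed.
SAMPLE = r"""
#Version: 1.0
2012-11-16 18:02:29 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 109
2012-11-16 18:02:31 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 terryj@domain.com p.p.p.p Apple-iPhone4C1/1001.403 401 1 1326 0
2012-11-16 18:02:33 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 - p.p.p.p Apple-iPhone4C1/1001.403 401 2 5 15
2012-11-16 18:02:34 e.e.e.e POST /Autodiscover/Autodiscover.xml - 443 CORP\terryj p.p.p.p Apple-iPhone4C1/1001.403 200 0 0 78
2012-11-16 18:02:35 e.e.e.e POST /Microsoft-Server-ActiveSync/default.eas - 443 CORP\terryj p.p.p.p Apple-iPhone4C1/1001.403 200 0 0 40
"""

def username_form(name):
    """Classify how the client presented the account name in cs-username."""
    if name == "-":
        return "anonymous"
    if "\\" in name:
        return "domain\\user"
    return "upn-style" if "@" in name else "bare"

def parse(log_text):
    """Yield one dict per Autodiscover request, skipping W3C '#' directives."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["uri_stem"].lower().startswith("/autodiscover/"):
            yield rec

def summarize(log_text):
    """Count requests per (username form, status.substatus, Win32 status)."""
    tally = Counter()
    for r in parse(log_text):
        key = (username_form(r["username"]), f'{r["status"]}.{r["substatus"]}', int(r["win32_status"]))
        tally[key] += 1
    return tally

def failed_logons(log_text):
    """Account names rejected with 401.1 / Win32 1326 (ERROR_LOGON_FAILURE)."""
    return sorted({r["username"] for r in parse(log_text)
                   if (r["status"], r["substatus"], r["win32_status"]) == ("401", "1", "1326")})

if __name__ == "__main__":
    print(summarize(SAMPLE), failed_logons(SAMPLE))
```
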
  18. The innovative solution in the iPhone was to remove the traditional keyboard; instead, there is a touch screen supported by the Multi-Touch technology. No stylus is needed; everything is operated with the use of a finger or multiple fingers.

  19. Great blog you people have maintained there, I totally appreciate the work.

  20. This is a great article. I too thought IOS6 and Autodiscover would not work. After playing with our Exchange this weekend, I can confirm these settings DO work! However there was one "gotcha" I'd like to throw out there for anyone else. When you set the "Default Domain" in IIS, you also MUST set "Realm" to the internal domain name as well. At first all I did was set the Default Domain and left Realm blank and it did not work. As soon as I set Realm, Autodiscover worked beautifully!!

  21. I had to make the autodiscover folder (basic authentication) use the 'default domain' as well.

  22. Why are people still amazed that iOS 6 works with autodiscover? The guy never said it does not if you read the comments! The simple fact is that the UPN needs to match the user's email address. If that is the case, autodiscover works fine. If, however, the logon name does NOT match the email address then there is absolutely no way the iOS device knows the logon name to use with the password and that is when autodiscover fails. It's as simple as that really. If the UPN matches the email and you have a default domain set in IIS then iOS works fine.

  23. Now it's time to use latest technology. iPhone, iPad and other latest technology made our life so easy.
