Solved

Autodiscover Certificate Error

Posted on 2009-04-26
Last Modified: 2012-05-06
I have set up Outlook Anywhere running on SBS 2008/Exchange 2007. We use https://remote.domain.com for OWA and Outlook Anywhere to connect. I have just added "Autodiscover.domain.com" into my external DNS to resolve some issues we were having with the scheduler service not running properly, among other things. This appears to be working now; however, when users first connect their Outlook over Outlook Anywhere they are prompted with a certificate error. The autodiscover service is attempting to connect to autodiscover.domain.com but our certificate name is remote.domain.com. Can anyone tell me what the best solution to resolve this problem is? Do I need a second certificate? Or can I somehow get the autodiscover service to connect over the existing cert? Also, the cert is an internally generated cert, not third party. Any help would be appreciated.
0
Question by:DennisDavis
18 Comments
 
LVL 9

Expert Comment

by:Raghuv
ID: 24237060
You can get a SAN (UCC) certificate which basically supports multiple DNS entries, so you can have remote.domain.com and Autodiscover.domain.com on a Single certificate.

-> http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

-> http://www.digicert.com/subject-alternative-name.htm

An alternate way to get rid of the certificate prompts is by following the KB article,
http://support.microsoft.com/?id=940726.
0
 
LVL 6

Expert Comment

by:ikshf143
ID: 24237142
Hi There,

You can create a DNS SRV record for autodiscover pointing to remote.domain.com. Refer to the following Microsoft KB article to create a DNS SRV record. By following this you won't have to do anything with the certificate; you just have to install the certificate on the client machines, as this is an internal certificate.
http://support.microsoft.com/kb/940881
0
 

Author Comment

by:DennisDavis
ID: 24238773
hi ikshf143...I did see that article however our dns provider does not support creating SRV records.  I am assuming based on the kb article that this SRV entry must be created on the external facing dns?  Any other option if we are not able to do this?
0

 

Author Comment

by:DennisDavis
ID: 24238788
Hi Raghuv.. the Microsoft 940726 article you referenced refers to changing the internal URLs. My problem is from the outside. Will altering the internal URL have any effect externally?
0
 
LVL 9

Expert Comment

by:Raghuv
ID: 24239548
Hi Dennis,

The commands work for External URLs as well; you just need to modify the parameter -InternalURL to -ExternalURL.

For example:

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -ExternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -ExternalUrl https://mail.contoso.com/oab

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -ExternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

1. Open IIS Manager.
2. Expand the local computer, and then expand Application Pools.
3. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
0
 
LVL 6

Accepted Solution

by:
ikshf143 earned 2000 total points
ID: 24240294
Hi Dennis,

If that is the case and you do not want to create a SAN(UCC) certificate then you can either create another Single Name Certificate for autodiscover.domain.com and follow Scenario 3 of the autodiscover whitepaper or if you do not want to purchase another certificate then follow Scenario 4 of the white paper that will allow autodiscover to connect through HTTP and then redirect it to https://webmail.domain.com/autodiscover.
Autodiscover White Paper
http://technet.microsoft.com/en-us/library/bb332063.aspx
0
 
LVL 3

Expert Comment

by:Sourabh-Excahnge
ID: 24240472
I am not sure if you really want to use the Autodiscover service from outside.
If you want to use it, the best available option is changing the URLs using KB 940726, or you can have a SAN certificate.

Second thing: if you really want to get rid of the certificate error, please remove that SRV record so that it will not resolve the autodiscover URL, and after removing that your Outlook clients will work normally.


0
 

Author Comment

by:DennisDavis
ID: 24261432
OK, I have looked at the whitepaper and I have decided to try the autodiscover HTTP redirect option. I am supporting multiple domains, so my question is: do I need to create an external autodiscover DNS record for all domains being supported? My understanding is the autodiscover server will use the primary SMTP domain of the user, so I believe each domain would require an autodiscover.domain.com record, all pointing to my secondary web site hosting the redirect? Is this correct?
0
 
LVL 6

Expert Comment

by:ikshf143
ID: 24262417
Yes, you are absolutely right, and then by following the 4th scenario of the White Paper you can set up the redirection.
0
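The name check behind the certificate prompt discussed in this thread, as an added example that is not part of the original posts: it compares the names on a certificate (CN plus any SAN entries) with the autodiscover.<domain> host of each SMTP domain and reports which hosts would fail validation over HTTPS. The certificate name lists, the second domain and the status strings are constructed for illustration.

```python
# Added example; all names below are constructed, not taken from a real deployment.

def name_matches(pattern: str, host: str) -> bool:
    """Certificate name match: exact, or one wildcard in the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard stands for exactly one label and never spans a dot.
    return (
        p_labels[0] == "*"
        and len(p_labels) > 2
        and len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
    )

def cert_covers(cert_names, host):
    return any(name_matches(name, host) for name in cert_names)

def autodiscover_plan(cert_names, smtp_domains, redirect_target):
    """Map each autodiscover.<domain> host to a status (hypothetical labels).

    'https-ok' means the certificate already lists the host; otherwise the
    host needs its own certificate name or the HTTP redirect to redirect_target.
    """
    if not cert_covers(cert_names, redirect_target):
        # The redirect lands on HTTPS, so the target itself must validate.
        raise ValueError(f"certificate does not cover {redirect_target}")
    plan = {}
    for domain in smtp_domains:
        host = f"autodiscover.{domain}"
        covered = cert_covers(cert_names, host)
        plan[host] = "https-ok" if covered else "needs-san-or-http-redirect"
    return plan

# Constructed inputs: the single-name certificate from the question, and a
# SAN certificate that also lists the autodiscover name for one domain.
SINGLE_NAME = ["remote.domain.com"]
SAN_CERT = ["remote.domain.com", "autodiscover.domain.com"]
DOMAINS = ["domain.com", "seconddomain.example"]

if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME), ("SAN", SAN_CERT)):
        print(label, autodiscover_plan(names, DOMAINS, "remote.domain.com"))
```

With several SMTP domains, every autodiscover host left in the second state needs either its own entry on the certificate or a DNS record pointing at the redirect site.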
 

Author Comment

by:DennisDavis
ID: 24262443
OK.. so I am trying to set up the second web site in IIS7, and when I add the second internal IP to my Exchange box, IIS 7 does not see it, so I cannot create a new web site and assign the new IP to it. Does anyone know how to get IIS 7 to recognize a second IP that I added?
0
 
LVL 3

Expert Comment

by:Sourabh-Excahnge
ID: 24262512
You just need to right-click on the Sites under IIS Manager,
and there you will get an option for the new website.
0
 

Author Comment

by:DennisDavis
ID: 24262586
yes I have done that however the problem is when I try to assign the new website the second IP address I have assigned to the server does not show up as an available IP address.  
0
 
LVL 6

Expert Comment

by:ikshf143
ID: 24262808
Select the second web site and select bindings from the actions pane and select http 80 and hit edit and there you can assign the new IP address to the web site.
0
 

Author Comment

by:DennisDavis
ID: 24266717
Hi ikshf143. I think you are misunderstanding my issue. The second IP address does not appear in the bindings anywhere. When I create the second web site and attempt to bind an IP address to it, the IP address does not even appear as an option.
0
 
LVL 9

Expert Comment

by:Raghuv
ID: 24267517
Dennis: To get the 2nd IP address, did you add another NIC card to the Exchange Server?

There's a note mentioned on the Autodiscover White paper stating

"Similar to using two single-name certificates, this solution also requires a second public IP address which must be assigned to the second Web site."

Let us know if you still have any queries.
0
 

Author Comment

by:DennisDavis
ID: 24273046
I just assigned a 2nd internal IP address to the same NIC. The public IP address is not the problem. The problem is the 2nd internal IP address that I assigned to the NIC does show up as an available IP to bind any web site to it, whether it be an existing site or a new web site. It is as though IIS 7 does not even recognize a 2nd IP address exists. I am trying to determine if there is something new in IIS7 that has to be done in order to get IIS to recognize the 2nd IP.
0
 

Author Comment

by:DennisDavis
ID: 24274440
I have just tested on my own internal sbs 2008 server and when I add a second IP address it shows up immediately in IIS to be able to bind that address to a new web site.  I have no idea why my Exchange 2007 server will not do the same.  Does anyone have any suggestions?  I am desperately trying to get this autodiscover working for my client and this is holding me up...
0
 

Author Closing Comment

by:DennisDavis
ID: 31574718
Thank you.  I followed step 4 in the whitepaper using the http redirect which has worked quite nicely.
0
