Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN. Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console. Changed all the internal (and external) URLs for OAB etc. to use the public FQDN via the Exchange Management Console. Changed the internal and external URL for the Auto discovery site to use the public FQDN via the Exchange Management Shell. Set AutoDiscover SCP record to point to the public FQDN.
What happens is when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in. The log-in name defaults to their public email address. Tried all known permutations for entering domain user credentials (i.e. domain\user, firstname.lastname@example.org) but keep getting prompted. Permissions all look correct at the file level and IIS. Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal but then I get the security warning on the certificate as it doesn't match the destination name.
Am I doing something wrong here or missing some step? Is it possible to use an SSL certificate with the external FQDN for the Exchange AutoDiscover service?