Exchange 2007 Auto discovery External

I am having trouble with auto discovery. Our subdomain works, but for some reason it tries to hit the remote domain, which is hosted by Bluehost, and it fails. How could I make it forward to the correct IP?

Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Autodiscover was successfully tested for Exchange ActiveSync.
  Test Steps
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service was tested successfully.
      Test Steps
        Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
        Testing of this potential Autodiscover URL failed.
          Test Steps
            Attempting to resolve the host name domain.com in DNS.
            The host name resolved successfully.
              Additional Details
                IP addresses returned: 66.147.244.241
            Testing TCP port 443 on host domain.com to ensure it's listening and open.
            The port was opened successfully.
            Testing the SSL certificate to make sure it's valid.
            The SSL certificate failed one or more certificate validation checks.
              Test Steps
                ExRCA is attempting to obtain the SSL certificate from remote server domain.com on port 443.
                ExRCA successfully obtained the remote SSL certificate.
                  Additional Details
                    Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
                Validating the certificate name.
                Certificate name validation failed.
                  Additional Details
                    Host name domain.com doesn't match any name found on the server certificate CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.

        Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
        Testing of the Autodiscover URL was successful.
          Test Steps
            Attempting to resolve the host name autodiscover.domain.com in DNS.
            The host name resolved successfully.
            Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
            The port was opened successfully.
            Testing the SSL certificate to make sure it's valid.
            The certificate passed all validation requirements.
              Test Steps
                ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
                Validating the certificate name.
                The certificate name was validated successfully.
                  Additional Details
                    Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
                Certificate trust is being validated.
                The certificate is trusted and all certificates are present in the chain.
                Testing the certificate date to confirm the certificate is valid.
                Date validation passed. The certificate hasn't expired.
            Checking the IIS configuration for client certificate authentication.
            Client certificate authentication wasn't detected.
              Additional Details
                Accept/Require Client Certificates isn't configured.
            Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
            ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.

Asked by bakerdrywall

2 Solutions

Papertrip commented:
      Host name domain.com doesn't match any name found on the server certificate CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
      Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.

The messages are correct.  Wildcard certs are for subdomains, not top-level domains.  

autodiscover.domain.com matches *.domain.com
domain.com does not match *.domain.com

If autodiscover.domain.com works externally, then I don't believe there is anything to be concerned about.  If another expert knows differently, please speak up, but from what I've read I don't think it's an issue.

http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

Papertrip commented:
According to the link I provided, going to domain.com first before autodiscover.domain.com is normal operating procedure.
Because our Outlook 2007 clients don’t have access to Active Directory, we cannot obtain the AutodiscoverServiceinternalURI since the client can’t get to the SCP record.  Because of this, Outlook 2007 will fall back to utilizing a different method.  The first method is to contact the following DNS records in order (domain = the user’s primary SMTP domain):

    https://shudnow.net/autodiscover/autodiscover.xml
    https://autodiscover.shudnow.net/autodiscover/autodiscover.xml

bakerdrywall (author) commented:
Is there a way to forward domain.com to autodiscover.domain.com? When trying to connect via ActiveSync on phones, it displays a cert error, which is true. If you hit cancel, it then defaults to autodiscover.domain.com.

Papertrip commented:
So it is working properly and as intended, good.

I'm not an Exchange pro; however, it sounds like if you had a valid cert for domain.com you would not get that cert error, and the phone would continue on to autodiscover.domain.com like it should and not give any errors.

Bottom line here is that Autodiscover is working overall, but domain.com does not have a valid cert, and domain.com is queried by ActiveSync clients before autodiscover.domain.com, so you get a cert error.

Papertrip commented:
Either get an SSL cert just for domain.com, or change your Wildcard cert to a SAN cert that includes domain.com along with any subdomains you need certs for.

Radweld commented:
You shouldn't be using a wildcard cert here; you really need a unified communications cert, which allows for subject alternative names in the cert.

Papertrip commented:
To be clear on the last comment, a SAN cert is a UCC cert.

bakerdrywall (author) commented:
I am using a SAN cert, but our website is hosted offsite at Bluehost; we host our Exchange server here locally. So when you try to access https://domain.com it pulls the Bluehost cert. Is there a way to forward Autodiscover to the correct IP via DNS?

Papertrip commented:
Hi, is this still an issue?

Radweld commented:
Either redirect HTTP to a CAS with the correct certificate, or the Bluehost certificate has to have the correct SAN entries.

bakerdrywall (author) commented:
Yes.

I created an SRV record, but then my OWA users get a message each time asking to move from HTTP to HTTPS, and a message about the cert.

Radweld commented:
As stated, the certificate supplied by Bluehost isn't configured correctly. You either have to redirect HTTPS to an endpoint secured with a correctly configured certificate, or Bluehost needs to modify their certificate to add your domain names to it. These would be:

autodiscover.domain.com
mail.domain.com, or whatever name you're using for the external URL
legacy, if you're supporting coexistence

This has to be configured correctly to work. OWA and ActiveSync will work with a wildcard *.domain cert, but Autodiscover needs the exact name to be added as a subject alternative name (SAN).
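As an added illustration (not code from the thread, from Bluehost or from Microsoft's tools), the following Python models the two things the ExRCA output above checks: the URL order from the article Papertrip quotes (root domain first, then the autodiscover host) and the wildcard name-matching rule Papertrip and Radweld describe, which is why *.bluehost.com cannot cover domain.com. The certificate names come from the ExRCA output; that the CAS cert carries only the one SAN entry ExRCA confirmed is an assumption.

```python
# Added illustration, not code from the thread or from Microsoft's tools:
# models the Autodiscover URL order and the wildcard host-name matching rule.

def autodiscover_candidates(smtp_domain):
    """Order from the quoted article: root domain first, then autodiscover.<domain>."""
    d = smtp_domain.lower().rstrip(".")
    return [
        "https://%s/autodiscover/autodiscover.xml" % d,
        "https://autodiscover.%s/autodiscover/autodiscover.xml" % d,
    ]

def name_matches(hostname, cert_name):
    """Match one certificate name (CN or SAN entry) against a host name.

    A wildcard covers exactly one left-most label, so '*.domain.com' matches
    'autodiscover.domain.com' but not 'domain.com' (fewer labels) and not
    'a.b.domain.com' (more labels)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse '*.com'-style names: a wildcard needs at least two fixed labels.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def cert_covers_host(hostname, cert_names):
    """True if any name on the certificate matches the host."""
    return any(name_matches(hostname, n) for n in cert_names)

# Constructed from the ExRCA output in the question: the names each host
# presented. Bluehost's wildcard is quoted verbatim; the CAS cert is assumed
# to carry only the SAN entry ExRCA confirmed.
PRESENTED = {
    "domain.com": ["*.bluehost.com"],
    "autodiscover.domain.com": ["autodiscover.domain.com"],
}

def walk_autodiscover(smtp_domain, presented=PRESENTED):
    """Return (url, name_ok) per candidate, in the order a client tries them.
    First failing and second passing is the pattern in the ExRCA output above."""
    results = []
    for url in autodiscover_candidates(smtp_domain):
        host = url.split("/")[2]
        results.append((url, cert_covers_host(host, presented.get(host, []))))
    return results
```

Swapping the names in PRESENTED for the ones a real Get-ExchangeCertificate or browser inspection shows lets you predict which of the two URLs will raise a name mismatch before running ExRCA again.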