bakerdrywall
Exchange 2007 Auto discovery External
I am having trouble with Autodiscover. Our subdomain works, but for some reason it first tries to hit the root domain, which is hosted by Bluehost, and that fails. How could I make it forward to the correct IP?
Attempting the Autodiscover and Exchange ActiveSync test (if requested). Autodiscover was successfully tested for Exchange ActiveSync.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 66.147.244.241
Testing TCP port 443 on host domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server domain.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated, Issuer: CN=PositiveSSL CA, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB.
Validating the certificate name.
Certificate name validation failed.
Additional Details
Host name domain.com doesn't match any name found on the server certificate CN=*.bluehost.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated.
Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name resolved successfully.
Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps
ASKER CERTIFIED SOLUTION
ASKER
Is there a way to forward domain.com to autodiscover.domain.com? When trying to connect via ActiveSync on phones, it displays a cert error, which is correct. If you hit cancel, it then falls back to autodiscover.domain.com.
So it is working properly and as intended, good.
I'm not an Exchange pro; however, it sounds like if you had a valid cert for domain.com you would not get that cert error, and the phone would continue on to autodiscover.domain.com like it should, without any errors.
The bottom line here is that Autodiscover is working overall, but domain.com does not have a valid cert, and domain.com is queried by ActiveSync clients before autodiscover.domain.com, so you get a cert error.
Either get an SSL cert just for domain.com, or change your wildcard cert to a SAN cert that includes domain.com along with any subdomains you need certs for.
You shouldn't be using a wildcard cert here; you really need a Unified Communications (UCC) cert, which allows for Subject Alternative Names in the cert.
To be clear on the last comment, a SAN cert is a UCC cert.
ASKER
I am using a SAN cert, but our website is hosted offsite at Bluehost; we host our Exchange server here locally. So when you try to access https://domain.com it pulls the Bluehost cert. Is there a way to forward Autodiscover to the correct IP via DNS?
Hi, is this still an issue?
Either redirect HTTP to a CAS with the correct certificate, or the Bluehost certificate has to have the correct SAN entries.
ASKER
Yes.
I created an SRV record, but now my OWA users get a message each time asking to move from http to https, plus a message about the cert.
SOLUTION
The messages are correct. Wildcard certs are for subdomains, not top-level domains.
autodiscover.domain.com matches *.domain.com
domain.com does not match *.domain.com
If autodiscover.domain.com works externally, then I don't believe there is anything to be concerned about. If another expert knows differently, please speak up, but from what I've read I don't think it's an issue.
http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/
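The two points made in this thread, that external clients query domain.com before autodiscover.domain.com (the earlier comment) and that *.domain.com matches autodiscover.domain.com but not domain.com (the last answer), are shown below in working code. This is an added example, not code from the original posts or from Microsoft. The sample domain and the two certificate dicts are constructed to mirror the ExRCA output above (the Bluehost subject is copied from it; the SAN entries and the Exchange certificate are assumptions). Only `fetch_peer_cert` needs network access; everything else runs offline.

```python
"""Autodiscover candidate order and certificate name matching.
Added example for this thread; not from the original posts."""
import ssl
import socket
from typing import Dict, List, Optional, Tuple

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def candidate_urls(smtp_domain: str) -> List[str]:
    """Order in which an external client (no Active Directory SCP lookup) tries
    to find Autodiscover for user@smtp_domain. The bare domain comes first, so
    a mismatched cert there prompts even when autodiscover.domain.com is fine."""
    d = smtp_domain.lower().rstrip(".")
    return [
        f"https://{d}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{d}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{d}{AUTODISCOVER_PATH}",  # must answer with a 302 to HTTPS
        f"srv:_autodiscover._tcp.{d}",                  # SRV names the real host and port
    ]


def name_matches(hostname: str, cert_name: str) -> bool:
    """A wildcard stands in for exactly one left-most label: *.domain.com covers
    autodiscover.domain.com but neither domain.com nor a.b.domain.com.
    Simplification: no public-suffix list, only a refusal of wildcards such as *.com."""
    h = hostname.lower().rstrip(".").split(".")
    c = cert_name.lower().rstrip(".").split(".")
    if len(h) != len(c) or "" in h:
        return False
    if c[0] == "*":
        return len(c) >= 3 and h[1:] == c[1:]
    return h == c


def dns_names(cert: Dict) -> List[str]:
    """Names a client may match, from the dict form ssl.getpeercert() returns:
    DNS SANs when present, otherwise the subject CN (legacy fallback)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def validate_hostname(hostname: str, cert: Dict) -> Tuple[bool, Optional[str]]:
    """(ok, matched_name), the decision behind ExRCA's 'Validating the certificate name'."""
    for name in dns_names(cert):
        if name_matches(hostname, name):
            return True, name
    return False, None


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Live probe (network). The chain is still verified against the system trust
    store, but host-name checking is off so a mismatched cert is returned for
    inspection instead of raising, as ExRCA did for https://domain.com above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so getpeercert() is populated
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not captured from a server). The first reuses the
# subject ExRCA printed for domain.com; the second is what a SAN/UCC cert on the CAS carries.
BLUEHOST_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("organizationalUnitName", "PositiveSSL Wildcard"),),
                (("commonName", "*.bluehost.com"),)),
    "subjectAltName": (("DNS", "*.bluehost.com"), ("DNS", "bluehost.com")),
}
EXCHANGE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "autodiscover.domain.com")),
}


def report(smtp_domain: str, certs_by_host: Dict[str, Dict]) -> List[Tuple[str, bool, Optional[str]]]:
    """Offline walk of the HTTPS candidates: the host each one lands on and whether
    the cert presented there passes name validation."""
    rows = []
    for url in candidate_urls(smtp_domain):
        if not url.startswith("https://"):
            continue
        host = url[len("https://"):].split("/", 1)[0]
        cert = certs_by_host.get(host)
        ok, matched = validate_hostname(host, cert) if cert else (False, None)
        rows.append((host, ok, matched))
    return rows


if __name__ == "__main__":
    # domain.com's A record points at the web host, autodiscover.domain.com at the CAS.
    hosts = {"domain.com": BLUEHOST_CERT, "autodiscover.domain.com": EXCHANGE_CERT}
    for host, ok, matched in report("domain.com", hosts):
        print(f"{host:28} {'OK' if ok else 'FAIL'} {matched or ''}")
```

The first row of the report fails exactly as ExRCA's first test did, and the second passes because autodiscover.domain.com is in the SAN list. The SRV candidate at the end of the list is what the asker added; it is written as `_autodiscover._tcp.domain.com. IN SRV 0 0 443 autodiscover.domain.com.` and is consulted only after the HTTPS candidates, so it cannot remove a prompt caused by the certificate served at https://domain.com.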