
Web Service

Semperfi4000 asked:
I could use some help and understanding when moving Web Services and Autodiscover.
I am moving all web services (AS, OA, OWA) and Autodiscover from CAS1 (2007) to CAS2 (2010).
Both are in different AD sites.
CAS1 goes out Gateway1, but will be shut down.
CAS2 goes out a new Gateway2.
The cert will change, from owa.Orange.com (CAS1) to owa.Apple.com (CAS2), a wildcard cert.
I've done a test by moving all web services to CAS2.
OWA worked, but ActiveSync failed.
      Test-OutlookWebServices -Identity User1
1)         A valid Autodiscover Service Connection Point was found.
2)         When contacting https://owa.Apple.com/Autodiscover/autodiscover.xml received the error: The remote server returned an error: (401) Unauthorized.
Since I am using a wildcard cert, do I need to do the following? Set-OutlookProvider EXPR -CertPrincipalName msstd:*.Apple.com. And will I have to create a new Autodiscover on Apple, since I am using a new cert?

Any other suggestions on moving web services and Autodiscover to a different CAS server would be greatly appreciated.

Below is my current config for CAS1 and CAS2.
CAS1 (2007)
AutoDiscover   InternalUrl = https://owa.Orange.com/autodiscover/autodiscover.xml
EWS            InternalUrl = https://owa.Orange.com/EWS/Exchange.asmx
               ExternalUrl = https://owa.Orange.com/EWS/Exchange.asmx
ActiveSync     InternalUrl = https://CAS1.Network.local/Microsoft-Server-ActiveSync
               ExternalUrl = https://owa.Orange.com/Microsoft-Server-ActiveSync

CAS2 (2010) will have a new wildcard cert.
AutoDiscover   InternalUrl = https://CAS2.Network.local/autodiscover/autodiscover.xml
EWS            InternalUrl = https://CAS2.Network.local/EWS/Exchange.asmx
ActiveSync     InternalUrl = https://CAS2.Network.local/Microsoft-Server-ActiveSync

You can't use a wildcard certificate to publish Autodiscover; you need a subject alternative name (SAN) or unified communications certificate to do this. A SAN cert has a main subject, usually your CAS endpoint, and then subject alternative names to cater for Autodiscover or other services such as a legacy URL.

Did you migrate from Exchange 2007 to 2010? One thing you may not be aware of is that a mailbox server must have a CAS and HTS in the same site, and you cannot render mailboxes hosted on Exchange 2010 on a 2007 CAS and vice versa. You should be aware of this restriction.

An overview of the certificate generation process.


Transitioning Exchange 2007 client access to 2010


Maen Abu-Tabanjeh (Network Administrator, Network Consultant, Top Expert 2011):

There is a command line in Exchange 2007 for this:
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://CAS2.Network.local/autodiscover/autodiscover.xml

It should be available. Also test your Exchange using:

test RPC over HTTP (Outlook Anywhere) and post the result here; it will simplify everything.

I see that you have already configured split DNS for your CAS 2007:
 -> owa.Orange.com is pointing to the internal IP of your CAS 2007.
First do the same for owa.Apple.com:
 -> owa.Apple.com should point to the internal IP of your CAS 2010.
If you are not sure how to create split DNS:
- Create an internal DNS zone with the same name as the one showing in your existing certificate (Apple.com), then create an A record for owa, so you have owa.Apple.com pointing to the local IP address of CAS 2010.
You get 401 because you already set:
[PS] C:\>Get-ClientAccessServer -Identity "ExCaS2010" | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://owa.Apple.com/autodiscover/autodiscover.xml"
BUT either you did not configure your split DNS correctly or you have the wrong setting on your Autodiscover virtual directory under IIS.
Also do not forget to change the internal URLs of the following vdirs:
[PS] C:\>Get-WebServicesVirtualDirectory -Identity "ExCaS2010" | Set-WebServicesVirtualDirectory -InternalUrl "https://owa.Apple.com/ews/exchange.asmx"

[PS] C:\>Get-OabVirtualDirectory -Identity "ExCaS2010" | Set-OabVirtualDirectory -InternalUrl "http://owa.Apple.com/oab"

[PS] C:\>Get-ActiveSyncVirtualDirectory -Identity "ExCaS2010" | Set-ActiveSyncVirtualDirectory -InternalUrl "https://owa.Apple.com/Microsoft-Server-ActiveSync"

Run the same cmdlets above again but change InternalUrl to ExternalUrl to fix your external URLs.
[PS] C:\>iisreset

Finally > YES, for OA you will need to run this:
Set-OutlookProvider EXPR -CertPrincipalName msstd:*.Apple.com
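The URL changes described in the post above, as an added PowerShell example that is not from the thread, from Microsoft or from any of the participants: it applies the same cmdlets to every client-facing virtual directory on the 2010 CAS in one pass, sets the SCP and the Outlook Anywhere certificate principal name, and reads everything back so a wrong value is caught before clients are moved. The server name "ExCaS2010", the namespace "owa.Apple.com" and the mailbox "user1@apple.com" are placeholders taken from the thread; the OAB URL is set to https here (the post used http), and the Outlook Anywhere line assumes the feature is already enabled on that server.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the 2010 CAS.
# Assumptions: server name, namespace and mailbox below are placeholders from the thread;
# owa.Apple.com must already resolve in internal (split) DNS to this CAS, and the wildcard
# certificate for *.Apple.com must already be installed and enabled for IIS on this server.

$Server    = "ExCaS2010"
$Namespace = "owa.Apple.com"

# Service Connection Point read from AD by domain-joined Outlook clients.
# Point it at the CAS itself (via split DNS), not at the TMG.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Namespace/autodiscover/autodiscover.xml"

# Virtual directories: same name inside and outside so one certificate covers both paths.
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$Namespace/EWS/Exchange.asmx" `
    -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"

Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory `
    -InternalUrl "https://$Namespace/OAB" `
    -ExternalUrl "https://$Namespace/OAB"

Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"

Get-OwaVirtualDirectory -Server $Server | Set-OwaVirtualDirectory `
    -InternalUrl "https://$Namespace/owa" `
    -ExternalUrl "https://$Namespace/owa"

Get-EcpVirtualDirectory -Server $Server | Set-EcpVirtualDirectory `
    -InternalUrl "https://$Namespace/ecp" `
    -ExternalUrl "https://$Namespace/ecp"

# Outlook Anywhere: external name clients connect to (assumes Outlook Anywhere is
# already enabled on this server; otherwise use Enable-OutlookAnywhere first).
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -ExternalHostname $Namespace

# With a wildcard certificate Outlook must be told which principal name to accept,
# otherwise the RPC/HTTP name check fails even though the TLS handshake succeeds.
Set-OutlookProvider EXPR -CertPrincipalName "msstd:*.Apple.com"

# IIS picks up the new URLs on the next app-pool recycle; force it now.
iisreset

# Read everything back: every URL must show the new namespace and nothing should still
# point at CAS2.Network.local or owa.Orange.com.
Get-ClientAccessServer -Identity $Server | Format-List Name,AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-OabVirtualDirectory        -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-OwaVirtualDirectory        -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-EcpVirtualDirectory        -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Get-OutlookAnywhere            -Server $Server | Format-List Identity,ExternalHostname
Get-OutlookProvider EXPR                       | Format-List Name,CertPrincipalName

# End-to-end check for a mailbox on the 2010 server: EXCH, EXPR and EWS should all
# report Success; a 401 here means the SCP or the vdir URL points somewhere that does
# not accept the client's credentials (wrong host, or the TMG rule in front of it).
Test-OutlookWebServices -Identity "user1@apple.com" | Format-List
```

Keep the certificate principal name in step with the certificate: `msstd:*.Apple.com` is only correct for a wildcard; for a SAN certificate it would be `msstd:owa.Apple.com`. The read-back block is the part to keep for the change record, since it is the evidence that nothing still references the old namespace when the 2007 CAS is shut down.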

As stated, you can't use a wildcard certificate to secure Autodiscover; it's well documented.


@Radweld this is only your statement and it is not correct!
Maybe you read that Outlook Anywhere won't work with a self-signed certificate > true
BUT wildcard certificates are OK except for some legacy mobile devices and those with Windows Mobile 5.0.
Please check your facts before making such statements.


Sirakov, thank you for your reply. I'm still getting an error. It appears to be an Autodiscover issue. When performing a test, it says that it can't find:

Attempting to test potential Autodiscover URL https://apple.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.

Testing TCP port 443 on host merge.com to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response

Attempting to test potential Autodiscover URL https://autodiscover.apple.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.

I know port 443 is open on our TMG.

Question: If the CAS1 cert owa.orange.com, for domain orange.com, also has domain apple.com as an authorized domain and aliases, will this be an issue for CAS2 using a wildcard cert for owa.apple.com?
I only have an internal URL for Autodiscover. Is an external URL for Autodiscover required? I don't currently have an external URL for Orange.com, and it works.

Thank you
Maen Abu-Tabanjeh:

Can you telnet locally to the server IP on port 443?
ExternalUrl is required if you are using Outlook from outside the company.
If the problem is with TMG:
please read this article; it may help you to check your TMG


You should use a UC cert; however, you can configure things to work with wildcards.


Does OWA work OK?


Yeah, OWA works fine.
Just to be on the same page, keep in mind that there are 2 situations, and the mechanisms for retrieving the famous autodiscover.xml are different:
- for domain-joined machines
We have the AutoDiscoverServiceInternalUri parameter of the Client Access Server. This refers to an SCP (service connection point), an object that only internal Outlook clients can query from AD.
- for non-domain-joined machines
External Outlook clients search for an A record for autodiscover.domain.com in external DNS, therefore we don't use an ExternalUrl for Autodiscover.
Your situation gets more complex with a TMG in front. Here is an excellent doc to use as a reference:
You need to make sure you configured the publishing rules on TMG correctly.
For the cert, keep in mind that whatever you put on the TMG must be trusted by your external clients. Actually there are only 2 names needed (for owa and autodiscover.domain.com).
What is important > the TMG itself must trust the CA which issued the cert on your CAS (it could be an internal CA). So if you have a rule, for example, for https://owa.apple.com/ews, then *.apple.com must be in the cert of the CAS.
Your Outlook Anywhere clients retrieve an autodiscover.apple.com A record which points to your TMG.
Basically, when I set up such an environment, personally I don't point domain-joined machines through the TMG, only the external clients.
When you run Test-OutlookWebServices user@apple.com | fl > then EXCH (internal) should pass successfully IF your
> AutoDiscoverServiceInternalUri is pointing to the local IP of your CAS 2010 and not your TMG.
Check with Get-ClientAccessServer -Identity "ExCaS2010" | fl *uri
> the InternalUrl of the virtual directories (EWS, OAB, ActiveSync, etc.) are also resolved locally > check how to set them in my previous post.

You get forbidden (403) probably because you didn't allow local network IPs on your TMG rule.
You can also test your rules.
I'm not sure I explained clearly with so many details, but I hope it helps.
Maen Abu-Tabanjeh:

Do you have an SRV record in the domain DNS?
If not, you need to add it in domain management at your domain provider:
add an SRV record of type _tcp with the name autodiscover.yourdomain.com
Otherwise it will never work. The SRV record is more important than the A record. After adding it, wait 15 minutes, then go to www.testexchangeconnectivity.com
It must work; otherwise post the result here.
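The two client paths Sirakov describes above (SCP for domain-joined machines, DNS for external ones) and the SRV question raised in the post just above are what the ExRCA output in this thread is walking through. As an added PowerShell example, not from the thread or from any participant, the script below performs that external lookup order for one SMTP domain from any Windows machine and reports what each candidate returns, so a 401 (the endpoint exists and wants credentials) can be told apart from a 403 (the ISA/TMG publishing rule denied the URL), a closed port, or a certificate that the client refuses to trust. "apple.com" is the thread's placeholder domain; the function names are mine; only .NET classes and nslookup are used so it runs on the PowerShell 2.0 found on Exchange 2010 era servers, and it deliberately does not disable certificate validation, because a name or chain failure is one of the things it is meant to expose.

```powershell
# Added example (not from the thread): walk the Autodiscover lookup order an external
# Outlook client (and the ExRCA test) uses for one SMTP domain and report each step.
# Assumptions: "apple.com" is the thread's placeholder; the machine can reach public DNS;
# Test-Tcp443 / Probe-Url / Describe-Status are helper names chosen for this example.
param([string]$Domain = "apple.com")

function Test-Tcp443 {
    # Plain TCP connect with a 5 s timeout; false here is a firewall/NAT problem, not IIS.
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Probe-Url {
    # Anonymous GET with redirects disabled so a 302 (HTTP redirect method) stays visible.
    # Certificate validation is left ON: a name/chain failure surfaces as "no response".
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $status = $null; $location = $null
    try {
        $resp = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $location = $resp.Headers["Location"]
        $resp.Close()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -eq $null) {
            return @{ Status = "no response: $($_.Exception.Message)"; Cert = $null; Location = $null }
        }
        $status = [int]$resp.StatusCode          # 401/403 arrive as WebException in .NET
        $location = $resp.Headers["Location"]
    }
    $subject = $null
    $cert = $req.ServicePoint.Certificate          # populated after the TLS handshake, null for http
    if ($cert -ne $null) { $subject = $cert.Subject }
    return @{ Status = $status; Cert = $subject; Location = $location }
}

function Describe-Status {
    param($Status)
    switch ($Status) {
        200 { "200: answered anonymously (unexpected for Autodiscover; check IIS authentication)" }
        401 { "401: endpoint exists and demands credentials (the normal anonymous result)" }
        403 { "403: denied by the reverse proxy or IIS (check the TMG publishing rule and its allowed networks)" }
        302 { "302: redirect (Outlook only honours this on the plain-http step)" }
        default { "$Status" }
    }
}

# Steps 1 and 2: the two HTTPS candidates Outlook tries first, in this order.
foreach ($url in @("https://$Domain/Autodiscover/Autodiscover.xml",
                   "https://autodiscover.$Domain/Autodiscover/Autodiscover.xml")) {
    $hostName = ([System.Uri]$url).Host
    Write-Output "== $url"
    $ips = @()
    try { $ips = [System.Net.Dns]::GetHostAddresses($hostName) | ForEach-Object { $_.IPAddressToString } }
    catch { Write-Output "   no A record for $hostName (this step cannot succeed)"; continue }
    Write-Output ("   A record(s): " + ($ips -join ", "))
    if (-not (Test-Tcp443 $hostName)) { Write-Output "   TCP 443 closed or filtered"; continue }
    $r = Probe-Url $url
    Write-Output ("   HTTP " + (Describe-Status $r.Status))
    if ($r.Cert) { Write-Output "   certificate subject: $($r.Cert)  (must equal or wildcard-cover $hostName)" }
}

# Step 3: plain-http redirect; Outlook follows a 302 here to an https Autodiscover URL.
$r = Probe-Url "http://autodiscover.$Domain/Autodiscover/Autodiscover.xml"
Write-Output "== http redirect check: $(Describe-Status $r.Status) $($r.Location)"

# Step 4: the SRV record, consulted only after the steps above have all failed.
Write-Output "== _autodiscover._tcp.$Domain SRV"
nslookup -type=SRV "_autodiscover._tcp.$Domain" 2>$null | Where-Object { $_ -match "svr hostname|port" }
```

Run it from outside the network (or from a machine whose DNS matches what external clients see) with `.\Probe-Autodiscover.ps1 -Domain apple.com`. Because it follows the client's own order, the first line that reports a 401 with the expected certificate subject is where Outlook will stop; a 403 on that same line is the TMG symptom from this thread, and a "no response ... could not establish trust relationship" message means the certificate name or chain, not the publishing rule, is the problem. The SRV step only matters if the two HTTPS candidates and the redirect all fail.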


Ah ha --- I think both Sirakov and Jordannet make sense... It will be a few days before I can test again. I have to work with our Network Engineer on the TMG side. On orange.com we did use an A record, but it didn't go through a TMG, whereas apple.com will.
Maen Abu-Tabanjeh:

So update us, to help you.
Well, I still can't connect. I've attached the complete TestExchangeConnectivity result, but I think it can't find the SRV record.

Attempting to contact the Autodiscover service using the DNS SRV redirect method.
 ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
 Test Steps
 Attempting to locate SRV record _autodiscover._tcp.Apple.com in DNS.
 The Autodiscover SRV record wasn't found in DNS.
  Tell me more about this issue and how to resolve it

An HTTP 403 error was received because ISA Server denied the specified URL
Like I said, check your TMG publishing rules... it has nothing to do with SRV records.
The SRV record is queried if autodiscover.domain.com fails. In your case that works OK and the certificate is validated OK as well.


Hello Sirakov, I was just working with our Network Engineer. And as you suggested, he didn't have "All Networks (and Local Host)" configured. Then we tested the rules, and they were successful. I am planning another test later this week...
Thank you
Maen Abu-Tabanjeh:

Try to test your Exchange using:


and post the result here.


Unfortunately, I am in a position where I have to cancel all testing. I don't have a test environment, and testing in our production environment is becoming disruptive to our users.
On the 17th, I will be moving Orange.com to Apple.com. So now it's an all-or-nothing type deal. I've attached a diagram: Orange (current config) and Apple (new config). I can only hope I have everything covered when I perform the move of the web services.
Thank you



Follow-up: this turned out to be a disaster.
Nothing worked.
We moved web services from a CAS server (Cherry) in AD site 2, owa.Orange.com (Exchange 2007),
to a CAS server (Plum) in AD site 1, owa.Apple.com (Exchange 2010), through a TMG.

Going through a TMG created authentication problems; nothing would work. Authentication worked (OWA) if you accessed https://localhost:443.

So the end result (for now) was to use the Exchange 2007 CAS (Cherry), owa.Orange.com, that doesn't have a TMG, and use owa.apple.com instead.

My original question was whether I can use a wildcard cert, and you can, and it works. So I am awarding points to Sirakov.


It answered my original issue.