Solved

Exchange 2010 Certificate autodiscover.domain.com error

Posted on 2013-06-06
Last Modified: 2013-06-14
Hi,

I'm running Exchange 2010 and have run through the certificate request & complete pending wizards.

I included the following during the request:

Outlook Web App is on the intranet - exchange3.local.domain.com
Outlook Web App is on the internet - mail.domain.com
Exchange ActiveSync is enabled - mail.domain.com
Exchange Web Services is enabled - mail.domain.com
Outlook Anywhere is enabled - mail.domain.com
Autodiscover url: autodiscover.domain.com

I've added an A record to our DNS:

autodiscover.domain.com                  IP ADDRESS

I then assigned IMAP, POP, IIS, SMTP to the certificate.

My users are still receiving a certificate security error stating:

autodiscover.domain.com

The name on the security certificate is invalid or does not match the name of the site.

And when I view the certificate, it is issued to: mail.domain.com

The certificate is a Starfield certificate.

I have done a lot of searching on this and found all sorts of tips, tricks, commands and things to try but didn't want to go hacking about and make things worse before coming on here and asking a grownup how I should proceed.

Thanks.
0
Question by:Letterpart
16 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225192
If Autodiscover.domain.com is included in the SSL certificate and you have an A record called autodiscover pointing to the IP Address of your Exchange server - then all should be correct.

Do you also have an SRV record setup too?  If you do - please delete it.
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225206
Hi Alan,

The IP in the DNS record is what mail.domain.com responds to and no, there's no SRV record.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225220
Please run the following Exchange Management Shell Command and post the output (hide your domain name if you like):

get-clientaccessserver | fl *autodiscover*
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225234
Here's the output from get-clientaccessserver | fl *autodiscover*



AutoDiscoverServiceCN          : exchange3
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225322
Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Please change the domain part in the above command and then copy / paste it into your Exchange Management Shell (assuming I have your Exchange server name correctly as EXCHANGE3) and then re-run the:

get-clientaccessserver | fl *autodiscover*

Command and see if it has changed accordingly.

That should stop the errors as your internal clients would need exchange3.local.letterpart.com as an included name in your SSL certificate.

Alan
0
 
LVL 4

Expert Comment

by:mumbaiexperts
ID: 39225452
Hi,
Currently your Autodiscover internal URL points to https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml but your certificate contains AUTODISCOVER.DOMAINNAME.COM. To fix your issue, kindly follow the article mentioned below:

http://support.microsoft.com/kb/940726

Regards,
kishore.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225493
Kishore - can you please explain how your solution differs from mine?

Thanks

Alan
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225576
Hi Alan,

I've run the command as instructed and now get-clientaccessserver | fl *autodiscover*
shows:


Get-ClientAccessServer –Identity exchange3 | Set-ClientAccessServer –autodiscoverServiceInternalUri https://autodiscover.letterpart.com/autodiscover/autodiscover.xml

but my laptop is still giving me an autodiscover error when using Outlook Anywhere.


I've run the Remote Connectivity Analyser on RPC/HTTP connectivity and get:

Certificate name validation failed.

      Host name letterpart.com doesn't match any name found on the server certificate E=root@localhost.localdomain, CN=localhost.localdomain, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39226140
What FQDN are you using to connect via Outlook?
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39226151
Hi Alan,

I'm using mail.letterpart.com to connect via Outlook.
0
 
LVL 4

Expert Comment

by:mumbaiexperts
ID: 39226191
Alan Hardisty,

Sorry, I opened EE at a time when your update was not available, and then I gave my update much too late. I didn't refresh the page, so I didn't see your update.

kishore.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39226202
Well - looking at your certificate, you only have the following names included:

DNS Name=mail.letterpart.com
DNS Name=www.mail.letterpart.com

So, you either need to re-key your certificate and include autodiscover.domain.com or remove the Autodiscover A record and add an SRV record pointing to mail.domain.com instead.

Use an SRV Record instead of Autodiscover:
http://support.microsoft.com/kb/940881

Alan
0
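The name check behind the accepted answer, as an added example that is not part of the original thread: it compares the host names clients connect to against the DNS names actually present on the certificate and lists the ones that are not covered. `Test-CertName` and `Get-UncoveredName` are hypothetical helper names; the sample names are the ones quoted in the thread, and the wildcard rule (one left-most label only) goes beyond the case discussed here.

```powershell
# Added example: report which client-facing host names a certificate does not cover.
# Test-CertName and Get-UncoveredName are hypothetical helpers, not Exchange cmdlets.

function Test-CertName {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    if ($c.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label: *.example.test
        # matches mail.example.test, but not a.b.example.test or example.test.
        $dot = $h.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return $h.Substring($dot) -eq $c.Substring(1)
    }
    return $h -eq $c
}

function Get-UncoveredName {
    param([string[]]$RequiredNames, [string[]]$CertNames)
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($c in $CertNames) {
            if (Test-CertName -HostName $name -CertName $c) { $covered = $true; break }
        }
        # Emit only the names no certificate entry matches.
        if (-not $covered) { $name }
    }
}

# DNS names on the issued certificate, as listed in the accepted answer.
# Assumption: on the Exchange server this list can be read from the
# CertificateDomains property returned by Get-ExchangeCertificate.
$certNames = @('mail.letterpart.com', 'www.mail.letterpart.com')

# Host names clients were configured to use, taken from the thread.
$required = @(
    'mail.letterpart.com',
    'autodiscover.letterpart.com',
    'exchange3.local.letterpart.com'
)

Get-UncoveredName -RequiredNames $required -CertNames $certNames
```

Any name this prints has to be either added to the certificate when it is re-keyed or taken out of the client path, for example by changing the internal Autodiscover URI or using the SRV record approach mentioned above.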
 
LVL 1

Author Comment

by:Letterpart
ID: 39247041
Hi Alan,

Sorry to take so long to get back to you.

I have spent some time investigating and found that my certificate only allowed one domain name. I have since upgraded to one that allows up to 5 and am in the process of requesting a new cert with autodiscover.domain.com.

I will report back once I have this installed.

Thanks,

Hedley
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39247072
No problems. You could have tried the SRV record instead, but a multi-name cert won't hurt.

Alan
0
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 39247258
This is the answer that led to me solving my issue.

The certificate we had purchased only allowed one domain. So despite me keying multiple domains in the Exchange request, only the primary domain was being added to the certificate.

Once we had upgraded our cert, the autodiscover nag has stopped and my users are happy (for now).

Next task is to get ActiveSync working so they can read emails on their phones.

Thanks for your help Alan, appreciated.

Hedley
0


Question has a verified solution.
