Exchange 2010 Certificate autodiscover.domain.com error

Hi,

I'm running Exchange 2010 and have run through the certificate request & complete pending wizards.

I included the following during the request:

Outlook Web App is on the intranet - exchange3.local.domain.com
Outlook Web App is on the internet - mail.domain.com
Exchange ActiveSync is enabled - mail.domain.com
Exchange Web Services is enabled - mail.domain.com
Outlook Anywhere is enabled - mail.domain.com
Autodiscover url: autodiscover.domain.com

I've added an A record to our DNS:

autodiscover.domain.com                  IP ADDRESS

I then assigned IMAP, POP, IIS, SMTP to the certificate.

My users are still receiving a certificate security error stating:

autodiscover.domain.com

The name on the security certificate is invalid or does not match the name of the site.

And when I view the certificate, it is issued to: mail.domain.com

The certificate is a Starfield certificate.

I have done a lot of searching on this and found all sorts of tips, tricks, commands and things to try but didn't want to go hacking about and make things worse before coming on here and asking a grownup how I should proceed.

Thanks.
Letterpart asked:
Alan Hardisty (Co-Owner) commented:
Well - looking at your certificate, you only have the following names included:

DNS Name=mail.letterpart.com
DNS Name=www.mail.letterpart.com

So, you either need to re-key your certificate and include autodiscover.domain.com or remove the Autodiscover A record and add an SRV record pointing to mail.domain.com instead.

Use an SRV Record instead of Autodiscover:
http://support.microsoft.com/kb/940881

Alan
0
 
Alan Hardisty (Co-Owner) commented:
If Autodiscover.domain.com is included in the SSL certificate and you have an A record called autodiscover pointing to the IP Address of your Exchange server - then all should be correct.

Do you also have an SRV record set up too? If you do - please delete it.
0
 
Letterpart (Author) commented:
Hi Alan,

the IP in the DNS record is what mail.domain.com responds to and no, there's no SRV record.
0
 
Alan Hardisty (Co-Owner) commented:
Please run the following Exchange Management Shell Command and post the output (hide your domain name if you like):

get-clientaccessserver | fl *autodiscover*
0
 
Letterpart (Author) commented:
Here's the output from get-clientaccessserver | fl *autodiscover*



AutoDiscoverServiceCN          : exchange3
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
0
 
Alan Hardisty (Co-Owner) commented:
Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Please change the domain part in the above command and then copy / paste it into your Exchange Management Shell (assuming I have your Exchange server name correctly as EXCHANGE3) and then re-run the:

get-clientaccessserver | fl *autodiscover*

Command and see if it has changed accordingly.

That should stop the errors as your internal clients would need exchange3.local.letterpart.com as an included name in your SSL certificate.

Alan
0
 
mumbaiexperts commented:
Hi,
Currently your Autodiscover internal URL points to https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml but your certificate contains AUTODISCOVER.DOMAINNAME.COM. To fix your issue, kindly follow the article mentioned below:

http://support.microsoft.com/kb/940726

Regards,
kishore.
0
 
Alan Hardisty (Co-Owner) commented:
Kishore - can you please explain how your solution differs from mine?

Thanks

Alan
0
 
Letterpart (Author) commented:
Hi Alan,

I've run the command as instructed and now get-clientaccessserver | fl *autodiscover*
shows:


Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.letterpart.com/autodiscover/autodiscover.xml

but my laptop is still giving me an autodiscover error when using Outlook Anywhere.


I've run the Remote Connectivity Analyser on RPC/HTTP connectivity and get:

Certificate name validation failed.

      Host name letterpart.com doesn't match any name found on the server certificate E=root@localhost.localdomain, CN=localhost.localdomain, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--.
0
 
Alan Hardisty (Co-Owner) commented:
What FQDN are you using to connect via Outlook?
0
 
Letterpart (Author) commented:
Hi Alan,

I'm using mail.letterpart.com to connect via Outlook.
0
 
mumbaiexperts commented:
Alan Hardisty,

Sorry, I opened EE at a time when your update was not available, and I then gave my update much later. At the time I didn't refresh the page, because I didn't see your update.

kishore.
0
 
Letterpart (Author) commented:
Hi Alan,

sorry to take so long to get back to you.

I have spent some time investigating and found that my certificate only allowed one domain name. I have since upgraded to one that allows up to 5 and am in the process of requesting a new cert with autodiscover.domain.com.

I will report back once I have this installed.

Thanks,

Hedley
0
 
Alan Hardisty (Co-Owner) commented:
No problems. You could have tried the SRV record instead, but a multi-name cert won't hurt.

Alan
0
 
Letterpart (Author) commented:
This is the answer that led to me solving my issue.

The certificate we had purchased only allowed one domain. So despite me keying multiple domains in the Exchange request, only the primary domain was being added to the certificate.

Once we had upgraded our cert, the autodiscover nag has stopped and my users are happy (for now).

Next task is to get ActiveSync working so they can read emails on their phones.

Thanks for your help Alan, appreciated.

Hedley
0
Question has a verified solution.
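
An added example, not written by any participant in this thread: it checks each host name that came up above against the two DNS names read from the certificate, using exact and single-label wildcard matching, and includes the SRV alternative from the accepted answer. `Test-NameCoveredBySan` is a hypothetical helper name, and the URLs are assembled from the host names quoted in the thread.

```powershell
# Added example. Runs offline in PowerShell 2.0+ (no Exchange cmdlets needed).
# SAN list as quoted in the accepted answer; on a live server it could be read
# from the CertificateDomains property returned by Get-ExchangeCertificate.
$certSans = @('mail.letterpart.com', 'www.mail.letterpart.com')

function Test-NameCoveredBySan {   # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]   $HostName,
        [Parameter(Mandatory=$true)][string[]] $SanList
    )
    $name = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $SanList) {
        $san = $entry.TrimEnd('.').ToLowerInvariant()
        if ($san -eq $name) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.example.com matches a.example.com, not a.b.example.com or example.com.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)          # ".example.com"
            if ($name.EndsWith($suffix)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Endpoints clients in this thread end up connecting to (constructed from the thread).
$checks = @(
    @{ Use = 'Original AutoDiscoverServiceInternalUri'; Url = 'https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml' },
    @{ Use = 'Autodiscover A record';                   Url = 'https://autodiscover.letterpart.com/autodiscover/autodiscover.xml' },
    @{ Use = 'Host reported by Connectivity Analyser';  Url = 'https://letterpart.com/' },
    @{ Use = 'SRV _autodiscover._tcp target / Outlook'; Url = 'https://mail.letterpart.com/autodiscover/autodiscover.xml' }
)

# Build one row per endpoint; Covered is $false wherever clients would see a name mismatch.
$report = foreach ($c in $checks) {
    $hostName = ([uri]$c.Url).Host
    New-Object PSObject -Property @{
        Use     = $c.Use
        Host    = $hostName
        Covered = (Test-NameCoveredBySan -HostName $hostName -SanList $certSans)
    }
}
$report | Select-Object Use, Host, Covered | Format-Table -AutoSize
```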
