Solved

Exchange 2010 Certificate autodiscover.domain.com error

Posted on 2013-06-06
Last Modified: 2013-06-14
Hi,

I'm running Exchange 2010 and have run through the certificate request & complete pending wizards.

I included the following during the request:

Outlook Web App is on the intranet - exchange3.local.domain.com
Outlook Web App is on the internet - mail.domain.com
Exchange ActiveSync is enabled - mail.domain.com
Exchange Web Services is enabled - mail.domain.com
Outlook Anywhere is enabled - mail.domain.com
Autodiscover url: autodiscover.domain.com

I've added an A record to our DNS:

autodiscover.domain.com                  IP ADDRESS

I then assigned IMAP, POP, IIS, SMTP to the certificate.

My users are still receiving a certificate security error stating:

autodiscover.domain.com

The name on the security certificate is invalid or does not match the name of the site.

And when I view the certificate, it is issued to: mail.domain.com

The certificate is a Starfield certificate.

I have done a lot of searching on this and found all sorts of tips, tricks, commands and things to try but didn't want to go hacking about and make things worse before coming on here and asking a grownup how I should proceed.

Thanks.
Question by:Letterpart
16 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
If Autodiscover.domain.com is included in the SSL certificate and you have an A record called autodiscover pointing to the IP Address of your Exchange server - then all should be correct.

Do you also have an SRV record set up too?  If you do - please delete it.

LVL 1

Author Comment

by:Letterpart
Hi Alan,

the IP in the DNS record is what mail.domain.com responds to and no, there's no SRV record.

LVL 76

Expert Comment

by:Alan Hardisty
Please run the following Exchange Management Shell Command and post the output (hide your domain name if you like):

get-clientaccessserver | fl *autodiscover*

LVL 1

Author Comment

by:Letterpart
Here's the output from get-clientaccessserver | fl *autodiscover*



AutoDiscoverServiceCN          : exchange3
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

LVL 76

Expert Comment

by:Alan Hardisty
Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Please change the domain part in the above command and then copy / paste it into your Exchange Management Shell (assuming I have your Exchange server name correctly as EXCHANGE3) and then re-run the:

get-clientaccessserver | fl *autodiscover*

Command and see if it has changed accordingly.

That should stop the errors as your internal clients would need exchange3.local.letterpart.com as an included name in your SSL certificate.

Alan

LVL 4

Expert Comment

by:mumbaiexperts
Hi,
Currently your Autodiscover internal URL points to https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml but your certificate contains AUTODISCOVER.DOMAINNAME.COM. To fix your issue, kindly follow the article mentioned below:

http://support.microsoft.com/kb/940726

Regards,
kishore.

LVL 76

Expert Comment

by:Alan Hardisty
Kishore - can you please explain how your solution differs from mine?

Thanks

Alan

LVL 1

Author Comment

by:Letterpart
Hi Alan,

I've run the command as instructed and now get-clientaccessserver | fl *autodiscover*
shows:


Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -autodiscoverServiceInternalUri https://autodiscover.letterpart.com/autodiscover/autodiscover.xml

but my laptop is still giving me an autodiscover error when using Outlook Anywhere.


I've run the Remote Connectivity Analyser on RPC/HTTP connectivity and get:

Certificate name validation failed.

      Host name letterpart.com doesn't match any name found on the server certificate E=root@localhost.localdomain, CN=localhost.localdomain, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--.

LVL 76

Expert Comment

by:Alan Hardisty
What FQDN are you using to connect via Outlook?

LVL 1

Author Comment

by:Letterpart
Hi Alan,

I'm using mail.letterpart.com to connect via Outlook.

LVL 4

Expert Comment

by:mumbaiexperts
Alan Hardisty,

Sorry, I opened EE at a time when your update was not available, and then I gave my update much too late. I didn't refresh the page because I didn't see your update.

kishore.

LVL 76

Accepted Solution

by:Alan Hardisty
Well - looking at your certificate, you only have the following names included:

DNS Name=mail.letterpart.com
DNS Name=www.mail.letterpart.com

So, you either need to re-key your certificate and include autodiscover.domain.com or remove the Autodiscover A record and add an SRV record pointing to mail.domain.com instead.

Use an SRV Record instead of Autodiscover:
http://support.microsoft.com/kb/940881

Alan

LVL 1

Author Comment

by:Letterpart
Hi Alan,

sorry to take so long to get back to you.

I have spent some time investigating and found that my certificate only allowed one domain name. I have since upgraded to one that allows up to 5 and am in the process of requesting a new cert with autodiscover.domain.com.

I will report back once I have this installed.

Thanks,

Hedley

LVL 76

Expert Comment

by:Alan Hardisty
No problems. You could have tried the SRV record instead, but a multi-name cert won't hurt.

Alan

LVL 1

Author Closing Comment

by:Letterpart
This is the answer that led to me solving my issue.

The certificate we had purchased only allowed one domain. So despite me keying multiple domains in the Exchange request, only the primary domain was being added to the certificate.

Once we had upgraded our cert, the autodiscover nag has stopped and my users are happy (for now).

Next task is to get ActiveSync working so they can read emails on their phones.

Thanks for your help Alan, appreciated.

Hedley
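
The check behind the accepted solution and the closing comment (names requested in the wizard versus names actually issued) can be scripted. This is an added example, not code from the thread: the host names are the thread's placeholders, and the function names Get-ServedCertDnsNames and Test-NameCovered are hypothetical.

```powershell
# Added example: host names are the thread's placeholders; replace them with your own.
function Get-ServedCertDnsNames {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is served: the goal is to inspect the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # 2.5.29.17 is the Subject Alternative Name extension. On Windows, Format() renders it
    # as "DNS Name=..." entries (the text is localized; English output is assumed here).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    # No SAN entries: fall back to the subject's common name.
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('SimpleName', $false)) }
    return $names
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }          # -eq on strings ignores case
        if ($c.StartsWith('*.')) {
            # A wildcard entry covers exactly one left-most label.
            $suffix = $c.Substring(1)
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($left -and $left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Every name Outlook will contact must be covered by the certificate served at that name.
foreach ($h in 'mail.domain.com', 'autodiscover.domain.com') {
    $names = @(Get-ServedCertDnsNames -HostName $h)
    New-Object PSObject -Property @{
        Host = $h; Covered = (Test-NameCovered $h $names); CertNames = ($names -join ', ')
    }
}
```

On the Exchange server itself, `Get-ExchangeCertificate | fl Subject,CertificateDomains,Services` lists the names on each installed certificate, which shows whether the CA issued every name that was requested.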