Solved

Exchange 2010 Certificate autodiscover.domain.com error

Posted on 2013-06-06
Last Modified: 2013-06-14
Hi,

I'm running Exchange 2010 and have run through the certificate request & complete pending wizards.

I included the following during the request:

Outlook Web App is on the intranet - exchange3.local.domain.com
Outlook Web App is on the internet - mail.domain.com
Exchange ActiveSync is enabled - mail.domain.com
Exchange Web Services is enabled - mail.domain.com
Outlook Anywhere is enabled - mail.domain.com
Autodiscover url: autodiscover.domain.com

I've added an A record to our DNS:

autodiscover.domain.com                  IP ADDRESS

I then assigned IMAP, POP, IIS, SMTP to the certificate.

My users are still receiving a certificate security error stating:

autodiscover.domain.com

The name on the security certificate is invalid or does not match the name of the site.

And when I view the certificate, it is issued to: mail.domain.com

The certificate is a Starfield certificate.

I have done a lot of searching on this and found all sorts of tips, tricks, commands and things to try but didn't want to go hacking about and make things worse before coming on here and asking a grownup how I should proceed.

Thanks.
0
Question by:Letterpart
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225192
If Autodiscover.domain.com is included in the SSL certificate and you have an A record called autodiscover pointing to the IP Address of your Exchange server - then all should be correct.

Do you also have an SRV record setup too?  If you do - please delete it.
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225206
Hi Alan,

the IP in the DNS record is what mail.domain.com responds to and no, there's no SRV record.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225220
Please run the following Exchange Management Shell Command and post the output (hide your domain name if you like):

get-clientaccessserver | fl *autodiscover*
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225234
Here's the output from get-clientaccessserver | fl *autodiscover*



AutoDiscoverServiceCN          : exchange3
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225322
Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Please change the domain part in the above command and then copy / paste it into your Exchange Management Shell (assuming I have your Exchange server name correctly as EXCHANGE3) and then re-run the:

get-clientaccessserver | fl *autodiscover*

Command and see if it has changed accordingly.

That should stop the errors as your internal clients would need exchange3.local.letterpart.com as an included name in your SSL certificate.

Alan
0
 
LVL 4

Expert Comment

by:mumbaiexperts
ID: 39225452
Hi,
Currently your Autodiscover internal URL points to https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml but your certificate contains AUTODISCOVER.DOMAINNAME.COM. To fix your issue, kindly follow the article mentioned below:

http://support.microsoft.com/kb/940726

Regards,
kishore.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39225493
Kishore - can you please explain how your solution differs from mine?

Thanks

Alan
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39225576
Hi Alan,

I've run the command as instructed and now get-clientaccessserver | fl *autodiscover*
shows:


Get-ClientAccessServer -Identity exchange3 | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.letterpart.com/autodiscover/autodiscover.xml

but my laptop is still giving me an autodiscover error when using Outlook Anywhere.


I've run the Remote Connectivity Analyser on RPC/HTTP connectivity and get:

Certificate name validation failed.

      Host name letterpart.com doesn't match any name found on the server certificate E=root@localhost.localdomain, CN=localhost.localdomain, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39226140
What FQDN are you using to connect via Outlook?
0
 
LVL 1

Author Comment

by:Letterpart
ID: 39226151
Hi Alan,

I'm using mail.letterpart.com to connect via Outlook.
0
 
LVL 4

Expert Comment

by:mumbaiexperts
ID: 39226191
Alan Hardisty,

Sorry, when I opened EE your update was not yet available, and I then posted my update much later. I didn't refresh the page, so I didn't see your update.

kishore.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 39226202
Well - looking at your certificate, you only have the following names included:

DNS Name=mail.letterpart.com
DNS Name=www.mail.letterpart.com

So, you either need to re-key your certificate and include autodiscover.domain.com or remove the Autodiscover A record and add an SRV record pointing to mail.domain.com instead.

Use an SRV Record instead of Autodiscover:
http://support.microsoft.com/kb/940881

Alan
0
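
The name check behind the error in this thread, as an added example that is not part of any post: it compares the DNS names on the certificate (as listed in the accepted answer) with the host names the clients in the thread connect to, and reports which ones the certificate does not cover. The function names Test-CertName and Get-NameCoverage are hypothetical helpers, not Exchange cmdlets, and the wildcard handling goes beyond the single-name case discussed above.

```powershell
# Added example; Test-CertName and Get-NameCoverage are hypothetical helper names.

function Test-CertName {
    # True if $HostName is matched by $CertName. A wildcard is honoured only as
    # the whole left-most label and stands for exactly one label.
    param([string]$CertName, [string]$HostName)
    $c = $CertName.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $c.Substring(1))
    }
    return $c -eq $h
}

function Get-NameCoverage {
    # One object per client host name: the certificate name that covers it,
    # or nothing when no name on the certificate matches.
    param([string[]]$CertificateNames, [string[]]$ClientNames)
    foreach ($name in $ClientNames) {
        $match = $CertificateNames |
            Where-Object { Test-CertName -CertName $_ -HostName $name } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            HostName  = $name
            Covered   = [bool]$match
            CoveredBy = $match
        }
    }
}

# DNS names on the certificate, as listed in the accepted answer.
$certNames = 'mail.letterpart.com', 'www.mail.letterpart.com'

# Host names clients in the thread connect to: the Outlook Anywhere name, the
# Autodiscover A record, and the host of the original internal Autodiscover URI.
$internalUri = [Uri]'https://exchange3.local.letterpart.com/Autodiscover/Autodiscover.xml'
$clientNames = 'mail.letterpart.com', 'autodiscover.letterpart.com', $internalUri.Host

Get-NameCoverage -CertificateNames $certNames -ClientNames $clientNames |
    Format-Table HostName, Covered, CoveredBy -AutoSize
```

On the Exchange server, the names to feed in can be read from `Get-ExchangeCertificate | fl CertificateDomains, Services` and from the `get-clientaccessserver | fl *autodiscover*` output shown earlier in the thread.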
 
LVL 1

Author Comment

by:Letterpart
ID: 39247041
Hi Alan,

sorry to take so long to get back to you.

I have spent some time investigating and found that my certificate only allowed one domain name. I have since upgraded to one that allows up to 5 and am in the process of requesting a new cert with autodiscover.domain.com.

I will report back once I have this installed.

Thanks,

Hedley
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39247072
No problems. You could have tried the SRV record instead, but a multi-name cert won't hurt.

Alan
0
 
LVL 1

Author Closing Comment

by:Letterpart
ID: 39247258
This is the answer that led to me solving my issue.

The certificate we had purchased only allowed one domain. So despite me keying multiple domains in the Exchange request, only the primary domain was being added to the certificate.

Once we had upgraded our cert, the autodiscover nag has stopped and my users are happy (for now).

Next task is to get ActiveSync working so they can read emails on their phones.

Thanks for your help Alan, appreciated.

Hedley
0
