Add hostname to SBS 2011 self signed certificate for autodiscover

Hello,

I am trying to get the autodiscover service to work on my SBS 2011 server and when I use www.testexchangeconnectivity.com it fails when it tries to validate the certificate name because it doesn't contain autodiscover.domain.com in the certificate. I'm assuming this is because it is the standard SBS 2011 self-signed cert that was installed with the server. Is there a way to simply add a new hostname, autodiscover.domain.com, to my existing certificate, and if not, what is the best method of changing this without having to go through a third-party certificate authority? Any information is appreciated.

Thanks
ColumbiaMarketing asked:

Adam Brown, Sr Solutions Architect, commented:
A self-signed certificate will always fail the testexchangeconnectivity.com test because it isn't generated by a Certificate Authority that site trusts. Additionally, there is no way to make a self-signed certificate with multiple FQDNs on it. You have to either build a SAN cert with a Domain Certificate Authority or use a Third Party CA.
0
Cliff Galiher commented:
There are several methods that autodiscover uses to find the appropriate mail server. For self-signed certificates (or any single-name certificate, even if purchased from a certificate authority), the method to use is the SRV record method for autodiscover.

With this method, the certificate will not be required to have autodiscover.domain.com and thus will not fail that particular test. For SBS, with the self-signed certificate as well as the certificate wizard to install a 3rd-party certificate, it is assumed that you will use the SRV record, since the cost of a single-name cert is much lower and SBS is a price-conscious product.

So configure your external DNS properly. Deploy the self-issued cert properly, and autodiscover will work.
0

Adam Brown, Sr Solutions Architect, commented:
A SRV record will allow you to bypass the need for autodiscover.domain.com, but it will not remove certificate errors when using a self-signed certificate and it will not prevent errors from showing up in the exchange connectivity test utility.
0
ColumbiaMarketing (Author) commented:
I apologize for misleadingly suggesting that autodiscover was not working at all. I actually do have it working for remote clients by simply adding a CNAME record in my public DNS for autodiscover. It does seem to work, but when I tested with exchange connectivity it failed because of the autodiscover CN missing from my self-signed cert. Besides the cert warnings and still failing the exchange connectivity tests, would there be any other complications down the road to leaving it as is?
0
Adam Brown, Sr Solutions Architect, commented:
No real complications beyond certificate errors, but you will run into issues if you want to use Domain Authenticated TLS or other advanced features that require a valid certificate.
0
Cliff Galiher commented:
The CNAME record is the wrong approach. Create a SRV record instead. Or purchase a UCC/SAN certificate.

ACBrown: It is true that testexchangeconnectivity will still fail because the certificate is not trusted, but the error is different and is clear on that point. And a SRV record (with a properly deployed self-issued cert) *does* remove certificate errors when actually using autodiscover from a legitimate client. The client experience is the same with a SRV record and self-signed, a SRV record and a single-name, or a UCC/SAN, when implemented properly.
0
Cliff Galiher commented:
Ignoring certificate errors always has the risk of complications. Most importantly, by choosing to ignore the error, you are actively telling the client that things are "okay" when they may not be. A good example is that I could, in theory, set up my own certificate authority, create my own self-signed certificate, and issue a man-in-the-middle attack. Your client would see my certificate as untrusted and throw an error...but since YOUR certificate throws an error, you would click right on past it and not realize the difference between a "good" error and a "bad" one.

Ignoring certificate errors always introduces a risk of a security nature, and every precaution should be taken to avoid such conditions. Otherwise you might as well not bother encrypting at all.
0
ColumbiaMarketing (Author) commented:
Thank you. These are all very good recommendations. Pertaining to the SRV record: would one need to be created only on my public DNS, or on both my local and public DNS?
0
Cliff Galiher commented:
Public. Locally, active directory service connection point references are used instead. Neither cname nor srv records take precedence over SCPs.
0
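The following is an added model of the Autodiscover lookup, written for this page and not code from the thread, from SBS, or from Microsoft. It illustrates two points made above: why a CNAME for autodiscover.domain.com fails the certificate name check against a single-name self-signed certificate while a SRV record pointing at the name that is on the certificate passes it, and why a domain-joined client consults the Active Directory SCP before any DNS record. The lookup order (SCP, then https://domain, then https://autodiscover.domain, then the `_autodiscover._tcp` SRV target) is the documented Outlook sequence with the HTTP redirect step left out; the zone data, the certificate, the hostnames and the `scp_host` parameter are all constructed, and "trust" is modelled simply as the issuer CN being present in a set standing in for the client's trusted root store.

```python
"""Simplified model of Outlook Autodiscover endpoint selection and the two
certificate checks a client performs (name match, issuer trust).
All zone data, certificates and hostnames below are constructed examples."""

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

# Constructed certificate in the dict shape ssl.getpeercert() returns, plus an
# 'issuer_cn' field so trust can be modelled without real X.509 parsing.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "remote.example.com"),),),
    "subjectAltName": (("DNS", "remote.example.com"),),
    "issuer_cn": "remote.example.com",  # issuer == subject: self-signed
}

# Constructed public zones: name -> {record type: data}; SRV data is (target, port).
ZONE_WITH_CNAME = {
    "example.com": {"A": "203.0.113.10"},
    "remote.example.com": {"A": "203.0.113.10"},
    "autodiscover.example.com": {"CNAME": "remote.example.com"},
}
ZONE_WITH_SRV = {
    "example.com": {"A": "203.0.113.10"},
    "remote.example.com": {"A": "203.0.113.10"},
    "_autodiscover._tcp.example.com": {"SRV": ("remote.example.com", 443)},
}


def cert_matches_host(cert, hostname):
    """True if hostname is covered by a DNS SAN entry (or the CN when the cert
    has no SAN), allowing only a single left-most wildcard label."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy certificates: fall back to the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def resolves(zone, name, depth=0):
    """Follow CNAME chains (at most 8 hops) and report whether name reaches an A record."""
    rec = zone.get(name.lower().rstrip("."))
    if not rec or depth > 8:
        return False
    if "A" in rec:
        return True
    if "CNAME" in rec:
        return resolves(zone, rec["CNAME"], depth + 1)
    return False


def autodiscover_candidates(domain, zone, scp_host=None):
    """Candidate hosts in the (simplified) order Outlook tries them. scp_host is
    the hostname from the Active Directory service connection point, present
    only for a domain-joined client; it is consulted before any DNS record."""
    cands = []
    if scp_host:
        cands.append(("SCP", scp_host))
    cands.append(("HTTPS root", domain))
    cands.append(("HTTPS autodiscover", "autodiscover." + domain))
    srv = zone.get("_autodiscover._tcp." + domain, {}).get("SRV")
    if srv:
        cands.append(("SRV", srv[0]))  # the SRV target, not autodiscover.<domain>
    return cands


def check_autodiscover(domain, zone, cert, trusted_issuers, scp_host=None):
    """For each candidate that resolves in DNS, record the method, the host the
    client connects to, whether the server certificate's names cover that host,
    and whether the issuer is in the client's trusted store."""
    results = []
    for method, host in autodiscover_candidates(domain, zone, scp_host):
        if not resolves(zone, host):
            continue  # NXDOMAIN: the client silently moves to the next method
        results.append({
            "method": method,
            "host": host,
            "url": f"https://{host}{AUTODISCOVER_PATH}",
            "name_ok": cert_matches_host(cert, host),
            "trusted": cert["issuer_cn"] in trusted_issuers,
        })
    return results


def first_clean(results):
    """First candidate a legitimate client would accept without any warning, or None."""
    return next((r for r in results if r["name_ok"] and r["trusted"]), None)


if __name__ == "__main__":
    for label, zone in (("CNAME zone", ZONE_WITH_CNAME), ("SRV zone", ZONE_WITH_SRV)):
        print(label)
        for r in check_autodiscover("example.com", zone, SELF_SIGNED_CERT, set()):
            print(f"  {r['method']:20} {r['url']:55} name_ok={r['name_ok']} trusted={r['trusted']}")
```

Running it against the CNAME zone shows every reachable candidate failing the name check, which is the error the connectivity test reports; against the SRV zone the client ends up at remote.example.com, the one name the certificate carries, so only the trust check remains, and that is cleared by installing the SBS self-issued certificate on the client (the "deploy the self-issued cert properly" step above). Passing `scp_host` shows the SCP candidate being evaluated ahead of both DNS methods.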