?
Solved

Exchange 2010, Autodiscover, CName record, Name Mismatch issue

Posted on 2013-11-05
7
Medium Priority
?
3,022 Views
Last Modified: 2013-11-15
So I searched for a while and can't seem to find an answer that applies to me through here or even with my best google-fu.

My issue is as follows:

I have an Exchange 2010 server that hosts a few dozen completetly different domains. At one point I used to add those domains to a UCC cert. I would add autodiscover.domain.com to the certificate plus the DNS record for autodiscover.domain.com to point at my CAS server. Everything worked great.

One day I found that Office 365 was using a simple CName record to redirect autodiscover.domain.com to autodiscover.outlook.com. For those Office 365 hosted exchange users, they worked great. I have never seen a certificate name mismatch prompt on their side.

Here is where I am at now:
I have setup the same CName record of autodiscover.domain.com and pointed it at my Exchange 2010 CAS server. The cname entry for autodiscover.domain.com is to my external, let's call it, autodiscover.hosted.com. That autodiscover.hosted.com name is on my SSL certificate. Autodiscover tests from testexchangeconnectivity.com fail due to certificate name mismatch. My Outlook users get a popup regarding the same, certificate name mismatch issue. I have verified all CAS based web directories internal and external for OAB, Autodiscover, ECP, EWS, etc point to my external DNS name that is on my SSL certificate.

HOWEVER, I continue to get a prompt about a name mistmatch. Running the autodiscover test from Outlook returns all expected values. There isn't an internal (.local) URL entry there.

I suppose finally, my question is how to resolve this. I have found 3 or 4 references here that were of no help. Adding them to the UCC defeats the purpose as the ease of usage is missing when I had new domains, which I do frequently.
0
Comment
Question by:LSeven
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39625478
There is no way around it. The certificate name must match the domain name that Outlook uses. CNAME records *do NOT* redirect. They provide an alternate name, but if you use that alternate name then the certificate must still contain that alternate name.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1332 total points
ID: 39626999
What Office365 is doing is a HTTP redirect, not a HTTPS redirect.
The HTTP host name redirects to the actual source of the Autodiscover information. You can do similar with SRV records.

If you want to do a HTTP redirect you need to have a unique IP address, which has no HTTPS services bound to it.

This article on the Exchange WIKI at Microsoft explains how to set it up:
https://social.technet.microsoft.com/wiki/contents/articles/5787.exchange-2010-multi-tenant-autodiscover-and-dns-configuration.aspx

Simon.
0
 

Author Comment

by:LSeven
ID: 39638679
Sembee2, thanks for the response. I will try this out and see how I fair.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:LSeven
ID: 39639563
Sembee2, are you saying for every O365 Hosted Exchange solution they offer, MSFT uses a completely unused (HTTP/HTTPS) IP address?!
0
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 668 total points
ID: 39639615
O365 does not allocate a unique IP address per host, no. But they don't JUST use CNAME records either. Being hosted in Azure, they can leverage the entire virtual network that azure offers, and they use a bit of reverse proxy magic to make sire initial https autodiscover requests fail, so clients fall back to HTTP. Then the http autodiscover request issues an HTTP redirect (not a cname, not DNS), and the subsequent request is done via https and proxies to a service with a certificate that matches.

A third party hosted could replicate this behavior, but it'd take an intelligent reverse proxy setup, and ideally separate dedicated IIS machines for the HTTP redirect. Provisioning new clients would also not be trivial, and some custom automation would likely be desired to avoid easy mistakes.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1332 total points
ID: 39641702
"Sembee2, are you saying for every O365 Hosted Exchange solution they offer, MSFT uses a completely unused (HTTP/HTTPS) IP address?! "

No, that is not what I am saying.

You need two IP addresses - one for HTTP and one for HTTPS.
They point everything for Autodiscover using the CNAME and HTTP redirection method at the HTTP IP address.

The key point being that HTTP address doesn't listen to HTTPS as well.

Simon.
0
 

Author Comment

by:LSeven
ID: 39652029
It seems a srv record works as expected. Add in a note to tell them to uncheck the pop up box is, while not the cleanest, probably the easiest solution.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question