Solved

Change autodiscover so it uses proper https/proxy settings

Posted on 2013-11-25
6
2,941 Views
Last Modified: 2013-12-11
Hi There,

I recently set up a brand new Exchange 2013 environment. Outlook is configured using autodiscover. Outlook 2013 works just fine, but for some reason I get this error using Outlook 2010r:

There is a problem with the proxy server's security certificate. The name on the security ticket is invalid or does not match the name of the target site [FQDN].

So, in my SSL cert I do have my server's FQDN, but if I check the exchange proxy settings I see the proxy server as https://server.sub.domain.com and the principal name as msstd:server.sub.domain.com

The principal name in my SAN cert is actually what I intended to use for all of my external URLs for the virtualdirectories, which is https://mail.domain.com

My question: How do I get autodiscover to use my principal name in my SAN SSL Cert, which is what I want to use, which is https://mail.domain.com instead of the FQDN of the server? Where can I make that change?

Cheers!
0
Comment
Question by:mmahelpdesk
  • 4
  • 2
6 Comments
 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39676645
I guess I need to find out something like this for Exchange 2013. I'll see if I can find some documentation for Exchange 2013.

http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39677271
You need to ensure that your public name resolves internally via split DNS.
Then change the internal and external URLs to match. That will be on all Outlook Anywhere and the EWS, OWA, ActiveSync virtual directories, plus the Autodiscover value on set-clientaccessserver.

My Exchange 2010 article outlines what needs to be changed - it is the same thing in Exchange 2013 via PowerShell. http://semb.ee/hostnames

Simon.
0
 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39679516
This looks glorious, thanks for the reply. I'll be making these changes tonight when everyone is asleep thinking about turkey. I'll let you know how it goes, mate. Thanks!
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39680055
Simon,

It worked great, except it broke the Outlook 2010 Profiles in the process. I can't rightly ask my Helpdesk to completely re-do all of the Outlook 2010 profiles.

I'm guessing this has to do with the Outlook Anywhere authentication method, which for me was "negotiate" which I'm just now learning was a bad choice. Basic isn't an option as we don't have port 80 open, HTTP is out of the question.

The answer is NTLM, but as I said before the old profiles break.

Thanks,
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39680807
Shouldn't have caused problems with the old profiles unless Autodiscover isn't working correctly. The changes should have been picked up by Autodiscover and reflected by the clients.

Basic doesn't require port 80 to be open. It is an authentication method over SSL. The problem with Basic is that it requires authentication by the client separately from the domain. I tend to only use it when NTLM doesn't work. NTLM gets broken by firewalls in a lot of cases. However you should be able to use NTLM internally.

Simon.
0
 
LVL 1

Author Closing Comment

by:mmahelpdesk
ID: 39712328
This was an excellent reference. Thanks!
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
how to add IIS SMTP to handle application/Scanner relays into office 365.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now