?
Solved

Change autodiscover so it uses proper https/proxy settings

Posted on 2013-11-25
6
Medium Priority
?
3,461 Views
Last Modified: 2013-12-11
Hi There,

I recently set up a brand new Exchange 2013 environment. Outlook is configured using autodiscover. Outlook 2013 works just fine, but for some reason I get this error using Outlook 2010r:

There is a problem with the proxy server's security certificate. The name on the security ticket is invalid or does not match the name of the target site [FQDN].

So, in my SSL cert I do have my server's FQDN, but if I check the exchange proxy settings I see the proxy server as https://server.sub.domain.com and the principal name as msstd:server.sub.domain.com

The principal name in my SAN cert is actually what I intended to use for all of my external URLs for the virtualdirectories, which is https://mail.domain.com

My question: How do I get autodiscover to use my principal name in my SAN SSL Cert, which is what I want to use, which is https://mail.domain.com instead of the FQDN of the server? Where can I make that change?

Cheers!
0
Comment
Question by:mmahelpdesk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39676645
I guess I need to find out something like this for Exchange 2013. I'll see if I can find some documentation for Exchange 2013.

http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39677271
You need to ensure that your public name resolves internally via split DNS.
Then change the internal and external URLs to match. That will be on all Outlook Anywhere and the EWS, OWA, ActiveSync virtual directories, plus the Autodiscover value on set-clientaccessserver.

My Exchange 2010 article outlines what needs to be changed - it is the same thing in Exchange 2013 via PowerShell. http://semb.ee/hostnames

Simon.
0
 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39679516
This looks glorious, thanks for the reply. I'll be making these changes tonight when everyone is asleep thinking about turkey. I'll let you know how it goes, mate. Thanks!
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 1

Author Comment

by:mmahelpdesk
ID: 39680055
Simon,

It worked great, except it broke the Outlook 2010 Profiles in the process. I can't rightly ask my Helpdesk to completely re-do all of the Outlook 2010 profiles.

I'm guessing this has to do with the Outlook Anywhere authentication method, which for me was "negotiate" which I'm just now learning was a bad choice. Basic isn't an option as we don't have port 80 open, HTTP is out of the question.

The answer is NTLM, but as I said before the old profiles break.

Thanks,
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39680807
Shouldn't have caused problems with the old profiles unless Autodiscover isn't working correctly. The changes should have been picked up by Autodiscover and reflected by the clients.

Basic doesn't require port 80 to be open. It is an authentication method over SSL. The problem with Basic is that it requires authentication by the client separately from the domain. I tend to only use it when NTLM doesn't work. NTLM gets broken by firewalls in a lot of cases. However you should be able to use NTLM internally.

Simon.
0
 
LVL 1

Author Closing Comment

by:mmahelpdesk
ID: 39712328
This was an excellent reference. Thanks!
0

Featured Post

Want to be a Web Developer? Get Certified Today!

Enroll in the Certified Web Development Professional course package to learn HTML, Javascript, and PHP. Build a solid foundation to work toward your dream job!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question