• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3683
  • Last Modified:

Change autodiscover so it uses proper https/proxy settings

Hi There,

I recently set up a brand new Exchange 2013 environment. Outlook is configured using autodiscover. Outlook 2013 works just fine, but for some reason I get this error using Outlook 2010r:

There is a problem with the proxy server's security certificate. The name on the security ticket is invalid or does not match the name of the target site [FQDN].

So, in my SSL cert I do have my server's FQDN, but if I check the exchange proxy settings I see the proxy server as https://server.sub.domain.com and the principal name as msstd:server.sub.domain.com

The principal name in my SAN cert is actually what I intended to use for all of my external URLs for the virtualdirectories, which is https://mail.domain.com

My question: How do I get autodiscover to use my principal name in my SAN SSL Cert, which is what I want to use, which is https://mail.domain.com instead of the FQDN of the server? Where can I make that change?

Cheers!
0
mmahelpdesk
Asked:
mmahelpdesk
  • 4
  • 2
1 Solution
 
mmahelpdeskAuthor Commented:
I guess I need to find out something like this for Exchange 2013. I'll see if I can find some documentation for Exchange 2013.

http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
0
 
Simon Butler (Sembee)ConsultantCommented:
You need to ensure that your public name resolves internally via split DNS.
Then change the internal and external URLs to match. That will be on all Outlook Anywhere and the EWS, OWA, ActiveSync virtual directories, plus the Autodiscover value on set-clientaccessserver.

My Exchange 2010 article outlines what needs to be changed - it is the same thing in Exchange 2013 via PowerShell. http://semb.ee/hostnames

Simon.
0
 
mmahelpdeskAuthor Commented:
This looks glorious, thanks for the reply. I'll be making these changes tonight when everyone is asleep thinking about turkey. I'll let you know how it goes, mate. Thanks!
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
mmahelpdeskAuthor Commented:
Simon,

It worked great, except it broke the Outlook 2010 Profiles in the process. I can't rightly ask my Helpdesk to completely re-do all of the Outlook 2010 profiles.

I'm guessing this has to do with the Outlook Anywhere authentication method, which for me was "negotiate" which I'm just now learning was a bad choice. Basic isn't an option as we don't have port 80 open, HTTP is out of the question.

The answer is NTLM, but as I said before the old profiles break.

Thanks,
0
 
Simon Butler (Sembee)ConsultantCommented:
Shouldn't have caused problems with the old profiles unless Autodiscover isn't working correctly. The changes should have been picked up by Autodiscover and reflected by the clients.

Basic doesn't require port 80 to be open. It is an authentication method over SSL. The problem with Basic is that it requires authentication by the client separately from the domain. I tend to only use it when NTLM doesn't work. NTLM gets broken by firewalls in a lot of cases. However you should be able to use NTLM internally.

Simon.
0
 
mmahelpdeskAuthor Commented:
This was an excellent reference. Thanks!
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now