Solved

Autodiscover issue Exchange server

Posted on 2014-01-02
7
163 Views
Last Modified: 2014-11-30
Exchange server is installed with SSL certificated for OWA so that mobile device and browser can connect without warning.
But seems due to autodiscover issue outlook 2010 is constantly popping up alert, I was reading about UC/SAN certificate for solution - is there anyway to resolve this issue or have to get UC/SAN certificate if server is installed with SSL certificate.

Thanks
0
Comment
Question by:joyjohn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 2

Accepted Solution

by:
FocIS earned 100 total points
ID: 39752426
Outlook may be attempting to address your server by multiple different names - each will have to be specified on the UC Certificate.  To complicate things, certificates are no longer able to have "internal" names (mail.domain.local) listed on them - and if outlook is trying to use an internal-only name, that may be a bigger problem for SSL.

As a work around, I've been known to "zero out" the resolution for affected workstations by simply adding lines to the hosts file (c:\windows\system32\drivers\etc\hosts) such that names don't resolve for that workstation.  example:
0.0.0.0   mail.domain.local
0.0.0.0   autodiscover.domain.com

The only way i can think of to avoid a UC cert is to make sure your server is identified only as one name, on the lan and wan (mail.domain.com, for example)
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
ID: 39752441
You really need to do a SAN cert. It is much easier in the long run. If you use Exchange Management Console it handles all the preparation for you.

1. Open EMC
2. Expand Microsoft Exchange On-Premises
3. Select Server Configuration
4. In the Actions Pane on the far right click New Exchange Certificate.

As you walk through this wizard and fill out what services you plan to use, and what their FQDNs will be, Exchange will typically recommend a SAN certificate and generate a CSR for you.

I use GoDaddy.com for SAN certs because they are normally the cheapest.

Then when you get you certificate, go back through the steps above and click Import Exchange Certificate from the Action Pane instead of New (be aware some certificate providers may want you to load intermediate certs and they should post instructions on how to install these through the Certificates MMC snap-in).

Then you can assign services, such as IIS, to the newly added certificate in the Exchange Certificates window, under Server Configuration.

Also, as a side note, internal URLs can no longer be used on a SAN certificate for certs that expire after 2015. The easiest way to combat this is to make all your InternalURLs match the ExternalURLs. And then use split-brain DNS, where you have your external DNS namespace on your internal DNS servers with A records that point to the internal IPs.
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 39752443
A UCC/SAN certificate is not required. You do need to configure your autodiscover, EWS, and OAB URL's to match the name on the certificate. That can ne done via PowerShell. you may also need to configure a split-brain DNS zone on your internal DNS servers if your router doesn't support loopback traffic or if you prefer to avoid it.
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 39752462
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

Set-AutodiscoverVirtualDirectory -Identity * –internalurl “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-ClientAccessServer –Identity * –AutodiscoverServiceInternalUri “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-webservicesvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/EWS/Exchange.asmx”

Set-oabvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/oab”

Set-owavirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/owa”

Set-ecpvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/ecp”

Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

Just change the mail.yourdomain.com part to match the name in your SSL certificate and the problem should go away.

Alan
0
 

Author Comment

by:joyjohn
ID: 39771169
sorry for late reply.

for this server there's only 1 purchased certificate "mail.abcxyz.com" installed and it is working.
so just changing "mail.abcxyz.com" on all above commands should be fine? hope it is not going to create any problem on current settings, thanks
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39772105
Yes. It will work fine.

However, you may need to create a non-authoritative DNS zone on your internal servers, which point all these records to the internal IPs of the server instead.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39777331
It will be just fine - run the command and it will update the relevant settings and solve your problem.

Alan
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
This video discusses moving either the default database or any database to a new volume.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question