Solved

Autodiscover issue Exchange server

Posted on 2014-01-02
7
149 Views
Last Modified: 2014-11-30
Exchange server is installed with SSL certificated for OWA so that mobile device and browser can connect without warning.
But seems due to autodiscover issue outlook 2010 is constantly popping up alert, I was reading about UC/SAN certificate for solution - is there anyway to resolve this issue or have to get UC/SAN certificate if server is installed with SSL certificate.

Thanks
0
Comment
Question by:joyjohn
7 Comments
 
LVL 2

Accepted Solution

by:
FocIS earned 100 total points
ID: 39752426
Outlook may be attempting to address your server by multiple different names - each will have to be specified on the UC Certificate.  To complicate things, certificates are no longer able to have "internal" names (mail.domain.local) listed on them - and if outlook is trying to use an internal-only name, that may be a bigger problem for SSL.

As a work around, I've been known to "zero out" the resolution for affected workstations by simply adding lines to the hosts file (c:\windows\system32\drivers\etc\hosts) such that names don't resolve for that workstation.  example:
0.0.0.0   mail.domain.local
0.0.0.0   autodiscover.domain.com

The only way i can think of to avoid a UC cert is to make sure your server is identified only as one name, on the lan and wan (mail.domain.com, for example)
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
ID: 39752441
You really need to do a SAN cert. It is much easier in the long run. If you use Exchange Management Console it handles all the preparation for you.

1. Open EMC
2. Expand Microsoft Exchange On-Premises
3. Select Server Configuration
4. In the Actions Pane on the far right click New Exchange Certificate.

As you walk through this wizard and fill out what services you plan to use, and what their FQDNs will be, Exchange will typically recommend a SAN certificate and generate a CSR for you.

I use GoDaddy.com for SAN certs because they are normally the cheapest.

Then when you get you certificate, go back through the steps above and click Import Exchange Certificate from the Action Pane instead of New (be aware some certificate providers may want you to load intermediate certs and they should post instructions on how to install these through the Certificates MMC snap-in).

Then you can assign services, such as IIS, to the newly added certificate in the Exchange Certificates window, under Server Configuration.

Also, as a side note, internal URLs can no longer be used on a SAN certificate for certs that expire after 2015. The easiest way to combat this is to make all your InternalURLs match the ExternalURLs. And then use split-brain DNS, where you have your external DNS namespace on your internal DNS servers with A records that point to the internal IPs.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 39752443
A UCC/SAN certificate is not required. You do need to configure your autodiscover, EWS, and OAB URL's to match the name on the certificate. That can ne done via PowerShell. you may also need to configure a split-brain DNS zone on your internal DNS servers if your router doesn't support loopback traffic or if you prefer to avoid it.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 39752462
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

Set-AutodiscoverVirtualDirectory -Identity * –internalurl “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-ClientAccessServer –Identity * –AutodiscoverServiceInternalUri “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-webservicesvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/EWS/Exchange.asmx”

Set-oabvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/oab”

Set-owavirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/owa”

Set-ecpvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/ecp”

Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

Just change the mail.yourdomain.com part to match the name in your SSL certificate and the problem should go away.

Alan
0
 

Author Comment

by:joyjohn
ID: 39771169
sorry for late reply.

for this server there's only 1 purchased certificate "mail.abcxyz.com" installed and it is working.
so just changing "mail.abcxyz.com" on all above commands should be fine? hope it is not going to create any problem on current settings, thanks
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39772105
Yes. It will work fine.

However, you may need to create a non-authoritative DNS zone on your internal servers, which point all these records to the internal IPs of the server instead.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39777331
It will be just fine - run the command and it will update the relevant settings and solve your problem.

Alan
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A procedure for exporting installed hotfix details of remote computers using powershell
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now