Solved

Autodiscover issue Exchange server

Posted on 2014-01-02
Last Modified: 2014-11-30
Exchange server is installed with an SSL certificate for OWA so that mobile devices and browsers can connect without warning.
But it seems that, due to an autodiscover issue, Outlook 2010 is constantly popping up an alert. I was reading about UC/SAN certificates as a solution - is there any way to resolve this issue, or do I have to get a UC/SAN certificate if the server is installed with an SSL certificate?

Thanks
Question by:joyjohn
7 Comments
 
LVL 2

Accepted Solution

by:
FocIS earned 100 total points
ID: 39752426
Outlook may be attempting to address your server by multiple different names - each will have to be specified on the UC certificate. To complicate things, certificates are no longer able to have "internal" names (mail.domain.local) listed on them - and if Outlook is trying to use an internal-only name, that may be a bigger problem for SSL.

As a workaround, I've been known to "zero out" the resolution for affected workstations by simply adding lines to the hosts file (c:\windows\system32\drivers\etc\hosts) such that names don't resolve for that workstation. Example:
0.0.0.0   mail.domain.local
0.0.0.0   autodiscover.domain.com

The only way I can think of to avoid a UC cert is to make sure your server is identified only as one name, on the LAN and WAN (mail.domain.com, for example).
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
ID: 39752441
You really need to do a SAN cert. It is much easier in the long run. If you use Exchange Management Console it handles all the preparation for you.

1. Open EMC
2. Expand Microsoft Exchange On-Premises
3. Select Server Configuration
4. In the Actions Pane on the far right click New Exchange Certificate.

As you walk through this wizard and fill out what services you plan to use, and what their FQDNs will be, Exchange will typically recommend a SAN certificate and generate a CSR for you.

I use GoDaddy.com for SAN certs because they are normally the cheapest.

Then when you get your certificate, go back through the steps above and click Import Exchange Certificate from the Action Pane instead of New (be aware some certificate providers may want you to load intermediate certs and they should post instructions on how to install these through the Certificates MMC snap-in).

Then you can assign services, such as IIS, to the newly added certificate in the Exchange Certificates window, under Server Configuration.

Also, as a side note, internal URLs can no longer be used on a SAN certificate for certs that expire after 2015. The easiest way to combat this is to make all your InternalURLs match the ExternalURLs. And then use split-brain DNS, where you have your external DNS namespace on your internal DNS servers with A records that point to the internal IPs.
0
 
LVL 57

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 39752443
A UCC/SAN certificate is not required. You do need to configure your autodiscover, EWS, and OAB URLs to match the name on the certificate. That can be done via PowerShell. You may also need to configure a split-brain DNS zone on your internal DNS servers if your router doesn't support loopback traffic or if you prefer to avoid it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 39752462
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/autodiscover/autodiscover.xml"

Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.yourdomain.com/autodiscover/autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/EWS/Exchange.asmx"

Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/oab"

Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/owa"

Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/ecp"

Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

Just change the mail.yourdomain.com part to match the name in your SSL certificate and the problem should go away.

Alan
0
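
A read-only check of the point made in the answers above, as an added example that is not part of the original thread: it compares the host in each internal URL against the names on the certificate and flags the ones that do not match. The function names, the `exch01.abcxyz.local` and `autodiscover.abcxyz.com` hosts and the sample URLs are assumptions made for illustration.

```powershell
# Added example; every hostname and URL below is a constructed sample.

function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.abcxyz.com covers mail.abcxyz.com, not abcxyz.com or a.b.abcxyz.com.
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param([string[]]$Urls, [string[]]$CertNames)
    foreach ($url in $Urls) {
        $urlHost = ([uri]$url).Host
        New-Object PSObject -Property @{
            Host    = $urlHost
            Covered = (Test-CertCoversHost -HostName $urlHost -CertNames $CertNames)
            Url     = $url
        } | Select-Object Host, Covered, Url
    }
}

# Names on the certificate: the single-name certificate from the question.
$certNames = @('mail.abcxyz.com')

# Internal URLs as clients would receive them (constructed values).
$urls = @(
    'https://mail.abcxyz.com/autodiscover/autodiscover.xml',          # after the Set-* commands
    'https://exch01.abcxyz.local/EWS/Exchange.asmx',                  # internal-only server name
    'https://autodiscover.abcxyz.com/autodiscover/autodiscover.xml'   # second public name
)

# Rows with Covered = False are names the certificate does not match.
Get-UrlCertCoverage -Urls $urls -CertNames $certNames | Format-Table -AutoSize

# On a live server (Exchange Management Shell) the inputs can be read instead, e.g.:
#   $certNames = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
#                ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
#   $urls = Get-WebServicesVirtualDirectory | ForEach-Object { "$($_.InternalUrl)" }
```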
 

Author Comment

by:joyjohn
ID: 39771169
Sorry for the late reply.

For this server there's only 1 purchased certificate "mail.abcxyz.com" installed and it is working.
So just changing to "mail.abcxyz.com" on all the above commands should be fine? Hope it is not going to create any problem with the current settings, thanks.
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39772105
Yes. It will work fine.

However, you may need to create a non-authoritative DNS zone on your internal servers, which points all these records to the internal IPs of the server instead.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39777331
It will be just fine - run the command and it will update the relevant settings and solve your problem.

Alan
0
