Solved

Autodiscover issue Exchange server

Posted on 2014-01-02
7
159 Views
Last Modified: 2014-11-30
Exchange server is installed with SSL certificated for OWA so that mobile device and browser can connect without warning.
But seems due to autodiscover issue outlook 2010 is constantly popping up alert, I was reading about UC/SAN certificate for solution - is there anyway to resolve this issue or have to get UC/SAN certificate if server is installed with SSL certificate.

Thanks
0
Comment
Question by:joyjohn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 2

Accepted Solution

by:
FocIS earned 100 total points
ID: 39752426
Outlook may be attempting to address your server by multiple different names - each will have to be specified on the UC Certificate.  To complicate things, certificates are no longer able to have "internal" names (mail.domain.local) listed on them - and if outlook is trying to use an internal-only name, that may be a bigger problem for SSL.

As a work around, I've been known to "zero out" the resolution for affected workstations by simply adding lines to the hosts file (c:\windows\system32\drivers\etc\hosts) such that names don't resolve for that workstation.  example:
0.0.0.0   mail.domain.local
0.0.0.0   autodiscover.domain.com

The only way i can think of to avoid a UC cert is to make sure your server is identified only as one name, on the lan and wan (mail.domain.com, for example)
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 150 total points
ID: 39752441
You really need to do a SAN cert. It is much easier in the long run. If you use Exchange Management Console it handles all the preparation for you.

1. Open EMC
2. Expand Microsoft Exchange On-Premises
3. Select Server Configuration
4. In the Actions Pane on the far right click New Exchange Certificate.

As you walk through this wizard and fill out what services you plan to use, and what their FQDNs will be, Exchange will typically recommend a SAN certificate and generate a CSR for you.

I use GoDaddy.com for SAN certs because they are normally the cheapest.

Then when you get you certificate, go back through the steps above and click Import Exchange Certificate from the Action Pane instead of New (be aware some certificate providers may want you to load intermediate certs and they should post instructions on how to install these through the Certificates MMC snap-in).

Then you can assign services, such as IIS, to the newly added certificate in the Exchange Certificates window, under Server Configuration.

Also, as a side note, internal URLs can no longer be used on a SAN certificate for certs that expire after 2015. The easiest way to combat this is to make all your InternalURLs match the ExternalURLs. And then use split-brain DNS, where you have your external DNS namespace on your internal DNS servers with A records that point to the internal IPs.
0
 
LVL 58

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 100 total points
ID: 39752443
A UCC/SAN certificate is not required. You do need to configure your autodiscover, EWS, and OAB URL's to match the name on the certificate. That can ne done via PowerShell. you may also need to configure a split-brain DNS zone on your internal DNS servers if your router doesn't support loopback traffic or if you prefer to avoid it.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 150 total points
ID: 39752462
Depending on the names you currently have included in your SSL certificate, you can run the following commands in the Exchange Management Shell to point the internal URL that Exchange uses to the Public Name configured in your SSL certificate:

Set-AutodiscoverVirtualDirectory -Identity * –internalurl “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-ClientAccessServer –Identity * –AutodiscoverServiceInternalUri “https://mail.yourdomain.com/autodiscover/autodiscover.xml”

Set-webservicesvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/EWS/Exchange.asmx”

Set-oabvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/oab”

Set-owavirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/owa”

Set-ecpvirtualdirectory –Identity * –internalurl “https://mail.yourdomain.com/ecp”

Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.yourdomain.com/Microsoft-Server-ActiveSync"

Just change the mail.yourdomain.com part to match the name in your SSL certificate and the problem should go away.

Alan
0
 

Author Comment

by:joyjohn
ID: 39771169
sorry for late reply.

for this server there's only 1 purchased certificate "mail.abcxyz.com" installed and it is working.
so just changing "mail.abcxyz.com" on all above commands should be fine? hope it is not going to create any problem on current settings, thanks
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39772105
Yes. It will work fine.

However, you may need to create a non-authoritative DNS zone on your internal servers, which point all these records to the internal IPs of the server instead.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39777331
It will be just fine - run the command and it will update the relevant settings and solve your problem.

Alan
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question