

Outlook Anywhere keeps requesting the wrong domain??

Posted on 2014-01-28
Medium Priority
Last Modified: 2014-01-29

Have a client setup which has been working for years. Exchange 2010 all patched up.

The domain that everything is set up as is say my-client.com

Everything is set up and working great (autodiscover, all URIs, OWA, etc).

3rd Party Wildcard SSL Cert for installed.

Client decides to change the corporate identity to myclientgroup.co.uk

All Primary SMTP emails are set as myclientgroup.co.uk, and it is added as an accepted domain. MX records point to my-client.com records.

All mobile devices etc. are still pointing to the old domain, because as far as the system is concerned that is the only domain that matters.

However on a laptop with Outlook 2010, using Outlook Anywhere and proxy settings all pointing to my-client.com - when Outlook opens it complains that the cert is not matching, because it is looking for autodiscover.myclientgroup.co.uk and the SSL Cert is *.my-client.com

WHY is it asking for autodiscover of the new domain name, when everything still points to the old domain? As far as the system is concerned the new domain is just an alias.
Question by:bikerhong

Author Comment

ID: 39815026
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

This also shows it is set to the "old" domain!

Expert Comment

by:David Johnson, CD, MVP
ID: 39816815
In your certificate, add the new domain to the SAN certificate (this way the certificate knows about the alternate naming / alias).

Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 39817066
Autodiscover works in one of two ways.
Internally it will query the value of get-clientaccessserver | select identity, autodiscoverserviceinternalUri. The value there has no connection to the primary domain name on the user account.

However externally, because it cannot query the domain, it will use DNS lookups - which will be Autodiscover.example.com, where example.com is the primary email address domain.
As you have now changed the primary domain, that query now fails to work correctly, because the old SSL certificate is in place.

You have two options here, depending on what your external DNS provider supports.

If they support SRV records, then remove the wildcard from the new domain (so Autodiscover.example.com does NOT resolve) and configure an SRV record for Autodiscover to point to a host name in your old domain. http://semb.ee/srv

If they do not support SRV records, then you will have to change your wildcard SSL certificate to a UCC (Aka SAN) type certificate which will allow you to have host names on the certificate for both the old and the new domain. That way you will continue to work correctly for the devices that you cannot modify easily because they are mobile.

A wildcard certificate is NOT a UCC/SAN certificate and is not usually recommended for use with Exchange.
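
The external lookup described in the accepted answer, modelled as an added example that is not part of the original thread: it derives the Autodiscover host from the primary SMTP domain, falls back to the SRV record only when that host does not resolve, and checks the chosen host against the certificate names. The host name mail.my-client.com, the sample mailbox, the DNS sets and the SAN list are constructed assumptions, and the lookup is simplified to the two methods named above.

```python
# Added illustration: simplified model of the external Autodiscover lookup.
# All names and records below are constructed samples, not real DNS data.

def cert_matches(host, cert_names):
    """True if host matches a certificate name; '*' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            # A wildcard never spans two labels and never matches the bare domain.
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
    return False


def autodiscover_plan(primary_smtp, dns_a, dns_srv, cert_names):
    """Return [(method, host, cert_ok)] for an external client.

    dns_a   -- set of host names that resolve (stand-in for A/CNAME lookups)
    dns_srv -- dict: SRV owner name -> (priority, weight, port, target)
    """
    domain = primary_smtp.rsplit("@", 1)[1].lower()
    host = "autodiscover." + domain
    if host in dns_a:
        # The name resolves, so this is the endpoint whose certificate is
        # checked; the SRV record is never consulted.
        return [("dns-host", host, cert_matches(host, cert_names))]
    srv = dns_srv.get("_autodiscover._tcp." + domain)
    if srv:
        _priority, _weight, port, target = srv
        return [("srv-redirect", target, port == 443 and cert_matches(target, cert_names))]
    return []


USER = "user@myclientgroup.co.uk"                    # constructed mailbox
WILDCARD_CERT = ["*.my-client.com"]                  # wildcard on the old domain
SAN_CERT = ["mail.my-client.com", "autodiscover.myclientgroup.co.uk"]
DNS_BEFORE = {"autodiscover.myclientgroup.co.uk", "mail.my-client.com"}
DNS_AFTER = {"mail.my-client.com"}                   # new-domain host removed
SRV_AFTER = {"_autodiscover._tcp.myclientgroup.co.uk": (20, 0, 443, "mail.my-client.com")}

if __name__ == "__main__":
    print(autodiscover_plan(USER, DNS_BEFORE, {}, WILDCARD_CERT))        # mismatch
    print(autodiscover_plan(USER, DNS_AFTER, SRV_AFTER, WILDCARD_CERT))  # SRV fix
    print(autodiscover_plan(USER, DNS_BEFORE, {}, SAN_CERT))             # SAN fix
```
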


Author Comment

ID: 39817218
Hi Simon

I see, thank you for explaining!

I would like to try the SRV record method.

I removed autodiscover.newdomain.com and for the SRV record I am required to input these values:

Hostname _autodiscover._tcp (example is _sip._tcp)
Type SRV
Priority 20
TTL ???
Destination SRV ??? (example is 1 5061 aaa.domain.com)

Not too sure what to put in for the TTL and destination?

Author Comment

ID: 39817229
Ok, found a help article explaining the numbers!

This is what I have input:

_autodiscover._tcp SRV 20 3600 0 443 mail.olddomain.com

Is this right? Outlook is still prompting the error as it is looking for autodiscover.newdomain.com

Author Comment

ID: 39817237
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer successfully contacted the Autodiscover service using the DNS SRV redirect method.
      Additional Details
Elapsed Time: 3944 ms.
      Test Steps
      Attempting to locate SRV record _autodiscover._tcp.newdomain.co.uk in DNS.
       The Autodiscover SRV record was successfully retrieved from DNS.
      Additional Details
The Service Location (SRV) record lookup returned host mailhost.olddomain.co.uk.
Elapsed Time: 518 ms.
      Attempting to test potential Autodiscover URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml
       Testing of the Autodiscover URL was successful.
      Additional Details
Elapsed Time: 3425 ms.
      Test Steps
      Attempting to resolve the host name mailhost.olddomain.co.uk in DNS.
       The host name resolved successfully.
      Additional Details
IP addresses returned:
Elapsed Time: 389 ms.
      Testing TCP port 443 on host mailhost.olddomain.co.uk to ensure it's listening and open.
       The port was opened successfully.
      Additional Details
Elapsed Time: 353 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Additional Details
Elapsed Time: 691 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mailhost.olddomain.co.uk on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
      Additional Details
Remote Certificate Subject: CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 596 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
The host name that was found, mailhost.olddomain.co.uk, is a wildcard certificate match for common name *.olddomain.co.uk.
Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.olddomain.co.uk, OU=Domain Control Validated, O=*.olddomain.co.uk.
       One or more certificate chains were constructed successfully.
      Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 21 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
      Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 3 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
The certificate is valid. NotBefore = 5/10/2011 3:59:15 PM, NotAfter = 5/10/2016 3:59:15 PM
Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 622 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
      Additional Details
Elapsed Time: 1367 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://mailhost.olddomain.co.uk/Autodiscover/Autodiscover.xml for user user@newdomain.co.uk.
       The Autodiscover XML response was successfully retrieved.
      Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<DisplayName>user Higgs</DisplayName>
Elapsed Time: 1367 ms.

Expert Comment

by:Simon Butler (Sembee)
ID: 39817600
It could just be that the changes are cached on the client, because the test site would appear to be working correctly.

