Outlook Anywhere keeps requesting the wrong domain??

Posted on 2014-01-28
Last Modified: 2014-01-29

Have a client setup which has been working for years. Exchange 2010 all patched up.

The domain that everything is set up as is say

Everything is set up working great (autodiscover, all URI's, OWA, etc).

3rd Party Wildcard SSL Cert for installed.

Client decides to change the corporate identity to

All Primary SMTP emails are set as, and it is added as an accepted domain. MX records point to records.

All mobile devices etc are still pointing to the old domain, because as far as the system is concerned that is the only domain that matters.

However on a laptop with Outlook 2010, using Outlook Anywhere and proxy settings all pointing to - when Outlook opens it complains that the cert is not matching, because it is looking for and the SSL Cert is *

WHY is it asking for autodiscover of the new domain name, when everything still points to the old domain? As far as the system is concerned the new domain is just an alias.
Question by:bikerhong

Author Comment

ID: 39815026
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

This also shows it is set to the "old" domain!

Expert Comment

by:David Johnson, CD, MVP
ID: 39816815
In your certificate, add the new domain to the SAN certificate (this way the certificate knows about the alternate naming / alias).

Accepted Solution

Simon Butler (Sembee) earned 500 total points
ID: 39817066
Autodiscover works in one of two ways.
Internally it will query the value of get-clientaccessserver | select identity, autodiscoverserviceinternalUri. The value there has no connection to the primary domain name on the user account.

However externally, because it cannot query the domain, it will use DNS lookups - which will be, where is the primary email address domain.
As you have now changed the primary domain, that query now fails to work correctly, because the old SSL certificate is in place.

You have two options here, depending on what your external DNS provider supports.

If they support SRV records, then remove the wildcard from the new domain (so does NOT resolve) and configure an SRV record for Autodiscover to point to a host name in your old domain.

If they do not support SRV records, then you will have to change your wildcard SSL certificate to a UCC (Aka SAN) type certificate which will allow you to have host names on the certificate for both the old and the new domain. That way you will continue to work correctly for the devices that you cannot modify easily because they are mobile.

A wildcard certificate is NOT a UCC/SAN certificate and is not usually recommended for use with Exchange.
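
The external lookup order and the two fixes described in this answer, modelled as an added example that is not part of the original thread. `example.com` stands in for the old domain and `example.net` for the new one; these, the DNS data and the certificate names are constructed placeholders. Every host that resolves is assumed to present the Exchange server's certificate, and the plain-HTTP redirect step Outlook also tries is left out.

```python
# Added example: offline model of external Autodiscover name resolution
# and TLS name checking. All names and records below are constructed.

def cert_matches(host, cert_names):
    """TLS name check: a wildcard covers exactly one left-most label."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def resolves(host, dns):
    """True if the zone data has an A record or a wildcard A record for host."""
    if host in dns["A"]:
        return True
    parent = host.split(".", 1)[1] if "." in host else ""
    return ("*." + parent) in dns["A"]

def autodiscover(smtp_domain, dns, cert_names):
    """Walk the HTTPS candidates, then the SRV record, for the primary SMTP domain."""
    for host in (smtp_domain, "autodiscover." + smtp_domain):
        if resolves(host, dns):
            ok = cert_matches(host, cert_names)
            return ("https", host, "ok" if ok else "cert name mismatch")
    srv = dns["SRV"].get("_autodiscover._tcp." + smtp_domain)
    if srv:
        target = srv[3]  # (priority, weight, port, target)
        ok = cert_matches(target, cert_names)
        return ("srv", target, "ok" if ok else "cert name mismatch")
    return ("none", None, "autodiscover failed")

WILDCARD_CERT = ["*.example.com"]          # wildcard for the old domain only
SAN_CERT = ["mail.example.com", "autodiscover.example.com",
            "autodiscover.example.net"]    # UCC/SAN covering both domains

# Before: wildcard DNS on the new domain makes autodiscover.example.net resolve.
BEFORE = {"A": {"mail.example.com", "*.example.net"}, "SRV": {}}
# After option 1: wildcard DNS removed, SRV points at a host in the old domain.
AFTER = {"A": {"mail.example.com"},
         "SRV": {"_autodiscover._tcp.example.net": (0, 0, 443, "mail.example.com")}}

if __name__ == "__main__":
    print(autodiscover("example.net", BEFORE, WILDCARD_CERT))
    print(autodiscover("example.net", AFTER, WILDCARD_CERT))
    print(autodiscover("example.net", BEFORE, SAN_CERT))
```
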


Author Comment

ID: 39817218
Hi Simon

I see, thank you for explaining!

I would like to try the SRV record method.

I removed and for the SRV record I am required to input these values:

Hostname _autodiscover._tcp (example is _sip._tcp)
Type SRV
Priority 20
TTL ???
Destination SRV ??? (example is 1 5061

Not too sure what to put in for the TTL and destination?

Author Comment

ID: 39817229
Ok, found a help article explaining the numbers!

This is what I have input:

_autodiscover._tcp SRV 20 3600 0 443

Is this right? Outlook is still prompting the error as it is looking for

Author Comment

ID: 39817237
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer successfully contacted the Autodiscover service using the DNS SRV redirect method.
      Additional Details
Elapsed Time: 3944 ms.
      Test Steps
      Attempting to locate SRV record in DNS.
       The Autodiscover SRV record was successfully retrieved from DNS.
      Additional Details
The Service Location (SRV) record lookup returned host
Elapsed Time: 518 ms.
      Attempting to test potential Autodiscover URL
       Testing of the Autodiscover URL was successful.
      Additional Details
Elapsed Time: 3425 ms.
      Test Steps
      Attempting to resolve the host name in DNS.
       The host name resolved successfully.
      Additional Details
IP addresses returned:
Elapsed Time: 389 ms.
      Testing TCP port 443 on host to ensure it's listening and open.
       The port was opened successfully.
      Additional Details
Elapsed Time: 353 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Additional Details
Elapsed Time: 691 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
      Additional Details
Remote Certificate Subject: CN=*, OU=Domain Control Validated, O=*, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=, O=", Inc.", L=Scottsdale, S=Arizona, C=US.
Elapsed Time: 596 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
The host name that was found,, is a wildcard certificate match for common name *
Elapsed Time: 0 ms.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*, OU=Domain Control Validated, O=*
       One or more certificate chains were constructed successfully.
      Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 21 ms.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
      Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 3 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
The certificate is valid. NotBefore = 5/10/2011 3:59:15 PM, NotAfter = 5/10/2016 3:59:15 PM
Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 622 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
      Additional Details
Elapsed Time: 1367 ms.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL for user
       The Autodiscover XML response was successfully retrieved.
      Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="" xmlns:xsi="" xmlns="">
<Response xmlns="">
<DisplayName>user Higgs</DisplayName>
Elapsed Time: 1367 ms.

Expert Comment

by:Simon Butler (Sembee)
ID: 39817600
It could just be that the changes are cached on the client, because the test site would appear to be working correctly.



Question has a verified solution.
