Solved

Outlook SSL warning / Exchange autodiscover

Posted on 2014-04-23
Last Modified: 2014-04-24
Hi All

I am getting a strange SSL error in Outlook 2010 when using it externally only, with a self-signed certificate to remote.domain.co.uk with an SBS2011, as in this link and many more: http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2.aspx BUT my certificate mismatch says autodiscover.domain.co.uk instead of the example of mbx1.nwtraders.msft.
I have seen a lot of talk on the internet that you need to change the AutoDiscoverServiceInternalUri setting from the NetBIOS name to the name on the certificate, which is remote.domain.co.uk.

The problem I have is that when I run "Get-ClientAccessServer -Identity w2k11sbs | FL" from the Exchange shell and look at AutoDiscoverServiceInternalUri, I get https://remote.domain.co.uk/Autodiscover/Autodiscover.xml, which does not have the NetBIOS name in it.

I have now drawn a blank on this. Can anyone help?

Thanks
Question by:COIT
14 Comments
 
LVL 27

Expert Comment

by:MAS
ID: 40016969
Can you add autodiscover.domain.com in the cert?
If possible, add it and create an A record autodiscover.domain.com in your DNS pointing to the Exchange server IP.
0
 

Author Comment

by:COIT
ID: 40016987
Sorry, how do I add autodiscover.domain.co.uk into the cert? It is a self-signed certificate I'm using, would that be possible?

thanks
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40017044
The self signed certificate that Exchange installs isn't really designed for production use. You need to change to a trusted SSL certificate.

SBS presumes that you will use a single name SSL certificate, and that your external DNS provider supports SRV records. It then uses that method for Autodiscover. It depends on Autodiscover.example.com NOT resolving on the internet - which usually means DNS records changing as most web hosts will put a wildcard entry in (so anything.example.com resolves).

Switching to a trusted UC/SAN certificate with the relevant host names in it is the best option here. http://semb.ee/sbs2011ssl

Simon.
0
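An added example, not part of the original thread: a simplified name check showing why a certificate carrying only remote.domain.co.uk produces the warning once autodiscover.domain.co.uk resolves to the same server, and why a UCC/SAN certificate with both names does not. It also covers wildcard entries, which the thread does not discuss; the function names and certificate contents are constructed for illustration.

```python
# Added example: hostname-to-certificate name check (simplified RFC 6125 rules).
# All certificate name lists below are constructed sample data.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate dNSName entry covers the host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # wildcard accepted only as the whole left-most label, and only
        # when at least two further labels follow it (rejects "*.uk")
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(san_dns_names, hosts):
    """Hosts for which a client would report a certificate name mismatch."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in san_dns_names)]


# Host names from the thread that both point at the SBS server.
CLIENT_HOSTS = ["remote.domain.co.uk", "autodiscover.domain.co.uk"]

# Constructed certificates: single-name, UCC/SAN, and wildcard.
SINGLE_NAME = ["remote.domain.co.uk"]
UCC = ["remote.domain.co.uk", "autodiscover.domain.co.uk"]
WILDCARD = ["*.domain.co.uk"]


def report():
    """Mismatching names per certificate type."""
    return {
        "single": uncovered(SINGLE_NAME, CLIENT_HOSTS),
        "ucc": uncovered(UCC, CLIENT_HOSTS),
        # a wildcard entry does not cover the bare domain itself
        "wildcard_vs_apex": uncovered(WILDCARD, CLIENT_HOSTS + ["domain.co.uk"]),
    }


if __name__ == "__main__":
    for label, missing in report().items():
        print(label, "->", missing or "all names covered")
```
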

 
LVL 27

Expert Comment

by:MAS
ID: 40017050
I agree with Simon
0
 

Author Comment

by:COIT
ID: 40017116
Point taken, but what I don't understand is that it has worked OK for over a year and I can't think of anything that has changed with the setup.

Is this the sort of thing? http://uk.godaddy.com/ssl/ssl-certificates.aspx?ci=9039 . The middle option on the website, "Multiple Domains UCC".

What would I do, order it with remote.domain.co.uk and autodiscover.domain.co.uk as well? All to the same IP address?

Thanks

Paul
0
 
LVL 27

Expert Comment

by:MAS
ID: 40017124
Please check this

This will give you an option to add multiple SAN
They have CSR request tool and step by step installation steps
For Exchange2007
For Exchange2010
0
 

Author Comment

by:COIT
ID: 40017135
I have used DigiCert before and they are very good, but I cannot see my client wanting to spend that much compared to GoDaddy's lower price, as he has never had to get a certificate before.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40017145
remote.example.com and Autodiscover.example.com can point to the same IP address. That is fine, and the certificate you have selected is fine as well.

Set up the host names first, before you do the SSL request, then it should go through a little quicker.

As to why it has worked up to now - no idea. The self signed certificate should have been replaced as soon as the server went live.

Simon.
0
 

Author Comment

by:COIT
ID: 40017172
Simon,

There is just one more question. I have set up remote.domain.co.uk and autodiscover.domain.co.uk previously at the hosting company to go to the same IP address of the SBS server, and remote.domain.co.uk works perfectly to the user login, but autodiscover.domain.co.uk just goes to the IIS7 welcome screen. Is that correct? The DNS records for both are just the same "A" records on the internet.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40017197
That is correct.
The reason remote.example.com goes to the login screen is because of the way the underlying code is written.
Autodiscover.example.com/remote would also go to the login screen - which is all that the code does for remote.example.com

Simon.
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 40019394
Go with SAN certificate.
0
 

Author Comment

by:COIT
ID: 40019429
What is the difference with a UCC versus a SAN certificate? Much difference with cost?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40020408
They are the same thing - different name.
UCC - Unified Communications Certificate
SAN - Subject Alternative Name

Tend to use UCC though, so people don't get confused with overpriced storage systems.

Simon.
0


Question has a verified solution.
