If Autodiscover is set in IIS and a single cert was present, but an SSL CA cert has been added to Exchange, does it need to be added in IIS as well?

Posted on 2014-07-27
Last Modified: 2014-08-07
Since installing a 3rd-party cert on Exchange and the intermediary cert up to the root, Outlook is asking for a password when trying to connect a new client to Exchange 2013. The password is set in AD and works on OWA, but Outlook will not connect. Does the cert, or some other permission, need to be changed in IIS?
Question by:JRome225

Assisted Solution

by:Bruno PACI
Bruno PACI earned 1000 total points
ID: 40224094

Nothing has to be changed in IIS if it was working before with another certificate.

For a certificate to be accepted by clients, you must meet the following requirements:

1) The certificate of the issuer of the server certificate (in your case the certificate of the intermediary certification authority) must be trusted by the clients. To do that, you must ensure that client computers have the root authority and intermediary authority certificates in their "Trusted Root Certification Authorities" container in the certificates console.
2) The name on the certificate must match exactly the hostname in the URL used by Outlook to access Exchange.
3) The server certificate must be valid.

Otherwise, Outlook fails to connect and asks for a password, but since the password is not the problem you will still get the prompt after retyping it.

As a simple test, from client computer open a web browser and go to the OWA url using the name in the certificate. To be more clear, if the certificate is issued for the host name myserver.mycompany.com then go to the URL https://myserver.mycompany.com/owa

If you get a certificate security alert, then something is missing on the client computer to trust the certificate.

Hope this helps.

Have a nice day.
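The three requirements above can be checked from a client computer without a browser. The following is an added example, not code from the original answer: it opens a TLS connection to the name Outlook uses, captures what the Windows certificate validation reports, and returns one line per requirement (chain trusted, name matches, dates valid). The host name `mail.yourdomain.com` and port 443 are placeholders; replace them with the name on your certificate.

```powershell
# Added example (not from the original thread): pull the certificate that the
# Exchange server presents and report the three conditions a client checks.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,   # name used in the Outlook/OWA URL
        [int] $Port = 443
    )

    $script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:RemoteCert   = $null

    # The platform validates the chain and the name and hands the result to this
    # callback. We record it and return $true so the handshake completes and the
    # certificate can be inspected; the verdict is produced below, not here.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:PolicyErrors = $sslPolicyErrors
        $script:RemoteCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # Passing the host name here is what makes the name-mismatch check run.
        $ssl.AuthenticateAsClient($HostName)
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }

    $cert   = $script:RemoteCert
    $errs   = $script:PolicyErrors
    $chainE = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    $nameE  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $now    = Get-Date

    # Subject Alternative Name extension (OID 2.5.29.17) lists every name the cert covers.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = '(none)'
    if ($sanExt) { $san = $sanExt.Format($false) }

    [pscustomobject]@{
        HostName       = $HostName
        Subject        = $cert.Subject
        SubjectAltName = $san
        Issuer         = $cert.Issuer
        NotBefore      = $cert.NotBefore
        NotAfter       = $cert.NotAfter
        # 1) issuer chain trusted by this client (root and intermediate present in its stores)
        ChainTrusted   = (($errs -band $chainE) -eq 0)
        # 2) name on the certificate matches the host name used in the URL
        NameMatches    = (($errs -band $nameE) -eq 0)
        # 3) certificate is inside its validity period
        DateValid      = (($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter))
    }
}

# Run from a client computer that shows the password prompt:
Test-ExchangeCertificate -HostName 'mail.yourdomain.com' | Format-List
```

If `ChainTrusted` is `False` the intermediate or root is missing on that client (or the server is not sending the intermediate); if `NameMatches` is `False`, the name Outlook is using is not on the certificate, which is the case the accepted answer addresses by changing the internal URLs.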

Accepted Solution

NetoMeter Screencasts earned 1000 total points
ID: 40224115
You don't have to configure anything in IIS. Normally, the new CSR (Certificate Signing Request) is generated in Exchange Admin center. When you download the new certificate, you make sure that the intermediate certs are in place and install the certificate again in Exchange Admin Center. Of course, if you love PowerShell, you can perform this in Exchange Management Shell.

In your case, you are dealing with a single-domain certificate - for example "mail.yourdomain.com". And let's say that the internal Exchange 2013 FQDN is "exchange13.internaldomain.local". By default, the internal Exchange server URLs use the internal Exchange server FQDN - "Exchange13.internaldomain.local" - and that name is included in the self-signed certificate that is generated by Exchange 2013 setup. BTW, I hope you didn't delete this self-signed certificate, as this might get you into a different problem.

You need to perform the following:
1. Configure Split-Brain DNS or PinPoint DNS zone (I recommend the second) for the name that is included in the certificate - "mail.yourdomain.com" on the internal DNS servers. If the PinPoint DNS zone is AD integrated, it will be propagated automatically to all internal DC/DNS servers.
2. Modify the Internal Virtual Directories URL - you might prefer to do this in EAC (Exchange Admin Center).
3. Modify the Autodiscover Internal URI in Exchange Management Shell - it cannot be modified in EAC, and it has only an Internal URI, which is modified with Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://mail.yourdomain.com/autodiscover/autodiscover.xml" (replace the domain name).

The internal Outlook clients are using Outlook Anywhere as well, and they get the address from the SCP (Service Connection Point) which is stored in AD - that's what you change the SCP with Set-ClientAccessServer for.

If you want to enable autodiscover for remote OutlookAnywhere clients, you need to delete the autodiscover CNAME record in the external/public DNS zone for "yourdomain.com" and configure an autodiscover SRV record.
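The three steps in the accepted answer, as an added example in Exchange Management Shell and the DNS Server module (not the answerer's own script). The names are placeholders: `mail.yourdomain.com` is the single name on the certificate, `EXCHANGE13` the Exchange 2013 server, and `10.0.0.10` its internal address; the DNS cmdlets assume the DnsServer module (run on a DC/DNS server or with RSAT), and `-Name '@'` for the zone root is an assumption about that cmdlet. The MAPI and Outlook Anywhere lines go beyond the answer's list and cover the remaining internal endpoints on 2013 SP1 and later.

```powershell
# Added example (not from the thread): pinpoint DNS zone, internal virtual directory
# URLs and the Autodiscover SCP, all set to the one name on the certificate.
$ExternalName = 'mail.yourdomain.com'   # assumption: the single name on the cert
$Server       = 'EXCHANGE13'            # assumption: Exchange 2013 server name
$InternalIp   = '10.0.0.10'             # assumption: its internal IP address

# 1) Pinpoint DNS zone: an AD-integrated zone named after the host itself, so only
#    this one name resolves internally and the rest of yourdomain.com still follows
#    the public zone. Requires the DnsServer module (DC/DNS server or RSAT).
Add-DnsServerPrimaryZone -Name $ExternalName -ReplicationScope Domain
Add-DnsServerResourceRecordA -ZoneName $ExternalName -Name '@' -IPv4Address $InternalIp   # '@' = zone root (assumption)

# 2) Internal URLs of the virtual directories -> the certificate name.
$base = "https://$ExternalName"
Get-OwaVirtualDirectory         -Server $Server | Set-OwaVirtualDirectory         -InternalUrl "$base/owa"
Get-EcpVirtualDirectory         -Server $Server | Set-EcpVirtualDirectory         -InternalUrl "$base/ecp"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $Server | Set-ActiveSyncVirtualDirectory  -InternalUrl "$base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $Server | Set-OabVirtualDirectory         -InternalUrl "$base/OAB"
# Exchange 2013 SP1 and later only (MAPI over HTTP):
Get-MapiVirtualDirectory        -Server $Server | Set-MapiVirtualDirectory        -InternalUrl "$base/mapi"
# Internal Outlook clients use Outlook Anywhere too; its internal host name must match the cert as well.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -InternalHostname $ExternalName -InternalClientsRequireSsl $true

# 3) Autodiscover SCP in AD (no EAC equivalent).
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"

# Verify: every internal URL and the SCP now carry the certificate's name.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere     -Server $Server | Format-List Identity, InternalHostname, ExternalHostname
```

After the change, an internal client resolving `mail.yourdomain.com` gets the internal address from the pinpoint zone, and every URL it receives from Autodiscover carries a name that is on the certificate, so the trust, name and validity checks all pass and the password prompt goes away.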

Expert Comment

ID: 40224251
If you are having problems with all your users in your organization with this certificate you should check the name or names on it.

If you are having this problem only with a new user in the organization, I would recommend starting over with the user profile and making sure the client is fully updated and the user information is entered in the format DOMAIN\Username.
