Exchange Autodiscover Cert Question
Posted on 2014-10-08
On Exchange 2010/2013, what's the best way of handling adding additional domains to the server so that certain users can have different primary email addresses?
Specifically, the problem I have is that external users using Outlook Anywhere will get a security alert pop-up whenever they open up Outlook that "autodiscover.new2nddomain.com" is not valid or doesn't match the name of the site. You can just click Yes to proceed and it will work. I have a public CNAME record that points the above to the autodiscover domain that is on the SAN certificate, "autodiscover.primarydomain.com".
I know one way of doing it is just to add that new domain to the SAN certificate. But that's kind of a nuisance if you have to do that every time you want to add a domain to your Exchange environment.
Hosted Exchange providers (like Intermedia, GoDaddy, Office 365) must get around this somehow, as they have 1000s of domains for their 1000s of users and they just tell you to create a CNAME "autodiscover.domain.com" that points to their specific autodiscover FQDN. Out of the 20 or so companies I have on hosted Exchange providers, I've never seen a certificate error, only some initial warning when setting up the account about some redirect, and then it never comes up again.
I found some articles about deleting your CNAME for autodiscover and creating an SRV record. This seems plausible. However, hosted providers make you just create that CNAME.
I did an Exchange autodiscover test on one of the hosted providers and it seems to use some sort of HTTP conversion.
Anyhow, just wondering what other solutions are out there instead of having to add the domain to the SAN cert or creating the Public Service Record?
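Added example, not part of the original post: a small Python model of the external Autodiscover lookup steps and the TLS name check, with constructed DNS answers and SAN lists (the hostnames are the placeholders used in the question). It shows why the CNAME on its own still trips the warning, since Outlook checks the certificate against the name it asked for rather than the CNAME target, while an SRV record or a plain-HTTP redirect hands the client a name that is actually on the certificate.

```python
# Added example: models Outlook's external Autodiscover steps and the TLS
# name check. The DNS answers and SAN lists here are constructed, not real.


def san_matches(cert_sans, hostname):
    """True if `hostname` is covered by a SAN dNSName. The check uses the
    name the client asked for, never the CNAME target, so a CNAME alone
    cannot fix a mismatch. Wildcards match one label, leftmost only."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in cert_sans):
        if san == host:
            return True
        if san.startswith("*.") and host.count(".") == san.count("."):
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def autodiscover_probe(domain, dns, cert_sans):
    """Walk the external Autodiscover steps for `domain`.
    `dns` maps a name to a dict with any of "https" (answers on 443),
    "redirect" (host a plain-HTTP 302 points to) or "srv" (SRV target).
    Returns (step, hostname_checked, outcome) tuples and stops at the first
    "ok"; a "cert-mismatch" is the security alert the user would see."""
    steps = []
    for name in (domain, f"autodiscover.{domain}"):
        if dns.get(name, {}).get("https"):
            ok = san_matches(cert_sans, name)
            steps.append(("https", name, "ok" if ok else "cert-mismatch"))
            if ok:
                return steps
    # A plain-HTTP redirect and an SRV record both hand Outlook a different
    # hostname, so the certificate is then checked against that name instead.
    redirect = dns.get(f"autodiscover.{domain}", {}).get("redirect")
    srv = dns.get(f"_autodiscover._tcp.{domain}", {}).get("srv")
    for step, target in (("http-redirect", redirect), ("srv", srv)):
        if target:
            ok = san_matches(cert_sans, target)
            steps.append((step, target, "ok" if ok else "cert-mismatch"))
            if ok:
                return steps
    return steps


CERT_SANS = ["mail.primarydomain.com", "autodiscover.primarydomain.com"]
# Poster's setup: the CNAME makes the new name answer HTTPS with a cert
# that does not carry that name.
DNS_CNAME_ONLY = {"autodiscover.new2nddomain.com": {"https": True}}
# Alternative: no CNAME, and an SRV record names the host the cert covers.
DNS_SRV = {"_autodiscover._tcp.new2nddomain.com":
           {"srv": "autodiscover.primarydomain.com"}}
```

Running `autodiscover_probe("new2nddomain.com", DNS_CNAME_ONLY, CERT_SANS)` ends at a cert-mismatch on the HTTPS step, while the SRV variant reaches "ok" against the primary domain's name.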