  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 104

Autodiscover issues with single SSL and multiple email domains

Hi

I have an Exchange 2013 server for only external users connecting via Exchange ActiveSync.

External name: hostedex.domain.com

I have an SSL on that domain and Exchange is all set up, and telnet in and out tests work fine for mail flow.

The server will have quite a few different domains set up on it for email.

Users will not have access to all of the domains.

I want to try and set up autodiscover so they can set up their email accounts themselves, but at the moment when I try to set up an email account such as test@domain1.com the autodiscover is moaning that the SSL is for test@domain.com.

I have created a CNAME on domain1.com to point to the autodiscover address on domain.com but still no luck.

Can this be done without having to have an SSL cert for each domain we have on the server?

Thanks
Asked by: timb551
1 Solution
 
Simon Butler (Sembee), Consultant, commented:
You cannot use a CNAME, because that is just a DNS entry; it doesn't change what the client tries to connect to.
If you want to use a single certificate then you have two (well technically three) options:

1. Autodiscover redirect method. This uses a non-HTTPS web site (needs to be separate from the main site, different IP address etc) to direct the clients to the SSL secured Autodiscover site.
2. SRV records. For SRV records to work correctly you must ensure that there are NO wildcards in the domain, so that Autodiscover.example.com does NOT resolve.

The third method is no Autodiscover support at all.
As you have said this is just for ActiveSync, this is a viable option. Not only because you can avoid it with mobile devices, but also because there is usually a very high failure rate in my experience with mobile devices and Autodiscover. Android it is very hit and miss, depending on the vendor and OS version. Apple a bit better. Blackberry OS 10 and Windows Phone usually work correctly.

Therefore whatever you do, you will need to have manual instructions.

Simon.
 
timb551 (Author) commented:
Thanks

Why does option 2 involve manual instructions?
 
Simon Butler (Sembee), Consultant, commented:
You need to have manual instructions for the reasons I have given - Autodiscover more often than not does not work on mobile devices.

Simon.
 
timb551 (Author) commented:
Ah, fair enough.

What do I need to do for option 2 though? Will give that a go and see how I get on.
 
Simon Butler (Sembee), Consultant, commented:
Follow the instructions from Microsoft here: http://semb.ee/srv

Remember it is EXTERNAL DNS you need to make the changes on.

The quicker Microsoft release Acompli for themselves the better, as that does actually work (Acompli is an ActiveSync client for iOS and Android which Microsoft bought earlier this month).

Simon.
 
Jasvindar Singh commented:
As you have a single-name certificate issued to "hostedex.domain.com", the best option for Autodiscover to work for a single domain or multiple domains is to create an SRV record.

E.g., in public DNS, under domain1.com => create an SRV record:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: hostedex.domain.com  (Value in your certificate)

In public DNS, under domain2.com => create the same SRV record, and so on.

Supporting Article => http://support.microsoft.com/kb/940881
 
timb551 (Author) commented:
Have added the SRV record but it still doesn't seem to be setting up without throwing up an SSL error.
 
Simon Butler (Sembee), Consultant, commented:
Have you checked that

Autodiscover.example.com

does NOT resolve somewhere it shouldn't do?

Furthermore,

https://example.com/Autodiscover/Autodiscover.xml 

should also not work.

Once a trusted certificate is in place, the most common cause of problems is web hosts getting in the way, with wildcards in the domain, or using Autodiscover with their own control panels.

Simon.
 
timb551 (Author) commented:
I have checked for wildcards and it does resolve to the correct IP.
 
Simon Butler (Sembee), Consultant, commented:
Does the URL that I posted above work?

Simon.
 
timb551 (Author) commented:
It brings up a username and password box.
 
Simon Butler (Sembee), Consultant, commented:
If the root of your domain does not resolve to your Exchange server, then that is probably the cause of your problems. If you can cancel the authentication box, then look at the SSL certificate being presented; I expect it isn't yours.

If that is the case, then you need to speak to your web host and get them to turn off Autodiscover on your domain. First line support will say it cannot be done (really means - we have no idea what you are on about), so you will have to be persistent.

Simon.
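
Added example, not part of the thread or any poster's own code: a small model of the order in which a client tries Autodiscover endpoints (root domain over HTTPS, then autodiscover.<domain>, then the SRV target), showing why an answer on either of the first two names produces the certificate error before the SRV record is consulted. The plain-HTTP redirect step is left out, and the DNS answers, endpoint table and `*.webhost.example` certificate name are constructed.

```python
# Added example: every hostname, DNS answer and certificate name is constructed.

def cert_matches(host, cert_names):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose(domain, srv_records, https_endpoints):
    """Return (step, host, verdict) for the first lookup step that gets an answer.

    srv_records:     {"_autodiscover._tcp.<domain>": target host} from external DNS
    https_endpoints: {host answering on 443: names in the certificate it presents}
    """
    # Both HTTPS guesses are tried before the SRV record, so a web host or a
    # wildcard answering on either name is reached first.
    for step, host in (("root", domain), ("autodiscover", "autodiscover." + domain)):
        if host in https_endpoints:
            ok = cert_matches(host, https_endpoints[host])
            return step, host, "ok" if ok else "certificate name mismatch"
    target = srv_records.get("_autodiscover._tcp." + domain)
    if target is None:
        return "none", None, "no Autodiscover endpoint found"
    if target not in https_endpoints:
        return "srv", target, "SRV target does not answer on 443"
    ok = cert_matches(target, https_endpoints[target])
    return "srv", target, "ok" if ok else "certificate name mismatch"

# Constructed scenario using the thread's names; "*.webhost.example" is made up.
SRV = {"_autodiscover._tcp.domain1.com": "hostedex.domain.com"}
EXCHANGE_ONLY = {"hostedex.domain.com": ["hostedex.domain.com"]}
WEB_HOST_IN_THE_WAY = dict(EXCHANGE_ONLY, **{"domain1.com": ["*.webhost.example"]})

if __name__ == "__main__":
    print(diagnose("domain1.com", SRV, EXCHANGE_ONLY))
    print(diagnose("domain1.com", SRV, WEB_HOST_IN_THE_WAY))
```
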