Solved

Autodiscover issues with single SSL and multiple email domains

Posted on 2014-12-19
Last Modified: 2015-03-30
Hi

I have an Exchange 2013 server for only external users connecting via Exchange ActiveSync.

External name: hostedex.domain.com

I have an SSL on that domain and Exchange is all set up, and telnet in and out tests work fine for mail flow.

The server will have quite a few different domains set up on it for email.

Users will not have access to all of the domains.

I want to try and set up Autodiscover so they can set up their email accounts themselves, but at the moment when I try to set up an email account such as test@domain1.com, the Autodiscover is moaning that the SSL is for test@domain.com.

I have created a CNAME on domain1.com to point to the Autodiscover address on domain.com but still no luck.

Can this be done without having to have an SSL cert for each domain we have on the server?

Thanks
Question by:timb551
12 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40509079
You cannot use a CNAME, because that is just a DNS entry; it doesn't change what the client tries to connect to.
If you want to use a single certificate then you have two (well, technically three) options:

1. Autodiscover redirect method. This uses a non-HTTPS web site (needs to be separate from the main site, different IP address etc) to direct the clients to the SSL secured Autodiscover site.
2. SRV records. For SRV records to work correctly you must ensure that there are NO wildcards in the domain, so that Autodiscover.example.com does NOT resolve.

The third method is no Autodiscover support at all.
As you have said this is just for ActiveSync, this is a viable option. Not only because you can avoid it with mobile devices, but also because there is usually a very high failure rate in my experience with mobile devices and Autodiscover. Android is very hit and miss, depending on the vendor and OS version. Apple is a bit better. BlackBerry OS 10 and Windows Phone usually work correctly.

Therefore whatever you do, you will need to have manual instructions.

Simon.
 

Author Comment

by:timb551
ID: 40509184
Thanks

Why does option 2 involve manual instructions?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40509251
You need to have manual instructions for the reasons I have given - Autodiscover more often than not does not work on mobile devices.

Simon.

Author Comment

by:timb551
ID: 40509267
Ah, fair enough.

What do I need to do for option 2, though? Will give that a go and see how I get on.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40509472
Follow the instructions from Microsoft here: http://semb.ee/srv

Remember it is EXTERNAL DNS you need to make the changes on.

The quicker Microsoft release Acompli for themselves the better, as that does actually work (Acompli is an ActiveSync client for iOS and Android which Microsoft bought earlier this month).

Simon.
 
LVL 2

Accepted Solution

by: Jasvindar Singh earned 500 total points
ID: 40510927
As you have a single-name certificate issued to "hostedex.domain.com", the best option for Autodiscover to work for a single domain or multiple domains is to create an SRV record.

E.g., in public DNS, under domain1.com => create an SRV record

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: hostedex.domain.com  (Value in your certificate)

In public DNS, under domain2.com => create the same SRV record, and so on.

Supporting Article => http://support.microsoft.com/kb/940881
 

Author Comment

by:timb551
ID: 40543962
Have added the SRV record but it still doesn't seem to be setting up without throwing up an SSL error.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40544093
Have you checked that

Autodiscover.example.com

does NOT resolve somewhere it shouldn't do?

Furthermore,

https://example.com/Autodiscover/Autodiscover.xml 

should also not work.

Once a trusted certificate is in place, the most common cause of problems is web hosts getting in the way, with wildcards in the domain, or using Autodiscover with their own control panels.

Simon.
 

Author Comment

by:timb551
ID: 40635938
I have checked for wildcards and it does resolve to the correct IP.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40637047
Does the URL that I posted above work?

Simon.
 

Author Comment

by:timb551
ID: 40639243
It brings up a username and password box
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40639713
If the root of your domain does not resolve to your Exchange server, then that is probably the cause of your problems. If you can cancel the authentication box, then look at the SSL certificate being presented; I expect it isn't yours.

If that is the case, then you need to speak to your web host and get them to turn off Autodiscover on your domain. First line support will say it cannot be done (really means - we have no idea what you are on about), so you will have to be persistent.

Simon.
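
The lookup order this thread keeps returning to (root domain, then autodiscover.<domain>, then the SRV record), as an added example that is not part of any post: given which hostnames answer on HTTPS and which names their certificates carry, it reports which step a client lands on and whether the certificate name matches. The web-host certificate name and the stop-at-first-answer rule are assumptions, and the HTTP redirect step is left out.

```python
# Added example (not from the thread): offline model of the Autodiscover lookup order.
# All hostnames and certificate names below are constructed sample data.

def cert_covers(host, cert_names):
    """True if a certificate name matches host exactly or as a one-label wildcard."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def diagnose(domain, https_hosts, srv_target=None):
    """Return (step, host, verdict) for the first lookup step that answers.

    https_hosts: {hostname: [names on the certificate it serves on 443]} for
                 every hostname that resolves and answers HTTPS.
    srv_target:  host from the _autodiscover._tcp.<domain> SRV record, or None.
    Simplification (assumption): the client stops at the first host that answers.
    """
    candidates = [("root", domain), ("autodiscover", "autodiscover." + domain)]
    if srv_target:
        candidates.append(("srv", srv_target))
    for step, host in candidates:
        if host in https_hosts:
            ok = cert_covers(host, https_hosts[host])
            return step, host, "ok" if ok else "cert-mismatch"
    return "none", None, "no-autodiscover"

EXCHANGE = {"hostedex.domain.com": ["hostedex.domain.com"]}
WEBHOST_CERT = ["*.webhost.example"]  # hypothetical shared-hosting certificate
SCENARIOS = {
    "srv only": dict(EXCHANGE),
    "web host answers on root": {**EXCHANGE, "domain1.com": WEBHOST_CERT},
    "wildcard DNS catches autodiscover": {**EXCHANGE, "autodiscover.domain1.com": WEBHOST_CERT},
}

if __name__ == "__main__":
    for label, hosts in SCENARIOS.items():
        print(label, "->", diagnose("domain1.com", hosts, "hostedex.domain.com"))
```

Only the first scenario reaches the SRV record and the certificate issued to hostedex.domain.com; in the other two an earlier step answers with someone else's certificate, which is the SSL error described in the thread.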