Exchange 2016 Autodiscovery

I set up the external autodiscovery for a domain as follows:
Cname  autodiscover
TXT    remote

When I try to setup an Outlook profile from outside the organisation everything works except I'm getting a certificate error because the name does not match on the certificate.
The certificate is a Comodo cert and it's under for because Outlook tries to find instead of it gives me that certificate error, and if I click OK then it comes with a user name as and asks for the password, but that does not work either till I change the user name from to user only.
Then it all works fine.
I want to mention that internally the Exchange server autodiscovery for both internal and external are set to but I did not set the CNAME yet on the internal DNS.
I will do this soon. I'm just getting the Exchange ready for a new domain.
Is there an easy way to fix both the cert error that I'm getting and find a way that either it can authenticate by the email address instead of user name or get the user name by default?
For me those changes are no problem, but for 50 remote users I would like them to be able to just type their email and password and click next.

bbaoIT ConsultantCommented:
Is it an Exchange server installed by you or just an Exchange service subscribed from Microsoft cloud?
infedonetworkAuthor Commented:
On-premises Exchange, installed by me.
bbaoIT ConsultantCommented:
During the installation of Exchange Server, each Exchange Server creates its own SCP (Service Connection Point), which you can see in Active Directory Sites and Services. Please double check if you have done so.

infedonetworkAuthor Commented:
Where exactly do I have to look in Active Directory Sites and Services for the SCP?
infedonetworkAuthor Commented:
Those are the two problems:
I need to make the look like when Outlook searches for.
Also, it would be nice if the authentication could be done with the email as the user name instead of having to change the email to domain\user.

timgreen7077Exchange EngineerCommented:
For the cert error, you will need to have the name added. When using autodiscover externally it looks for, so you may have to contact your external CA and ask them if they can reissue the cert and have the autodiscover name added. If the user principal name was the actual email address then you would be able to use the email address as the sign-in, but it's most likely the AD user principal name isn't the actual email address, so that is why you have to change it to domain\user.

Once you get the new cert you will have to import it into Exchange again.

infedonetworkAuthor Commented:
So if I ping from outside it replies with the external IP.
If I ping it replies as
So when Outlook looks for it's getting and that matches the certificate name.
Where is it getting the autodiscover from if the DNS translates to remote?
For the user, the alias or the user name is the same as the email. Example: John Doe is the name and the user name and alias is jdoe and the email is
Shouldn't that work?
timgreen7077Exchange EngineerCommented:
Internally Outlook will use the SCP, which may be, but externally for autoconfig to work it looks for if it fails to find it, it fails, so you need to add to the cert, or you can manually configure Outlook to connect without autodiscover.

If the domain name is
the username or alias is jdoe
they should be able to sign in using, but if the domain name is but the email domain is then the UPN is still, the UPN is not the email address, so they may fail to log in unless they change to domain\username or the UPN.
infedonetworkAuthor Commented:
Domain is
For external DNS I created a CNAME for autodiscover to go to
Like you can see below, when I ping it replies as and remote is on the certificate.
Why does Outlook not see the name remote when it looks for autodiscover?
And for the user, yes, the external domain is and the internal is k2x.local, so the internal domain is different than the external domain, but each user has an email as the and jdoe@k2x.local
Could that be because it looks at the jdoe@k2x.local instead of the?
Is there anything that I can change so it authenticates with instead?
infedonetworkAuthor Commented:
Sorry I forgot the pic

timgreen7077Exchange EngineerCommented:
In regards to autodiscover, go to the site and test Outlook connectivity with autodiscover. Tell me the result.

In regards to the domain, yes, authentication is done on the actual domain UPN and not an email address. It just happens that some email addresses and company domains are the same and it works, but that is not how your domain is set up. Have the user connect with domain\username.
infedonetworkAuthor Commented:
timgreen7077Exchange EngineerCommented:
You will notice that the autodiscover test failed. You will need to add the autodiscover name to your cert. A CNAME doesn't remove the necessity of having the namespace match the cert. Your cert should have 2 namespaces.

That autodiscover CNAME is just an alias for the actual DNS name, and in your case it's, and that doesn't negate the need for an autodiscover DNS name.
infedonetworkAuthor Commented:
So I did the 3-domain certificate and I added remote, autodiscover and mail.
I tested all 3 fine. Now it's all fine except does not work.
It says the page can't be displayed. Before it was OK with the single-domain certificate. What am I missing? I'm sure there is a command I have to run on Exchange but I can't remember what.
infedonetworkAuthor Commented:
Port 443 is open because I can go to and I bound the certificate to SMTP, POP, LDAP and IIS.
timgreen7077Exchange EngineerCommented:
That is correct. The one that will work is It attempts both, but as long as 1 works you are good.
timgreen7077Exchange EngineerCommented:
This always fails on me also when testing with which is fine, but it would work on your internal network.
timgreen7077Exchange EngineerCommented:
You should be good to go now.
infedonetworkAuthor Commented:
The autodiscover works, but now when I try to set up an email from outside the domain it will find the network and it will ask the password for then I change that to domain\user and it finds it, then it says: The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online. I have the feeling it is trying to get to and that's not working.

infedonetworkAuthor Commented:
Sorry, Wrong pic

timgreen7077Exchange EngineerCommented:
Run the following in Exchange Shell and let me know the results. I wonder if your virtual directory may be misconfigured. Just curious.

# Set this to the name of your Exchange server
$Server = "ExchangeServer"
# Internal and external URLs of each client-facing virtual directory
Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

# Autodiscover SCP URI that internal Outlook clients are given
Get-ClientAccessService -Identity $Server | fl AutodiscoverServiceInternalURI

What's the namespace you are using for Exchange?
infedonetworkAuthor Commented:
InternalUrl                   ExternalUrl
-----------                   -----------

[PS] C:\Windows\system32>Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                   ExternalUrl
-----------                   -----------

[PS] C:\Windows\system32>Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                   ExternalUrl
-----------                   -----------

[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                           ExternalUrl
-----------                                           -----------

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                 ExternalUrl
-----------                                 -----------

[PS] C:\Windows\system32>Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                    ExternalUrl
-----------                    -----------
timgreen7077Exchange EngineerCommented:
Are the internal and external URLs the same?
Is exchange.domain.local the actual Exchange server name?
It's recommended not to use server names in the namespace, so I would change that to something like, but be sure it's the namespace on your cert.
timgreen7077Exchange EngineerCommented:
See the link below to assist you with properly setting up your client namespace. Exchange.domain.local isn't recommended because your server names generally aren't on your cert. See link
infedonetworkAuthor Commented:
exchange is the internal name of the Exchange server; only domain.local has been changed in the post.
I want both internal and external to be instead of exchange.domain.local
timgreen7077Exchange EngineerCommented:
That is correct. Use the article in the link to help you set it up correctly. is fine, but use the article to assist you with setting it up.
timgreen7077Exchange EngineerCommented:
User no longer replied after last suggestion which should have solved his final issue. Closing request assigning points.
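
Added example (not part of the thread, and not code posted by any participant): a check for the Exchange Management Shell that gathers every URL the server hands to clients, plus the external Autodiscover name, and reports whether each host name is on the certificate enabled for IIS. `EXCH01` and `autodiscover.example.com` are placeholders, and `Test-NameCovered` is a helper defined here.

```powershell
# Added example, not from the thread. Values marked "placeholder" are assumptions.
$Server           = 'EXCH01'                     # placeholder server name
$AutodiscoverName = 'autodiscover.example.com'   # placeholder external name

# Names on the certificate(s) enabled for IIS, i.e. what Outlook sees on port 443.
$certNames = @(Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

function Test-NameCovered([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.')) {
            # A wildcard entry covers exactly one extra label on the left.
            $suffix = $c.Substring(1)
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $Name.Substring(0, $Name.Length - $suffix.Length)
                if (-not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Every URL Exchange hands to clients: the virtual directories plus the SCP.
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-OabVirtualDirectory         -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-MapiVirtualDirectory        -Server $Server
)
$urls = foreach ($v in $vdirs) {
    foreach ($p in 'InternalUrl', 'ExternalUrl') {
        if ($v.$p) { [pscustomobject]@{ Source = "$($v.Name) $p"; Url = "$($v.$p)" } }
    }
}
$scp = (Get-ClientAccessService -Identity $Server).AutodiscoverServiceInternalUri
$urls = @($urls) + @(
    [pscustomobject]@{ Source = 'SCP (internal Autodiscover)'; Url = "$scp" }
    [pscustomobject]@{ Source = 'External Autodiscover'; Url = "https://$AutodiscoverName/" }
)

# One row per URL: a False in OnCertificate is a name Outlook will warn about.
$urls | Where-Object Url | ForEach-Object {
    $urlHost = ([uri]$_.Url).Host
    [pscustomobject]@{ Source = $_.Source; Host = $urlHost
                       OnCertificate = (Test-NameCovered $urlHost $certNames) }
} | Format-Table -AutoSize
```

A row such as a virtual directory pointing at the server's internal name with `OnCertificate` False is the mismatch discussed in the last replies; a CNAME in DNS does not change the result, because the client validates the name it asked for.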