Exchange 2016 Autodiscovery

I set up the external autodiscovery for a domain as follows:
A   remote.test.com
Cname  autodiscover   remote.test.com
TXT    remote          test.com

When I try to set up an Outlook profile from outside the organisation, everything works except I'm getting a certificate error because the name does not match on the certificate.
The certificate is a Comodo cert and it's under remote.test.com, so because Outlook tries to find autodiscover.test.com instead of remote.test.com it gives me that certificate error, and if I click OK then it comes up with the user name as user@test.com and asks for the password, but that does not work either until I change the user name from user@test.com to user only.
Then it all works fine.
I want to mention that internally the Exchange server autodiscovery for both internal and external is set to https://remote.test.com, but I did not set the CNAME yet on the internal DNS.
I will do this soon. I'm just getting the Exchange ready for a new domain.
Is there an easy way to fix both the cert error that I'm getting and find a way that either it can authenticate by the email address instead of user name or get the user name by default?
For me those changes are no problem, but for 50 remote users I would like them to be able to just type their email and password and click Next.
infedonetworkAsked:
bbaoIT ConsultantCommented:
Is it an Exchange server installed by you or just an Exchange service subscribed from the Microsoft cloud?
0
infedonetworkAuthor Commented:
On-premises Exchange installed by me.
0
bbaoIT ConsultantCommented:
During the installation of Exchange Server, each Exchange Server creates its own SCP (Service Connection Point), which you can see in Active Directory Sites and Services. Please double check if you have done so.
0
infedonetworkAuthor Commented:
Where exactly do I have to look in Active Directory Sites and Services for the SCP?
0
infedonetworkAuthor Commented:
Those are the two problems:
I need to make the discovery.domain.com look like remote.domain.com when Outlook searches for it.
Also, it would be nice if the authentication could be done with the email as the user name instead of having to change the email to domain\user.

cert
username
0
timgreen7077Exchange EngineerCommented:
For the cert error, you will need to have the name autodiscover.test.com added. When using autodiscover externally it looks for autodiscover.domain.com, so you may have to contact your external CA and ask them if they can reissue the cert and have the autodiscover name added. If the user principal name was the actual email address then you would be able to use the email address as the sign-in, but it's most likely the AD user principal name isn't the actual email address, so that is why you have to change it to domain\user.

Once you get the new cert you will have to import it into Exchange again.
0
infedonetworkAuthor Commented:
So if I ping remote.domain.com from outside, it replies with the external IP.
If I ping autodiscover.domain.com, it replies as remote.domain.com.
So when Outlook looks for autodiscover.domain.com it's getting remote.domain.com, and that matches the certificate name.
Where is it getting the autodiscover from if the DNS translates to remote?
For the user, the alias or the user name is the same as the email. Example: John Doe is the name, the user name and alias is jdoe, and the email is jdoe@domain.com.
Shouldn't that work?
0
timgreen7077Exchange EngineerCommented:
Internally Outlook will use the SCP, which may be remote.test.com, but externally for autoconfig to work it looks for autodiscover.domain.com. If it fails to find it, it fails, so you need to add autodiscover.domain.com to the cert, or you can manually configure Outlook to connect without autodiscover.

If the domain name is test.com
and the username or alias is jdoe,
they should be able to sign in using jdoe@test.com. But if the domain name is test.com and the email domain is testing.com, then the UPN is still jdoe@test.com; the UPN is not the email address jdoe@testing.com, so they may fail to log in unless they change to domain\username or the UPN.
0
infedonetworkAuthor Commented:
Domain is test.com.
For external DNS I created a CNAME for autodiscover to go to remote.test.com.
As you can see below, when I ping autodiscover.domain.com it replies as remote.domain.com, and remote is on the certificate.
Why does Outlook not see the name remote when it looks for autodiscover?
And for the user, yes, the external domain is domain.com and the internal is k2x.local, so the internal domain is different from the external domain, but each user has an email as jdoe@domain.com and jdoe@k2x.local.
Could that be because it looks at jdoe@k2x.local instead of jdoe@domain.com?
Is there anything that I can change so it authenticates with jdoe@domain.com instead?
0
infedonetworkAuthor Commented:
Sorry, I forgot the pic.

ping
0
timgreen7077Exchange EngineerCommented:
In regard to autodiscover, go to the site exrca.com and test Outlook connectivity with autodiscover. Tell me the result.

In regard to the domain, yes, authentication is done on the actual domain UPN and not an email address. It just happens that some email addresses and company domains are the same and it works, but that is not how your domain is set up. Have the user connect with domain\username.
0
infedonetworkAuthor Commented:
test
0
timgreen7077Exchange EngineerCommented:
You will notice that the autodiscover test failed. You will need to add the autodiscover name to your cert. A CNAME doesn't remove the necessity of having the namespace match the cert. Your cert should have 2 namespaces.

remote.test.com
autodiscover.test.com

That autodiscover CNAME is just an alias for the actual DNS name, in your case remote.test.com, and that doesn't negate the need for an autodiscover DNS name.
0
infedonetworkAuthor Commented:
So I did the 3-domain certificate and I added remote, autodiscover and mail.
I tested all 3 fine. Now it's all fine except https://domain.com:443/Autodiscover/Autodiscover.xml does not work.
It says the page can't be displayed. Before, it was OK with the single-domain certificate. What am I missing? I'm sure there is a command I have to run on Exchange but I can't remember what.
0
infedonetworkAuthor Commented:
Port 443 is open because I can go to https://remote.domain.com/owa, and I bound the certificate to SMTP, POP, LDAP and IIS.
0
timgreen7077Exchange EngineerCommented:
That is correct. The one that will work is autodiscover.domain.com. It attempts both, but as long as 1 works you are good.
0
timgreen7077Exchange EngineerCommented:
This always fails for me also when testing with exrca.com, which is fine, but it would work on your internal network.
https://remote.test.com:443/Autodiscover/Autodiscover.xml
0
timgreen7077Exchange EngineerCommented:
You should be good to go now.
0
infedonetworkAuthor Commented:
The autodiscover works, but now when I try to set up an email from outside the domain it will find the network and it will ask for the password for user@domain.com. Then I change that to domain\user and it finds it, then it says "The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online." I have the feeling it is trying to get to https://remote.domain.com and that's not working.

test
0
infedonetworkAuthor Commented:
Sorry, wrong pic.

fp
0
timgreen7077Exchange EngineerCommented:
Run the following in Exchange Shell and let me know the results. I wonder if your virtual directory may be misconfigured. Just curious.

$Server = "ExchangeServer"
Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

and

Get-ClientAccessService -Identity "Exchange Server" | fl AutodiscoverServiceInternalURI

What's the namespace you are using for Exchange?
0
infedonetworkAuthor Commented:
InternalUrl                   ExternalUrl
-----------                   -----------
https://exchange.domain.local/owa


[PS] C:\Windows\system32>Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                   ExternalUrl
-----------                   -----------
https://exchange.domain.local/ecp


[PS] C:\Windows\system32>Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                   ExternalUrl
-----------                   -----------
https://exchange.domain.local/OAB


[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                           ExternalUrl
-----------                                           -----------
https://exchange.domain.local/Microsoft-Server-ActiveSync


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                                 ExternalUrl
-----------                                 -----------
https://exchange.domain.local/EWS/Exchange.asmx


[PS] C:\Windows\system32>Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL

InternalUrl                    ExternalUrl
-----------                    -----------
https://domain.local/mapi
0
timgreen7077Exchange EngineerCommented:
Are the internal and external URLs the same?
Is exchange.domain.local the actual Exchange server name?
It's recommended not to use server names in the namespace, so I would change that to something like mail.domain.com, but be sure it's the namespace on your cert.
0
timgreen7077Exchange EngineerCommented:
See the link below to assist you with properly setting up your client namespace. Exchange.domain.local isn't recommended because your server names generally aren't on your cert. See link:

https://practical365.com/exchange-server/exchange-server-2016-client-access-namespace-configuration/
0
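Added example, not part of any post in this thread: a name-only check (no network access) showing which host names a client validates against the certificate, covering both the external Autodiscover lookups discussed earlier and the server-name URLs in the posted virtual directory output. The function names `Test-CertNameMatch` and `Get-UrlCertCoverage` are hypothetical, and the SAN lists and URLs are constructed from values quoted in the thread.

```powershell
# Added illustration, not from the thread. SAN lists and URLs are constructed
# from values quoted in the posts above.
function Test-CertNameMatch {
    param([string] $RequestedName, [string[]] $SanDnsNames)
    $name = $RequestedName.TrimEnd('.').ToLowerInvariant()
    foreach ($san in $SanDnsNames) {
        $pattern = $san.TrimEnd('.').ToLowerInvariant()
        if ($pattern -eq $name) { return $true }
        # A wildcard covers exactly one left-most label: *.test.com matches
        # autodiscover.test.com, but not a.b.test.com or test.com itself.
        if ($pattern.StartsWith('*.')) {
            $firstDot = $name.IndexOf('.')
            if ($firstDot -gt 0 -and $name.Substring($firstDot) -eq $pattern.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

# Returns one row per distinct host in $Urls, saying whether the cert covers it.
function Get-UrlCertCoverage {
    param([string[]] $Urls, [string[]] $SanDnsNames)
    $Urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique | ForEach-Object {
        [pscustomobject]@{
            Host    = $_
            Covered = Test-CertNameMatch -RequestedName $_ -SanDnsNames $SanDnsNames
        }
    }
}

# The name a client validates is the host in the URL it requested. The CNAME
# target (remote.test.com) decides which IP answers, not which name is checked.
$urls = @(
    'https://test.com/Autodiscover/Autodiscover.xml'              # external attempt 1
    'https://autodiscover.test.com/Autodiscover/Autodiscover.xml' # external attempt 2
    'https://exchange.domain.local/owa'                           # posted InternalUrl
    'https://exchange.domain.local/EWS/Exchange.asmx'             # posted InternalUrl
    'https://domain.local/mapi'                                   # posted InternalUrl
)

'--- single-name certificate ---'
Get-UrlCertCoverage -Urls $urls -SanDnsNames @('remote.test.com') |
    Format-Table -AutoSize | Out-String
'--- reissued certificate (remote, autodiscover, mail) ---'
Get-UrlCertCoverage -Urls $urls -SanDnsNames @('remote.test.com', 'autodiscover.test.com', 'mail.test.com') |
    Format-Table -AutoSize | Out-String
```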
infedonetworkAuthor Commented:
exchange is the internal name of the Exchange server; only domain.local has been changed in the post.
I want both internal and external to be remote.domain.com instead of exchange.domain.local.
0
timgreen7077Exchange EngineerCommented:
That is correct. Use the article in the link to help you set it up correctly. remote.domain.com is fine, but use the article to assist you with setting it up.
0
timgreen7077Exchange EngineerCommented:
User no longer replied after the last suggestion, which should have solved his final issue. Closing request and assigning points.
0