Exchange 2003 - Outlook 2007 clients autodiscover error

pdx

I have an Exchange 2003 SP2 server. We have a mix of Outlook clients including 21 using Outlook 2007. Today a wildcard cert had to be set up in our external DNS (unrelated to Exchange) and now two of the Outlook 2007 clients are receiving Security Alerts about autodiscover.<mydomain>.com and the name on the certificate being invalid or does not match the name of the site.

I understand that an Outlook 2007 client will still attempt to connect to autodiscover.<mydomain>.com and that the addition of the wildcard cert now allowed that URL to resolve to a site (although a wrong one).

My questions are:

1) Why are only 2 out of 21 Outlook 2007 clients receiving the Alert? I haven't found anything unique about the two re: system restarts, etc.

2) How do I keep the wildcard cert and get rid of the alert? I'd guess that I can set up an autodiscover.<mydomain>.com DNS entry but I'm unclear whether it would be external or internal DNS and what I would point the autodiscover.<mydomain>.com record to?

Thanks
 
Ed Crowley [MVP]

1) Maybe 19 are lucky. Or maybe they have installed your root certificate.

2) You should have autodiscover.<mydomain>.com in DNS, yes. But that won't fix the problem. You should have a SAN certificate from a trusted authority with all the usual Exchange names.

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."

 
pdx

Why do I need a SAN certificate with Exchange 2003?

All the clients have the root certificate; the issue is that with the addition of the wildcard entry to external DNS, the Outlook 2007 clients now resolve autodiscover.<mydomain>.com to a (wrong) address where before they didn't due to no wildcard entry in DNS. So the reason why not all Outlook clients are receiving the error remains unknown since they all now can resolve autodiscover.<mydomain>.com to a (wrong) address.

I believe a DNS entry will fix my problem. I know a local hosts file entry pointing autodiscover.<mydomain>.com to the loopback address solves the problem but that obviously doesn't scale well.

Since posting this, I have seen mention that an external DNS entry pointing autodiscover.<mydomain>.com to 127.0.0.2 will work as well.

 
Ed Crowley [MVP]

I confused the Exchange 2003 with the Outlook 2007, sorry.

Outlook users should check the box to configure their profiles manually and skip autoconfigure completely.

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."

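Added example (not part of any post in this thread): a small Python model of the situation discussed above, showing how a wildcard DNS record turns a failed autodiscover lookup into a certificate name mismatch, and how an explicit record changes the outcome. All hostnames, addresses and certificate name lists are constructed placeholders, and the wildcard lookup is simplified to a single label.

```python
# Constructed sample data: example.com and the 203.0.113.x addresses are placeholders.
WEB = "203.0.113.10"    # unrelated public web server the wildcard points at
MAIL = "203.0.113.25"   # hypothetical host whose certificate lists autodiscover
CERTS = {
    WEB: ["www.example.com"],
    MAIL: ["mail.example.com", "autodiscover.example.com"],
}
ZONE_BEFORE = {"www.example.com": WEB}
ZONE_WILDCARD = dict(ZONE_BEFORE, **{"*.example.com": WEB})
ZONE_EXPLICIT = dict(ZONE_WILDCARD, **{"autodiscover.example.com": MAIL})
ZONE_LOOPBACK = dict(ZONE_WILDCARD, **{"autodiscover.example.com": "127.0.0.2"})


def resolve(zone, name):
    """Exact records win; otherwise fall back to a wildcard at the parent.
    Simplified: real wildcard matching (RFC 4592) can span several labels."""
    if name in zone:
        return zone[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return zone.get("*." + parent)


def name_matches(pattern, host):
    """Certificate name check: '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def autodiscover_probe(zone, certs, domain):
    """Outcome of an HTTPS probe of autodiscover.<domain> in this model."""
    host = "autodiscover." + domain
    addr = resolve(zone, host)
    if addr is None:
        return "no-resolve"      # lookup fails, nothing to connect to, no alert
    names = certs.get(addr)
    if names is None:
        return "no-tls"          # nothing serving HTTPS at that address
    if any(name_matches(n, host) for n in names):
        return "ok"
    return "name-mismatch"       # the Security Alert described in the thread


if __name__ == "__main__":
    for label, zone in [("before", ZONE_BEFORE), ("wildcard", ZONE_WILDCARD),
                        ("explicit", ZONE_EXPLICIT), ("loopback", ZONE_LOOPBACK)]:
        print(label, autodiscover_probe(zone, CERTS, "example.com"))
```
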
 