Exchange Autodiscover SSL issue


archibaldicus

Situation:

- Internal AD domain corp.domain.com with Exchange 2010 installed.

- OWA access: URL webmail.domain.com works fine with a valid SSL certificate for *.domain.com

- When outlook clients connect internally, they are presented with a certificate warning, saying that the host does not match the certificate. This is because the client access server presents itself as server.corp.domain.com, which doesn't match the *.domain.com certificate.

Question:

How do we solve the ssl error for outlook clients on the LAN, taking into account that:

- We want to use the Autodiscover service;

- We do not want to change the OWA URL;

- We do not want to change the SSL certificate.

Do we setup a separate internal Autodiscover website with another valid certificate for *.corp.domain.com for the internal Outlook clients? If yes, can we create our own internal CA for the certificate?

Regards,

Stijn

Steve Goodman

Hiya,

Is there any reason why you don't want to change the cert to a subject alternative name certificate? This is the easiest fix to your problems and wildcard certificates aren't recommended.

Are there any issues stopping you creating a DNS entry like "server.domain.com" and then changing the InternalURL for EWS and OAB, which is what's probably tripping up your Outlook clients?

Steve

Steve Goodman
Check out my Blog for more Exchange info or find me on Twitter

archibaldicus

Hello,

Thanks for your reply. The DNS entry for server.domain.com already exists and works, but when you configure an outlook client, it automatically turns it into server.corp.domain.com and generates the SSL security warning. I must add that we actually have 2 AD's setup. One for domain.com as root domain, and the one we setup exchange in, i.e. corp.domain.com.

Regards,

Stijn

Steve Goodman

Hiya,

If you use the following commands:

get-oabvirtualdirectory

and

Get-WebServicesVirtualDirectory

Do you see the server.corp.domain.com listed for each?

Steve


archibaldicus

Hi,

Both commands give the server.corp.domain.com as output.

On the certificate reply, I assume we should generate a certificate using the EMC and fill out all URLs (server.corp.domain.com for internal, webmail.domain.com, etc) and send that to Verisign or Godaddy or whatever?

Regards,
Stijn

Steve Goodman

Hiya,

OK, that output is what I expected. Those two URLs are used by Outlook to set Out of Office and download the Offline Address Book amongst other things. If you're getting the cert errors during usage of Outlook (and mail delivery into and out of Outlook works), then these are the likely culprit.

You could change the InternalURL to server.domain.com using the Set-OABVirtualDirectory and Set-WebServicesVirtualDirectory commands - however as it's your production environment and I'm not sure about your exact setup, you need to understand what this is doing and if possible test it out first. If you make the changes server-side, you will need to get an Outlook client to update its settings; it should do this automatically, but you can force this by choosing the "Repair" option in the Email Accounts settings panel in Outlook.

Regarding a SAN/UCC certificate, you are quite right about generating it using the EMC. You may want to have a think about if any other hostnames may be needed - the generation wizard will give you some pointers. Obvious ones are if you use another address/server name for Outlook Anywhere and of course autodiscover.corp.domain.com, autodiscover.domain.com.

Steve


archibaldicus

Hello,

I pointed the OABVirtualDirectory and WebServicesVirtualDirectory to server.domain.com. The SSL errors seemed to have disappeared until all of a sudden, I got it again. They appear a lot less frequently now, so I was wondering if Outlook is using an SSL connection for something else as well?

We will also try to get a proper SAN certificate that will cover all *.corp.domain.com and *.domain.com hostnames.

Regards,

Stijn

Steve Goodman

Hiya,

That sounds like when auto discovery is periodically running on the Outlook client.

You may want to also update the SCP record (that's the record in Active Directory that tells domain joined clients where to find AutoDiscover) to match that server.domain.com value, or (preferably) if you have it configured in your internal DNS, autodiscover.domain.com - e.g.

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://server.domain.com/Autodiscover/Autodiscover.xml

or

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

Hope this helps and have a good holiday season!

Steve

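An added diagnostic script (not posted in this thread) that ties the advice above together: it reads the three settings the thread identified (OAB and EWS InternalUrl plus the AutoDiscover SCP), checks each hostname against the names on the certificate bound to IIS, and only rewrites a mismatched URL onto the covered hostname when run with -Fix. It assumes the Exchange 2010 Management Shell on the client access server; the server.domain.com value is a placeholder taken from the thread.

```powershell
# Added example, not from the thread. Audits the URLs Outlook uses internally
# against the IIS certificate and reports (or, with -Fix, corrects) mismatches.
# Assumes the Exchange Management Shell on the CAS; hostname is a placeholder.
param(
    [string]$InternalHost = "server.domain.com",  # name the certificate covers
    [switch]$Fix                                  # change nothing unless asked
)

# Names on the certificate currently bound to IIS (wildcards kept verbatim).
$cert  = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

function Test-NameCovered([string]$Hostname) {
    foreach ($n in $names) {
        if ($n -eq $Hostname) { return $true }
        # *.domain.com matches exactly one label: server.domain.com yes,
        # server.corp.domain.com no - the mismatch described in the thread.
        if ($n.StartsWith("*.") -and $Hostname -like $n -and
            $Hostname.Split(".").Count -eq $n.Split(".").Count) { return $true }
    }
    return $false
}

$me = $env:COMPUTERNAME
$checks = @(
    @{ Name = "OAB"; Url = (Get-OabVirtualDirectory -Server $me).InternalUrl
       Set = { param($u) Get-OabVirtualDirectory -Server $me | Set-OabVirtualDirectory -InternalUrl $u } },
    @{ Name = "EWS"; Url = (Get-WebServicesVirtualDirectory -Server $me).InternalUrl
       Set = { param($u) Get-WebServicesVirtualDirectory -Server $me | Set-WebServicesVirtualDirectory -InternalUrl $u } },
    @{ Name = "SCP"; Url = (Get-ClientAccessServer -Identity $me).AutoDiscoverServiceInternalUri
       Set = { param($u) Set-ClientAccessServer -Identity $me -AutoDiscoverServiceInternalUri $u } }
)

foreach ($c in $checks) {
    if (-not $c.Url) { Write-Output ("{0,-4} NOT SET" -f $c.Name); continue }
    $url = [Uri]$c.Url
    if (Test-NameCovered $url.Host) {
        Write-Output ("{0,-4} OK       {1}" -f $c.Name, $url)
        continue
    }
    # Keep the path, swap only the host: https://server.domain.com/OAB etc.
    $fixed = [Uri]("https://{0}{1}" -f $InternalHost, $url.AbsolutePath)
    Write-Output ("{0,-4} MISMATCH {1} -> {2}" -f $c.Name, $url, $fixed)
    if ($Fix) { & $c.Set $fixed }
}
```

Run it without -Fix first to see which of the three URLs still carry the corp.domain.com name; a remaining MISMATCH on SCP explains the periodic warning from AutoDiscover even after OAB and EWS were corrected.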