Autodiscover, Out of Office and Wildcard SSL

  • Autodiscover, Out of Office and Wildcard SSL


    Our Exchange 2010 server uses a wildcard SSL certificate

    The exchange server has CAS, Hub Transport and Mailbox roles.

    The exchange server is installed on a resource domain

    The mailboxes are Linked Mailboxes, with LinkedMasterAccount set to their windows logon account within a trusted domain

    Outlook clients have been manually configured, pointing to the mail server via internal FQDN:


    When trying to get into Out of Office settings in Outlook, the following error is displayed:
    "Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later"


    Everything seems to point to Autodiscover not being set up correctly and OOF relying on this service.

    This sounded right, seeing as I hadn't done any work on Autodiscover and all client workstations were configured manually.

    Changes made:

    I've now set up an A record on our public DNS to try and get Autodiscover and OOF working.

    A record: -> public IP address for Exchange server

    I set up an A record on our internal DNS: -> internal IP address for Exchange Server


    Test exchange connectivity says Autodiscover is OK

    Out of Office error remains unchanged.

    All client PCs are throwing an SSL security alert because mailserver.mail.local has a security certificate which does not match the name on the certificate.

    I'm out of my depth on this and have a lot of people angry at me
    Last edited by David!; 19th April 2011, 02:06. Reason: more info

  • #2
    Re: Autodiscover, Out of Office and Wildcard SSL

    Why configure the clients manually when you can use autodiscover? Are the Outlook clients 2003 and lower? As Outlook 2007 and 2010 both support autodiscover.

    That said, the issue you're experiencing is because you don't have the correct names in your SAN certificate. (Assuming you are using a SAN certificate) The same name that clients connect to (CAS Server) should be the same name in the certificate for the autodiscover entry. IE if your wildcard is * then the service connection point for Outlook clients should be This would work because you are using a wildcard but does have some security constraints.
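    The name-matching point made in this reply can be checked mechanically. The script below is an added example, not code from the thread or from any poster: it applies the wildcard rules an Outlook client or browser uses (the wildcard may only be the whole leftmost label and matches exactly one label) to a list of the names clients actually connect to, and reports which names would raise a certificate warning. The domain example.com, the certificate names and the client host names are constructed for illustration; the thread's real public domain is not given.

```python
"""Check whether a certificate's names cover every host name clients connect to.

Added example (not from the thread). Assumes a constructed public domain
example.com, a wildcard certificate for *.example.com, and an internal name
mailserver.mail.local that the Outlook profiles were manually pointed at.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) matches hostname.

    Per RFC 6125 a wildcard is honoured only as the whole leftmost label
    ("*.example.com") and matches exactly one non-empty label, so it covers
    "mail.example.com" but not "example.com" or "autodiscover.sub.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any name on the certificate matches the host name clients use."""
    return any(name_matches(name, hostname) for name in cert_names)


def uncovered_hosts(cert_names, hostnames):
    """List the connection names that would trigger a certificate-name warning."""
    return [h for h in hostnames if not certificate_covers(cert_names, h)]


# Constructed sample data (illustrative only, not the thread's real names).
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["mail.example.com", "autodiscover.example.com", "mailserver.mail.local"]
CLIENT_NAMES = [
    "mailserver.mail.local",          # internal FQDN the Outlook profiles point at
    "mail.example.com",               # public name covered by the wildcard
    "autodiscover.example.com",       # Autodiscover A record
    "autodiscover.sub.example.com",   # two labels deep: the wildcard does NOT cover it
]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        missing = uncovered_hosts(cert, CLIENT_NAMES)
        print(f"{label} certificate: uncovered names -> {missing or 'none'}")
```

    Running it shows the wildcard certificate leaves mailserver.mail.local (and any host two labels below the wildcard) uncovered, while a SAN certificate that lists the internal name covers everything the clients use. One caveat for anyone reading this today: public CAs stopped issuing certificates for internal names such as .local in 2015 (CA/Browser Forum baseline requirements), so the "put mailserver.mail.local on the certificate" route is now only possible with an internal CA; otherwise the clients have to be repointed to a public FQDN.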


    • #3
      Re: Autodiscover, Out of Office and Wildcard SSL

      The issue is there are 500 clients and they are all already manually configured to use mailserver.mail.local rather than
      The majority of them are using Outlook XP or 2003.

      They've been through hell during this migration so I can't interrupt them to switch where their outlook profiles point.

      Autodiscover would have been good, but I was the wrong person to choose for this project, self-trained and no time to finish researching the implementation before commencing the migration to meet deadline.

      It was a migration involving 3 forests with separate orgs, domains and exchange versions, all merging to one resource domain.

      I don't have a SAN certificate, I have a standard wildcard certificate.

      I don't think there's a way for me to change the remote outlook profiles to point to rather than mailserver.mail.local

      The worst of it (and the reason for this post) ..
      I put time into getting Autodiscovery working solely to get Out of Office working, but OOF still does not work and now I have certificate warnings and authentication prompts across the country.

      I have temporarily removed the DNS entries for autodiscovery to alleviate the calls coming in to support regarding the certificate error.

      Taking the above into account, does anyone have any advice?
      It seems I've driven this project into a dark corner and I can't back out of it..


      • #4
        Re: Autodiscover, Out of Office and Wildcard SSL

        For Exchange 2010 to work correctly you need a SAN certificate for all the subject alternative names. Autodiscover, webmail etc. That said, you're between a rock and a hard place here. You either need a certificate with the name mailserver.mail.local in, or you change the clients to point to the right address or modify your SCP. The problem with modifying the SCP retrospectively is you may break other functionality. Buy a new SAN cert with the correct name.
        Last edited by scurlaruntings; 19th April 2011, 09:15.


        • #5
          Re: Autodiscover, Out of Office and Wildcard SSL

          There are a number of different solutions for scripting a change to the server name that show up on Google - the Outlook Resource Kit, VBScript, PRF files. Maybe give some of those a test on one computer to see if you can successfully switch it onto the FQDN.


          • #6
            Re: Autodiscover, Out of Office and Wildcard SSL

            OK, I'm buying a SAN certificate to get past the cert errors so I can troubleshoot Out of Office, which I need working before tomorrow afternoon as Easter Break commences.