Help needed with SSL Cert config for Autodiscover and Activesync


  • Help needed with SSL Cert config for Autodiscover and Activesync

    OK, I'm quite new at creating SSL Certs. I know the easy way would be to purchase a SAN certificate for this, but GoDaddy, my hosting provider, are doing super cheap standard SSL certs.

    Can I configure this using one standard cert for autodiscover.mydomain.com and a separate one for mail.mydomain.com?

    If I can, and I do this, how do I go through the new cert wizard on Exchange 2010? Do I tick only Autodiscover on one of them and specify the address for this, and then tick the other webservices and specify the mail.mydomain.com address for these services on the other and then make sure only one hostname is listed on each wizard?

    Would this work? Does this even make sense?

    My OWA and Activesync both work fine BTW (albeit with cert errors). I just want to get the Autodiscover sorted and be able to use everything without error.

  • #2
    Re: Help needed with SSL Cert config for Autodiscover and Activesync

    That method doesn't really work. I tried it when Exchange 2007 first came out and it wasn't very successful.

    If you want to use the cheapest kind of SSL certificates then use SRV records for Autodiscover: http://semb.ee/srv

    That way you can have just the single name certificate.

    Just configure Exchange with the same name and a split DNS:
    http://semb.ee/hostnames

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.

    • #3

      Originally posted by Sembee:
      That method doesn't really work. I tried it when Exchange 2007 first came out and it wasn't very successful.

      If you want to use the cheapest kind of SSL certificates then use SRV records for Autodiscover: http://semb.ee/srv

      That way you can have just the single name certificate.

      Just configure Exchange with the same name and a split DNS:
      http://semb.ee/hostnames

      Simon.

      We just did the same thing. We host email for our SaaS customers and to save on the cost of a SAN/UC SSL certificate we purchased a "single name" SSL certificate and we use SRV records in our customer DNS to facilitate Autodiscover.

      • #4

        I did try SRV records originally but wasn't having much luck. I will try again after I read through the links provided.

        Many thanks!

        • #5

          Just had a thought....

          If I change my setup so that autodiscover points at mail.mydomain.com instead of autodiscover.mydomain.com/autodiscover/autodiscover.xml do I need to do this on PS:

          Set-ClientAccessServer -Identity SRV-EXCH01 -AutoDiscoverServiceInternalUri mail.mydomain.com

          ??

          Had to remove the https from mail.mydomain.com as the site wouldn't allow my post.

          Cheers guys.

          • #6

            You will need to use this one;

            Set-ClientAccessServer -Identity SRV-EXCH01 -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml

            Also, worth you first reviewing the existing setting using this;

            Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

            Note: The above are carried out via Exchange Management Shell (EMS) and not PS.
            Last edited by Virtual; 22nd May 2013, 11:09.

            • #7

              Sorry, I did mean EMS

              I didn't think it would need the /Autodiscover/Autodiscover.xml part. I thought that because it was being redirected to mail.mydomain.com, it wouldn't look for that part of the path.

              • #8

                It still needs to find Autodiscover.xml in the Autodiscover virtual directory. What you've done is told it what server to find it at.

                Have another read of this article:

                http://support.microsoft.com/kb/940881

                • #9

                  Ah that makes sense, thank you.

                  Amazing that I can pass a Microsoft exam on this stuff, but then when it comes to real world implementation I find myself forgetting half of it!

                  • #10

                    You're not the only one.

                    For your re-assurance, if you also run the below, you'll know the current configuration;

                    Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

                    • #11

                      Originally posted by Virtual:
                      You're not the only one.

                      For your re-assurance, if you also run the below, you'll know the current configuration;

                      Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

                      Cheers, I've been using those commands already up to now

                      The Microsoft article about setting up an SRV doesn't quite line up with configuring one on GoDaddy.

                      GoDaddy DNS wants me to enter Service, Protocol, Name, Priority, Weight, Port, and Target. I've listed name as autodiscover, which I'm presuming is simply a label to identify the record. I've set the target as mail.mydomain.com, but wasn't sure if the target should just have said mail and nothing else. I have a CNAME pointing mail.mydomain.com at my server.
                      Last edited by Jay Cartay; 22nd May 2013, 17:27.

                      • #12

                        Hmm not working this evening, and the ExRCA says:

                        Attempting to locate SRV record _autodiscover._tcp.mydomain.com in DNS.
                        The Autodiscover SRV record wasn't found in DNS.

                        If I am trying to point the SRV at mail.mydomain.com, won't it fail anyway if the service only tries to find _autodiscover._tcp.mydomain.com?

                        Sorry if that sounds a bit dumb.

                        • #13

                          For your external devices to locate Autodiscover, they'll be using pre-configured mechanisms unless it allows you to set another.

                          In your case, of the devices who will be using an SRV record, the naming convention needs to be in line with the SRV record name they will be looking for. You will need to ensure that it redirects them to the Autodiscover service you have published externally, which is the new name you have configured.

                          • #14

                            Originally posted by Virtual:
                            For your external devices to locate Autodiscover, they'll be using pre-configured mechanisms unless it allows you to set another.

                            In your case, of the devices who will be using an SRV record, the naming convention needs to be in line with the SRV record name they will be looking for. You will need to ensure that it redirects them to the Autodiscover service you have published externally, which is the new name you have configured.

                            I'm not quite sure how I'd know that? If I try to use my phone for Activesync, I can't alter the autodiscover settings.

                            I'm struggling to know what the target should be on the GoDaddy SRV record, as I don't know if I just put mail and it fills the rest, or if I put mail.mydomain.com or if I just put mydomain.com.

                            I've also realised that I may have another issue to complicate things: I am using a dynamic DNS. My mail.mydomain.com points to the dynamic dns hostname. Would this cause complications for an SRV record at all?

                            • #15

                              This is worth a review.

                              http://community.spiceworks.com/topi...covery-on-ipad

                              Just to clarify, some devices are hard coded to use certain ways to find Autodiscover and not all necessarily support SRV records. Some may look for an Autodiscover record and so on.

                              Comment
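
Added example, not part of the thread and not written by any of its posters: how the Service, Protocol and Name fields of a DNS provider's SRV form combine into the owner name that clients such as ExRCA query, together with a check that the SRV target and the Autodiscover internal URI both use the name on a single-name certificate. It assumes the form's Name field is relative to the zone, with `@` or an empty value meaning the zone itself; the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption (not from the thread): the DNS form's Name field is relative to
# the zone, and "@" or an empty value means the zone itself.


def srv_owner(service, protocol, name, zone):
    """FQDN a resolver has to query to find this SRV record (RFC 2782 layout)."""
    labels = ["_" + service.lstrip("_"), "_" + protocol.lstrip("_")]
    name = name.strip().rstrip(".").lower()
    if name not in ("", "@"):
        labels.append(name)
    labels.append(zone.strip().rstrip(".").lower())
    return ".".join(labels)


def check_autodiscover(record, zone, cert_name, internal_uri):
    """Return a list of problems; an empty list means the pieces line up."""
    problems = []
    cert_name = cert_name.lower()
    expected = "_autodiscover._tcp." + zone.lower()
    owner = srv_owner(record["service"], record["protocol"], record["name"], zone)
    if owner != expected:
        problems.append(f"clients query {expected}, record is at {owner}")
    target = record["target"].rstrip(".").lower()
    if target != cert_name:
        # Also catches a bare label such as "mail" that relies on zone expansion.
        problems.append(f"target {target} is not the certificate name {cert_name}")
    if record["port"] != 443:
        problems.append(f"port {record['port']} is not 443 (HTTPS)")
    uri = urlsplit(internal_uri)
    if uri.scheme != "https" or uri.hostname != cert_name:
        problems.append("internal URI is not https:// on the certificate name")
    if uri.path.lower() != "/autodiscover/autodiscover.xml":
        problems.append("internal URI path is not /Autodiscover/Autodiscover.xml")
    return problems


# Constructed sample values built from the thread's placeholder names.
ZONE, CERT = "mydomain.com", "mail.mydomain.com"
URI = "https://mail.mydomain.com/Autodiscover/Autodiscover.xml"
AS_ENTERED = {"service": "_autodiscover", "protocol": "_tcp", "name": "autodiscover",
              "priority": 0, "weight": 0, "port": 443, "target": "mail.mydomain.com"}
AT_ZONE = dict(AS_ENTERED, name="@")

if __name__ == "__main__":
    for label, rec in (("Name=autodiscover", AS_ENTERED), ("Name=@", AT_ZONE)):
        print(label, "->", check_autodiscover(rec, ZONE, CERT, URI) or "consistent")
```
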
