Autodiscover, Out of Office and Wildcard SSL


This topic contains 5 replies, has 3 voices, and was last updated by  Roi12 7 years, 7 months ago.


  • Anonymous
    #154284

    Background:

    Our Exchange 2010 server uses a wildcard SSL certificate
    *.PublicDomain.com

    The exchange server has CAS, Hub Transport and Mailbox roles.

    The exchange server is installed on a resource domain
    mailserver.mail.local

    The mailboxes are Linked Mailboxes, with LinkedMasterAccount set to their windows logon account within a trusted domain
    LogonDomainSome.Guy

    Outlook clients have been manually configured, pointing to the mail server via internal FQDN:
    mailserver.mail.local

    Issue:

    When trying to get into Out of Office settings in Outlook, the following error is displayed:
    “Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later”

    Troubleshooting:

    Everything seems to point to Autodiscover not being set up correctly and OOF relying on this service.

    This sounded right, seeing as I hadn’t done any work on Autodiscover and all client workstations were configured manually.

    Changes made:

    I’ve now set up an A record on our public DNS to try and get Autodiscover and OOF working.

    A record:
    autodiscover.publicdomain.com -> public IP address for Exchange server

    I set up an A record on our internal DNS:
    autodiscover.publicdomain.com -> internal IP address for Exchange Server

    Result:

    Test exchange connectivity says Autodiscover is OK

    Out of Office error remains unchanged.

    All client PCs are throwing an SSL security alert because mailserver.mail.local has a security certificate which does not match the name on the certificate.
    (*.publicdomain.com)

    I’m out of my depth on this and have a lot of people angry at me

    #325012

    Re: Autodiscover, Out of Office and Wildcard SSL

    Why configure the clients manually when you can use autodiscover? Are the Outlook clients 2003 or lower? Outlook 2007 and 2010 both support autodiscover.

    That said, the issue you’re experiencing is because you don’t have the correct names in your SAN certificate (assuming you are using a SAN certificate). The name that clients connect to (the CAS server) should be the same name in the certificate for the autodiscover entry, i.e. if your wildcard is *.publicdomain.com then the service connection point for Outlook clients should be server.publicdomain.com. This would work because you are using a wildcard, but it does have some security constraints.


    Roi12
    Member
    #381165

    Re: Autodiscover, Out of Office and Wildcard SSL

    The issue is there are 500 clients and they are all already manually configured to use mailserver.mail.local rather than mail.publicdomain.com
    The majority of them are using Outlook XP or 2003.

    They’ve been through hell during this migration so I can’t interrupt them to switch where their outlook profiles point.

    Autodiscover would have been good, but I was the wrong person to choose for this project, self-trained and no time to finish researching the implementation before commencing the migration to meet deadline.

    It was a migration involving 3 forests with separate orgs, domains and exchange versions, all merging to one resource domain.

    Anyway..
    I don’t have a SAN certificate, I have a standard wildcard certificate.

    I don’t think there’s a way for me to change the remote outlook profiles to point to mail.publicdomain.com rather than mailserver.mail.local

    The worst of it (and the reason for this post) ..
    I put time into getting Autodiscovery working solely to get Out of Office working, but OOF still does not work and now I have certificate warnings and authentication prompts across the country.

    I have temporarily removed the DNS entries for autodiscovery to alleviate the calls coming in to support regarding the certificate error.

    Taking the above into account, does anyone have any advice?
    It seems I’ve driven this project into a dark corner and I can’t back out of it..

    #325014

    Re: Autodiscover, Out of Office and Wildcard SSL

    For Exchange 2010 to work correctly you need a SAN certificate covering all the subject alternative names (Autodiscover, webmail, etc.). That said, you’re between a rock and a hard place here. You either need a certificate with the name mailserver.mail.local in it, or you change the clients to point to the right address, or you modify your SCP. The problem with modifying the SCP retrospectively is you may break other functionality. Buy a new SAN cert with the correct name.
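    The two replies above both come down to the same thing: the names Exchange advertises through Autodiscover (the SCP, and the EWS URL that Out of Office depends on) must be names the installed certificate actually covers. The Exchange Management Shell commands below are an added example, not something posted in this thread, showing how to check which names the IIS-bound certificate carries and how to re-point the SCP and EWS/OAB URLs at a name that matches the wildcard. The server name “mailserver”, the host name “mail.publicdomain.com” and the test mailbox address are assumptions taken from the thread; substitute your own.

```powershell
# Added example (not from the thread): Exchange 2010 Management Shell steps to
# check which names the IIS-bound certificate covers and to make the Autodiscover
# SCP and the EWS (Out of Office) / OAB URLs use a name that the wildcard matches.
# Server and host names below are assumptions based on the thread.

$server     = "mailserver"              # assumed CAS server name
$publicName = "mail.publicdomain.com"   # assumed host name covered by *.publicdomain.com

# 1. Which certificate is bound to IIS, and which names does it carry?
#    A wildcard appears as a single CertificateDomains entry "*.publicdomain.com";
#    it does not cover "mailserver.mail.local", which is why clients warn when a
#    service URL still names the internal FQDN.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# 2. Point the Autodiscover SCP (what domain-joined Outlook 2007+ looks up in AD)
#    at a name under the public domain instead of the internal FQDN.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.publicdomain.com/Autodiscover/Autodiscover.xml"

# 3. Out of Office is served by EWS; Autodiscover hands these URLs back to Outlook,
#    so they must carry a name the certificate matches.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$publicName/EWS/Exchange.asmx"

# The OAB URL is returned by Autodiscover as well and produces the same kind of
# warning if it still names the internal FQDN.
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$publicName/OAB" `
    -ExternalUrl "https://$publicName/OAB"

# 4. Verify from the server: this walks Autodiscover and then the web services
#    (EWS is the OOF path) for the given mailbox and reports each step.
Test-OutlookWebServices -Identity "some.guy@publicdomain.com" `
    -TargetAddress "some.guy@publicdomain.com"
```

    For this to hold inside the network, both autodiscover.publicdomain.com and mail.publicdomain.com need internal DNS records pointing at the server’s internal address (the original poster had already created the autodiscover one). The RPC server name in the manually configured Outlook profiles (mailserver.mail.local) can stay as it is: that connection is not TLS-validated against the certificate, so the warnings and prompts come from the HTTPS service URLs above, and only Outlook 2007 and later use them for Out of Office; Outlook 2003 and XP never consult Autodiscover. Review the commands on a test mailbox before running them against a production server.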


    beddo
    Member
    #362502

    Re: Autodiscover, Out of Office and Wildcard SSL

    There are a number of different solutions for scripting a change to the server name that show up on Google – the Outlook Resource Kit, VBScript, PRF files. Maybe give some of those a test on one computer to see if you can successfully switch it onto the FQDN.


    Roi12
    Member
    #381166

    Re: Autodiscover, Out of Office and Wildcard SSL

    OK, I’m buying a SAN certificate to get past the cert errors so I can troubleshoot Out of Office, which I need working before tomorrow afternoon as Easter Break commences.

    :sad:
