Autodiscover setup for Internal and External Domains

I have an Exchange installation that is giving me issues. The server was migrated from an old SBS system into a standalone Exchange server. All Exchange services are supported by a single server.

The issue is that when an internal client connects to the server an SSL error occurs, every time. (See Below)

Any input is appreciated.  

Some other points:

  • The Active Directory is a .local domain while the Email Addresses are .com 
  • A certificate was purchased for the .com domain (OWA Access)
  • The Server is a member of the domain 

 
August 25th, 2015 3:03pm

Do you have split-brain DNS (a.k.a. split DNS)?  If not you should first deploy that, ensuring that autodiscover.domain.com and webmail.domain.com (or whatever name you use) have entries pointed to the internal server address.

Then configure Autodiscover to use an external host name:  Set-ClientAccessServer -AutodiscoverServiceInternalUri

Configure the InternalUrl property in Set-OabVirtualDirectory, Set-WebServicesVirtualDirectory, Set-OwaVirtualDirectory, Set-EcpVirtualDirectory and Set-ActiveSyncVirtualDirectory to use webmail.company.com.

Configure Set-OutlookAnywhere -ExternalHostName to webmail.company.com.

Make sure your certificate's CN is webmail.company.com and it has a SAN with autodiscover.company.com.

August 25th, 2015 3:15pm
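The procedure in the answer above, scripted end to end as an added example (it is not code from the thread). Names are assumptions: AD domain company.local, SMTP domain company.com, public name webmail.company.com with autodiscover.company.com as the SAN, and 192.0.2.10 as the LAN address of the Exchange server. The DNS part needs the DnsServer module on a domain controller (Windows Server 2012 or later); the rest runs in the Exchange Management Shell of an Exchange 2010/2013 server.

```powershell
# Added example, not from the original thread. Assumed names: company.local (AD),
# company.com (SMTP), webmail.company.com / autodiscover.company.com (public),
# 192.0.2.10 (LAN address of the Exchange server). Adjust before running.

$publicName = 'webmail.company.com'
$autodName  = 'autodiscover.company.com'
$internalIp = '192.0.2.10'        # assumed LAN address of the Exchange server
$server     = $env:COMPUTERNAME   # the single Exchange server the URLs are set on

# --- 1. Split DNS: an internal copy of company.com so LAN clients resolve the public
#        names to the LAN address instead of the firewall's public address. ---
if (-not (Get-DnsServerZone -Name 'company.com' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'company.com' -ReplicationScope Domain
}
foreach ($label in 'webmail', 'autodiscover') {
    $existing = Get-DnsServerResourceRecord -ZoneName 'company.com' -Name $label `
                    -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName 'company.com' -Name $label -IPv4Address $internalIp
    }
}
# An internal zone shadows the public one completely: every public record LAN clients
# still need (www, MX targets, SPF TXT, ...) has to be recreated in this zone as well.

# --- 2. The Autodiscover SCP in AD must advertise a name the certificate covers, not
#        the server's .local FQDN that setup writes there by default. ---
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$autodName/Autodiscover/Autodiscover.xml"

# --- 3. Every virtual directory: same public name inside and outside, so one
#        certificate and one DNS name serve both networks. ---
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$publicName/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $server | Set-OabVirtualDirectory `
    -InternalUrl "https://$publicName/OAB" -ExternalUrl "https://$publicName/OAB"
Get-OwaVirtualDirectory -Server $server | Set-OwaVirtualDirectory `
    -InternalUrl "https://$publicName/owa" -ExternalUrl "https://$publicName/owa"
Get-EcpVirtualDirectory -Server $server | Set-EcpVirtualDirectory `
    -InternalUrl "https://$publicName/ecp" -ExternalUrl "https://$publicName/ecp"
Get-ActiveSyncVirtualDirectory -Server $server | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$publicName/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$publicName/Microsoft-Server-ActiveSync"

# --- 4. Outlook Anywhere. -InternalHostname only exists from Exchange 2013 on, so it is
#        set only when the cmdlet on this server has that parameter. ---
$oaParams = @{ ExternalHostname = $publicName }
if ((Get-Command Set-OutlookAnywhere).Parameters.ContainsKey('InternalHostname')) {
    $oaParams['InternalHostname'] = $publicName
}
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere @oaParams

# --- 5. Certificate request: CN = public name, SAN = autodiscover name. Submit the CSR
#        to the public CA, then Import-ExchangeCertificate and
#        Enable-ExchangeCertificate -Services IIS on the returned certificate. ---
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "C=US, O=Company, CN=$publicName" -DomainName $publicName, $autodName
[System.IO.File]::WriteAllBytes('C:\temp\webmail.req',
    [System.Text.Encoding]::Unicode.GetBytes($csr))

# URL changes are picked up after the app pools recycle.
iisreset /noforce
```

Order matters: DNS first, then the URLs, then the certificate binding. Changing the URLs to a name that does not yet resolve internally, or binding a certificate that does not yet list that name, just moves the certificate error rather than removing it.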

Hi,

Please run the following command to check your certificate settings:

Get-ExchangeCertificate | fl

Please make sure your certificate which was purchased for the .com domain is assigned to the IIS service. Additionally, please refer to the following KB to change the InternalURL for Exchange services (Autodiscover, EWS, OAB etc.):

https://support.microsoft.com/en-us/kb/940726

Regards,

August 26th, 2015 5:26am

Output - Get-ExchangeCertificate | fl 

AccessRules        :
CertificateDomains : {mail.domain.org}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=RapidSSL SHA256 CA - G3, O=GeoTrust Inc., C=US
NotAfter           : 1/3/2016 10:18:19 PM
NotBefore          : 1/1/2015 5:11:23 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 015F10
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=mail.domain.org, OU=Domain Control Validated - RapidSSL(R), OU=See
                     www.rapidssl.com/resources/cps (c)15, OU=GT96992114
Thumbprint         : 9EA563C1CCA913ECEE588888842CD7FBEA0AC64

AccessRules        :
CertificateDomains : {*.domain.org, domain.org}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=AlphaSSL CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE
NotAfter           : 12/31/2015 10:01:41 PM
NotBefore          : 12/30/2014 10:01:41 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 112116188DFF7785A1A4088888D9955965E
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=*.domain.org, OU=Domain Control Validated
Thumbprint         : 85C2917186446C8A8888809389552E498580AB1E

AccessRules        :
CertificateDomains : {host, host.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=host
NotAfter           : 12/6/2019 10:27:21 PM
NotBefore          : 12/6/2014 10:27:21 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 705E8888873993B54D8E1A88811EF787
Services           : SMTP
Status             : Valid
Subject            : CN=host
Thumbprint         : 57CF3283B590C888889EB7C41C5CE0C146CBAEC0

AccessRules        :
CertificateDomains : {WMSvc-host}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-host
NotAfter           : 12/3/2024 8:56:05 PM
NotBefore          : 12/6/2014 8:56:05 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 289917968885A7B84B681B0D8C4B9CE9
Services           : None
Status             : Valid
Subject            : CN=WMSvc-host
Thumbprint         : 84A9826D8E4407C6F9B59A65888429FF54433281

AccessRules        :
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 7/20/2019 6:49:20 PM
NotBefore          : 8/15/2014 6:49:20 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 14436242EC3B82A0888B58A5760500D4
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : F6A0B02435E535F03936954326A888561A4B5F77

August 31st, 2015 4:24pm

DNS - There are two listings for this domain, the .org and .local; both are pointing to the internal server address. I believe that this is what is correcting the problem. The internal address does not match the SSL certificate used (i.e. .org).

URL Config - Does the internal URL have to be pointing to the .local address? 

Currently the URLs, both internal and external, are pointing to the external address of mail.domain.org. I would like the internal clients to use this address because that is how the certificate is set up.

August 31st, 2015 4:30pm

Hi,

Please assign the IIS service to your certificate which includes mail.domain.org:

Enable-ExchangeCertificate -Thumbprint 9EA563C1CCA913ECEE588888842CD7FBEA0AC64 -Services IMAP,POP,SMTP,IIS

Then restart IIS service by running IISReset from a Command Prompt window.

Regards,

September 7th, 2015 11:32pm
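Before binding a certificate to IIS it is worth seeing which names Exchange actually publishes and whether the certificate IIS already serves covers them. The script below is an added example, not code from the thread: it reads the Autodiscover SCP, every virtual directory URL and the Outlook Anywhere host names, tests each name against the DNS names of the IIS-bound certificates (with correct single-label wildcard matching), shows what each name resolves to, and prints, without running, the Enable-ExchangeCertificate command for any installed certificate that would cover all of them. It runs in the Exchange Management Shell of an Exchange 2010/2013 server and changes nothing.

```powershell
# Added example, not from the original thread. Read-only: it reports, it does not bind.

function Test-CertNameMatch {
    # True if $HostName is covered by one of the certificate's DNS names.
    # A wildcard covers exactly one label: *.domain.org matches mail.domain.org,
    # but neither domain.org nor a.b.domain.org.
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.') -and
            $HostName.Split('.').Count -eq $d.Split('.').Count -and
            $HostName -like $d) { return $true }
    }
    return $false
}

function Get-UrlHost {
    # Host part of a URL, lower-cased; $null for an empty/unset URL.
    param($Url)
    if ($null -eq $Url -or "$Url" -eq '') { return $null }
    return ([System.Uri]"$Url").Host.ToLowerInvariant()
}

$server = $env:COMPUTERNAME

# 1. Every name Exchange hands to clients: Autodiscover SCP, virtual directory URLs
#    (internal and external) and the Outlook Anywhere host names.
$names = New-Object System.Collections.Generic.List[string]
$names.Add((Get-UrlHost (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri))
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    $names.Add((Get-UrlHost $vd.InternalUrl))
    $names.Add((Get-UrlHost $vd.ExternalUrl))
}
$oa = Get-OutlookAnywhere -Server $server
$names.Add("$($oa.ExternalHostname)".ToLowerInvariant())
if ($oa.PSObject.Properties['InternalHostname']) {      # Exchange 2013 and later
    $names.Add("$($oa.InternalHostname)".ToLowerInvariant())
}
$names = @($names | Where-Object { $_ } | Sort-Object -Unique)

# 2. Only certificates with IIS in Services answer HTTPS. A certificate bound to
#    IMAP/POP/SMTP alone (the first one in the output above) is never offered to Outlook.
$iisCerts = @(Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match 'IIS' })

foreach ($name in $names) {
    $covered = $false
    foreach ($c in $iisCerts) {
        if ($c.NotAfter -gt (Get-Date) -and
            (Test-CertNameMatch -HostName $name -CertDomains $c.CertificateDomains)) { $covered = $true }
    }
    try   { $ips = ([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $ips = 'DOES NOT RESOLVE' }
    # A .local name here, or certOK=False, is what produces the client's certificate warning;
    # a public IP in the resolves column from the LAN means split DNS is missing.
    '{0,-45} certOK={1,-5} resolves={2}' -f $name, $covered, $ips
}

# 3. Which installed certificate(s) would cover every published name? Print the command
#    the admin would run; do not run it from a diagnostic script.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    ForEach-Object {
        $cert = $_
        $missing = @($names | Where-Object { -not (Test-CertNameMatch -HostName $_ -CertDomains $cert.CertificateDomains) })
        if ($missing.Count -eq 0) {
            "Covers all published names: $($cert.Thumbprint)  ($($cert.Subject))"
            "  Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services IIS ; iisreset"
        }
    }
```

Read the certOK and resolves columns together: a name the IIS certificate does not list needs either a different certificate or a URL change, while a public address returned from inside the LAN needs the split-DNS zone. After binding, Outlook's "Test E-mail AutoConfiguration" dialog (Ctrl + right-click on the Outlook tray icon) shows exactly which Autodiscover URL and service URLs the client received.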
