Outlook 2013 cannot connect to local Exchange 2013 server

Server name EXCHANGE: is Domain controller for (domainname.local), DNS server and Exchange 2013 

Has UCC CA cert successfully installed for (exchange.domainname.com)

External Outlook connections, Web Outlook and autodiscover work fine.

Local DNS points autodiscover.domain.com & exchange.domainname.com to internal IP

I have used the above configuration many times for Exch2010/Outlook 2010 and it works great.

PROBLEM: Outlook 2013 clients on a local domain member autoconfigure (through autodiscover) but report a certificate error that the names do not match. When I force the acceptance of the cert error, the Outlook 2013 account sets up with an Exchange server of "BIG LONG GUID"@domainname.com, which cannot resolve, and Outlook fails.

Please help..


 

December 20th, 2012 5:25am

Hi,
Do you have the name exchange.domainname.local in your certificate?

If not, then check that the setting for Internalhostname is the same as the externalhostname configured for Outlook Anywhere.

Example:

Get-OutlookAnywhere | ft Internalhostname,externalhostname


Note: Nothing wrong with the "BIG LONG GUID"@domainname.com. That is the GUID for the mailbox database the mailbox is stored in.



December 20th, 2012 6:00am

The big long GUID is actually normal. Exchange 2013 uses a routing address to locate the appropriate server now instead of server names. That said, you'll want to enter a SRV record in your domain.local DNS Forward Lookup Zone to point Autodiscover on that domain to autodiscover.domain.com. Autodiscover uses the local domain DNS to attempt connections to Autodiscover. So you need to ensure that your internal domain is capable of handling it. To do that, clear any A records for Autodiscover in your domain.local FLZ in DNS. Then right click the FLZ, click Other New Records. Select Service Location (SRV). Enter _autodiscover as the Service, _tcp as the Protocol, 443 for the Port, and autodiscover.domain.com as the Host offering this service. Hit OK. That should get rid of the Certificate Error for you. Let us know if that fixes the problem for you. If not, let us know as well. Also make sure you can access OWA with the account you're using to set up Outlook with. The mailbox might have issues.

Edit to add: I just did some testing on my network, and it looks like Exchange 2013 will enforce Certificate Validity on autodiscover clients now. Since you're configuring internal clients, autodiscover will default to using your domain.local address as the SMTP name for client machines. If you configure Outlook Anywhere to use SSL, this will prevent you from connecting to Outlook. Adding the Autodiscover SRV record will allow you to fix this problem.

  • Edited by acbrown2010 Thursday, December 20, 2012 6:12 PM
  • Marked as answer by Power Computers Thursday, December 20, 2012 6:36 PM
December 20th, 2012 5:19pm
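
The DNS change described in the answer above, scripted with the DnsServer module and followed by a verification step. This is an added example, not part of the original posts; the zone and host names are the thread's placeholders, and the SRV priority and weight of 0 are assumptions, since the post does not give them.

```powershell
# Added example: run in an elevated PowerShell session on the internal DNS server.
# Names below are the thread's placeholders; substitute your own zone and host.
$Zone   = 'domain.local'               # internal AD forward lookup zone
$Target = 'autodiscover.domain.com'    # name that is present on the certificate

# 1. Clear any Autodiscover A records from the internal zone.
Get-DnsServerResourceRecord -ZoneName $Zone -Name 'autodiscover' -RRType A `
        -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $Zone -Force

# 2. Add _autodiscover._tcp on port 443 pointing at the certificate's name,
#    unless an SRV record with that name already exists.
$existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name '_autodiscover._tcp' `
                -RRType Srv -ErrorAction SilentlyContinue
if (-not $existing) {
    # Priority and weight of 0 are assumed values (single target).
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name '_autodiscover._tcp' `
        -DomainName $Target -Port 443 -Priority 0 -Weight 0
}

# 3. Verify from a client's point of view: the SRV record must be returned
#    and its target must resolve to the internal IP.
Resolve-DnsName -Name "_autodiscover._tcp.$Zone" -Type SRV -ErrorAction Stop |
    Where-Object Type -eq 'SRV' |
    Format-Table Name, NameTarget, Port, Priority, Weight

Resolve-DnsName -Name $Target -Type A -ErrorAction Stop |
    Where-Object Type -eq 'A' |
    Format-Table Name, IPAddress

# 4. The old autodiscover.<zone> name should no longer return an address.
$stale = Resolve-DnsName -Name "autodiscover.$Zone" -Type A -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'A'
if ($stale) {
    Write-Warning "autodiscover.$Zone still resolves; clients may still reach a name that is not on the certificate."
}
```

Client resolver caches can hold the removed A record for a while, so run step 4 from a workstation after `ipconfig /flushdns` as well.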

I was able to add the .local SAN to the SSL cert. And adding the SRV records allowed Outlook to autodiscover. Although a certificate name-mismatch error popped up, Outlook now opens and runs fine without any cert warnings. I'm guessing that because the proxy url matches the cert, Outlook is happy once running.

On another issue, OWA works fine internally and externally. But the REMOTE CONNECTIVITY ANALYZER fails (causing mobile devices not to connect) at phase FAILED TO SEND OPTIONS COMMAND TO SERVER with these details:

Testing of the OPTIONS command failed


Any ideas?

December 20th, 2012 6:45pm

For information, I just added a post on my blog about this. If you'd like to read it, it's available here: http://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
December 20th, 2012 7:15pm

Hi acbrown2010,

I think Power Computers meant the Mailbox_Exchange_guid@domain.com placed on the servername under account settings.

Instead of a servername placed under account settings we get the mailbox's Exchange GUID?!?

Every time I try to test E-mail Autoconfiguration after Outlook starts I get a certificate error?!?

If you take a look at the Connection Status you will see that Outlook is connected to the Exchange server, but under Server Name you will still see the mailbox Exchange_Guid@domain.com.

WHY?

Won't we always get a certificate warning/error when Outlook connects?

I looked all over the web and couldn't find any detailed info.

May 1st, 2013 10:22am

The entry there isn't what the SSL certificate is talking about. That GUID server name is entered by Autodiscover, and the SSL certificate error is because you are attempting to access the Autodiscover service using a server name that is not listed on the SSL certificate, like autodiscover.company.local. If you read my blog above it gives more detail, but basically Autodiscover attempts to find autodiscover information at a number of different locations. It first looks for autodiscover.company.com, then just company.com, then it looks for SRV records. If it finds autodiscover info at any of those locations it communicates with the server using the name it finds and gives you that error message. The long GUID has nothing to do with this process.
March 12th, 2014 8:39pm
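
A check for the name mismatch discussed in this reply and in the first reply's `Get-OutlookAnywhere` suggestion: it lists the host names the server publishes to clients and reports whether each one is on the certificate bound to IIS. This is an added example, not part of the original posts; `Test-NameOnCert` is a hypothetical helper, `autodiscover.domain.com` is the thread's placeholder for the SRV target, and skipping self-signed certificates is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.

# Collect every host name the server hands to Outlook clients.
$published = @()
Get-OutlookAnywhere | ForEach-Object {
    $published += [pscustomobject]@{ Source = 'OutlookAnywhere Internalhostname'; Name = "$($_.InternalHostname)" }
    $published += [pscustomobject]@{ Source = 'OutlookAnywhere externalhostname'; Name = "$($_.ExternalHostname)" }
}
Get-ClientAccessServer | ForEach-Object {
    $uri = "$($_.AutoDiscoverServiceInternalUri)"
    if ($uri) {
        $published += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'; Name = ([uri]$uri).Host }
    }
}
# Target of the internal SRV record (placeholder name from the thread).
$published += [pscustomobject]@{ Source = 'Autodiscover SRV target'; Name = 'autodiscover.domain.com' }

# Hypothetical helper: true if $Name matches one of the certificate names.
# A wildcard entry such as *.domain.com covers exactly one label.
function Test-NameOnCert([string]$Name, [string[]]$Sans) {
    foreach ($san in $Sans) {
        $pattern = '^' + [regex]::Escape($san).Replace('\*', '[^.]+') + '$'
        if ($Name -match $pattern) { return $true }
    }
    return $false
}

# Compare against each non-self-signed certificate enabled for IIS.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
    ForEach-Object {
        $sans  = @($_.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $thumb = $_.Thumbprint
        $published | Where-Object Name | ForEach-Object {
            [pscustomobject]@{
                Thumbprint    = $thumb
                Source        = $_.Source
                Name          = $_.Name
                OnCertificate = Test-NameOnCert $_.Name.ToLower() $sans
            }
        }
    } | Format-Table -AutoSize
```

Any row with `OnCertificate` set to `False` is a name that will raise the mismatch prompt when a client is directed to it.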

Hi,

I have recently installed Exchange 2013 as follows:

one CAS and two mailbox DAG

So I was facing a similar issue: Outlook clients were not able to see the CAS.

So here is the magic solution:

1- Created an SRV record for autodiscover, the same as acbrown2010 did above in his reply

2- Created an A record for autodiscover, with the IP the same as the CAS IP

3- Created an internal certificate on the CAS server ("create a new certificate request") and included all names such as CAS, MBs, Autodiscover. This step is to avoid the warning message during Outlook setup, because self-signed certificates in Exchange 2013 do not help.

After that I tested Outlook and it was working fine: NO GUID and NO certificate warning.

August 14th, 2014 10:55am

Hi Sultan,

We have also installed 2 Exchange 2013 SP1 servers in a DAG configuration to co-exist with Exchange 2007. Everything went smoothly with the installation and configuration, but our problem is that Outlook does not connect to Exchange internally; it gives the error "The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online to complete this action." But the strange thing is that when connecting over VPN and configuring manually, Outlook users can connect.

Below are some details:

Mail2.company.com(10.1.100.10) - Exchange 2007 server SP3

Mail3.company.com(10.1.100.20) and Mail4.company.com(10.1.100.30) - Exchange 2013 server SP1

Created 2 A records in DNS for Mail5.company.com with the IP addresses of Mail3 and Mail4 - for DNS round robin.

Clients can ping Mail5 successfully and OWA is working fine with the address of Mail5.company.com. The 2 Exchange 2013 SP1 servers in DAG configuration (Failover Cluster) are working OK; if Mail3 is down, Mail4 will take over.

Outlook Anywhere for Exchange 2007 SP3 - Mail2.company.com

Outlook Anywhere for Exchange 2013 SP1 - Mail5.company.com

Client email address - user1@technical.com

                     - User1@accounting.com


We don't want clients of Exchange 2007 to be affected, and then we can migrate to Exchange 2013.

Your help is very much appreciated. Awaiting your reply...

July 16th, 2015 10:02am

This topic is archived. No further replies will be accepted.
