SSL certificate needed for autodiscover.domain.com

Status
Not open for further replies.

Oliver M

The internal Outlook clients in my company get an SSL error when they open Outlook 2007.
The error says that there is no valid certificate for autodiscover.domain.com.

I've tried to add a self-signed certificate, but it does not work.
So far I've got a valid certificate for mail.domain.com, which is assigned to the IIS service, and a self-signed certificate for MAIL2.internaldomain.com, which is assigned to IMAP, POP, SMTP.
I've tried to add another self-signed certificate for autodiscover.domain.com, but the error remains. (This certificate is not assigned to any services. I've tried adding it to the IIS service, but that doesn't make any difference.)
How can I solve this problem?
 

Michel de Rooij

Normally, domain joined clients accept self-signed certs. Also, they locate the services through SCPs in Active Directory rather than using DNS autodiscover.* More info here: http://technet.microsoft.com/en-us/library/bb124251.aspx

I think you haven't assigned the cert to the proper services on the CAS server, after installing it there. Check this walkthrough from Paul:
http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services

Michel de Rooij,
MCITP Ent.Msg 2007+2010| MCTS W2008, Ex2007+2010 Conf, OCS2007 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
 

Oliver M

Hello, the clients are not connected to a domain.

The SAN of the valid certificate does not contain autodiscover.domain.com.

The self-signed certificate for the IMAP/POP/SMTP services works fine.
Is it possible to assign 2 certificates to the same (IIS) service?

But I still don't understand why the clients receive an SSL error. The autodiscover internal and external URLs point to mail.domain.com and not to autodiscover.domain.com. Also, the autodiscover virtual directory does not require SSL.
 

Anand Sunka

Hi,

When you apply the cert in IIS, IIS binds only one cert at a time. I don't think we can assign 2 certs in IIS.

The cert which you are using should have valid SAN names like:

SAN - one for internal name like internal.domain.com
SAN - one for external name like external.domain.com
SAN - one for autodiscover name like autodiscover.domain.com

Add the cert to the trusted store on the client PCs (the ones on which you are facing issues) using MMC.

Regards
Anand S
 

Michel de Rooij

Since your clients are non-domain joined, they face the same situation as external clients, e.g. certificates need to be valid. Self-signed certs will result in security warnings.

You have two options:
1. Get a UC certificate with the proper host names as SANs through a 3rd party certificate authority, e.g. http://support.microsoft.com/kb/929395
2. Export the certificate and chain and import them in the certificate store of each client

More info here: http://technet.microsoft.com/en-us/library/dd351044.aspx

Michel de Rooij,
MCITP Ent.Msg 2007+2010| MCTS W2008, Ex2007+2010 Conf, OCS2007 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
 

Brian Day MCITP

For what it's worth I believe Outlook 2010 stops trusting all self-signed certs, which to me is better anyways.

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.
 

AndyD_ [MVP]

Yes, Outlook 2010 will complain about the Exchange self-signed cert. Communicator will as well.
 

Brian Day MCITP

Yup, it was just an informational point because what might be able to be made to work today will suddenly not work when an upgrade to OLK2010 happens.

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.
 

Oliver M

Thanks for the help so far.

I was just wondering: isn't it possible to have the Outlook clients connect to mail.domain.com instead of autodiscover.domain.com?
There are several autodiscover settings you can change and none of them point to autodiscover.domain.com, so why does it try to connect to this URL?
 

Michel de Rooij

The whole point of autodiscover is that you don't need to configure clients and Outlook knows where to look for certain information (e.g. Free/Busy). For that purpose it uses autodiscover fqdn, which leads to a location (CAS server) where the client can download an XML with all the information for the logged in user, e.g. the mailbox server hosting the mailbox of the user.

Of course you can override settings by manual configuration or through PRF files, but by default Outlook will try to use autodiscover.

If you want to have a look at what's happening under the hood, CTRL+Right-click Outlook systray icon > Test E-Mail Autoconfiguration or give this a shot (Outlook not required):
http://eightwone.com/2010/08/15/standalone-autodiscover-test/

Michel de Rooij,
MCITP Ent.Msg 2007+2010| MCTS W2008, Ex2007+2010 Conf, OCS2007 Conf | MCSE+Msg2k3 | MCSE+Inet2k3 | Prince2 Fnd | ITIL
I blog on http://eightwone.wordpress.com/ and tweet on http://twitter.com/mderooij
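
An added illustration, not part of the thread and not Exchange or Outlook code: a non-domain-joined Outlook derives its Autodiscover hosts from the user's SMTP address, which is why autodiscover.domain.com is contacted even though no configured URL names it. The script below checks constructed SAN lists against those hosts; the function names and the sample address oliver@domain.com are assumptions.

```python
# Added example (not from the thread). domain.com and mail.domain.com are the
# thread's placeholder names; the SAN lists below are constructed samples.

def autodiscover_hosts(email_address):
    """HTTPS hosts a non-domain-joined Outlook derives from the SMTP domain.

    They come from the address itself, not from the Autodiscover URLs
    configured on the Exchange server, and are tried in this order.
    """
    domain = email_address.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]


def san_covers(hostname, san):
    """True if one certificate SAN entry covers hostname.

    Exact match, or a wildcard that is the whole leftmost label and stands
    for exactly one label (so *.domain.com does not cover domain.com).
    """
    host = hostname.lower().rstrip(".").split(".")
    name = san.lower().rstrip(".").split(".")
    if len(host) != len(name):
        return False
    if name[0] == "*":
        # Conservative assumption: ignore wildcards directly under a TLD.
        return len(name) > 2 and host[1:] == name[1:]
    return host == name


def coverage(email_address, san_dns_names):
    """Map each Autodiscover host to whether the certificate covers it."""
    return {
        host: any(san_covers(host, san) for san in san_dns_names)
        for host in autodiscover_hosts(email_address)
    }


# Constructed SAN lists mirroring the thread's two situations.
CURRENT_CERT = ["mail.domain.com"]
UC_CERT = ["mail.domain.com", "autodiscover.domain.com"]

if __name__ == "__main__":
    for label, sans in (("current", CURRENT_CERT), ("UC", UC_CERT)):
        for host, ok in coverage("oliver@domain.com", sans).items():
            print(f"{label:8} {host:28} {'covered' if ok else 'NAME MISMATCH'}")
```

Any host reported as a mismatch that also resolves to the IIS site will trigger the name warning in Outlook, regardless of whether the certificate chain is trusted.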
 