Autodiscover for multiple domains without changing certificate

    Question

  • I have an Exchange 2007 SP1 environment used to host services for multiple mail domains. I have to use autodiscover to set up client Outlook installations (due to OAB, simplicity etc), but I do not want to keep having to update / reinstall my server certificates every time a new domain needs to be added. Is there any way I can achieve this without the Outlook clients receiving Outlook cert security warnings?

    Example....

    My exchange domain is domain1.com and my cert contains entries for autodiscover.domain1.com, webmail.domain1.com etc. etc.
    I now want to host email services for domain2.com and have set a DNS entry for autodiscover.domain2.com as a CNAME to point to autodiscover.domain1.com.
    Autodiscover works fine for Outlook users of domain2.com and they are able to download the Offline Address Book etc etc, but they are prompted at least once each session that the certificate does not contain an entry for autodiscover.domain2.com. I was hoping that the use of a CNAME record to redirect autodiscover.domain2.com over to autodiscover.domain1.com would overcome the issue, but it doesn't. Having to update my cert and then reimport it into Exchange every time I add a new hosted domain is not a desirable option.

    Many thanks if you can help.

    (EDIT) Just to clarify, I cannot add any HTTP redirects etc to the customers' domains, I can only add / modify DNS entries.
    Friday, June 05, 2009 11:24 AM

Answers

  • I've found another solution that has far more benefits than disadvantages. If you remove the autodiscover DNS entry from the client's domain and add an SRV record for _autodiscover._tcp.domain1.com on port 443 it works a treat. No cert errors, no need to change the cert for each customer etc etc.

    The only issue is that many DNS providers do not let you create SRV records. I can live with that!
    • Marked as answer by jwhitley Friday, June 05, 2009 3:59 PM
    Friday, June 05, 2009 3:59 PM
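To make concrete why the CNAME from the question still triggers a certificate warning while the SRV record in this answer does not, here is an added simulation (not code from this thread, from Microsoft or from Exchange) of the name an Outlook-style Autodiscover client ends up validating the server certificate against. The DNS zones, the 192.0.2.x addresses and the certificate SAN list are constructed, the lookup order is a simplified version of Outlook's (SCP and HTTP-redirect steps are left out), and a name that resolves is treated as reachable. The key point it shows: a resolver follows a CNAME, but TLS validates the name the client asked for (autodiscover.domain2.com, not on the cert), whereas an SRV record hands the client a new target name (autodiscover.domain1.com, on the cert) at the cost of the redirection prompt a later reply in this thread mentions.

```python
"""Added simulation: which host name does an Autodiscover client validate the
TLS certificate against, under the CNAME approach from the question versus the
SRV approach from the accepted answer? All DNS data below is constructed."""

from dataclasses import dataclass
from typing import Dict, Optional

# Constructed certificate: the SANs the question describes for domain1.com.
CERT_SANS = ["autodiscover.domain1.com", "webmail.domain1.com"]

# Zone data keyed by (owner name, record type). 192.0.2.0/24 is documentation space.
ZONE_CNAME = {                      # what the question tried
    ("autodiscover.domain1.com", "A"): "192.0.2.10",
    ("autodiscover.domain2.com", "CNAME"): "autodiscover.domain1.com",
}
ZONE_SRV = {                        # what the accepted answer does
    ("autodiscover.domain1.com", "A"): "192.0.2.10",
    # (priority, weight, port, target)
    ("_autodiscover._tcp.domain2.com", "SRV"): (0, 0, 443, "autodiscover.domain1.com"),
}


def resolve_a(name: str, zone: Dict, max_hops: int = 8) -> Optional[str]:
    """Resolve a name to an address, following CNAME aliases like a resolver does.
    Note what does NOT change: the name the client asked for, which is the name
    it will later validate the server certificate against."""
    for _ in range(max_hops):
        if (name, "A") in zone:
            return zone[(name, "A")]
        if (name, "CNAME") in zone:
            name = zone[(name, "CNAME")]
            continue
        return None
    return None


def san_matches(hostname: str, sans) -> bool:
    """Certificate name check: exact SAN match, or a single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


@dataclass
class Outcome:
    method: str            # "direct" (URL guess) or "srv"
    tls_hostname: str      # name the client validates the certificate against
    port: int
    ip: Optional[str]
    cert_ok: bool          # False means the user sees a certificate warning
    redirect_prompt: bool  # SRV redirection is shown to the user as a prompt


def autodiscover_target(mail_domain: str, zone: Dict, sans=CERT_SANS) -> Optional[Outcome]:
    """Simplified Outlook lookup order (SCP and HTTP-redirect steps left out):
    1. https://<domain>/autodiscover/autodiscover.xml
    2. https://autodiscover.<domain>/autodiscover/autodiscover.xml
    3. SRV _autodiscover._tcp.<domain>
    A name that resolves is treated as reachable, so the client connects to it
    and validates the certificate against that name."""
    for candidate in (mail_domain, f"autodiscover.{mail_domain}"):
        ip = resolve_a(candidate, zone)
        if ip is not None:
            return Outcome("direct", candidate, 443, ip, san_matches(candidate, sans), False)
    srv = zone.get((f"_autodiscover._tcp.{mail_domain}", "SRV"))
    if srv is not None:
        _priority, _weight, port, target = srv
        return Outcome("srv", target, port, resolve_a(target, zone), san_matches(target, sans), True)
    return None


if __name__ == "__main__":
    for label, zone in (("CNAME", ZONE_CNAME), ("SRV", ZONE_SRV)):
        print(label, autodiscover_target("domain2.com", zone))
```

Running it prints a `direct` outcome with `cert_ok=False` for the CNAME zone and an `srv` outcome with `cert_ok=True` and `redirect_prompt=True` for the SRV zone. Leaving the old CNAME in place alongside the SRV record reproduces the warning, because the URL-guess step finds autodiscover.domain2.com first, which is why the answer removes that entry from the customer's zone.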

All replies

  • Hi,

    You can do something like that if you get a separate public IP address for every new domain that you add to your system. Even in this case it will need more administration than exchanging certificates.
    The question is what type of certificates are you using? Certificate from a Public CA, own CA, or Self-Signed?

    Regards,
    Zoltán
    http://www.clamagent.org - Free Antivirus for Exchange
    http://www.it-pro.hu
    http://emaildetektiv.hu
    Friday, June 05, 2009 12:47 PM
  • Thanks for the reply Zoltán. I am using a publicly issued UC certificate (Entrust as root CA). It's not just the hassle of recreating / paying for an amended cert that concerns me, it's the need to remove / reinstall the cert each time a new domain is added. This will likely be several times per week and will mean services are unavailable for all users for at least a short period of time for each change. The cert request / removal / replace process is also open to errors / mistakes and I want to negate this as much as possible.

    Many thanks.
    Friday, June 05, 2009 12:52 PM
  • Hi JWhitley,

    How is this working for you? Do you just create an SRV record for each domain and point it to a valid name on the cert? What clients have you tested this with?

    Thanks


    Celtic

    Monday, February 13, 2012 8:20 PM
  • Hi jwhitley,

    Do you receive a redirection message when users try to use Autodiscover from an external network? I did the same solution, but users get a message that they will be redirected to mail.contoso.com.

    Monday, April 02, 2012 12:40 PM
  • Hi there,

    Just wondering whereabouts you add this in DNS? I have the same issue occurring internally; externally seems to work fine as I have done a public cert for that. So you create the SRV record in the other domains and point that to the primary domain? Is that what you are saying?

    thank you

    Monday, July 08, 2013 4:57 AM