Outlook 2007 certificate error. Autodiscover entry doesn't exist.

  • Question

  • Hello all.

    When we create new Outlook profiles (for example, for a new user), that user always gets an Autodiscover error. You can see it in the screenshot below:

    but that entry "Autodiscover.mycompany.com" doesn't exist in my DNS entries.

    If I click on Yes, the user can work normally without any problem.

    For more information: after clicking on Yes and running the "Outlook Test AutoConfiguration", everything looks good. Even when launching the command "Get-ClientAccessServer | fl identity,autodiscoverserviceinternaluri" on my CAS servers, I get all the correct information.

    How can I modify that so my users get the certificate from the correct DNS entry and that error disappears?

    We have Exchange 2007 with Outlook 2007.

    Thanks in advance.

    Wednesday, November 27, 2013 10:55 AM

All replies

  • Hi

    You will need internal and external DNS set up for Autodiscover to work. You can test Exchange connectivity at https://testconnectivity.microsoft.com/ and it will tell you where your problem lies.

    Wednesday, November 27, 2013 11:02 AM
  • Thanks for the answer :)

    We are in a forest with 3 domains. My user account (xxxx@mydomain.com) belongs to a different domain than the Exchange servers (these are within a domain called "domainforservers"). Of course, Autodiscover is on the CAS servers.

    I think the tool you gave me is useless because it is trying to contact http:\\mydomain.autodiscover....................... instead of contacting http:\\domainforservers.autodiscover...................

    Am I doing something wrong?

    Any other ideas?

    Thanks in advance.

    Wednesday, November 27, 2013 11:21 AM
  • It will always search for mydomain.autodiscover because it is based on your SMTP domain. You should have Autodiscover entries for your environment. It will also solve other problems, like out of office, etc.

    Gurpreet Singh

    Wednesday, November 27, 2013 2:23 PM
  • Have a look at this link:

    http://blogs.technet.com/b/nawar/archive/2010/05/06/autodiscover-and-multiple-domains.aspx


    --- Rich Matheisen MCSE&I, Exchange MVP

    Wednesday, November 27, 2013 10:49 PM
  • Hi,

    There are several different methods to reach the Autodiscover service: SCP > DNS lookup (autodiscover.domain.com) > LocalXML > SRV record. By default, Outlook will try them one by one, in order, to reach the Autodiscover service.

    In your multiple-domain environment, Outlook may attempt more than one method if it is unable to reach Autodiscover. Please check which method is the successful one in Test E-mail AutoConfiguration. If you are using the SRV record to find the Autodiscover service, the certificate warning may occur when running the second stage, "autodiscover.mycompany.com". (The URL can be resolved but it is not included in the certificate.)

    There is a workaround for this issue. We can use the Autodiscover-related registry data to disable the first 3 methods on the Outlook client and force Outlook to access Autodiscover directly by SRV record. The following KB provides some detailed steps:

    http://support.microsoft.com/kb/2212902/en-us

    Here is an article about Multi-Tenant AutoDiscover Service:

    http://social.technet.microsoft.com/wiki/contents/articles/6818.exchange-2010-multi-tenant-autodiscover-service.aspx

    Thanks,


    Winnie Liang
    TechNet Community Support


    Thursday, November 28, 2013 6:20 AM
    Moderator
  • Thanks.

    Autodiscover entries are only present within the domain "domainforservers". But in my other 2 domains (mydomain1.com and mydomain2.com) that entry was missing from the DNS records. So I added the following entry within domain1 and domain2:

    autodiscover         type=alias       cas.domainforservers.com

    Is that OK? Is it really needed?

    Thanks

    Thursday, November 28, 2013 10:40 AM
  • Hello again.

    Another interesting thing I found.

    Within the certificate, in the "subject alternative name" property, the entries are the following:

    - cas.domainforservers.com

    - mydomain1.com

    - mydomain2.com

    BUT SHOULD THEY NOT BE LIKE THE FOLLOWING?

    - autodiscover.domainforservers.com

    - autodiscover.mydomain1.com

    - autodiscover.mydomain2.com

    Thanks in advance for all the info you provide me.



    • Edited by vitinx Thursday, November 28, 2013 11:40 AM
    Thursday, November 28, 2013 11:39 AM
  • The client is going to use the domain name of the primary SMTP proxy (that's usually what the user knows as their e-mail address) to find your Autodiscover.

    If that domain's "domainforservers.com" then it's going to try https://domainforservers.com/autodiscover/autodiscover.xml and http://autodiscover.domainforservers.com/autodiscover/autodiscover.xml.

    If the FQDN part of the URL isn't in the certificate bound to the web site you'll get that certificate error carping about mismatched names.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Thursday, November 28, 2013 10:39 PM
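
The name check described in the reply above, as an added example that is not part of the thread or any poster's own code: it lists the HTTPS Autodiscover host names Outlook derives from each SMTP domain and reports which ones the certificate's subject alternative names do not cover. The SAN list and domains are the placeholder names quoted in the thread, the choice of SMTP domains is an assumption, and the function names are made up for this example.

```powershell
# Added example; inputs are the placeholder names quoted in the thread.
# SAN entries the thread lists for the certificate on the CAS web site.
$CertSans = @('cas.domainforservers.com', 'mydomain1.com', 'mydomain2.com')
# Primary SMTP domains of the affected users (assumption based on the thread).
$SmtpDomains = @('mydomain1.com', 'mydomain2.com')

function Test-SanMatch {
    # True when $HostName is covered by one SAN entry. A wildcard entry
    # (*.example.com) covers exactly one additional left-most label.
    param([string]$HostName, [string[]]$Sans)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($san in $Sans) {
        $s = $san.ToLowerInvariant().TrimEnd('.')
        if ($s -eq $h) { return $true }
        if ($s.StartsWith('*.')) {
            $suffix = $s.Substring(1)   # "*.example.com" -> ".example.com"
            if ($h.EndsWith($suffix, [StringComparison]::Ordinal)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-AutodiscoverCertGap {
    # For each SMTP domain, emit the root-domain and autodiscover.<domain>
    # HTTPS URLs and whether the SAN list covers the host name in each.
    param([string[]]$Domains, [string[]]$Sans)
    foreach ($d in $Domains) {
        foreach ($h in @($d, "autodiscover.$d")) {
            [pscustomobject]@{
                SmtpDomain = $d
                Url        = "https://$h/autodiscover/autodiscover.xml"
                InSan      = Test-SanMatch -HostName $h -Sans $Sans
            }
        }
    }
}

$report = Get-AutodiscoverCertGap -Domains $SmtpDomains -Sans $CertSans
$report | Format-Table -AutoSize

# Names to request on the replacement certificate: current SANs plus the gaps.
$missing = $report | Where-Object { -not $_.InSan } | ForEach-Object { ([uri]$_.Url).Host }
($CertSans + $missing) | Sort-Object -Unique
```
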
  • Thanks Rich for the answer.

    After understanding all the Autodiscover behaviour, I think I should add the entry:

    autodiscover.mydomain1.com (the domain where the clients are)

    within the "subject alternative name" property in the certificate.

    Is that right?

    To do that... I have to create a new certificate.

    • Marked as answer by vitinx Thursday, December 5, 2013 9:06 AM
    Friday, November 29, 2013 10:23 AM
  • That should work.

    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, November 30, 2013 2:28 AM
  • Thanks for the answer.

    Of course I have to carry out the changes in the following weeks, but I really think this is the issue.

    Kind regards.

    Thursday, December 5, 2013 9:05 AM