Certificate warning outlook 2013 autodiscovery URL

  • Question

  • Hi

    We have two domains:

    unsworthcl.com

    uglog.com

    We purchased and installed a certificate for mail.unsworthcl.com on the exchange server.

    The issue is that our primary email accounts are using uglog.com. For autodiscovery to work we added DNS records for uglog.com to our Exchange. Autodiscovery now works. See post here.

    The problem is that clients are being prompted on Outlook 2013 startup about a certificate mismatch, as the URL for autodiscovery is autodiscovery.uglog.com and the certificate installed on the server is mail.unsworthcl.com.

    Is it possible to add a second certificate to the Exchange server for autodiscovery.uglog.com without disturbing the current certificate (mail.unsworthcl.com), which is working just fine? Or is there another way to resolve this?

    Thanks

    Wednesday, September 17, 2014 10:23 AM

All replies

  • Hi,

    What I would do is add a Subject Alternative Name (SAN) to the current certificate, for the DNS name autodiscover.your.domain.

    The autodiscover site is a virtual directory, so I don't think you can change certificate binding just for autodiscovery.
    You should be able to update the certificate from your certificate provider, and just update it in your IIS when you receive the new Certificate.

    /Pouria

    • Edited by P.molavi Wednesday, September 17, 2014 10:30 AM
    • Marked as answer by uklogistics Thursday, September 18, 2014 7:46 AM
    Wednesday, September 17, 2014 10:29 AM
  • Hi,

    You will have to add autodiscover.uglog.com to your certificate as a SAN, install the certificate, configure a redirection for autodiscover for the second domain (unsworthcl.com), and add mail.unsworthcl.com as a SAN if you use it.
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-autodiscover-large-numbers-accepted-domains-part1.html

    Follow the steps below to issue the certificate.

    1. Run this command from EMS to generate the CSR. You can see the CSR named "newcsr.txt" in the C:\CSR folder. Add the required SANs. You can use this link to get help with the command: http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f

    New-ExchangeCertificate -GenerateRequest -Path "C:\CSR\mail-domain-com.csr" -KeySize 2048 -SubjectName "c=US, s=INDIANA, l=Testcity, o=Northwind Traders, ou=IT, cn=mail.domain.com" -DomainName autodiscover.domain.com, mail2.domain.com -PrivateKeyExportable $True

    2. Reissue the certificate from your CA using the new CSR. Download the certificate from the CA when the reissue is complete.

    3. Assign services using the command below. Make sure you have selected the new certificate. You will see the thumbprints by typing "Get-ExchangeCertificate".

    Enable-ExchangeCertificate -Services IMAP, IIS, SMTP -Thumbprint 896B74B25F7EBF330C93E56DA2A76CFC6A7

    See the site below for examples of enabling services on Exchange 2007 and 2010:

    http://social.technet.microsoft.com/wiki/contents/articles/26721.oof-autodiscover-and-outlook-certificate-issues.aspx

    4. Delete the old certificate from EMS using this command:

    Remove-ExchangeCertificate -Thumbprint <old cert thumbprint>

    You can see the certificate thumbprints using the Get-ExchangeCertificate command.

    Please use this to configure your Autodiscover, EWS and OAB URLs:
    http://social.technet.microsoft.com/wiki/contents/articles/26721.oof-autodiscover-and-outlook-certificate-issues.aspx


    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by MAS- Wednesday, September 17, 2014 11:25 AM
    • Marked as answer by uklogistics Thursday, September 18, 2014 7:45 AM
    Wednesday, September 17, 2014 11:22 AM
  • Hi,

    I'm getting these errors when enabling the new certificate

    Enable-ExchangeCertificate -Thumbprint **************************cb4 -Services "SMTP, IMAP, IIS"

    WARNING: This certificate will not be used for external TLS connections with an
     FQDN of 'UNSWORTH-SRV01.unsworthcl.com' because the self-signed certificate
    with thumbprint '*****************************A02' takes precedence.
    The following connectors match that FQDN: Default UNSWORTH-SRV01, Internal
    Relay, Voicemail Pro.
    WARNING: This certificate will not be used for external TLS connections with an
     FQDN of 'mail.unsworthcl.com' because the CA-signed certificate with
    thumbprint '*****************************34EC' takes precedence. The
    following connectors match that FQDN: Windows SBS Internet Receive
    UNSWORTH-SRV01.

    Please help.

    Wednesday, September 17, 2014 3:33 PM
  • This is because the self-signed certificate is bound to SMTP. You can continue and enable SMTP on your 3rd-party certificate. After that, make sure SMTP is enabled on your certificate by running
    Get-ExchangeCertificate


    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    • Marked as answer by uklogistics Thursday, September 18, 2014 7:45 AM
    Wednesday, September 17, 2014 3:46 PM
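    Added example, not posted by anyone in this thread: a read-only check to run in the Exchange Management Shell after MAS's steps above, confirming that the certificate holding the IIS service covers every hostname Outlook will connect to (Autodiscover SCP, EWS and OAB URLs, plus the two names from this thread) and showing, per Receive connector FQDN, which SMTP-enabled certificates match, so the self-signed-precedence warning quoted above becomes visible before clients complain. It assumes it runs on the Exchange 2013 server itself; the expected names and the `Test-NameCovered` helper are assumptions for this example.

```powershell
# Added verification script (not from the thread). Run in the Exchange Management Shell.
# Assumptions: $server is the local Exchange server; $expectedNames are the two hostnames
# discussed in this thread and can be replaced with your own.
$server        = $env:COMPUTERNAME
$expectedNames = @('mail.unsworthcl.com', 'autodiscover.uglog.com')

# True when $name is one of the certificate's DNS names (single-label wildcard aware).
function Test-NameCovered([string]$name, [string[]]$domains) {
    foreach ($d in $domains) {
        if ($d -ieq $name) { return $true }
        if ($d.StartsWith('*.') -and $name -like $d -and
            $name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

$certs = Get-ExchangeCertificate -Server $server

# Hostnames Outlook actually uses: Autodiscover SCP URI, EWS and OAB virtual directory URLs.
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OabVirtualDirectory -Server $server         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
)
$webHosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique

# Every web-facing name must be on the certificate that currently holds the IIS service;
# a MISSING line here is exactly what produces the Outlook mismatch prompt.
foreach ($cert in ($certs | Where-Object { $_.Services -match 'IIS' })) {
    "IIS cert {0} (self-signed: {1}, expires {2})" -f $cert.Thumbprint, $cert.IsSelfSigned, $cert.NotAfter
    foreach ($h in (@($webHosts) + $expectedNames | Sort-Object -Unique)) {
        $ok = Test-NameCovered $h $cert.CertificateDomains
        "  {0,-8} {1}" -f $(if ($ok) { 'OK' } else { 'MISSING' }), $h
    }
}

# SMTP: Exchange selects a certificate per Receive connector FQDN, and a self-signed
# certificate matching that FQDN takes precedence (the warning quoted in this thread).
# Listing the SMTP-enabled certificates that match each FQDN makes that precedence visible.
foreach ($rc in Get-ReceiveConnector -Server $server) {
    $fqdn  = [string]$rc.Fqdn
    $found = $certs | Where-Object { ($_.Services -match 'SMTP') -and (Test-NameCovered $fqdn $_.CertificateDomains) }
    "Connector '{0}' FQDN {1}:" -f $rc.Name, $fqdn
    foreach ($m in $found) { "  {0} self-signed={1}" -f $m.Thumbprint, $m.IsSelfSigned }
    if (-not $found) { "  no SMTP-enabled certificate covers this FQDN" }
}
```

    If a self-signed certificate is listed for a connector whose FQDN is a public name, that is the certificate clients will be offered on that connector until it is removed or the connector FQDN is changed.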
  • Had to purchase a Standard Multiple Domain (UCC) SSL certificate with up to 5 domains, as per Pouria's suggestion.

    Then added the common domain mail.unsworth.com and SAN autodiscover.uglog.com to the new SSL certificate.

    Before purchasing the new SSL cert, I had to revoke the old SSL certificate with the supplier.

    I then followed the steps from MAS, restarted the Information Store and everything seems OK now. No more certificate mismatch errors from Outlook clients.

    The only thing I would mention is that when I navigate to Network > Connectivity from the SBS console, it shows the web server certificate as Unknown.

    Do I need to do anything here?

    Thursday, September 18, 2014 8:01 AM