Exchange 2007 Autodiscover and certificates

re: Exchange 2007 Autodiscover and certificates

VOLMan — Wed, 27 Aug 2008 23:04:29 GMT

Right On Alessandro Appiani! AutoDiscover is somebody's crack dream. I have been trying to get it to work correctly on my company's domain before I have to set it up for a customer. I have just gotten all of my Exchange customers on board with using an SSL period. I have 1 or 2 that won't spend the money. Many of my Exchange customers run Small Business Server and Exchange 2003. I can see me trying to explain this dual name SSL to mine and Microsoft's customers. I have never seen so many geeks blogging on one topic. Nobody is getting this one! I did not get why it wasn't working until I got into this blog. Now that I get why it is not working, I have got to say this is the same logic that said, "Let's hide file save as from them!" in Office 2007. Anybody developing these products with any business acumen?

Whether you are new with Exchange like "Jim - Newbie" or have set up and maintained many Exchange Servers, her are my thoughts:

- Many great new features in Exchange 2007
- Most companies I work with don't have separate Exchange Administrators. Breaking user management away from AD & going back to the 5.5 model is more complicated and difficult for me to explain to customers who wear Sys Admin caps when I am not on site.
- Who decided we all were command line freaks and no longer wanted effective GUI management interfaces?
- Like one blogger said, "Stop telling us how way cool Exchange 2007 is" and give us some outstanding straight forward "how to's" on the Knowledge Base.
- Fix this abortion called Autodiscover in Service Pack 2.

re: Exchange 2007 Autodiscover and certificates

James Silliman — Thu, 07 Jun 2007 22:10:49 GMT

Digicert has one for $300 with a 30-day satisfaction. I don't work for them :)

re: Exchange 2007 Autodiscover and certificates

Anonymous Coward — Mon, 28 May 2007 07:53:22 GMT

Who are some service providers that offer Subject Alternative Name certficiates? Thawte won't do it. The 3 that I'm aware of, Geotrust (which only offers 4 names), is 599/year, Entrust (10 names) is 599/year, and Verisign's Managed PKI services (unknown price).

Everything seems extremely costly.

From what I gather I need the following names:

1) autodiscover.domain.com
2) mail.domain.com
3) autodiscover.domain.local
4) cas.domain.local
5) CASnetbiosname??

re: Exchange 2007 Autodiscover and certificates

Alessandro Appiani — Sun, 27 May 2007 18:15:32 GMT

Few comments about "autodiscover" to Exchange Architects and bright minds that did think that:
- autodiscover has a clear higher TCO than previous Exchange versions to publish Exchange Services to the Internet
- autodiscover architecture make Outlook 2003 a best-choice over Outlook 2007 for Outlook Anywhere (and Outlook 2007 is no more in Exchange CAL)
- it's simply unmanageable for a medium company hosting many internet mail domains inside the organization (every domain added requires certificate re-submission & web service reconfiguration)
- it's unbelievable that not implementing autodiscovery method (complex, costly, difficult to manage) make simple, robust & consolidated features of Outlook/Exchange like OOF, Calendaring & Meeting scheduling, ... no more usable from outside the company (eg: Outlook anywhere)
- it's unbelievable that an "autoconfiguration" method like autodiscover in my opinion is and should be, it's required even if Outlook client is already configured. The result is that without autodiscover in place outlook (anywhere) is working at 50%.
- it's unbelievable that "out-of-the-box" e2k7/o2k7 do LESS for the users (outside company) than e2k3/o2k3

Information Technology is always getting more complex, and thinking in a complex way doesn't help to get things working. I doesn't understand why my outlook (anywhere) is able to send and receive mail, but not to synchronize GAL, place a meeting, setting Out-of-office, configuring Voice Mail...

If I'm able to talk to a CAS to access Mailbox, AND Active Directory (for authentication & c.) why shouldn't I get FROM THAT WAY even configuration info for which Autodiscover is required?
Why CAS doesn't do for me the initial simple autodiscovery query getting the XML (in other words proxying autodiscover like it proxies other access request)? It seems so simple to me...someone could answer me?

Thanks!
Alessandro
PS: It seems to me that you (Microsoft people) design a product with no respects for your users, and without historical memory of your products, often reinventing the wheel...am I wrong?

re: Exchange 2007 Autodiscover and certificates

chuck2000 — Fri, 25 May 2007 22:58:47 GMT

In an environment where you have multiple CAS servers in a site how should you approach installing a certificate. Can you just have one regular 3rd party cert for the CAS server that is accessed from the internet for OWA. Not sure how you would force clients to query a certain CAS in a site for outlook 2007 clients for FB. Can you purchase SAN certificates for more then one server and still have overlapping domains.

re: Exchange 2007 Autodiscover and certificates

Jim — Tue, 22 May 2007 05:06:00 GMT

All set.

Thanks

re: Exchange 2007 Autodiscover and certificates

Inspector71 — Sat, 19 May 2007 15:43:36 GMT

I run into this problem after applying a cert from godaddy to my CAS box. I run the cmdlet below and all is well from what I can tell. Both OWA and Outlook 2007 clients connect with no certificate errors.

if you are using a commercial certificate from Verisign or Godaddy to work around it you can use the following CMDLET to update the SCP inside of the AD: Set-WebServicesVirtualDirectory -Identity "EWS*" -ExternalUrl "Https://mail.synergyps.com/EWS/Exchange.asmx" -InternalUrl "Https:// mail.synergyps.com/EWS/Exchange.asmx".- the previous command will update all of the services (OAB,Free/Busy,OOF,GAL) address, but if you are interested in updating the Autodiscovery SCP only you can use the following CMDLET: Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://mail.synergyps.com this will allow you to use a commercial certificate along with your secure deployment of exchange 2007 and avoid the common errors most of the customers complained from when using AutoDiscovery service

read more here
http://busbar.maktoobblog.com/?post=271192

re: Exchange 2007 Autodiscover and certificates

Matthew Byrd — Thu, 10 May 2007 00:01:56 GMT

Jim:

I just now realized that some of the links were moved from their position in the document to the bottom of the document. Here are the links to the Exchange 2007 Help file information for each of the sections:

Multiple names in one certificate
How to Configure SSL Certificates to Use Multiple Client Access Server Host Names
http://technet.microsoft.com/en-us/library/aa995942.aspx

Method 1: Multiple Certificates
Deployment Considerations for the Autodiscover Service : Using Multiple Sites for Internet Access to the Autodiscover Service
http://technet.microsoft.com/en-us/library/aa997633.aspx

Method 2: Http Referral
Deployment Considerations for the Autodiscover Service : Hosted Environments and the Autodiscover Service
http://technet.microsoft.com/en-us/library/aa997633.aspx

Also I will be posting more direct steps per your request at the following link:
http://www.exchangeninjas.com/cascertificateconfig

BOE:

In response to your question about Exchange and Certs ... You have to run autodiscover with Certificates. We will not allow it to work otherwise. This is to help ensure the security of your users and your data.

Jim:

Is this an internal or External client? Internal clients get their connection point from the SCP and in the log your should see:
Attempting URL https://scp.company.com/autodiscover/autodiscover.xml found through SCP

The Key there is:
Found through SCP

If it is an external client then it will ONLY connect to autodiscover on mydomain.com or autodiscover.mydomain.com ... outlook is Hard Coded to connect using only thoses domains.

Hope this has addressed everyones questions
-Matt

re: Exchange 2007 Autodiscover and certificates

Jim — Sun, 06 May 2007 07:59:09 GMT

Hello,

I tried the wiki script - now for some reason the log from my outlook client shows that it is trying to go to -
Autodiscover to https://mydomain.com/autodiscover/autodiscover.xml starting
It needs to go to https://exchange.mydomain.com/autodiscover/autodiscover.xml - not sure how to fix it to what it was.

re: Exchange 2007 Autodiscover and certificates

boe — Sun, 06 May 2007 07:48:28 GMT

Is it possible to just run the server autodiscover without a cert requirement?