Outlook 2007 & Exchange 2010 Autodiscover SSL certificate error annoyance

One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscover feature. Every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. Now, autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid – but it’s valid for mail.domain.com, not for the autodiscover name. I could buy an SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover,” but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.

I found a possible solution in KB 940726. Basically you use this cmdlet (the -Identity parameter is the name of the CAS server; <CASServerName> below is a placeholder) to change the Autodiscover URI for internal clients:

Set-ClientAccessServer -Identity <CASServerName> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

You’d replace mail.contoso.com with the external URL of your OWA server (in my case, mail.domain.com). I’ve made the changes but I think I need to wait for AD propagation. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.

Edit: I also needed to add a SRV record so Outlook would know what host to check for autodiscovery when outside the domain.

Edit 2: You also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV functionality.

Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip it. Unfortunately we have wildcard DNS active for our domain, so the name would still resolve.
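To make the three observations above concrete (the name on the certificate does not match the name Outlook connects to; a UCC or wildcard certificate would; and deleting the autodiscover record does nothing while wildcard DNS answers for it), here is an added example that is not part of the original post. It models a small, constructed DNS zone for the placeholder domain domain.com and checks certificate names against the hostnames Outlook 2007 SP1+ probes, in the documented order (domain root, autodiscover.domain, then the SRV target; the HTTP-redirect step is omitted for brevity). The zone contents, IP address, and certificate name lists are all assumptions made for the demo; nothing touches the network.

```python
"""Added example: why Outlook's Autodiscover probe trips over a single-name cert.

Everything here is constructed demo data; no real DNS or TLS is performed.
"""

# Constructed zone for a placeholder domain (assumption for the demo).
# Mirrors the post: autodiscover is a CNAME to mail, wildcard DNS is active,
# and an SRV record points Autodiscover at the OWA host.
ZONE = {
    "mail.domain.com": ("A", "203.0.113.10"),
    "autodiscover.domain.com": ("CNAME", "mail.domain.com"),
    "*.domain.com": ("A", "203.0.113.10"),          # wildcard DNS, as in the post
    "_autodiscover._tcp.domain.com": ("SRV", (0, 0, 443, "mail.domain.com")),
}


def zone_without(zone, *names):
    """Copy of zone with the given records deleted (to try 'Edit 3')."""
    return {k: v for k, v in zone.items() if k not in names}


def resolve(name, zone=ZONE, depth=0):
    """Final A-record value for name, following CNAMEs and falling back to a
    one-label wildcard (*.parent); None models NXDOMAIN."""
    if depth > 8:                       # guard against CNAME loops
        return None
    rec = zone.get(name)
    if rec is None and "." in name:
        rec = zone.get("*." + name.split(".", 1)[1])
    if rec is None:
        return None
    kind, value = rec
    if kind == "CNAME":
        return resolve(value, zone, depth + 1)
    return value if kind == "A" else None


def name_matches(pattern, hostname):
    """Match one certificate name (CN or dNSName SAN) against a hostname.
    '*' is honoured only as the entire leftmost label (RFC 6125 section 6.4.3),
    so *.domain.com covers mail.domain.com but not domain.com or a.b.domain.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False
    h_head, _, h_tail = hostname.partition(".")
    return bool(h_head) and h_tail == tail


def cert_covers(cert_names, hostname):
    """True if any name on the certificate is valid for hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def autodiscover_candidates(smtp_domain, zone=ZONE):
    """(hostname, resolves?) for each name Outlook 2007 SP1+ tries, in order:
    <domain>, autodiscover.<domain>, then the SRV target if one exists."""
    cands = [smtp_domain, "autodiscover." + smtp_domain]
    srv = zone.get("_autodiscover._tcp." + smtp_domain)
    if srv:
        cands.append(srv[1][3])          # SRV target host
    return [(h, resolve(h, zone) is not None) for h in cands]


def probe_report(smtp_domain, cert_names, zone=ZONE):
    """For every candidate that resolves, whether the server certificate is
    valid for that name. The first False is the dialog the post describes."""
    return [(h, cert_covers(cert_names, h))
            for h, ok in autodiscover_candidates(smtp_domain, zone) if ok]


# Constructed certificate name lists (assumptions): what the post has today,
# a GoDaddy-style UCC/SAN cert, and a wildcard cert.
SINGLE_NAME_CERT = ["mail.domain.com"]
UCC_CERT = ["mail.domain.com", "autodiscover.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("UCC", UCC_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, probe_report("domain.com", names))
    # 'Edit 3': deleting the autodiscover record changes nothing while the
    # wildcard exists; only removing both yields NXDOMAIN and skips the probe.
    trimmed = zone_without(ZONE, "autodiscover.domain.com")
    print("no autodiscover record:", resolve("autodiscover.domain.com", trimmed))
    print("no wildcard either:",
          resolve("autodiscover.domain.com", zone_without(trimmed, "*.domain.com")))
```

Running it shows the single-name certificate failing on autodiscover.domain.com and passing on the SRV target mail.domain.com, which is exactly the state the post describes: the cert is fine, the name Outlook dials first is not on it. Both the UCC and the wildcard certificate pass every probe, and the last two lines show that deleting the autodiscover record only helps once the wildcard record is gone too.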

Other useful resources:


7 Replies to “Outlook 2007 & Exchange 2010 Autodiscover SSL certificate error annoyance”

  1. KB2412171 is a recent Outlook 2007 hotfix that can break autodiscover with new profile creation.

    Remove the patch which arrived Jan 2011.
    “when setting up new Outlook profiles after installing this update. Instead of pre-populating the E-mail address field with the user's primary SMTP address, the user's UPN was used. This of course caused Autodiscover to fail since the UPN was not an alias on the mailboxes.
    After uninstalling the latest Outlook 2007 update the issue was resolved, and the primary SMTP address was pre-populated.
    I've also experienced the issue with Outlook 2010; removing the latest hotfix package resolved the issue.” – submitted on an Office TechNet blog

    The affected updates:

    Description of the Outlook 2010 hotfix package: December 14, 2010

    support.microsoft.com/…/2459115

    Description of the Office Outlook 2007 update: January 11, 2011

    support.microsoft.com/…/2412171

    The Outlook 2007 update is released to Windows Update/WSUS, while the Outlook 2010 hotfix package must be requested afaik.

  2. Wildcard cert is overkill. A UCC Cert from GoDaddy will do fine (Multi-domain, 5 domains). I’ve used it plenty of times and what a lifesaver, especially when migrating from an older Exchange server.

    1. Thanks Chris. I was debating a wildcard cert to replace all the various *.company.com certs we’ve already purchased. It would also enable us to stop using self-signed certs on sites that aren’t important enough currently to justify the cost of a real SSL cert.

  3. Just a note that I have had some issues with clients using wildcard certs when we set up multiple CAS servers handling OWA. In general it seems to go much smoother when we use a UCC cert.

