One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscover feature. Every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid, but it’s valid for mail.domain.com, and Outlook checks the name it actually connected to (autodiscover.domain.com) against the names in the certificate, so the CNAME doesn’t help. I could buy an SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover”, but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.
I found a possible solution in KB 940726. Basically you use this cmdlet to change the Autodiscover URI that domain-joined (internal) clients pick up from the Service Connection Point in Active Directory:
Set-ClientAccessServer -Identity CAS01 -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
Replace CAS01 (a placeholder here) with the name of your Client Access server, and mail.contoso.com with the external URL of your OWA server, i.e. the host name that is already on the certificate the CAS presents (in my case, mail.domain.com). I’ve made the changes, but I think I need to wait for AD replication, since the value lives in Active Directory and that’s where Outlook reads it from. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.
Edit: I also needed to add an SRV record so Outlook would know what host to check for Autodiscover when outside the domain (a client that isn’t domain-joined can’t read the SCP from AD and has to fall back to DNS).
Edit 2: You also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV lookup to work.
Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip that step, falling through to the SRV record. Unfortunately we have wildcard DNS active for our domain, so the name resolves anyway and the certificate prompt comes right back.
Other useful resources:
- MS Exchange Team blog post comparing the various autodiscover schemes.
- Set-ClientAccessServer.
- Test Exchange Connectivity
- Setting Autodiscover URL via DNS SRV record
- Autodiscover whitepaper.
- Example Autodiscover BIND record – _autodiscover._tcp.domain.com. SRV 0 0 443 webmail.domain.com. (priority 0, weight 0, port 443, target webmail.domain.com; the trailing dots keep BIND from appending the zone origin to the names)
- Debug Autodiscover by right-clicking the Outlook icon in the system tray while holding down Ctrl
- Verifying SRV records exist with nslookup
- What version of Outlook am I running? You need SP1 or later for the SRV hack.
- Hotfix for Outlook 2007 (pre-SP1) to use SRV records for autodiscovery
I think it may just be easier to pay the $200/year for a wildcard SSL certificate from GoDaddy. This is getting to be a real pain.
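To make the lookup order and the name check concrete, here is an added Python model that is not code from this post or from Microsoft. It replays the candidates Outlook tries (the root domain, then the autodiscover host, then the SRV target) against a simulated zone and a simulated CAS certificate, so you can see why the prompt appears with wildcard DNS, why deleting the record alone doesn’t help, and what a wildcard or multi-name certificate changes. The domain, zone entries, SRV record and certificate names are all constructed, and nothing touches DNS or TLS.

```python
"""Outlook 2007/2010 Autodiscover lookup order and the certificate-name check
behind the warning for autodiscover.domain.com.  Added example, not code from
the original post; the domain, zone entries, SRV record and certificate names
are constructed, and every lookup is simulated offline (no DNS, no TLS)."""

from dataclasses import dataclass

PATH = "/autodiscover/autodiscover.xml"


def name_matches(host, pattern):
    """Match a host against a certificate name or a DNS owner name: exact
    match, or a wildcard in the leftmost label covering exactly one label
    (*.domain.com covers autodiscover.domain.com, not domain.com itself and
    not a.b.domain.com).  Real DNS wildcards also cover deeper names; one
    label is all this scenario needs."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if host == pattern:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".domain.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


def cert_matches(host, cert_names):
    """True if the certificate (CN plus subject alternative names) is valid
    for host; Outlook shows the prompt from the post when this is False."""
    return any(name_matches(host, n) for n in cert_names)


def resolves(host, zone):
    """Stand-in for DNS: zone is the set of A/CNAME owner names, and an
    entry such as '*.domain.com' plays the wildcard record from the post."""
    return any(name_matches(host, owner) for owner in zone)


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_line):
    """Parse a BIND-style line like
    '_autodiscover._tcp.domain.com. IN SRV 0 0 443 mail.domain.com.'
    (the IN class token is optional).  Returns (owner, Srv)."""
    fields = [f for f in zone_line.split() if f.upper() != "IN"]
    owner, rtype, prio, weight, port, target = fields
    if rtype.upper() != "SRV":
        raise ValueError(f"not an SRV record: {zone_line!r}")
    return owner.rstrip(".").lower(), Srv(int(prio), int(weight), int(port),
                                          target.rstrip(".").lower())


def pick_srv(records):
    """Lowest priority wins; among equal priorities prefer the higher
    weight.  RFC 2782 draws at random by weight; a deterministic pick is
    enough to show which host gets contacted."""
    return min(records, key=lambda r: (r.priority, -r.weight))


def walk_lookup(smtp_address, zone, srv_records, cas_cert_names):
    """Replay Outlook's order: https://<domain>, https://autodiscover.<domain>,
    then the _autodiscover._tcp SRV target.  Assumes every resolvable host
    lands on the same CAS, which presents cas_cert_names.  Returns
    (event, detail) pairs: 'nxdomain' is skipped silently, 'cert-mismatch'
    is the prompt users see, 'ok' carries the URL that ends the walk."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    hosts = [(domain, 443), (f"autodiscover.{domain}", 443)]
    if srv_records:
        srv = pick_srv(srv_records)
        hosts.append((srv.target, srv.port))
    events = []
    for host, port in hosts:
        if not resolves(host, zone):
            events.append(("nxdomain", host))
            continue
        if cert_matches(host, cas_cert_names):
            events.append(("ok", f"https://{host}:{port}{PATH}"))
            break
        events.append(("cert-mismatch", host))     # the prompt from the post
    return events


if __name__ == "__main__":
    _, srv = parse_srv("_autodiscover._tcp.domain.com. IN SRV 0 0 443 mail.domain.com.")
    today = ["mail.domain.com"]                    # what the CAS presents now
    # Edit 3 with wildcard DNS still active: the name resolves, prompt stays.
    print(walk_lookup("user@domain.com", {"mail.domain.com", "*.domain.com"}, [srv], today))
    # Same zone once the CAS presents a wildcard or UCC certificate.
    print(walk_lookup("user@domain.com", {"mail.domain.com", "*.domain.com"}, [srv], ["*.domain.com"]))
```

Two things the model makes visible: the wildcard DNS entry is what keeps the cert-mismatch step alive after the autodiscover record is removed, and a wildcard certificate only covers one label, so *.domain.com would not cover domain.com itself or anything like autodiscover.sub.domain.com; a multi-name (SAN/UCC) certificate that lists the exact host names sidesteps that. The model also assumes one certificate for every resolvable host; if the root domain points at a separate web server, the same name check runs there against whatever that server presents.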
KB2412171 is a recent Outlook 2007 hotfix that can break autodiscover with new profile creation.
Remove the patch which arrived Jan 2011.
“when setting up new Outlook profiles after installing this update. Instead of pre-populating the E-mail address field with the user's primary SMTP address, the user's UPN was used. This of course caused Autodiscover to fail since the UPN was not an alias on the mailboxes.
After uninstalling the latest Outlook 2007 update the issue was resolved, and the primary SMTP-address was pre-populated.
I've also experienced the issue with Outlook 2010; removing the latest hotfix package resolved the issue.” – submitted on an Office TechNet blog
The affected updates:
Description of the Outlook 2010 hotfix package: December 14, 2010
support.microsoft.com/…/2459115
Description of the Office Outlook 2007 update: January 11, 2011
support.microsoft.com/…/2412171
The Outlook 2007 update is released to Windows Update/WSUS, while the Outlook 2010 hotfix package must be requested afaik.
Thanks Jeff – this may clear up my more recent problem with autodiscover ( http://www.evanhoffman.com/evan/?p=1101 )
Wildcard cert is overkill. A UCC Cert from GoDaddy will do fine (Multi-domain, 5 domains). I’ve used it plenty of times and what a lifesaver, especially when migrating from an older Exchange server.
Thanks Chris. I was debating a wildcard cert to replace all the various *.company.com certs we’ve already purchased. It would also enable us to stop using self-signed certs on sites that aren’t important enough currently to justify the cost of a real SSL cert.
Just a note that I have had some issues with clients using wildcard certs when we set up multiple CAS servers handling OWA. In general it seems to go much smoother when we use a UCC cert.