Outlook 2007 & Exchange 2010 Autodiscover SSL certificate error annoyance

One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscovery feature. Now, every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. Now, autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid – but it’s valid for mail.domain.com. I could buy an SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover” but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.

I found a possible solution in KB 940726. Basically you use this cmdlet to change the Autodiscover URI for internal clients:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

You’d replace mail.contoso.com with the external URL of your OWA server (in my case, mail.domain.com). I’ve made the changes but I think I need to wait for AD propagation. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.

Edit: I also needed to add a SRV record so Outlook would know what host to check for autodiscovery when outside the domain.

Edit 2: Also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV functionality.

Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip it. Unfortunately we have wildcard DNS active for our domain.
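The warning described above comes from the client comparing the certificate against the name it asked for (autodiscover.domain.com), and the CNAME to mail.domain.com does not change that name. The following is an added example, not code from the original post: it audits which requested names a certificate's name list covers. The two-name and wildcard certificates are assumed alternatives that the post does not mention, and all names are constructed.

```python
# Added example: hostnames and certificate name lists below are constructed.

def name_matches(hostname, pattern):
    """Compare one certificate DNS name against the name the client requested."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands in for exactly one label
    if pat[0] == "*":
        # Whole-label wildcard in the left-most position only; require two
        # fixed labels after it so a pattern like "*.com" never matches.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, cert_names):
    """True if any name on the certificate matches the requested hostname."""
    return any(name_matches(hostname, name) for name in cert_names)


def audit(requested_names, cert_names):
    """Return the requested names that would raise a certificate warning."""
    return [h for h in requested_names if not cert_covers(h, cert_names)]


# Names a client requests in the post's scenario. The CNAME target is
# irrelevant: the check uses the name typed into the TLS request.
REQUESTED = ["mail.domain.com", "autodiscover.domain.com"]

# Constructed certificate name sets.
SINGLE_NAME = ["mail.domain.com"]                          # the post's certificate
TWO_NAMES = ["mail.domain.com", "autodiscover.domain.com"]  # assumed multi-name cert
WILDCARD = ["*.domain.com"]                                # assumed wildcard cert

if __name__ == "__main__":
    for label, names in (("single", SINGLE_NAME),
                         ("two-name", TWO_NAMES),
                         ("wildcard", WILDCARD)):
        failing = audit(REQUESTED, names)
        print(f"{label:9} warns for: {failing or 'nothing'}")
```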


Moved my email directly to Google

For a few years I’ve been funneling my various inboxes directly to my Gmail account. The massive storage, great web UI, and spam filtering made it a no-brainer. I’d basically been relying on a .forward file to do this until a couple of days ago when I signed up with Google Apps for evanhoffman.com, changed the MX records to point to Google, and … all my email still forwards to my Gmail account. But at least Bluehost is out of the loop now. Really, at this point the only reason for me to stay with them is the massive storage quota I have with them for the gallery; but even that doesn’t make much sense with the Picasa web albums stuff. They own Blogger so I assume I could port this whole thing over. Google’s free so I guess I’d save like $100 per year moving everything there, and I mostly only use it for email anyway. I think I’m paying like $8/month… With thin-provisioned disk space they could drop that to like $3/month probably and still make $.

Anyway, tomorrow’s the closing. I should go to bed. Oh, and WaMu is gone – attempting to log in to the WaMu online banking redirects me to Chase.com now.