One of the more annoying side effects of migrating my mailbox to Exchange 2010 has been the nagging of Outlook 2007’s Autodiscover feature. Every time I start Outlook I get hit with a certificate error for autodiscover.domain.com. autodiscover.domain.com is a CNAME to mail.domain.com, which is the OWA URL for the CAS. The SSL certificate is valid – but it’s valid for mail.domain.com, so the name Outlook connects to doesn’t match the name on the certificate. I could buy an SSL certificate from GoDaddy for $12.99 (an insanely great price, btw) for “autodiscover”, but that would also require using another IP address on the CAS (since you can only bind one SSL certificate to an IP:port pair), and that seems like a waste of an IP address.
I found a possible solution in KB 940726. Basically you use this cmdlet to change the Autodiscover URL that internal (domain-joined) clients are handed:

Set-ClientAccessServer -Identity <CASServerName> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

You’d replace <CASServerName> with the name of your Client Access Server and mail.contoso.com with the external URL of your OWA server (in my case, mail.domain.com). I’ve made the changes but I think I need to wait for AD propagation. Hopefully this will resolve it, because I don’t want to move everyone’s mailboxes over until this thing is “perfect,” whatever that means.
Edit: I also needed to add a SRV record so Outlook would know what host to check for autodiscovery when outside the domain.
Edit 2: You also need to install a hotfix or be running Outlook 2007 SP1 or later for the SRV functionality.
Edit 3: It occurs to me that a simpler fix for this issue may be simply to delete the DNS record for autodiscover entirely. That way, when Outlook attempts to open the SSL connection to autodiscover.domain.com, it gets an NXDOMAIN error and (should) silently skip it. Unfortunately we have wildcard DNS active for our domain, so that name resolves anyway.
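To make the probe order concrete, here is an added Python model (not code from this post and not Microsoft's) of how Outlook 2007 walks its Autodiscover candidates against a constructed zone for the hypothetical domain.com and the certificate the CAS presents. The IP address, the zone records and the certificate names are all constructed; the Active Directory SCP lookup that domain-joined clients do first and the plain-HTTP redirect step are left out, and wildcard synthesis ignores DNS's closest-encloser rule. It runs the three situations discussed above: the CNAME as found, the autodiscover record deleted with wildcard DNS still active, and the record deleted without a wildcard.

```python
"""Model Outlook 2007's Autodiscover probe order against a constructed DNS zone
and the certificate bound to the CAS, to show why a CNAME from
autodiscover.domain.com to mail.domain.com produces a certificate-name prompt,
and what an SRV record and deleting the A/CNAME record change.
Added example; not Microsoft's code and not from the original post."""

SMTP_DOMAIN = "domain.com"   # hypothetical domain used throughout the post
CAS_IP = "203.0.113.10"      # constructed (TEST-NET-3) address of the CAS

# Constructed zone. Record values: ("A", ip), ("CNAME", target),
# ("SRV", (priority, weight, port, target)). Names are fully qualified.
ZONE_AS_FOUND = {
    "mail.domain.com.": ("A", CAS_IP),
    "autodiscover.domain.com.": ("CNAME", "mail.domain.com."),
    "*.domain.com.": ("A", CAS_IP),                       # wildcard DNS (Edit 3)
    "_autodiscover._tcp.domain.com.": ("SRV", (0, 0, 443, "mail.domain.com.")),
}

# Subject names on the certificate bound to CAS_IP:443 (constructed):
# valid for mail.domain.com only, exactly the situation in the post.
CERT_NAMES = {CAS_IP: ["mail.domain.com"]}


def hostname_matches(host, names):
    """RFC 2818-style check: exact match, or a wildcard covering only the left-most label."""
    host = host.rstrip(".").lower()
    for name in names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def resolve_a(zone, name, max_hops=8):
    """Resolve a name to an IP, chasing CNAMEs and applying a wildcard record when
    the exact name is absent. Returns (ip, cname_chain); ip is None for NXDOMAIN.
    Simplification: a wildcard is applied whenever the exact name is missing."""
    chain = []
    name = name.lower()
    for _ in range(max_hops):                      # bounded: guards against CNAME loops
        rec = zone.get(name)
        if rec is None and "." in name.rstrip("."):
            rec = zone.get("*." + name.split(".", 1)[1])
        if rec is None or rec[0] == "SRV":
            return None, chain
        rtype, value = rec
        if rtype == "A":
            return value, chain
        chain.append(value)                        # CNAME: follow it
        name = value
    return None, chain


def autodiscover_probe(zone, cert_names, smtp_domain):
    """Walk the HTTPS candidates in the order Outlook 2007 tries them and return a
    list of (host, status), stopping at the first endpoint whose certificate matches:
      1. https://<domain>/autodiscover/autodiscover.xml
      2. https://autodiscover.<domain>/autodiscover/autodiscover.xml
      3. the target of the _autodiscover._tcp.<domain> SRV record (SP1 or hotfix)
    A name that fails to resolve is skipped silently; a name that resolves but does
    not appear on the certificate is what produces the prompt the post describes."""
    candidates = [smtp_domain, "autodiscover." + smtp_domain]
    srv = zone.get("_autodiscover._tcp." + smtp_domain + ".")
    if srv is not None:
        candidates.append(srv[1][3].rstrip("."))   # SRV target host
    results = []
    for host in candidates:
        ip, _chain = resolve_a(zone, host + ".")
        if ip is None:
            results.append((host, "NXDOMAIN: skipped silently"))
            continue
        if not hostname_matches(host, cert_names.get(ip, [])):
            results.append((host, "certificate name mismatch: user is prompted"))
            continue
        results.append((host, "ok: certificate matches, Autodiscover served here"))
        break
    return results


def zone_without_autodiscover(zone, smtp_domain, keep_wildcard):
    """Edit 3 from the post: drop the autodiscover A/CNAME record so the name should
    return NXDOMAIN; whether that works depends on the wildcard record."""
    fixed = {k: v for k, v in zone.items() if k != "autodiscover." + smtp_domain + "."}
    if not keep_wildcard:
        fixed.pop("*." + smtp_domain + ".", None)
    return fixed


if __name__ == "__main__":
    scenarios = [
        ("as found (CNAME + wildcard DNS)", ZONE_AS_FOUND),
        ("autodiscover record deleted, wildcard kept",
         zone_without_autodiscover(ZONE_AS_FOUND, SMTP_DOMAIN, True)),
        ("autodiscover record deleted, no wildcard",
         zone_without_autodiscover(ZONE_AS_FOUND, SMTP_DOMAIN, False)),
    ]
    for label, zone in scenarios:
        print("== " + label)
        for host, status in autodiscover_probe(zone, CERT_NAMES, SMTP_DOMAIN):
            print("  {:<26} {}".format(host, status))
```

Running it shows the prompt coming from candidate 2 in the first two scenarios even though the SRV target is accepted afterwards: with wildcard DNS active, deleting the autodiscover record changes nothing because the wildcard still resolves the name to the CAS. Only the third scenario gets a silent NXDOMAIN before the SRV target is used. The wildcard branch of hostname_matches also makes the certificate side visible: a single certificate that lists both names (or a wildcard for the domain) passes the check for both hosts on the same IP:443, so the one-certificate-per-IP:port limit only bites when each name needs its own certificate.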
Other useful resources:
- MS Exchange Team blog post comparing the various autodiscover schemes.
- Set-ClientAccessServer.
- Test Exchange Connectivity
- Setting Autodiscover URL via DNS SRV record
- Autodiscover whitepaper.
- Example Autodiscover BIND record – _autodiscover._tcp.domain.com. SRV 0 0 443 webmail.domain.com.
- Debug Autodiscover by right-clicking the Outlook icon in the system tray while holding down Ctrl
- Verifying SRV records exist with nslookup
- What version of Outlook am I running? You need SP1 or later for the SRV hack.
- Hotfix for Outlook 2007 (pre-SP1) to use SRV records for autodiscovery