MsExchange Blog Spot Telnet25

January 2, 2012

The Autodiscover service: how it is configured, and "The name of the security certificate is invalid or does not match the name of the site"

Filed under: General — telnet25 @ 3:33 am

I recently ran into an issue where the AutodiscoverVirtualDirectory InternalUrl had been set to a specific URL, in good faith, while trying to configure and troubleshoot the Autodiscover service.

Everything you need to know is in this white paper.

Not to be confused with the settings that matter: if you run the cmdlet below you will see that these values are empty by default, and there is no need to touch them, because the Autodiscover virtual directory URLs play no part in configuring the Autodiscover service.

Get-AutodiscoverVirtualDirectory | fl *url*


If, for whatever reason, you do want to fill these in, this is what you would do:

  • Set-AutodiscoverVirtualDirectory -InternalUrl
  • Note: change -InternalUrl to -ExternalUrl to set the external one.

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -InternalUrl 'https://autodiscover.mcc.gov/autodiscover/autodiscover.xml'

If you did set these for whatever reason and now understand that they are not the correct URLs, here is how you set them back to their default of $null:

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -InternalUrl $null

* Note: change -InternalUrl to -ExternalUrl to reset the external one.


What you actually want to configure is this one:

Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

* Note: as you can see, the second server, mail2, shows up in the Availability service URL, which will cause problems if the certificate installed on the CAS server does not carry this name. Some people do not want to expose internal names to the outside by publishing them in the certificate; others do not care. IMO this does not create any security risk at all, but many places I have worked with use the common name in the certificate. This is why, in split DNS scenarios, you would create two A records in DNS, one pointing to each CAS server (assuming you have two), so that you do not see the certificate name mismatch error.
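The mismatch described above is easy to catch before Outlook does: every hostname that Autodiscover hands out (the SCP URI plus the EWS and OAB virtual directory URLs) has to appear in the certificate bound to IIS on the CAS. The script below is an added example, not from the original post; it runs in the Exchange Management Shell and compares those hostnames against the CertificateDomains of the IIS-enabled certificate(s) returned by Get-ExchangeCertificate. The Test-NameCovered helper is my own and treats a wildcard entry as covering exactly one label, which is how browsers and Outlook interpret it. It also flags any Autodiscover virtual directory URL that is not empty, since the post says those should stay at their default.

```powershell
# Added example (not part of the original post). Assumes the Exchange
# Management Shell (Exchange 2010 era cmdlets) and read-only permissions;
# nothing is changed, only reported.

# Hostnames the IIS-bound certificate(s) actually cover: subject + SAN entries.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } |
    Sort-Object -Unique

# Helper (mine, not an Exchange cmdlet): does a certificate name list cover
# a hostname? Exact match, or a "*.domain" entry covering one extra label.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".telnet25.org"
            if ($HostName.EndsWith($suffix)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -notmatch '\.' -and $left.Length -gt 0) { return $true }
            }
        }
    }
    return $false
}

# Collect every URL a client can be handed during Autodiscover.
$checks = @()
foreach ($cas in Get-ClientAccessServer) {
    $checks += New-Object PSObject -Property @{
        Server = $cas.Name; Setting = 'SCP AutoDiscoverServiceInternalUri'
        Url = $cas.AutoDiscoverServiceInternalUri }
}
foreach ($vd in Get-WebServicesVirtualDirectory) {
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'EWS InternalUrl'; Url = $vd.InternalUrl }
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'EWS ExternalUrl'; Url = $vd.ExternalUrl }
}
foreach ($vd in Get-OABVirtualDirectory) {
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'OAB InternalUrl'; Url = $vd.InternalUrl }
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'OAB ExternalUrl'; Url = $vd.ExternalUrl }
}

# Evaluate: empty external URLs are fine; any set URL must match the certificate.
$report = foreach ($c in $checks) {
    if (-not $c.Url) {
        $status = 'not set'
    } else {
        $h = $c.Url.Host.ToLower()
        $status = if (Test-NameCovered $h $certNames) { 'OK' } else { "MISMATCH: $h not in certificate" }
    }
    $c | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
}
$report | Select-Object Server, Setting, Url, Status | Format-Table -AutoSize

# The Autodiscover virtual directory URLs are not used by Autodiscover; the
# post keeps them empty, so anything set here is worth a second look.
Get-AutodiscoverVirtualDirectory |
    Where-Object { $_.InternalUrl -or $_.ExternalUrl } |
    ForEach-Object { Write-Warning "Autodiscover vdir on $($_.Server) has a URL set: Internal=$($_.InternalUrl) External=$($_.ExternalUrl)" }
```

Run it on each CAS after a certificate renewal or namespace change; a MISMATCH row is exactly the name Outlook will complain about in the "name of the security certificate is invalid" prompt, and the fix is either the split DNS A record described above or adding that name to the certificate.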


Okay, now how to set the Autodiscover service. I recommend reading the white paper first and getting a good understanding of how it works.

In a very common scenario, this would be the sample configuration:

  • You are running a split DNS model (split DNS means your internal namespace matches your external namespace). In my lab I do have split DNS: my internal namespace is telnet25.org and my external DNS namespace is also telnet25.org.
  • You have a valid certificate that includes your common name. In my example I used mail.telnet25.org, and this name is included in the certificate.
  • You have installed the certificate correctly on your CAS server or servers.
  • You have set up a CAS array and configured DNS round robin; you most likely configured something like RpcClientAccessServer=outlook.mycompany.com.
  • You have read and understood how the SCP (Service Connection Point) works.


Okay, here are the samples showing how to configure the basics.

Modify the Autodiscover URL in the Service Connection Point

Set-ClientAccessServer -Identity CAS01 -AutodiscoverServiceInternalUri https://webmail.smtp25.org/autodiscover/autodiscover.xml

* Note: make sure the following is configured according to your scenario.

***

Modify the InternalUrl attribute of the EWS virtual directory
Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -InternalUrl https://webmail.smtp25.org/ews/exchange.asmx

***

Modify the InternalUrl attribute for Web-based Offline Address Book distribution
Set-OABVirtualDirectory -Identity "CAS01\oab (Default Web Site)" -InternalUrl https://webmail.smtp25.org/oab
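The three cmdlets above are typed per server and per URL, which is where typos and a forgotten second CAS creep in. The script below is an added example, not from the original post: it derives all three URLs from one namespace variable, applies them to every Client Access server, resets the Autodiscover virtual directory URLs to the empty default the post recommends, and then reads everything back so the result can be eyeballed. The namespace value is a constructed sample; it must be a name present in your certificate. It runs with -WhatIf by default so nothing changes until you flip the switch.

```powershell
# Added example (not part of the original post). Assumes the Exchange
# Management Shell (Exchange 2010 era cmdlets) and the Set-* permissions.
# $namespace is a constructed sample: replace it with the name that is in
# your certificate (common name or SAN) and that split DNS resolves inside and out.
$namespace = 'webmail.smtp25.org'
$whatIf    = $true        # set to $false to apply; $true only shows what would change

$scpUri = "https://$namespace/autodiscover/autodiscover.xml"
$ewsUrl = "https://$namespace/ews/exchange.asmx"
$oabUrl = "https://$namespace/oab"

# 1. SCP: the URI Outlook domain-joined clients find in Active Directory.
foreach ($cas in Get-ClientAccessServer) {
    Set-ClientAccessServer -Identity $cas.Name -AutoDiscoverServiceInternalUri $scpUri -WhatIf:$whatIf
}

# 2. EWS and OAB InternalUrl on every CAS, so Availability and OAB downloads
#    hand out the same certificate-matched name.
foreach ($vd in Get-WebServicesVirtualDirectory) {
    Set-WebServicesVirtualDirectory -Identity $vd.Identity -InternalUrl $ewsUrl -WhatIf:$whatIf
}
foreach ($vd in Get-OABVirtualDirectory) {
    Set-OABVirtualDirectory -Identity $vd.Identity -InternalUrl $oabUrl -WhatIf:$whatIf
}

# 3. The Autodiscover virtual directory URLs are not used by Autodiscover;
#    put them back to the empty default in case someone filled them in.
foreach ($vd in Get-AutodiscoverVirtualDirectory) {
    Set-AutodiscoverVirtualDirectory -Identity $vd.Identity -InternalUrl $null -ExternalUrl $null -WhatIf:$whatIf
}

# 4. Read back: every row should show the same hostname, and the last block
#    should show empty URLs.
Get-ClientAccessServer            | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory   | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory           | Format-List Identity, InternalUrl, ExternalUrl
Get-AutodiscoverVirtualDirectory  | Format-List Identity, InternalUrl, ExternalUrl
```

Review the -WhatIf output first, set $whatIf to $false, run it again, and then test from a client with Outlook's "Test E-mail AutoConfiguration"; the URLs it shows should all carry the namespace you chose.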

Respectfully,
Oz Casey, Dedeal
(MVP North America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog )
http://telnet25.spaces.live.com/ (Blog)
https://telnet25.wordpress.com/ (Blog)
