Disable SSL on Autodiscovery

Stevehewitt

IS-IT--Management
Jun 7, 2001
2,075
GB
Hi All,

Our internal domain is different to our external domain name, however we have a wildcard SSL for our external domain to secure our websites.

I have applied this SSL to our Exchange 2007 machine on the basis that people will be using OWA. However, when we try to use autodiscovery in Outlook 2007 my users get prompted saying that the SSL isn't valid (which it isn't as the name on the SSL is our external DNS domain name, and the user is using the internal DNS namespace when using autodiscovery)

Anyone know how I can disable SSL on Autodiscovery? (And ideally set it to use just Windows Authentication and remove clear text, to prevent any packet sniffing?)

FYI - we won't be using AutoDiscovery from a remote location so SSL isn't a requirement.

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
OK, here are some things to check, as it should bypass that.

1. DNS. Do you have a DNS entry called "autodiscover"? Does that point to your CAS box with the correct IP address?
2. IIS. Do you have a virtual directory on the CAS called autodiscover? In that folder should be 5 files, one of which is autodiscover.xml.
3. AD. Next you need to check if autodiscovery has been enabled in AD. Do this with PowerShell:
get-OutlookProviderConfig -id exch -server
If you do not get the right response or get no response, set it:
set-OutlookProviderConfig -id exch -server:<NETBIOS name of server>

If that does not fix it, run through the SSL certificate creation again and create an internal certificate for the internal domain using your in house certificate server.
 
Hi Zelandakh

Thanks for the quick reply.

I don't have the entry in DNS - although it seems to work fine anyway - which is bizarre! (I've added a new entry just in case)

Yeah, the IIS setup is fine.

The cmdlet isn't recognised either in PowerShell native or the Exch management console. Very bizarre. (FYI it's the full release of Exch2007 Ent)

I can't just put on a local SSL certificate as I need the valid external one for my OWA users.

Cheers,

Steve.
 
If you want to do it in one hit, you'd need a cert auth that supports multiple domains - I know godaddy.net do it. If you've already got an external one pointing at the CAS default IIS, are the internal folks also looking to the same folder of the same box?
 
Hmm, I got a wildcard SSL from GoDaddy in the first place.

E.g. I have a *.externaldomainname.com SSL - that's already on the Exchange CAS for use with OWA etc.

However our external domain (which is on the SSL for OWA) is different to our internal domain (which doesn't match the SSL on the same site)

We only have the one server, so our internal MAPI client and OWA external clients will use the same server and the same IIS site.

Cheers,

Steve.
 
I've given up. Spent a whole day, (around 10 hours) on the bloody thing.

In the end I removed the CAS role, reinstalled and did the following.

Kept the default, including SSL.

Created a new IIS website called 'External'

Created a new OWA and ActiveSync virtual directory under the new IIS site using the relevant cmdlets (New-OWAVirtualDirectory and New-ActiveSyncVirtualDirectory I think)

Added external SSL to the External IIS site. Few config tweaks (e.g. the external/internal URLs etc.)

All done.

Cheers,

Steve.
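Steve's rebuild above, expressed as Exchange 2007 Management Shell commands. This is an added illustration, not Steve's own commands: the site name "External", the server name CAS01, the host names mail.externaldomainname.com and cas01.internal.local, and the second IP binding for the External site are all assumptions.

```powershell
# Added example: the "second IIS site for external clients" layout described in the post above.
# Assumptions (not from the thread): the CAS is named CAS01; an IIS site called "External"
# has already been created in IIS Manager, bound to its own IP address and holding the
# *.externaldomainname.com wildcard certificate; the Default Web Site keeps an internal
# certificate that domain clients trust (e.g. one issued by the in-house CA suggested earlier).
# Result: internal Outlook/Autodiscover traffic stays on HTTPS with a name that matches,
# while OWA and ActiveSync on "External" present the wildcard to Internet clients.

# 1. OWA virtual directory on the External site, advertised only by its external name.
New-OwaVirtualDirectory -OwaVersion Exchange2007 -WebSiteName "External" `
    -ExternalUrl "https://mail.externaldomainname.com/owa"

# 2. ActiveSync virtual directory on the same site.
New-ActiveSyncVirtualDirectory -WebSiteName "External" `
    -ExternalUrl "https://mail.externaldomainname.com/Microsoft-Server-ActiveSync"

# 3. Point the Autodiscover SCP that domain-joined Outlook 2007 clients look up in AD at the
#    internal name the internal certificate covers (served by the Default Web Site), so the
#    certificate prompt from the original question goes away without dropping SSL.
Set-ClientAccessServer -Identity CAS01 `
    -AutoDiscoverServiceInternalUri "https://cas01.internal.local/Autodiscover/Autodiscover.xml"

# 4. Verify which IIS site each virtual directory lives on and which URLs clients are handed.
Get-OwaVirtualDirectory | Format-List Name, WebSite, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory | Format-List Name, WebSite, InternalUrl, ExternalUrl
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
```

The check in step 4 is the one to repeat after any later certificate swap: a client is prompted whenever the name in the URL it was handed is not on the certificate bound to that site.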
 
Steve - I'm just working on a cool way round this properly if you want to wait a bit. There is an undocumented feature that resolves this problem.
 
Hi Zelandakh,

Thanks - but it all seems to be working fine now. The default site in IIS is used for internal clients, and I've got a separate site with appropriate SSL for External clients with the OWA and ActiveSync Virtual Directories set up. (using the New-OWAVirtualDirectory / New-ActiveSyncVirtualDirectory cmdlets)

Nice to know of the cool workaround though! (Would have saved me bloody hours too! :))

Cheers,

Steve.
 
It was only by following up this thread and a colleague with the same problem that this solution was found.

If you have details of what you did, can you post them in here or more preferably into an FAQ? You aren't the first person to see this.

I know Sembee has blogged about it but it was amazingly complicated and you may have some shortcuts.
 
Yeah, I'll do a FAQ - Cheers.

Steve.
 
Sorry for the delay. Forgot that TT has to verify FAQs now when they're written.

Please see faq1582-6595 for my solution. Based on the Sembee blog but a bit more elaborate.

Cheers,

Steve.
 