Article ID: 128975, created on Jun 20, 2016, last review on Jun 20, 2016

  • Applies to:
  • Operations Automation

Symptoms

An SSL certificate warning is shown during Autodiscover operations when setting up a mailbox via Outlook.

Cause

A certificate mismatch occurs when the Autodiscover site is accessed by the Outlook client. The Autodiscover redirect site should not have a certificate, for the following reason:

The Autodiscover redirect site shares the same IP address as the Default Web Site. This causes Outlook's preferred Autodiscover method (HTTPS) to succeed, bypassing the Autodiscover redirect site and going straight to the Autodiscover virtual directory on the Default Web Site over HTTPS, which is not the method intended by the Hosted Exchange 2013 Deployment Guide. The correct flow is for Outlook to access the Autodiscover redirect site only via HTTP, and for that site to redirect it to the Autodiscover virtual directory on the Default Web Site.

Resolution

  1. Use a separate IP address for Autodiscover. It is configured on the Autodiscover redirect site and serves only HTTP, not HTTPS, so the SSL error does not come up.

  2. The Autodiscover site should have a different name (not exchange.provider.tld), because exchange.provider.tld resolves to the IP address used by OWA and other services.

A separate SSL certificate for Autodiscover.customerdomain.tld is not needed, because the process works as follows:

  1. The client checks Autodiscover on the standard HTTPS URLs, https://<customer-domain>/Autodiscover/Autodiscover.xml and https://Autodiscover.<customer-domain>/Autodiscover/Autodiscover.xml. These attempts fail because no connection can be established on port 443.

  2. The client checks the Autodiscover redirect on the HTTP URL http://Autodiscover.<customer-domain>/Autodiscover/Autodiscover.xml.

  3. The Autodiscover redirect site handles this request and redirects the client to the Exchange Autodiscover virtual directory on the Default Web Site: https://exchange.<provider-domain>/Autodiscover/Autodiscover.xml.

  4. The client contacts Autodiscover on the URL returned by the Autodiscover redirect.
  5. Exchange Autodiscover returns the result to the client.

As a result, the setup should work as follows:

  1. The IP address used for OWA and other Exchange protocol services should be directed by the load balancer to the default site on the CAS servers and should allow HTTPS.

  2. The IP address used for Autodiscover should be directed by the load balancer to the Autodiscover redirect site and should not allow connections on port 443.

Please refer to the Hosted Exchange Deployment Guide for additional details.
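As an added example (not part of this article and not an Operations Automation tool), the following Python script probes a customer domain the way the flow above describes and reports where the live setup deviates from the intended layout: port 443 must be closed on the Autodiscover IP, the plain-HTTP request must answer with a redirect to the provider's Autodiscover virtual directory, and the Autodiscover name must not resolve to the same IP as the OWA name. The hostnames and IP addresses in the offline evaluation are placeholders taken from the article; the probe and evaluation functions are assumptions of this example.

```python
"""Check an Autodiscover redirect site against the layout the article
describes. Added example; not part of the article or of Operations Automation.
"""
import socket
import sys
import http.client

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds (443 should fail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_redirect_target(host, timeout=5.0):
    """GET the Autodiscover XML over plain HTTP without following redirects.

    Returns (status, Location header or None) so the redirect target can be
    compared against the expected provider URL.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", AUTODISCOVER_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def evaluate(customer_domain, provider_host, port443_open,
             redirect_status, location, autodiscover_ip, owa_ip):
    """Compare observed facts with the intended layout; return a list of
    findings. An empty list means the setup matches the article's design."""
    findings = []
    if port443_open:
        findings.append(
            "port 443 is reachable on autodiscover.%s: Outlook's HTTPS probe "
            "will succeed and hit the wrong certificate" % customer_domain)
    if redirect_status not in (301, 302):
        findings.append(
            "expected an HTTP redirect from the Autodiscover redirect site, "
            "got status %s" % redirect_status)
    else:
        expected = "https://%s%s" % (provider_host, AUTODISCOVER_PATH)
        if location is None or location.lower() != expected.lower():
            findings.append(
                "redirect target %r differs from expected %r" % (location, expected))
    if autodiscover_ip == owa_ip:
        findings.append(
            "autodiscover.%s and %s resolve to the same IP %s; the redirect "
            "site needs its own address" % (customer_domain, provider_host, owa_ip))
    return findings


def check(customer_domain, provider_host):
    """Live check: resolve both names, probe port 443 and the HTTP redirect,
    then evaluate. Requires network access to the hosted environment."""
    ad_host = "autodiscover." + customer_domain
    ad_ip = socket.gethostbyname(ad_host)
    owa_ip = socket.gethostbyname(provider_host)
    open443 = port_open(ad_host, 443)
    status, location = http_redirect_target(ad_host)
    return evaluate(customer_domain, provider_host, open443, status, location,
                    ad_ip, owa_ip)


if __name__ == "__main__":
    # Usage: python check_autodiscover.py customerdomain.tld exchange.provider.tld
    if len(sys.argv) != 3:
        sys.exit("usage: %s <customer-domain> <exchange.provider.tld>" % sys.argv[0])
    problems = check(sys.argv[1], sys.argv[2])
    for line in problems or ["autodiscover layout matches the deployment guide"]:
        print(line)
```

Run it against a customer domain and the provider's Exchange hostname from a machine that sees the same load balancer as Outlook clients do; any finding printed corresponds to one of the two resolution steps above (separate IP with no HTTPS, or a distinct name for the redirect site).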

Search Words

Exchange autodiscover SSL

Outlook 2013 unable to resolve name

sertificate autodiscovery

Autodiscover

exchange 2013 autodiscover

