SSL warning is shown during Autodiscover operations when setting up a mailbox via Outlook.
A certificate mismatch happens when the Autodiscover site is accessed by the Outlook client. Autodiscover should not have a certificate due to the following reasons:
The Autodiscover redirect site shares the same IP as the Default Web Site, which causes the preferred Autodiscover method (https) to succeed, bypassing the Autodiscover redirect site and going straight to the Autodiscover virtual directory on the Default Web Site via https. That is not the intended method according to the Hosted Exchange 2013 Deployment Guide. The correct way is to have Outlook access the Autodiscover redirect site only via http, with a proper redirect to the Autodiscover virtual directory on the Default Web Site via
- Use a separate IP for Autodiscover: it will be configured on the Autodiscover redirect site and will only have HTTP and no HTTPS, so the SSL error will not come up
- The Autodiscover site should have a different name (not exchange.provider.tld), because exchange.provider.tld resolves to the IP address used by OWA and other services
A separate SSL certificate for Autodiscover.customerdomain.tld is not needed because it works in the following way:
- The client checks Autodiscover on standard HTTPS URLs like https://Autodiscover.<customer-domain>/Autodiscover/Autodiscover.xml. This will not work because no connection can be established on port 443.
- The client checks the Autodiscover redirect on HTTP URL:
- The Autodiscover redirect site handles this request and redirects the client to the Exchange Autodiscover virtual directory on the Default Web Site:
- The client contacts Autodiscover on the URL returned by the Autodiscover redirect.
- Exchange Autodiscover returns the result to the client.
As a result, this is how it should work:
- The IP address used for OWA and other Exchange protocol services should be redirected by the load balancer to the default site on the CAS servers and should allow HTTPS
- The IP address used for Autodiscover should be redirected by the load balancer to the Autodiscover redirect site and should not allow connections on port 443
Please refer to Hosted Exchange Deployment Guide for additional details.
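
A check for the behaviour described above, as an added example that is not part of the original article or of any Exchange tooling: `probe` records whether port 443 answers on the Autodiscover name and what the plain-HTTP request returns, and `evaluate` compares that with the intended redirect-only setup. The host names, the HTTP path (assumed to mirror the HTTPS URL quoted above) and the function names are assumptions.

```python
import http.client
import socket
from urllib.parse import urlsplit

# Assumed path: same as the HTTPS URL quoted above, requested over plain HTTP.
AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"


def probe(customer_domain, timeout=5):
    """Observe what a client sees on autodiscover.<customer_domain>."""
    host = f"autodiscover.{customer_domain}"
    try:  # Step 1: does anything accept connections on port 443?
        socket.create_connection((host, 443), timeout=timeout).close()
        https_open = True
    except OSError:
        https_open = False
    status = location = None
    try:  # Step 2: plain HTTP request; http.client does not follow redirects.
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", AUTODISCOVER_PATH)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, http.client.HTTPException):
        pass
    return https_open, status, location


def evaluate(https_open, status, location, exchange_host):
    """Return a list of deviations from the intended redirect-only setup."""
    findings = []
    if https_open:
        findings.append("port 443 reachable on Autodiscover name: "
                        "HTTPS is tried first, expect a certificate mismatch")
    if status is None or not 300 <= status < 400 or not location:
        findings.append(f"no HTTP redirect on port 80 (status={status})")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not HTTPS: {location}")
    if (target.hostname or "").lower() != exchange_host.lower():
        findings.append(f"redirect leaves expected host: {location}")
    return findings


if __name__ == "__main__":
    # Constructed names; replace with your own domain and Exchange host.
    for line in evaluate(*probe("customerdomain.tld"), "exchange.provider.tld"):
        print("FINDING:", line)
```

An empty result from `evaluate` means the endpoint matches the layout above: nothing listening on port 443 for the Autodiscover name, and an HTTP redirect to the expected Exchange host over HTTPS.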