Sunday, January 1, 2012

The Autodiscover service: how it is configured, and "The name of the security certificate is invalid or does not match the name of the site"

I recently ran into an issue where the AutodiscoverVirtualDirectory InternalUrl had been set to a specific URL, in good faith, while trying to configure and troubleshoot the Autodiscover service.
Everything you need to know is here in this white paper.
Now, not to be confused: if you run the cmdlet below you will see that the default is empty, and there is no need to touch these URLs, as they do not apply to configuring the Autodiscover service.
Get-AutodiscoverVirtualDirectory | fl *url*
For whatever reason, if you do want to fill these in, this is what you would do:
  • Set-AutodiscoverVirtualDirectory -InternalUrl
  • Note: just change -InternalUrl to -ExternalUrl to set the external one.
Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -internalUrl 'https://autodiscover.SMTP25.gov/autodiscover/autodiscover.xml'
Okay, whatever reason you had for setting these, now that you understand these are not the correct URLs, here is how you set them back to their normal value, $null:
Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -internalUrl ($null)
*Note: change -InternalUrl to -ExternalUrl to reset the external one.
What you want to configure is this one
Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
* Note: as you can see, the second server, mail2, is showing up in the Availability service URL, which will cause problems if the certificate installed on the CAS server does not carry this common name. Some people do not want to expose internal names to the outside by publishing them in the certificate; some people won't care. IMO this does not create any security risk at all, but many places I have worked with use the common name in the certificate. This is why, in split DNS scenarios, you would set two A records in DNS pointing to each CAS server (assuming you have two), so that you do not see the certificate name mismatch error.
Okay, now how to set the Autodiscover service. I recommend reading the white paper first and getting a good understanding of how it works.
In a very common scenario, this would be a sample configuration:
  • You are running a split DNS model (split DNS means your internal namespace matches your external namespace). In my lab I do have split DNS: my internal namespace is telnet25.org and my external DNS namespace is also telnet25.org.
  • You have a valid certificate, and your common name is on it; in my example I used mail.telnet25.org, and this name is included in the certificate.
  • You have installed the certificate correctly on your CAS server or servers.
  • You have set up a CAS array and configured DNS round robin; you most likely configured something like RpcClientAccessServer=outlook.mycompany.com.
  • You have read and understood how the SCP works.
Okay, here are the samples showing how to configure the basics.
Modify the Autodiscover URL in the Service Connection Point
Set-ClientAccessServer -Identity CAS01 -AutodiscoverServiceInternalUri https://webmail.smtp25.org/autodiscover/autodiscover.xml
*Note: make sure the following is configured based on your scenario.
***

Modify the InternalUrl attribute of the EWS
Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -InternalUrl https://webmail.smtp25.org/ews/exchange.asmx
***
Modify the InternalUrl attribute for Web-based Offline Address Book distribution
Set-OABVirtualDirectory -Identity "CAS01\oab (Default Web Site)" -InternalUrl https://webmail.smtp25.org/oab
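The three Set-* cmdlets above, together with the name-mismatch note earlier in the post, are easy to get slightly wrong: one URL on one server still pointing at a host that is not on the IIS certificate is enough to bring the certificate prompt back. The script below is an added example, not part of the original post, that audits every URL Autodiscover can hand out (SCP URI, EWS, OAB and the Autodiscover virtual directory itself) against the names on the certificate enabled for IIS, and checks that each host resolves in DNS. It assumes the Exchange Management Shell (Exchange 2007/2010 cmdlets, PowerShell 2.0 compatible); the helper names Get-UrlHost and Test-NameOnCertificate are my own, and no server or host names are hard-coded.

```powershell
# Added example (not from the original post): audit Autodiscover-published URLs
# against the Exchange certificate bound to IIS, and confirm the hosts resolve.
# Requires the Exchange Management Shell; Get-UrlHost and Test-NameOnCertificate
# are hypothetical helper names introduced for this example.

function Get-UrlHost([string]$Url) {
    # Return the lower-cased host part of a URL, or $null when the value is unset.
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    try { return ([System.Uri]$Url).Host.ToLower() } catch { return $null }
}

function Test-NameOnCertificate([string]$HostName, [string[]]$CertDomains) {
    # True when the host matches a certificate name exactly, or matches a
    # wildcard entry on a single label (*.smtp25.org covers webmail.smtp25.org,
    # but not a.b.smtp25.org).
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # ".smtp25.org"
            $sameDepth = $HostName.Split('.').Count -eq $suffix.Split('.').Count
            if ($HostName.EndsWith($suffix) -and $sameDepth) { return $true }
        }
    }
    return $false
}

# Names on the certificate(s) enabled for the IIS service: these are the only
# names Outlook will accept without the "name of the security certificate" prompt.
$certDomains = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# Collect every URL a client can be pointed to via Autodiscover/SCP.
$checks = @()
foreach ($cas in Get-ClientAccessServer) {
    $checks += New-Object PSObject -Property @{
        Server = $cas.Name; Setting = 'AutoDiscoverServiceInternalUri'
        Url = "$($cas.AutoDiscoverServiceInternalUri)" }
}
foreach ($vd in Get-WebServicesVirtualDirectory) {
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'EWS InternalUrl'; Url = "$($vd.InternalUrl)" }
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'EWS ExternalUrl'; Url = "$($vd.ExternalUrl)" }
}
foreach ($vd in Get-OABVirtualDirectory) {
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'OAB InternalUrl'; Url = "$($vd.InternalUrl)" }
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'OAB ExternalUrl'; Url = "$($vd.ExternalUrl)" }
}
# The Autodiscover virtual directory URLs are expected to be empty (see the post);
# anything set here is reported so it can be reset to $null.
foreach ($vd in Get-AutodiscoverVirtualDirectory) {
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'Autodiscover vdir InternalUrl (should be empty)'; Url = "$($vd.InternalUrl)" }
    $checks += New-Object PSObject -Property @{ Server = "$($vd.Server)"; Setting = 'Autodiscover vdir ExternalUrl (should be empty)'; Url = "$($vd.ExternalUrl)" }
}

$report = foreach ($c in $checks) {
    $h = Get-UrlHost $c.Url
    if ($h -eq $null) {
        $status = 'not set'; $dns = ''
    } else {
        if (Test-NameOnCertificate $h $certDomains) { $status = 'OK' }
        else { $status = 'MISMATCH: host not on IIS certificate' }
        # Split DNS check: the name must resolve from this server as well.
        try {
            $dns = ([System.Net.Dns]::GetHostAddresses($h) |
                ForEach-Object { $_.IPAddressToString }) -join ','
        } catch { $dns = 'DOES NOT RESOLVE' }
    }
    New-Object PSObject -Property @{
        Server = $c.Server; Setting = $c.Setting; Url = $c.Url
        Host = $h; Certificate = $status; Resolves = $dns }
}

$report | Sort-Object Certificate, Server | Format-Table Server, Setting, Host, Certificate, Resolves -AutoSize
```

Run it once after applying the Set-ClientAccessServer, Set-WebServicesVirtualDirectory and Set-OABVirtualDirectory changes; every row should read OK (or "not set" for the Autodiscover virtual directory rows). A MISMATCH row names the exact server and setting still pointing at a host that is not on the certificate, which is the usual cause of the prompt in the post's title, and a DOES NOT RESOLVE row points at a missing A record in the split DNS zone.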
Respectfully,
Oz Casey, Dedeal
( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.spaces.live.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)


1 comment:

Anonymous said...

I've been trying to solve this issue for ages now, reading through dozens of posts with no success. Finally I found your blog, and you had at least one command that wasn't seen anywhere else, and that was the $null command. I'm not one hundred percent sure that that did the trick, since I made a couple of changes, but I'm about 95% sure that it was just that. So I just want to thank you for your superb post! Thanks and have a happy new year!
//Sebastian