Change settings users get from autodiscover.mydomain.com
I've set up the Exchange 07 CAS and OWA worked perfectly, but I couldn't get the https connection working from within Outlook. I figured out that if my external server name is mymail.mydomain.com then in the mutually auth box in Outlook I put msstd:internalname.domain.com and it works. However, when doing the autodiscover it fills in the server as mymail.mydomain.com but then also fills in msstd:mymail.mydomain.com. How do I change what settings autodiscover sends to clients so that it works?
August 14th, 2007 11:06pm

Let me try to be more clear... when you configure Outlook 2007 you can put in proxy settings for Outlook Anywhere. The first is "Use this URL to connect to my proxy server for Exchange", and in there I put https://external.fqdn.com. Below that is the "Use SSL and mutually authenticate" field, and in there I put msstd:internalname.domain.com. My problem is that when autodiscover sets this up, it puts the external.fqdn.com name in the mutually authenticate field. So: 1. How can I change autodiscover to use the value that works, OR 2. how can I make the external name work for https instead of the internal? I did create a multiple subject cert with all applicable names in it.
August 15th, 2007 6:20pm

Anyone?
August 19th, 2007 4:45am

Hi, I have not seen a way to change the fields that the autodiscovery generates for the mutual auth field. It might be possible, but I would think it may be easier to work out why the mutual auth doesn't work with the external.domain.com configuration. If you are using a split DNS for the domain name, can you configure the internal DNS server to resolve external.domain.com to the IP of your Client Access Server, and resolve externally to the other IP address for your ISA server or whatever? Can you find any additional information on the failure using the Outlook 2007 client to test the autoconfiguration? You may also have to check the order of the domain names in the Exchange certificate request. I am assuming you have replaced the self-signed certificates with a certificate from an internal CA using the Subject Alternative Name (SAN) field. I have read about issues if the first domain name in the SAN list does not match your domain name in the Common Name (CN) field. Have you also tried changing the authentication methods between basic and NTLM? More info on Availability here: http://www.exchangeninjas.com/AvailabilityServiceFAQ Cheers, Rhys
August 19th, 2007 1:40pm

Thanks for the reply, lots of good info. Let me respond to each question as best I can... Yes, I have split DNS, and yes, you were right: at first this was a problem, the internal couldn't resolve the external name correctly. I've fixed that and still have the problem. The problem when I use the external name in the mutual auth field is that it keeps prompting for the username/pass even after entering it over and over. How can I get any additional info on why it keeps prompting for username/pass when the ext name is in the mutual auth field? Are there logs or traces I can turn on? Yes, I did the SAN thing with an internal CA. I'll need to look at the order... what should the order be? internal.fqdn, netbios name, external.fqdn, autodiscover, etc? I have tried changing auth methods but basic didn't help and I need to use NTLM anyway, so...
August 19th, 2007 7:51pm

RhysW wrote: "You may also have to check the order of the domain names in the Exchange certificate request. I am assuming you have replaced the self-signed certificates with a certificate from an internal CA using the Subject Alternative Name (SAN) field. I have read about issues if the first domain name in the SAN list does not match your domain name in the Common name (CN) field."

OK, here is how my cert is set up... let's assume my internal mail server name is gordo.sales.corp1.com. Externally I call it mymail.corp1.com. The cert currently is cn=gordo.sales.corp1.com and then the SANs are listed as follows: gordo, gordo.sales.corp1.com, mymail.corp1.com, autodiscover.corp1.com. So should I change the cn to mymail.corp1.com and then in the list have that first followed by the rest? Or leave the cn alone and just change the SAN order?
August 19th, 2007 9:06pm

Well, I changed the cert cn to mymail.corp1.com and then the SANs to mymail.corp1.com followed by the internal names and then autodiscover. Now it works. Thanks a bunch!
August 20th, 2007 12:29am
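
The certificate check behind this fix, as an added example that is not part of the original thread. It assumes certificate data in the dict shape returned by Python's `ssl` `getpeercert()`; the function names are hypothetical, the sample certificates are constructed from the host names in the posts above, and the rule that the CN should equal the msstd: name is taken from what resolved this thread.

```python
# Added example: compare a certificate's names with the msstd: principal name
# configured for Outlook Anywhere. Sample certs are constructed from the thread.

def cert_names(cert):
    """Return (common_name, [DNS SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans

def check_msstd(cert, principal):
    """List mismatches between the cert and an 'msstd:host' principal name."""
    if not principal.lower().startswith("msstd:"):
        raise ValueError("expected a value of the form msstd:host.name")
    host = principal[len("msstd:"):].strip().lower()
    cn, sans = cert_names(cert)
    problems = []
    # What fixed the thread: CN equal to the name autodiscover hands out.
    if cn is None or cn.lower() != host:
        problems.append(f"CN {cn!r} does not match principal name {host!r}")
    if host not in [s.lower() for s in sans]:
        problems.append(f"{host!r} is missing from the SAN list")
    # Condition raised earlier in the thread: first SAN should match the CN.
    if sans and cn and sans[0].lower() != cn.lower():
        problems.append(f"first SAN {sans[0]!r} differs from CN {cn!r}")
    return problems

BEFORE = {  # constructed: certificate as first described
    "subject": ((("commonName", "gordo.sales.corp1.com"),),),
    "subjectAltName": (("DNS", "gordo"), ("DNS", "gordo.sales.corp1.com"),
                       ("DNS", "mymail.corp1.com"),
                       ("DNS", "autodiscover.corp1.com")),
}
AFTER = {  # constructed: certificate after the reissue
    "subject": ((("commonName", "mymail.corp1.com"),),),
    "subjectAltName": (("DNS", "mymail.corp1.com"), ("DNS", "gordo"),
                       ("DNS", "gordo.sales.corp1.com"),
                       ("DNS", "autodiscover.corp1.com")),
}

if __name__ == "__main__":
    for label, cert in (("before", BEFORE), ("after", AFTER)):
        issues = check_msstd(cert, "msstd:mymail.corp1.com")
        print(label, "->", issues or "names line up")
```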

Good to hear it resolved the issue. Just out of curiosity, did you find any references on why to use the server NetBIOS name in the SAN field? I have done this the last few times when installing the certs in Exchange 2007, and I am pretty sure that I have read that one of the functions, such as Outlook 2007 connecting to the availability services, connects using an HTTPS connection to the server's NetBIOS name. When a colleague asked me why use the NetBIOS name, I could not find any justifications to use it though. Cheers, Rhys
August 22nd, 2007 6:46am

Hmm, it was in the TechNet article I read for how to create the SAN cert. I don't think it's needed except so users on the internal LAN can get to http://NETBIOSNAME/owa; at least that was the impression I was under. I didn't see anything that said it had to be there though.
August 23rd, 2007 3:19am

This topic is archived. No further replies will be accepted.
