Outlook 365 finds the account through autodiscover without any problems, but warns about "Target Principal name is incorrect" (CN=eposthub.de) when adding an account like anything@nabil-redmann.de

As I understand it, the newest Outlook versions support SAN-Certificates (alternate domain names).

My setup contains:

  1. Windows Server 2008 R2 w/ IIS 7.5
  2. hMailServer (IMAP, SMTP)
  3. SSL-SAN-Certificate
    1. CN=eposthub.de.
    2. DNS-Name=smtp.nabil-redmann.de
    3. DNS-Name=imap.nabil-redmann.de
    4. DNS-Name=autodiscover.nabil-redmann.de
  4. https://autodiscover.nabil-redmann.de/autodiscover/autodiscover.xml

My ideas for a solution:

Q1: What can I do to make the alternate domain names be looked up (without having to touch the client system)?

Q1.2: ... with touching the client system?

Q2: Is there an Autodiscover.xml tag to make it accept a principal name?

Q3: What else did I miss?

From testconnectivity.microsoft.com, only 1 warning:

Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the 
Root Certificate Update functionality from Windows Update. Your certificate may not 
be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

What does that mean?

BananaAcid
  • Windows Server 2007, cool, a new OS... please specify if Exchange 2007 you mean – yagmoth555 Jun 21 '16 at 19:43
  • I think you'll need to add at least one SAN to your cert along with DNS that has a host name of some kind before the domain name (i.e., I don't think you can use just the domain name as an autodiscover host name). For example, you may have to add a DNS entry for autodiscover.eposthub.de and add that as a SAN on the UC cert. Also this is a great tool for troubleshooting Autodiscover and ActiveSync: https://testconnectivity.microsoft.com/ – Todd Wilcox Jun 21 '16 at 20:42
  • Sorry, fixed that stupid mistake about the Windows version. @Todd Wilcox: if you check the cert out on the https URL and look at what the browser says ('DNS-Name' is a SAN entry, as I believe) - it works with all listed domains, in the browser at least. And testconnectivity is not really complaining. – BananaAcid Jun 22 '16 at 03:51

0 Answers