
I am currently running an Exchange 2013 server (15.0 1178.4) with multiple accepted domains and the issue is that I have one SSL certificate installed which is valid but there is only the primary domain with the autodiscover and mail names listed in it.

Therefore I experience Outlook SSL warnings that the autodiscover.domain.tld is not listed in the certificate.

I have already tried multiple things, such as using the SRV DNS record method, which looks like this:

_autodiscover._tcp 300 SRV 10 0 443 ex13.primary-domain.tld.
_autodiscover._tcp 300 SRV 0 5 443 ex13.primary-domain.tld.
autodiscover.domain.tld CNAME ex13.primary-domain.tld.

Those records make it possible for Outlook to determine all of the settings but after setting an account up and having it running for a few minutes there is a popup which shows the SSL warning as stated above.

Since I have about 30 domains running on it and I don't really want to get a SAN/MultiDomain certificate, I'd like to know if there is another solution for that.

Would the Let's Encrypt SAN feature maybe work for such a setup?

techraf
Kevin

1 Answer


SRV record or HTTP redirect is the way to go here.

For the SRV record, you need to ensure that Autodiscover.example.com does NOT resolve. That will mean checking there is no wildcard in the domain, the A record or CNAME doesn't exist etc. It is certainly possible to run a large number of domains on a single certificate, as long as you are aware of the limitations.

You also need to check the web hosts haven't got Autodiscover enabled, as the first thing Outlook checks is https://example.com/Autodiscover/Autodiscover.xml (i.e. the root of the domain), which can also get in the way.

HTTP redirect can sometimes be easier to implement. It will require a separate web site which then redirects to the HTTPS version. That is often used where for various reasons the wildcard cannot be removed from the domain.

Sembee
  • So this would mean that I need to remove the autodiscover CNAME record and implement an HTTP redirect system? (since some domains have wildcard A records to a webhost which would redirect the autodiscover record towards the webserver) – Kevin Nov 05 '16 at 19:22
  • Correct. If you cannot remove the wildcard then HTTP redirect is the best way to go without putting lots of domains on to the SSL certificate. It is designed for this exact scenario. – Sembee Nov 07 '16 at 16:38
  • What are the implications for mobile devices which may not respect/utilize the SRV records? – ewwhite Nov 19 '16 at 10:49
  • Manual setup. Unlike Outlook, Autodiscover is only used for the initial setup with mobile devices. If you aren't using an MDM to do the configuration for you, then manual instructions will be required. The only method that most mobile devices support is A record with associated name on the SSL certificate. However that is down to the mobile device vendor to support - not Microsoft. – Sembee Nov 20 '16 at 15:54
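The conditions the answer lists (no resolving autodiscover name for the SRV method, a redirect site when a wildcard cannot be removed, a root web site that answers HTTPS) can be checked per accepted domain with a simplified model of Outlook's probe order. This is an added example, not code from the question or the answer: the zone, server certificates, IP addresses and redirect targets are constructed, and the probe order (root HTTPS, autodiscover HTTPS, HTTP redirect, SRV) is the documented one for a non-domain-joined client.

```python
EXCHANGE_IP = "203.0.113.10"
# Constructed zone: owner -> {type: target}; a "*." owner is a wildcard record.
ZONE = {
    "ex13.primary-domain.tld": {"A": EXCHANGE_IP},
    "clean.tld": {"A": "198.51.100.8"},                            # web site at the apex
    "_autodiscover._tcp.clean.tld": {"SRV": "ex13.primary-domain.tld"},
    "autodiscover.cname.tld": {"CNAME": "ex13.primary-domain.tld"},  # the question's setup
    "_autodiscover._tcp.cname.tld": {"SRV": "ex13.primary-domain.tld"},
    "*.wild.tld": {"A": "198.51.100.8"},             # wildcard the web host requires
    "autodiscover.wild.tld": {"A": "198.51.100.9"},  # explicit A overrides the wildcard
}
# Constructed servers: IP -> names on the certificate served on 443 (None: no TLS listener).
SERVERS = {
    EXCHANGE_IP: {"ex13.primary-domain.tld", "autodiscover.primary-domain.tld"},
    "198.51.100.8": {"clean.tld"},  # shared web host, certificate for the site only
    "198.51.100.9": None,           # redirect site, plain HTTP only
}
HTTP_REDIRECTS = {"198.51.100.9": "ex13.primary-domain.tld"}  # constructed 302 target per host

def resolve(name, zone=ZONE):
    """Follow CNAMEs (bounded) and wildcards; return the final A target or None."""
    for _ in range(5):
        rec = zone.get(name) or zone.get("*." + name.partition(".")[2], {})
        if "CNAME" in rec:
            name = rec["CNAME"]
        else:
            return rec.get("A")
    return None

def cert_covers(host, names):  # RFC 6125 style: a leading '*' matches exactly one label
    return bool(names) and (host in names or "*." + host.partition(".")[2] in names)

def autodiscover_plan(domain):
    """Return (method, target, warnings); warnings are names whose certificate mismatch pops up."""
    warnings = []
    for host in (domain, "autodiscover." + domain):   # root first, then autodiscover.<domain>
        ip = resolve(host)
        if ip is None or SERVERS.get(ip) is None:
            continue                                  # no TLS listener: Outlook moves on silently
        if not cert_covers(host, SERVERS[ip]):
            warnings.append(host)                     # 443 answered with a foreign certificate
        elif ip == EXCHANGE_IP:                       # Exchange answered under a certified name
            return ("https", host, warnings)
    target = HTTP_REDIRECTS.get(resolve("autodiscover." + domain))
    if target and cert_covers(target, SERVERS.get(resolve(target))):
        return ("http-redirect", target, warnings)
    srv = ZONE.get("_autodiscover._tcp." + domain, {}).get("SRV")
    if srv and cert_covers(srv, SERVERS.get(resolve(srv))):
        return ("srv", srv, warnings)
    return ("none", None, warnings)
```

Running it over the three constructed domains shows the three situations from the thread: clean.tld is served by SRV with no warning, cname.tld gets its settings from SRV but first trips the certificate popup on the CNAME, and wild.tld reaches Exchange through the HTTP redirect because the redirect host has no TLS listener for the HTTPS probe to mismatch against.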