Exchange 2007 or 2010 SSL issue over HTTPS for non-domain clients
I recently came across a client who wasn’t happy with the Outlook Web Interface while accessing their e-mail from home and wanted to access it from Outlook as if they were in the office – not a problem at all with Exchange over HTTPS, right?
In this particular case an SSL certificate was purchased for mail.clients-domain-name.tld, which is fine, but for AutoDiscovery Outlook insists on using SSL and either clients-domain-name.tld OR autodiscover.clients-domain-name.tld to pull the AutoDiscover XML file from. But of course no SSL certificate exists for these two records (at least for me) so Outlook would pop up a dialog like so:
which I’m sure you would admit is extremely annoying every time you open Outlook. Anyhow, what we need to do is tell Outlook to use mail.clients-domain-name.tld for AutoDiscovery instead, but you can’t do this natively in Outlook as it’s hard-coded. There are a few options, which include purchasing a separate SSL certificate for autodiscover.clients-domain-name.tld, purchasing a wildcard SSL certificate (*.clients-domain-name.tld), setting up SRV records or using XML files on the client’s machine.
In my case purchasing new SSL certificates wasn’t viable due to cost implications. To use SRV records, create one with the service as _autodiscover, the protocol as TCP (_tcp), the port as 443 and the host as mail.clients-domain-name.tld – this is the easiest option and the one with the smallest footprint, but this wasn’t do-able for me as the client’s domain host (1and1) didn’t support SRV records, great!
The latter option, using XML files, is the method I used and it works really well:
- Open Outlook and click “yes” to the certificate warning
- Hold down CTRL, right click on the Outlook system-tray icon and select “Test E-Mail AutoConfiguration…”, enter your e-mail address and password and wait for it to complete. Once completed, copy everything in the “XML” tab into Notepad
- Save the file in \Program Files\Microsoft Office\Office12\OutlookAutoDiscover and give it the name of CLIENTS-DOMAIN-NAME.TLD.XML – make sure you upper case the domain name
- Open REGEDIT, browse to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover
- Add a new DWORD value called PreferLocalXML and give it a value of 1
- Add a new STRING value called clients-domain-name.tld (note lower case) and set it to the location of the above XML file: C:\PROGRA~1\MICROS~2\Office12\OUTLOO~1\CLIENTS-DOMAIN-NAME.TLD.XML
- Close Outlook and then re-open it, the certificate warning should have disappeared!
Obviously the XML solution could become problematic and hard to deploy if you have quite a few machines not on the domain and wanting to use Exchange over HTTPS – I would highly recommend using the SRV records as above.
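The XML-file steps above, scripted for one user profile, as an added example that is not part of the original post: it copies the saved XML into place and writes the two registry values, after listing any URL in the file that is not HTTPS on the host the certificate covers. The parameter names, the `-Strict` switch and the use of the long file path (instead of the 8.3 short path shown above) are assumptions of this example; writing under Program Files needs an elevated prompt, and `-TargetDir` must be adjusted if Office is installed elsewhere.

```powershell
# Added example (not the author's code). Parameter names and -Strict are hypothetical.
param(
    [Parameter(Mandatory=$true)] [string] $Domain,     # e.g. clients-domain-name.tld
    [Parameter(Mandatory=$true)] [string] $CertHost,   # e.g. mail.clients-domain-name.tld
    [Parameter(Mandatory=$true)] [string] $SourceXml,  # XML saved from "Test E-Mail AutoConfiguration"
    [string] $TargetDir = "$env:ProgramFiles\Microsoft Office\Office12\OutlookAutoDiscover",
    [switch] $Strict                                   # treat URL mismatches as fatal
)
$ErrorActionPreference = 'Stop'

# Parse first, so a truncated or malformed copy/paste fails here and is never pinned.
$xml = New-Object System.Xml.XmlDocument
$xml.Load((Resolve-Path $SourceXml).Path)

# Collect every URL in a leaf element that is not HTTPS on the certificate's host.
# Outlook will trust whatever this file says once PreferLocalXML is set.
$mismatch = foreach ($node in $xml.SelectNodes('//*[not(*)]')) {
    $text = $node.InnerText.Trim()
    if ($text -match '^https?://') {
        $uri = [Uri]$text
        if ($uri.Scheme -ne 'https' -or $uri.Host -ne $CertHost) {
            "$($node.LocalName): $text"
        }
    }
}
foreach ($m in $mismatch) { Write-Warning "Not on https://${CertHost}: $m" }
if ($mismatch -and $Strict) { throw "Refusing to deploy: $(@($mismatch).Count) URL(s) off-host." }

# Save the file under the upper-cased domain name, as in the manual steps.
$target = Join-Path $TargetDir ($Domain.ToUpper() + '.XML')
Copy-Item -Path $SourceXml -Destination $target -Force

# PreferLocalXML = 1 (DWORD) and <lower-case domain> = path to the XML (STRING).
$key = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\AutoDiscover'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'PreferLocalXML' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $key -Name $Domain.ToLower() -PropertyType String -Value $target -Force | Out-Null

Write-Output "Pinned $Domain to $target"
```

Warnings for internal server names in the XML are expected on some setups; review them before deciding whether to run with `-Strict`.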


