Exchange 2007 or 2010 SSL issue over HTTPS for non-domain clients

I recently came across a client who wasn’t happy with the Outlook Web Interface while accessing their e-mail from home and wanted to access it from Outlook as if they were in the office – not a problem at all with Exchange over HTTPS, right?


In this particular case an SSL certificate was purchased for mail.clients-domain-name.tld, which is fine, but AutoDiscover insists on using SSL and either clients-domain-name.tld or autodiscover.clients-domain-name.tld to pull the AutoDiscover XML file from. Of course no SSL certificate exists for those two names (at least in my case), so Outlook would pop up a certificate warning dialog (the screenshot from the original post is not reproduced here),

which I’m sure you would admit is extremely annoying every time you open Outlook. Anyhow, what we need to do is tell Outlook to use mail.clients-domain-name.tld for AutoDiscover instead, but you can’t do this natively in Outlook as the lookup names are hard-coded. There are a few options, which include purchasing a separate SSL certificate for autodiscover.clients-domain-name.tld, purchasing a wildcard SSL certificate (*.clients-domain-name.tld), setting up SRV records, or using XML files on the client’s machine.

In my case purchasing new SSL certificates wasn’t viable due to the cost. To use an SRV record, create one with the service _autodiscover, protocol _tcp, port 443 and the host mail.clients-domain-name.tld – this is the easiest option and the one with the smallest footprint, but it wasn’t doable for me as the client’s DNS host (1and1) didn’t support SRV records, great!

NOTE

I should probably point out that SRV records are only supported in Outlook 2007.

The latter option, using XML files, is the method I used and it works really well:

  1. Open Outlook and click “Yes” on the certificate warning
  2. Hold down CTRL, right-click the Outlook system-tray icon and select “Test E-mail AutoConfiguration…”, enter your e-mail address and password and wait for it to complete. Once completed, copy everything in the “XML” tab into Notepad
  3. Save the file in \Program Files\Microsoft Office\Office12\OutlookAutoDiscover and name it CLIENTS-DOMAIN-NAME.TLD.XML – make sure the domain name is in upper case
  4. Open REGEDIT and browse to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover
    1. Add a new DWORD value called PreferLocalXML and set it to 1
    2. Add a new String value called clients-domain-name.tld (note the lower case) and set it to the path of the XML file above: C:\PROGRA~1\MICROS~2\Office12\OUTLOO~1\CLIENTS-DOMAIN-NAME.TLD.XML
  5. Close Outlook and re-open it; the certificate warning should have disappeared!
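Steps 3 and 4 above as a PowerShell script, added here as an example and not taken from the original post. It assumes the Outlook 2007 defaults (Office12 folder, 12.0 registry hive) and that the XML from step 2 has already been saved to disk; the parameter names are mine.

```powershell
# Added example: automates the XML copy and registry values from the steps above.
# Assumptions: Outlook 2007 (Office12 / 12.0); $XmlSource is the XML captured from
# "Test E-mail AutoConfiguration". On 64-bit Windows with 32-bit Office, pass
# -OfficeRoot ${env:ProgramFiles(x86)}.
param(
    [Parameter(Mandatory)] [string] $Domain,      # e.g. clients-domain-name.tld
    [Parameter(Mandatory)] [string] $XmlSource,   # path to the saved Autodiscover XML
    [string] $OfficeVersion = '12.0',             # registry hive: 12.0 = Outlook 2007, 14.0 = Outlook 2010
    [string] $OfficeFolder  = 'Office12',         # program folder for the same version
    [string] $OfficeRoot    = $env:ProgramFiles
)

$xmlDir  = Join-Path $OfficeRoot "Microsoft Office\$OfficeFolder\OutlookAutoDiscover"
$xmlDest = Join-Path $xmlDir ("{0}.XML" -f $Domain.ToUpperInvariant())   # file name must be upper case
$regKey  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover"

# Sanity check: refuse anything that is not an Autodiscover response, since Outlook
# will trust whatever server URLs this file lists once PreferLocalXML is set.
[xml]$doc = Get-Content -LiteralPath $XmlSource
if (-not $doc.Autodiscover) {
    throw "$XmlSource does not contain an <Autodiscover> root element"
}

New-Item -ItemType Directory -Path $xmlDir -Force | Out-Null
Copy-Item -LiteralPath $XmlSource -Destination $xmlDest -Force

# PreferLocalXML = 1 tells Outlook to consult the local file first; the per-domain
# String value (lower-case name, as in the post) points it at that file.
New-Item -Path $regKey -Force | Out-Null
New-ItemProperty -Path $regKey -Name 'PreferLocalXML' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $regKey -Name $Domain.ToLowerInvariant() -PropertyType String -Value $xmlDest -Force | Out-Null

Write-Host "Autodiscover for $Domain will be read from $xmlDest; restart Outlook to check the prompt is gone."
```

The file lands in a Program Files subfolder, so ordinary users cannot rewrite it; keep it that way, because the endpoints it names are used without any of the certificate checks that the prompt in the post was enforcing.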

Obviously the XML solution could become problematic and hard to deploy if you have quite a few machines that are not on the domain and want to use Exchange over HTTPS – in that case I would highly recommend using SRV records as above instead.


2 Responses to “Exchange 2007 or 2010 SSL issue over HTTPS for non-domain clients”

  1. Davo on March 20th, 2010

    Hey, thanks for this brilliant article… It will work a treat! I use heart internet and they now support SRV records. They have a brilliant white label hosting package too..

    I am using the SRV record and all seems correct according to https://www.testexchangeconnectivity.com/

    However, I still get the autodiscover.domainname.com certificate error. Can you suggest anything?

    Thanks
    David


    • Paul Price on March 20th, 2010

      Hi David. Personally, I haven’t tested the SRV method myself but it’s well documented here: http://support.microsoft.com/kb/940881

      One thing I did forget to mention in my post was for SRV records to work you need Outlook 2007+ – If you have 2007+ have you tried a DNS flush?

      Regards, Paul.
