The Autodiscover service, How it is being configured & The name of the security certificate is invalid or does not match the name of the site…

I recently run into issue where AutodiscoverVirtualDirectory internalUrl was set to specific URL in a good fate by trying to configure & troubleshoot Autodiscover service.
Everything you need to know is here in this white paper……..

• Understanding the Autodiscover Service
• http://technet.microsoft.com/en-us/library/bb124251.aspx

Now not to be confused the , if you run below cmdlet you will see the default is empty and there is no need to mess with these URL’s as they do not apply , configuring Autodiscover Service.

Get-AutodiscoverVirtualDirectory | fl *url*

For whatever reason you have if you want to fill these in this is what you would do

• Set-AutodiscoverVirtualDirectory  -InternalUrl
• Note just change the –InternalURL to –ExternalUrl to set the external one.

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -internalUrl 'https://autodiscover.SMTP25.gov/autodiscover/autodiscover.xml'

Okay what ever reason you did have and set these and did understand these are not the correct URL , here how you can set them back to normal $Null

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -internalUrl ($null)

*Note change the –IntenalUrl to –ExternalUrl

What you want to configure is this one

Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri

* Note as you can see the second server mail2 is showing up on the availability services URL which will cause problems if the certificate installed on the CAS server wont have this common name. Some people does not want to expose internal names to outside by publishing within the Certificate some people wont care. IMO this does not create any security risk at all but many places I worked with use common name in the certificate. This is why ( Split DNS scenarios) you  would set two A record in DNS and point to each CAS server ( assuming you have two) so that you would not see certificate name mismatch error.

Okay now hot to set the Autodiscover Service, I recommend reading the white paper first and getting good understanding how it works.
In a very common scenario this would be sample configuration……

• You are running in split DNS model ( split DNS means , your internal name space matches your external name space) in my Lab I do have split DNS and my internal name space is telnet25.org my external DNS name space is also telnet25.org
• You do have valid certificate , in this certificate you do have your common name, in my example I used mail.telnet25.org, and this is included into your certificate.
• You have installed the certificate correctly on your CAS server or servers
• You Set CAS array and did configure DNS to perform round robin , you most likely configured something like this RpcClientAccessServer=outlook.mycompany.com
• You read and understood how SCP works

Okay here are the samples showing how to configure the basic
Modify the Autodiscover URL in the Service Connection Point

Set-ClientAccessServer -Identity CAS01 -AutodiscoverServiceInternalUri https://webmail.smtp25.org/autodiscover/autodiscover.xml

*Note make sure fallowing is configured based on your scenario

• https://webmail.smtp25.org  ( Change this , according to your scenario)
• CAS01  ( Change this , according to your scenario)

***

Modify the InternalUrl attribute of the EWS Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" –InternalUrl https://webmail.smtp25.org/ews/exchange.asmx

***

Modify the InternalUrl attribute for Web-based Offline Address Book distribution Set-OABVirtualDirectory -Identity "CAS01\oab (Default Web Site)" -InternalUrl https://webmail.smtp25.org/oab

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +http://smtp25.blogspot.com/ (Blog )http://telnet25.spaces.live.com/ (Blog)http://telnet25.wordpress.com/ (Blog)