Symptoms

An SSL warning is shown during Autodiscover operations when setting up a mailbox via Outlook.

Cause

A certificate mismatch occurs when the Autodiscover site is accessed by the Outlook client. The Autodiscover redirect site should not have a certificate, for the following reason:

The Autodiscover redirect site shares the same IP address as the Default Web Site. This causes the preferred Autodiscover method (HTTPS) to succeed, bypassing the Autodiscover redirect site and going straight to the Autodiscover virtual directory on the Default Web Site via HTTPS, which is not the intended method according to the Hosted Exchange 2013 Deployment Guide. The correct behaviour is for Outlook to reach the Autodiscover redirect site only via HTTP and then be properly redirected to the Autodiscover virtual directory on the Default Web Site (see the redirect flow below).

Resolution

  1. Use a separate IP address for Autodiscover. It is bound to the Autodiscover redirect site with HTTP only and no HTTPS, so no SSL error can occur.

  2. The Autodiscover site should have a different host name (not exchange.provider.tld), because exchange.provider.tld resolves to the IP address used by OWA and other services.

A separate SSL certificate for Autodiscover.customerdomain.tld is not needed because the process works as follows:

  1. The client tries Autodiscover on the standard HTTPS URLs, https://<customer-domain>/Autodiscover/Autodiscover.xml and https://Autodiscover.<customer-domain>/Autodiscover/Autodiscover.xml. These fail because no connection can be established on port 443.

  2. The client tries the Autodiscover redirect on the HTTP URL http://Autodiscover.<customer-domain>/Autodiscover/Autodiscover.xml.

  3. The Autodiscover redirect site handles this request and redirects the client to the Exchange Autodiscover virtual directory on the Default Web Site: https://exchange.<provider-domain>/Autodiscover/Autodiscover.xml.

  4. The client contacts Autodiscover at the URL returned by the Autodiscover redirect.
  5. Exchange Autodiscover returns the result to the client.

In summary, the intended configuration is:

  1. The IP address used for OWA and other Exchange protocol services should be directed by the load balancer to the Default Web Site on the CAS servers and should allow HTTPS.

  2. The IP address used for Autodiscover should be directed by the load balancer to the Autodiscover redirect site and should not accept connections on port 443.
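The following Python check is an added example, not code from this article or from the Hosted Exchange Deployment Guide. For one customer domain it verifies the two conditions above: port 443 is closed on the Autodiscover host, and the plain HTTP request is answered with a redirect to the provider's Autodiscover URL. The host names customer.tld and exchange.provider.tld are assumed placeholders, and the probe functions are injectable so the logic can be exercised without network access.

```python
# Added example (not the article's or deployment guide's own code); host names are placeholders.
import socket
import urllib.error
import urllib.request

AUTODISCOVER_PATH = "/Autodiscover/Autodiscover.xml"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Return None so urllib surfaces the 3xx response instead of following it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def port_open(host, port=443, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def redirect_target(url, timeout=5.0):
    """Return (status, Location header) for url without following redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # the 3xx is raised as HTTPError
        return err.code, err.headers.get("Location")

def check_customer_domain(customer_domain, provider_host,
                          port_probe=port_open, fetch=redirect_target):
    """Run the checks matching the steps above; probes are injectable for tests."""
    ad_host = "autodiscover." + customer_domain
    expected = "https://" + provider_host + AUTODISCOVER_PATH
    # Port 443 must be closed on the Autodiscover IP: if it is open, Outlook
    # prefers HTTPS, reaches the Default Web Site and shows the SSL warning.
    https_closed = not port_probe(ad_host, 443)
    # The plain HTTP request must be answered with a redirect to the provider URL.
    status, location = fetch("http://" + ad_host + AUTODISCOVER_PATH)
    return {
        "https_closed": https_closed,
        "redirect_status_ok": status in (301, 302),
        "redirect_target_ok": (location or "").lower() == expected.lower(),
        "location": location,
    }

def all_ok(results):
    return all(results[k] for k in
               ("https_closed", "redirect_status_ok", "redirect_target_ok"))
```

Run `check_customer_domain("customer.tld", "exchange.provider.tld")` against a real deployment; a result where `https_closed` is False is exactly the misconfiguration described in the Cause section.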

Please refer to Hosted Exchange Deployment Guide for additional details.
