DNS SRV Records & Exchange

joel
Microsoft has a recent bug that triggered in XP SP3 and Vista SP1 that interferes with autodiscovery between Outlook 2007 and Exchange 2007. Specifically, the DNS CNAME record redirects the HTTPS request but the certificate (although it is correct) is not accepted. This has hit several of my clients. The domain that I'm focusing on the problem with is mlbrowncpa.com. The workaround I'm told is to remove the autodiscovery.mlbrowncpa.com CNAME record and use a SRV record instead, which would be this (the TTL may differ):

_autodiscover._tcp.mlbrowncpa.com. 86400 IN SRV 0 0 443 exch1.myoutlookonline.com.

The only problem is, how can I set these records up through H-Sphere? And until I test one, I'm not sure if the feature that redirects all invalid DNS names to the web server will interfere. If necessary, can that be disabled?

Thanks,
Joel
 
Update: one solution to the problem is to break autodiscover. This only eliminates the SSL certificate errors. This may not be an acceptable solution for everyone impacted by this bug, because without autodiscover manual configuration of the Outlook 2007 client is required in all cases.

Autodiscover can be made nonfunctional without an error message occurring by using a DNS A record to map the autodiscover.domain.com name to an address that generally cannot provide HTTPS service, such as 127.0.0.1 (replace "domain.com" with the real external domain name). Outlook will try the address, not get a response, and move on without a certificate error. The internal and external paths for Set-AutodiscoverVirtualDirectory in the Exchange 2007 Management Shell should be set to https://autodiscover.domain.com/autodiscover/autodiscover.xml.

Stephen told me that he is still doing some digging on the question of turning off the DNS mapping of all unregistered names to the web server, which is a requirement that must be met to try and fix the problem.
 
Joel,
One possible fix may be to go to your H-Sphere CP and remove the entry that looks like

* IN A IPADDRESS

That can fix the resolving of all unspecified subdomains/names.

It can have some side effects if you don't have a blank entry for the domain (like if someone typed http://domain.com without www), so just make sure there is a blank entry, but not a * wildcard.

Glad you bumped this as I'd thought about it but not put it together in a post yet :)
 
Stephen,

A support ticket was sufficient to get the DNS SRV record created. I also made sure that I had a www A record created for the website, and I removed the * A record. Outlook 2007 does use the SRV record now to redirect to the correct autodiscover site and accepts the SSL certificate (that was the original problem), and has a one-time dialog asking if you want to allow the redirection (There is a checkbox to stop the dialog from reappearing). Outlook 2007 then auto-configures itself properly from the site and connects to the Exchange server as expected.

So now we have a published way to break autodiscover and not get the bad SSL certificate messages, and we also have a published solution to actually get autodiscover pointed properly using an SRV record.

Thanks for your help, and I hope that this thread may help other people in the same situation.
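Added example (not code from the thread, from H-Sphere, or from Exchange): a small Python model of the DNS side of what the thread describes. It holds three constructed zones for mlbrowncpa.com (the original wildcard-plus-CNAME layout, the final SRV layout with the `*` record removed and `www` added, and the "break it quietly" 127.0.0.1 variant) and walks the Outlook 2007 lookup order (apex over HTTPS, then autodiscover.domain over HTTPS, then the SRV target; the HTTP-redirect step is omitted). The IP address 192.0.2.10 and the simplified wildcard semantics are assumptions; `shadowed_by_wildcard` is the check for Stephen's point that a `* IN A` record makes autodiscover.domain resolve to the web server before the SRV record is ever consulted.

```python
"""Toy model of the DNS side of the Outlook 2007 Autodiscover lookup.

Added example for this thread, not code from the posts, H-Sphere or Exchange.
Zones are constructed to mirror the records discussed (mlbrowncpa.com,
exch1.myoutlookonline.com); the web-server IP, the simplified wildcard rule
and the lookup order are assumptions for illustration.
"""

DOMAIN = "mlbrowncpa.com"
WEB_IP = "192.0.2.10"  # assumed web-server address (RFC 5737 documentation range)

# Zone layout: {(owner, rrtype): [rdata, ...]}; owner "@" is the apex and
# owner "*" is the H-Sphere style "* IN A IPADDRESS" wildcard.
ZONE_BEFORE = {  # wildcard present, autodiscover is a CNAME to hosted Exchange
    ("@", "A"): [WEB_IP],
    ("*", "A"): [WEB_IP],
    ("autodiscover", "CNAME"): ["exch1.myoutlookonline.com."],
}
ZONE_SRV = {  # the fix from the thread: no wildcard, explicit www, SRV record
    ("@", "A"): [WEB_IP],
    ("www", "A"): [WEB_IP],
    ("_autodiscover._tcp", "SRV"): ["0 0 443 exch1.myoutlookonline.com."],
}
ZONE_BROKEN = {  # the "break autodiscover quietly" variant: A record to loopback
    ("@", "A"): [WEB_IP],
    ("www", "A"): [WEB_IP],
    ("autodiscover", "A"): ["127.0.0.1"],
}


def lookup(zone, owner, rrtype):
    """Resolve (owner, rrtype) with simplified wildcard semantics.

    An exact match wins.  A name that has records of any type is not covered
    by the wildcard (real wildcards only answer for names that do not exist),
    and the apex is never covered.  Otherwise "*" records of the type apply.
    """
    if (owner, rrtype) in zone:
        return list(zone[(owner, rrtype)])
    if owner == "@" or any(o == owner for o, _ in zone):
        return []
    return list(zone.get(("*", rrtype), []))


def parse_srv(rdata):
    """Split SRV rdata "priority weight port target" into a tuple."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".")


def shadowed_by_wildcard(zone):
    """True when autodiscover.<domain> has no records of its own but the
    "*" wildcard would answer for it, so the client reaches the web server
    (and its certificate) before it ever gets to the SRV record."""
    has_own = any(o == "autodiscover" for o, _ in zone)
    return ("*", "A") in zone and not has_own


def autodiscover_candidates(zone):
    """Ordered endpoints a client following the Outlook 2007 sequence tries.

    Each entry is (method, url_host, port, resolves_to).  HTTPS attempts are
    made against the apex and autodiscover.<domain> only if the name resolves
    (CNAME target or A record); the SRV target comes last, lowest priority first.
    """
    steps = []
    for owner in ("@", "autodiscover"):
        host = DOMAIN if owner == "@" else f"{owner}.{DOMAIN}"
        answers = lookup(zone, owner, "CNAME") or lookup(zone, owner, "A")
        if answers:
            steps.append(("https", host, 443, answers[0].rstrip(".")))
    srv = sorted(lookup(zone, "_autodiscover._tcp", "SRV"),
                 key=lambda r: parse_srv(r)[0])
    for rdata in srv:
        _, _, port, target = parse_srv(rdata)
        steps.append(("srv", target, port, target))
    return steps


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("srv", ZONE_SRV),
                        ("broken", ZONE_BROKEN)):
        print(label, shadowed_by_wildcard(zone), autodiscover_candidates(zone))
```

With ZONE_SRV the autodiscover name does not resolve at all, so the client falls through to the SRV target on port 443, which is the behaviour Joel reports; add the `*` record back to that zone and `shadowed_by_wildcard` turns true, because autodiscover.mlbrowncpa.com now resolves to the web server and is tried over HTTPS ahead of the SRV step.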
 