SMBKitchen: Getting more confused

Next up is the certs….

(bear with me this is a work in process)

I am right now confused as to how to set the autodiscover values to get this to work nicely.  Bear with me while I work through this process.


  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.  In my case it’s https://Exchange/ecp
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New (the Add icon).
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
  5. Specify a name for this certificate and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

  7. Click Browse and specify an Exchange 2013 server to store the certificate on. The server you select should be the Internet-facing Exchange 2013 Client Access server. Click Next.
  8. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:

  • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show
  • If you configured the internal URLs to be, Outlook Web App (when accessed from the Internet) should show and Outlook Web App (when accessed from the Intranet) should show

At this point you pick the external URLs from the listing inside of the Cert wizard… so far so good…

(if you’ve been following along, I’ve switched my domain name to so I can actually have a true domain and purchase an actual SSL cert)

But right here is when I once again scratch my head

The autodiscover url value includes both the internal AND the external URL… which in SBS migrated domains includes .local.  SSL cert vendors are phasing out the ability to include .local in the SSL cert request so I’m not sure how this is going to work with cert vendors?

(right about here the one I’m getting stuck on is the entry that also wants to include autodiscover.internaldomain.local in the SSL cert request)

We know that up at our DNS provider we need to do this:

Remember we went up to our DNS provider and added an SRV record

And we add this to the SRV section

As an aside, if you are going to do this over and over again, I highly recommend automating this for the future; that’s a script to borrow for the future.

I think I need to do Set-ClientAccessServer -Identity NAMEOFMYEXCHANGESERVER -AutoDiscoverServiceInternalUri

in my case it’s Set-ClientAccessServer -Identity EXCHANGE -AutoDiscoverServiceInternalUri

and if you run this command to see if it worked right…. Get-AutoDiscoverVirtualDirectory

The result is blank for the 2013 version while showcasing your old Exchange 2007 entry (geez Microsoft can you make this PowerShell stuff more complicated?)

Instead you need to do Get-ClientAccessServer NAMEOFYOUREXCHANGESERVER | fl *InternalUri*

In my case

Get-ClientAccessServer EXCHANGE | fl *InternalUri*

Okay I think that worked…

Okay now let’s go back to where I was and see if what I think should be in the cert IS in the cert request.

Hmm still isn’t.  I think this external value shouldn’t be what it is… but instead should be my other value

And I’m not sure if I can just edit that value or what?

And based on this command

My autodiscover is failing.

Remember I’m doing two certs in this process  one will be my RWA the other all my exchange stuff on

...okay so I’m going to post in the partner forum as I’m really confused right now as to what (and how) I should set this autodiscover value to be to get it to work right.

Hang loose and bear with me.
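
A check for the problem described above (internal .local names ending up in the certificate request), as an added example that is not part of the original post: it flags names in a proposed request that a public CA is unlikely to issue for. The function name Test-CertRequestName, the example.com names and the suffix list are assumptions made for illustration; EXCHANGE and internaldomain.local follow the placeholders used in the post.

```powershell
# Added example, not from the original post. Runs in plain PowerShell 3.0+,
# no Exchange cmdlets needed. The suffix list is an illustrative,
# non-exhaustive assumption; a real check would use the public TLD list.
$InternalSuffixes = 'local','localhost','internal','lan','corp','home','test','invalid'

function Test-CertRequestName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Name
    )
    process {
        # Normalise: trim whitespace and a trailing root dot, compare lower-case
        $n      = $Name.Trim().TrimEnd('.').ToLowerInvariant()
        $labels = $n.Split('.')
        $ip     = $null
        $reason = $null

        if ([System.Net.IPAddress]::TryParse($n, [ref]$ip)) {
            $reason = 'IP address, not a DNS name'
        }
        elseif ($labels.Count -lt 2) {
            $reason = 'single-label (NetBIOS-style) name'
        }
        elseif ($InternalSuffixes -contains $labels[-1]) {
            $reason = "internal-only suffix .$($labels[-1])"
        }

        $ok = ($null -eq $reason)
        if ($ok) { $reason = 'ok' }
        [pscustomobject]@{ Name = $Name; PublicCA = $ok; Reason = $reason }
    }
}

# Constructed sample: the kind of name list the certificate wizard proposes
$requested = @(
    'mail.example.com',
    'autodiscover.example.com',
    'EXCHANGE',
    'exchange.internaldomain.local',
    'autodiscover.internaldomain.local'
)

$results = $requested | Test-CertRequestName
$results | Format-Table -AutoSize

# Names to take out of the request before it goes to a public CA
$results | Where-Object { -not $_.PublicCA } | Select-Object -ExpandProperty Name
```

Any name removed this way must also stop being the name clients are told to connect to, so compare the surviving list against the output of the Get-ClientAccessServer command shown above.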

2 Thoughts on “SMBKitchen: Getting more confused”

  1. Hey Susan

    I’ve been keeping an eye on your progress. Keep it up.

    Have you thought about a single, but multi-name certificate (SAN/UCC)?

    These days I pretty much do two names really. (or whatever you wish to be the primary)

    Then I configure Exchange to basically what is listed here. Not sure how it will work in 2013 though.

    Just means you don’t have to worry about 2 separate certificates and 2 separate expiries/renewals.

  2. Hi Susan,

    I think it’s supposed to be

    Hope that helps,

