From: United Kingdom
First off, I just want to say thanks to all you folks out there for writing all those wonderful life-saving articles. A special thanks to Tom for his insight and hard work.
Most of the time I have just been lurking around soaking up a lot of knowledge here. This time I'd like to share some frustration regarding Exchange 2007.
These days, when wildcard certs are getting so cheap, around $500 for a 3-year GoDaddy cert (seems that I cannot bind to UM service), I cannot understand why the Exchange 2007 documents do not more clearly specify all prereqs needed to make this work. They even state in an article that you're almost "home free" if using one. Of course I ended up struggling with the Autodiscover service not working with Outlook's wizard. If it wasn't for Lewinski's: Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.mydomain.com, I would probably still be banging my head against the wall. :)
I do still have some problems:
1 TS running WS 2003 x86 with Outlook 2007 SP1 installed works flawlessly, even when a user hits repair profile (a refresh to the Autodiscover service is made, reading the latest info). A GPO is set telling Outlook not to invoke the new profile wizard but to read the user's email from AD, all perfect.
1 TS running WS 2008 x64 with the exact same setup, joined to the same domain, Outlook 2007 SP1. On this server the wizard aborts on the last stage claiming it cannot connect to Exchange, presenting the dialog to enter the Exchange server name and an appropriate user name; the Exchange FQDN server name is there together with the =SMTP:email@example.com. Hitting check name gives the same error. If I enter the DC/GC name in the server field I do get names underlined when hitting check name, but after that still no connect. Checking the Autodiscover diagnostic log, everything looks fine: Configuration was generated for firstname.lastname@example.org.
I would appreciate it if anyone could shed some light on this.
Regarding the KCD auth, I think I've got it working. In addition to Jason Jones' comprehensive list, the clue is: Make sure the ISA server's computer object in AD has been delegated -> Trust this computer for delegation to specified services only -> use any authentication protocol -> service:http computer:yourCAS.fqdn.com
I forgot to mention that I have an equal namespace internally/externally with a split DNS.
Regards Henning S°ilen Senior Consultant Norway
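The delegation settings named in the post above can be read back from AD to confirm they were applied. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available, `ISA01` is a placeholder computer name, and `Test-KcdDelegation` is a hypothetical helper name.

```powershell
# Added example: audit the KCD settings on the ISA server's computer object.
# Assumptions: ActiveDirectory module present; 'ISA01' is a placeholder name;
# the SPN is built from the service/computer pair given in the post.
Import-Module ActiveDirectory

function Test-KcdDelegation {
    param(
        [Parameter(Mandatory = $true)] [string]   $ComputerName,
        [Parameter(Mandatory = $true)] [string[]] $ExpectedSpn
    )
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props

    # SPNs this computer may delegate to ("specified services only").
    $allowed = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $missing = @($ExpectedSpn | Where-Object { $allowed -notcontains $_ })
    $extra   = @($allowed | Where-Object { $ExpectedSpn -notcontains $_ })

    [pscustomobject]@{
        Computer           = $c.Name
        # True would mean "trust for delegation to any service" (unconstrained).
        Unconstrained      = [bool]$c.TrustedForDelegation
        # True corresponds to "use any authentication protocol".
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation
        MissingSpn         = $missing
        # Not a failure by itself, but every entry here should be accounted for.
        UnexpectedSpn      = $extra
        Ok                 = (-not $c.TrustedForDelegation) -and
                             [bool]$c.TrustedToAuthForDelegation -and
                             ($missing.Count -eq 0)
    }
}

Test-KcdDelegation -ComputerName 'ISA01' -ExpectedSpn 'http/yourCAS.fqdn.com'
```

Any entry under UnexpectedSpn is a service the ISA server can impersonate users to, so the list is worth keeping as short as the publishing rules require.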
Just had a chance to retest this with a recent customer deployment and I can confirm that the 'Set-OutlookProvider -identity EXPR -CertPrincipalName msstd:*.mydomain.com' command does in fact fix the issues I have seen with using the Outlook 2007 account setup wizard - hurrah!
I think that I missed the IIS restart step on the CAS servers last time I was testing, but I added this step this time around.
Thank you very much for this additional Exchange setting, as it makes the entire solution completely seamless and I can now use the same solution for customers who use individual or wildcard certs on ISA for the autodiscovery listener.
I plan to update my blog with a new addendum to the old article to specifically cover the different steps needed when using a wildcard cert on ISA. I will also add the other elements you mentioned in your blog comments.
The nice thing is that I now fully understand why this additional Exchange setting is necessary and it all falls into place...