Exchange Autodiscover over EWS and MAPI in multi tenancy setup

Question

my setup: Exchange 2016 with multiple domains configured.
My problem:
I configured a http redirect for autodiscover:
autodiscover.example.org redirect to https://autodiscover.foo.org/autodiscover/autodiscover.xml
EWS and Active Sync Clients can connect without problem, but Windows Outlooks (Mapi over HTTP) give me a certificate error (because the redirect webserver has certificate installed).

So my workaround was to create a SRV record:
_autodiscover._tcp.example.org to 0 0 443 autodiscover.foo.org

Now Windows Outlooks (Mapi over HTTP) can access without certificate problems, but EWS and Autodiscover throw a certificate error.

Hoe can I solve this stupidity???

Answer 1

The site which the clients hit for Autodiscover - so Autodiscover.example.com MUST NOT have HTTPS enabled on it. It needs to be a separate site which is using http only. Due to the way that HTTPS is bound, that means a dedicated IP address externally and internally, so that https://autodiscover.example.com/ does not work.

You will not need to have an SRV record.

The SRV record is almost the last method tried by the client, so if the earlier ones work (even incorrectly) you will get an SSL prompt.