MM&M UG UK

(Nathan - you might want to move the last few mails of this thread somewhere else now we're into AutoDiscover)

Wes, interesting setup, and I'm guessing you might be doing this because your clients aren't domain joined?

Because here's the way it works - for a domain joined client first.

1. The client queries AD for a ServiceConnectionPoint - each CAS registers one when it first gets installed, together with the URL it makes the autodiscover service available on. Default is the FQDN of the server. It also registers the AD site it is in. When you change the InternalURL you are changing the location the SCP points to. Changing site membership (ad) does not update the SCP.

2. The SCP returns a URL - the client connects, and ignores cert name mismatches, becasue the url came from AD and is trusted. (Look at the log tab in test email autoconfiguration - you will see it says it found url x.y.z via SCP)

3. Set up like this - It just works.

Having the InternalURL on the CAS's set correctly is key for domain joined clients. If you want to play around with AD sites (Outlook gets all the results back from the SCP and puts those in it's own AD site to the top) then look at the keywords attribute on the SCP. The SCP for each cas is in the config partition, exchange, servers, protocols (missed out lots of detail there - if you don't know what the paths are you probably shouldn't be playing with adsiedit.. )

Non domain joined clients don't use SCP - they do the sequence of url's you describe. But what you can do is issue a cert with a subject alternative name that matches the internalurl - then no cert mismatch issues, and no redirection required.

I'm going to write an article for ehlo on this in a couple of months detailing exactly how it works.

Greg

Hi Greg,

So in summary, for joined domain clients (which is tha fact in my Citrix based hosting env) you do not need the autodiscover record in your DNS, because the SCP is returned from AD.

For a non domain client, the autodiscover service tries the URLs as discussed. How does the client constructs the domainpart of the URL ? Is this determined by the PC properties (domain membership) or the user properties (UPN) or non of the above ? I guess for my scenario the autodiscover service is not needed externally, since I have only the requirement that customers use Outlook and in fact I have totally no control of the PC they working with or the Windows Users name they have. I do not even want to care about those =)

BR,

Ronald

You do not need an autodiscover A record for internal clients to work properly. They query AD for the SCP and use that URL - they won't fail over to DNS if they can't find it.

For a non domain client the bit after the user's @ is used for the domain name part. Which can be a challenge, you need to add an autodiscover A record to that zone.

I have filed a change request with the Outlook product group to ask them to also try a url constructed from the FQDN used for Outlook Anywhere as well, but no idea if that will be taken up.

Greg

hi greg, actually i had it set up the way you suggest originally (we also are a hosted citrix environment, so our citrix server are domain members).  however outlook 2007 DOES throw a cert mismatch error (at least in my farm it does) -- which is why I switched to pointing everything to a single url -- i find it simpler this way as well instead of worrying about multiple urls.

Greg T [MSFT]:

For a non domain client the bit after the user's @ is used for the domain name part. Which can be a challenge, you need to add an autodiscover A record to that zone.

For non domain clients it uses the domain name part of the user... Sounds a bit contradictionairy or not ? For me the autodiscover service is of no use, since we promote that every PC with Outlook 2007 (in other domains without Exchange or workgroup setups) can make use of our service.

Something completely else, I have a hosted setup running now with Exchange 2003 and to add disclaimers for different cusomters I used the transport event sinks. I wrote a piece of code that checked with an on arrival event the sender user name, from there it got the part after the @ to determine which customer sended it and from there I could add a disclaimer to the message. I wrote it in such a way, that it used a litte import file to add as a disclaimer. Of course the customers could edit their own disclaimers and any modification worked right away. Is there a way this can be done in Exchange 2007 ? I saw a little piece of cmdlet for it, but this was just adding a plain and simple line.

All ideas welcome =)

 

Quoting myself =)...

Topski:

Something completely else, I have a hosted setup running now with Exchange 2003 and to add disclaimers for different cusomters I used the transport event sinks. I wrote a piece of code that checked with an on arrival event the sender user name, from there it got the part after the @ to determine which customer sended it and from there I could add a disclaimer to the message. I wrote it in such a way, that it used a litte import file to add as a disclaimer. Of course the customers could edit their own disclaimers and any modification worked right away. Is there a way this can be done in Exchange 2007 ? I saw a little piece of cmdlet for it, but this was just adding a plain and simple line.

You can bind all kind of actions on the ex2k3 event sinks, simply by linking a VBS script to an event. This is very flexible, you can take customer actions on all kind of events and even based on content of messages etc. How is this embedded in ex2k7 ?

"For non domain clients it uses the domain name part of the user..." - let me re-phrase that to - "For non domain clients it uses the domain name part of the users email address ...  for example, greg@company.com - it searches autodiscover.company.com then company.com/autodiscover, and so on.

Every pc in the world, domain or workgroup joined can use Outlook 2007 and AutoDiscover. If you a hoster and when you create their domain, create an A record for autodiscover in that zone pointing to your http autodiscover site then it works, no scripts, no user config, just the users email address and password. They get one redirect warning and then they are done. Profile configured.

Back to Wes's post about it not working in a Citrix environment - I'll check into that for you Wes, it should work - but before I do, can you confirm you are using RTM Exchange and Outlook - only reason I ask, is the code for ignoring cert mistmatches came late in the dev cycle.

And back to Ronald, disclaimers - E2007 Transport Rules will do what you need. A simple GUI, users from @xyz.com get the following, users from @abc.com get another. Easy - check out the online help for 2007, or just look in the Org Settings, Transport Rules section of the GUI and try to create one. Unless I've misunderstood what you are trying to achieve I think it might work.

Greg

Greg T [MSFT]:

"For non domain clients it uses the domain name part of the user..." - let me re-phrase that to - "For non domain clients it uses the domain name part of the users email address ...  for example, greg@company.com - it searches autodiscover.company.com then company.com/autodiscover, and so on.

Every pc in the world, domain or workgroup joined can use Outlook 2007 and AutoDiscover. If you a hoster and when you create their domain, create an A record for autodiscover in that zone pointing to your http autodiscover site then it works, no scripts, no user config, just the users email address and password. They get one redirect warning and then they are done. Profile configured.

Hmm, maybe I am missing something, but how knows Outlook what your email address is when your profile is not even configured ? As far as I can understand the only thing Outlook can possibly know about is your Windows account and your PC name (when I have a PC installed from scratch).

I will have a look at the Transpor rules, can you also fire VBS scripts in there ?

Cheerz ! and thanks for all comments

Hi Wes,

I am still struggling with the OAB stuff. How is the OAB filled ? Do you need to include an address list (is it empty otherwise) ? Problem is that I cannot hide the address lists itself. I tried with ADSIEdit to remove the authenticated users and rights per customer (like we did for the GAL). But I get Bookmark is not valid on the lists the user is not allowed to see and it sees of course the correct address list where the user is a member from. I checked for a list objet right orso, but could not find it.

How did you manage ?

BR,

Ronald

basically, you need to create an address list that is analogous to each GAL that you have, and set permissions on them the same way you do with the GALs.  then you need to create an OAB for each address list, and add that address list to its OAB (and on each OAB uncheck the box to use the default GAL if you haven't already).  Then using adsiedit, set the permissions on each OAB the way you did for the GALs and ALs.

also, using adsiedit, i removed all permissions for authenticated users from the All Address Lists containers -- this prevents one hosted group from seeing the ALs for other hosted groups in the drop down list.

When you start Outlook 2007 and are not domain joined, it will ask for your email address and password. That's what it uses to search for autodiscover information.

Greg

wlazara:

also, using adsiedit, i removed all permissions for authenticated users from the All Address Lists containers -- this prevents one hosted group from seeing the ALs for other hosted groups in the drop down list.

Right, this container is not very usefull anyway. Got it working. BTW, can you create your own address list in the root container ?

Greg T [MSFT]:

When you start Outlook 2007 and are not domain joined, it will ask for your email address and password. That's what it uses to search for autodiscover information.

Greg

Thanks, explains it all.

Another thing I am not sure about, in Ex2k3 I use a Virtual SMTP server for each inbound email domain. On my ISA box I run a SMTP service (IIS) and based on the domain, the messages are forwarded to a vSMTP server specific for that domain. With MetaEdit I set the default domain of the vSMTP server to the specific SMTP domain it is responsible for.

The benefits are that when a message cannot be delivered (ie recipient unknown) the sender gets an NDR with the SMTP domain belonging to the specific customer. For every customer I also created a 'postmaster' mailbox (could be a public folder), where for instance copies of NDRs are delivered. So also in this respect, the customer has a complete transparent experience of a local Email system.

How can this be done in Ex2k7 ?

Hi Nathan or Greg or Wes,

Any of you still watching this thread ??

BR,

Ronald