Wednesday, October 29, 2008

More on Autodiscover, for Windows Mobile and Gotchas with Certificates

A previous post introduced and explained how Autodiscover works in SBS 2008.  Today I want to dive a little deeper into the gotchas to be wary of when using self-issued certificates, and talk about what you need to do with Windows Mobile to make this work as well.

Self-Issued Certificates

First of all, make sure you understand the self-issued certificate, and how it differs from a trusted certificate for web traffic.  If you can swing it, with today’s SSL prices for a simple SSL cert, it’s far better to spend the money on a trusted certificate than to fight with your free self-issued certificate.

If you must use the self-issued certificate, any domain-joined client computers or laptops will automatically get the self-issued certificate through Group Policy.  Remote or non-domain-joined computers will not get the certificate automatically, and you will need to manually install the root certificate on these computers. SBS 2008 provides a great tool to do this automatically (this tool is not designed for the iPhone).

For Outlook Anywhere and Autodiscover to function correctly, you must either install the self-issued root certificate on the client or install a trusted certificate on the server. Only then can you successfully configure Outlook Anywhere using the Autodiscover feature.

Windows Mobile

Windows Mobile runs into much the same pitfalls as Outlook with a self-issued certificate.  Remember, the certificate is used to verify the identity of the server to the client computer or mobile device, much like your driver’s license validates you are who you say you are when getting on a plane.  If your server is configured to use a self-issued certificate and the device does not have the root certificate installed, the device will refuse to talk to the server, because the SSL chain is not trusted.

To recap here:

  1. Purchase and install a trusted certificate on the server before setting up Outlook Anywhere or any Windows Mobile/iPhone-type devices, OR
  2. Install the self-issued root certificate on remote clients or Windows Mobile devices before you connect the PC or device to the server
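
The trust failure described above can be reproduced offline. The following is an added example, not part of the original post and not the SBS 2008 tool: it uses the OpenSSL command line to build a constructed self-issued root CA and a site certificate (the name remote.example.test and the function names are assumptions), then validates the site certificate as a client would, before and after the root is supplied as trusted.

```shell
#!/bin/sh
# Constructed demo: all names, keys and certificates are generated locally.
# Requires the openssl command-line tool.

make_demo_pki() {  # $1 = empty working directory
    dir=$1
    # Minimal config so the root carries CA:TRUE on any OpenSSL version.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Self-Issued Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-issued root CA, standing in for the one the server created.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1 || return 1
    # Key and signing request for the site the clients connect to.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=remote.example.test" \
        -keyout "$dir/site.key" -out "$dir/site.csr" >/dev/null 2>&1 || return 1
    # The root CA signs the site certificate.
    openssl x509 -req -in "$dir/site.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 30 \
        -out "$dir/site.crt" >/dev/null 2>&1 || return 1
}

# Succeeds only if the certificate chains to a root the client trusts.
# $1 = site certificate, $2 = optional extra trusted root (the "installed" one)
client_trusts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1   # default trust store only
    fi
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
client_trusts "$demo/site.crt" \
    && echo "before install: trusted" || echo "before install: chain NOT trusted"
client_trusts "$demo/site.crt" "$demo/root.crt" \
    && echo "after install:  trusted" || echo "after install:  chain NOT trusted"
rm -rf "$demo"
```

Only the root certificate is handed to the client; the root's private key never leaves the server side.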