Solved
Exchange 2010 CAS/HUB SSL Proper Configuration

Posted on 2010-09-09
Last Modified: 2012-06-27
Hi All,

Just got done installing Exchange 2010 in a Windows 2003 and Exchange 2003 domain.

Tested mail flow, OWA, and mailbox moves and all is OK... though I ran into one issue.

When connecting Outlook 2007/2010 locally to a test mailbox on the Exchange 2010 server, I get prompted with the SSL cert error message about a non-matching CN for "Exchgate.company.local"... I get this about 2-3 times in a span of a few minutes, and after clicking "Yes," I can resume functionality, but sending/receiving emails is intermittent and often I have to click Send/Receive to get/send emails... I'm almost 90% sure it has to do with the SSL config for Exchange 2010.


Current setup:

CAS/HUB role on server: ExchGateway.company.local (192.x.x.7)
I have internal DNS configured for the above in a split DNS config: Email.Company.com (OWA), AutoDiscover.Company.Com, and Outlook.Company.com (for Outlook Anywhere), all pointing to ==> (192.x.x.7)
SSL UCC cert was applied on Exchange 2010 for the above X.company.com CNs.

So when I point Outlook to any of the above 3 server names for the Exchange server and click "Check Name", it changes to "ExchGateway.company.local", which I imagine is correct since it's the CAS/HUB server.

So what did I do wrong or not do?

So I'm pretty sure I need to do something via Exchange PowerShell... Help!!!
Question by:jetli87

51 Comments
LVL 32

Accepted Solution

by:
endital1097 earned 1600 total points
ID: 33642821
my favorite...
get the domain names on your certificate
Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*

get the urls used by exchange web services
Get-WebServicesVirtualDirectory | fl *URL

get the autodiscover url
get-ClientAccessServer | fl *URI

Your certificate domain names should cover all FQDN values you see; otherwise you need to update the settings.
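The checks listed in the accepted answer, together with the Outlook Anywhere and OAB lookups that later comments add, can be run as one script. The following is an added example and not code from this thread or from its posters; it assumes the Exchange 2010 Management Shell on a CAS, and the $Server value is a placeholder to replace with the CAS/HUB name. It collects every hostname the CAS advertises to clients and reports which ones are not in the CertificateDomains of the certificate enabled for IIS; it also handles single-label wildcard names, which goes slightly beyond the comparison by eye described in the comment.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell, run on a CAS.
# $Server is a placeholder: replace it with the CAS/HUB server name.
param([string]$Server = "CAS-PLACEHOLDER")

# Host part of a URL, lower-cased; $null for an empty URL
function Get-UrlHost {
    param([string]$Url)
    if ([string]::IsNullOrEmpty($Url)) { return $null }
    return ([System.Uri]$Url).Host.ToLower()
}

# True when the host is listed on the certificate directly or matched by a
# wildcard such as *.company.com (a wildcard covers exactly one label)
function Test-NameCovered {
    param([string]$Hostname, [string[]]$CertNames)
    if ([string]::IsNullOrEmpty($Hostname)) { return $false }
    foreach ($name in $CertNames) {
        $name = $name.ToLower()
        if ($name -eq $Hostname) { return $true }
        if ($name.StartsWith("*.")) {
            $suffix = $name.Substring(1)                      # ".company.com"
            if ($Hostname.EndsWith($suffix)) {
                $label = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains(".")) { return $true }
            }
        }
    }
    return $false
}

# One record per advertised name; $null when the URL is not set
function New-NameRecord {
    param([string]$Source, [string]$Hostname)
    if ([string]::IsNullOrEmpty($Hostname)) { return $null }
    $rec = New-Object PSObject
    $rec | Add-Member NoteProperty Source   $Source
    $rec | Add-Member NoteProperty Hostname $Hostname
    return $rec
}

# Every hostname this CAS hands to clients: the virtual directories, the
# Autodiscover SCP URI and the Outlook Anywhere external host name
function Get-ClientFacingNames {
    param([string]$Server)
    $records = @()
    $vdirs = @(
        @{ Label = "EWS";        Items = @(Get-WebServicesVirtualDirectory -Server $Server) },
        @{ Label = "OAB";        Items = @(Get-OabVirtualDirectory        -Server $Server) },
        @{ Label = "OWA";        Items = @(Get-OwaVirtualDirectory        -Server $Server) },
        @{ Label = "ECP";        Items = @(Get-EcpVirtualDirectory        -Server $Server) },
        @{ Label = "ActiveSync"; Items = @(Get-ActiveSyncVirtualDirectory -Server $Server) }
    )
    foreach ($vd in $vdirs) {
        foreach ($item in $vd.Items) {
            $records += New-NameRecord "$($vd.Label) InternalUrl" (Get-UrlHost $item.InternalUrl)
            $records += New-NameRecord "$($vd.Label) ExternalUrl" (Get-UrlHost $item.ExternalUrl)
        }
    }
    $cas = Get-ClientAccessServer -Identity $Server
    $records += New-NameRecord "Autodiscover SCP" (Get-UrlHost $cas.AutoDiscoverServiceInternalUri)
    foreach ($oa in @(Get-OutlookAnywhere -Server $Server)) {
        $records += New-NameRecord "Outlook Anywhere ExternalHostname" ([string]$oa.ExternalHostname).ToLower()
    }
    return @($records | Where-Object { $_ -ne $null })
}

# Compare every advertised name with the certificate enabled for IIS
function Test-CertificateCoverage {
    param([string]$Server)
    $cert = Get-ExchangeCertificate -Server $Server |
            Where-Object { $_.Services.ToString().Contains("IIS") } |
            Select-Object -First 1
    if ($cert -eq $null) { throw "No certificate is enabled for IIS on $Server" }
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    $results = @()
    foreach ($rec in Get-ClientFacingNames -Server $Server) {
        $results += ($rec | Add-Member NoteProperty Covered (Test-NameCovered $rec.Hostname $certNames) -PassThru)
    }
    $results | Format-Table Source, Hostname, Covered -AutoSize | Out-Host

    $missing = @($results | Where-Object { -not $_.Covered })
    if ($missing.Count -eq 0) {
        Write-Host "All advertised names are on the IIS certificate (thumbprint $($cert.Thumbprint))."
    } else {
        Write-Warning ("{0} name(s) are not on the certificate: change the URL or reissue the cert." -f $missing.Count)
    }
    return $missing
}

Test-CertificateCoverage -Server $Server
```

Any row reported as not covered is a name Outlook or a mobile client will be told to use and then fail certificate validation on; the fix is either the matching Set-*VirtualDirectory / Set-ClientAccessServer / Set-OutlookAnywhere cmdlet to change the URL, or a certificate that lists the name.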
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642903
endital's got it.... I think.

PS: did you buy a UCC/SAN cert and add the 4 names?

mail.domain.com
autodiscover.domain.com
mailservername.domain.local
mailservername

Also, please output the results of Jim's cmdlets from above.
 
LVL 1

Author Comment

by:jetli87
ID: 33642909
Hi All,

Yes, I did buy a UCC cert.

Actually, I found this link and I'm testing it; it seems to have solved the issue:

http://support.microsoft.com/kb/940726
 
LVL 32

Expert Comment

by:endital1097
ID: 33642913
Remember, with 2010 your client always connects to the CAS server, so this is expected behavior.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642915
That's what endital was aiming for.

Please post back if you face any issues.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642920
Still, please post back the output of the cmdlets, so that we can verify if everything is in order.

http:#33642821
 
LVL 1

Author Comment

by:jetli87
ID: 33642936
Below is the output after using the commands in the MS KB to set URLs.
[PS] C:\Windows\system32>Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*


CertificateDomains                                          CertificateRequest
------------------                                          ------------------
{Email.company.com, www.Email.company...


[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url


InternalNLBBypassUrl : https://email.company.com/ews/exchange.asmx
InternalUrl          : https://email.company.com/ews/exchange.asmx
ExternalUrl          : https://email.company.com/ews/exchange.asmx



[PS] C:\Windows\system32>get-clientaccessSErver | fl *uri


AutoDiscoverServiceInternalUri : https://email.company.com/autodiscover/autodiscover.xml

 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 1600 total points
ID: 33642949
one more, sorry
get-outlookanywhere | fl external*

Those provided all look good.
This one is going to be .local.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642955
I hope you have an internal DNS entry for email.company.com pointing to the local IP of your Exchange server?
 
LVL 1

Author Comment

by:jetli87
ID: 33642969
endital,

The return is below:
ExternalHostname : outlook.company.com
 
LVL 1

Author Comment

by:jetli87
ID: 33642973
sunnyc,

Yes, internal DNS for email.company.com ==> 192.x.x.7 (CAS/HUB Exchange server)

External:  email.company.com ==> 74.x.x.x ==> 192.x.x.7
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642975
 
LVL 32

Expert Comment

by:endital1097
ID: 33642981
Run the following to have it match your cert:
set-outlookanywhere -externalhostname email.company.com

You may need to update your Outlook profile.
 
LVL 1

Author Comment

by:jetli87
ID: 33642983
I'm using outlook.company.com for Outlook Anywhere.

I have external DNS:  outlook.company.com ==> 74.x.x.x ==> 192.x.x.7
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642986
That's good @ internal DNS.

Your settings are OK for Autodiscover / SCPs and UCC/SANs.
 
LVL 32

Expert Comment

by:endital1097
ID: 33642992
Does outlook.company.com appear in the certificate domain names?
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 1600 total points
ID: 33642994
You may also want to run the following for verification:
get-oabvirtualdirectory | fl *URL
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33642995
If you have external DNS for outlook.company.com, then everything looks OK.

Are you using that for RPC/HTTPS, or do you have another DNS entry for autodiscover.company.com?

Time to test.

Test for Outlook Anywhere / Autodiscover here.
Test it using SSL.

www.testexchangeconnectivity.com/
 
LVL 1

Author Comment

by:jetli87
ID: 33642998
endital,

Yes... my UCC cert has:

email.company.com
outlook.company.com
autodiscover.company.com
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33643001
I think you have got it covered; the only missing piece was the SCP.

Please run the tests and let us know the result. It should pass for both.
Use a non administrator account for tests.
 
LVL 1

Author Comment

by:jetli87
ID: 33643012
Thanks... I used the test and everything worked well except for Outlook Anywhere.
LVL 28

Expert Comment

by:sunnyc7
ID: 33643021
Can you copy/paste the error for RPC/HTTPS (OLK Anywhere)?
 
LVL 32

Expert Comment

by:endital1097
ID: 33643022
I believe you need to run
set-outlookprovider EXPR -CertPrincipalName outlook.company.com
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33643032
yep
 
LVL 1

Author Comment

by:jetli87
ID: 33643033
Command set and re-ran test.

It failed on the last step per below.
SSL mutual authentication with the RPC proxy server is being tested. 
  Verification of mutual authentication failed. 

 
LVL 1

Author Comment

by:jetli87
ID: 33643052
Here's the error message.

Note: per the MS article, on the second run I did the command as such:

set-outlookprovider EXPR -CerPrincipalName "msstd:outlook.company.com"

Error below:
 Additional Details 
  The mutual authentication string was not in the expected format. The string provided was outlook.starpointproperties.com. 
 
LVL 32

Expert Comment

by:endital1097
ID: 33643055
set-outlookprovider EXPR -CerPrincipalName outlook.company.com -server $null
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33643061
set-outlookprovider EXPR -CertPrincipalName outlook.company.com -server $null

 
LVL 1

Author Comment

by:jetli87
ID: 33643063
Tried that command but got this:

WARNING: The command completed successfully but no settings of 'EXPR' have been modified.
 
LVL 32

Expert Comment

by:endital1097
ID: 33643065
I think we have this backwards.
Outlook Anywhere is configured with outlook.company.com, but the cert name is email.company.com.

set-outlookprovider EXPR -CertPrincipalName email.company.com -server $null

0
 
LVL 1

Author Comment

by:jetli87
ID: 33643066
And re-did the test; same failure on the last step about the authentication string being in the wrong format.
 
LVL 32

Expert Comment

by:endital1097
ID: 33643069
I should say the subject name for the cert is email.company.com.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33643072
I think the UCC has these 3 from the post here:
email.company.com
outlook.company.com
autodiscover.company.com

http:#33642998
 
LVL 1

Author Comment

by:jetli87
ID: 33643073
Hmmm, tried that and did the test, but it's still showing the error for outlook.company.com, not email.company.com.

And BTW, I have the cert set up for both names.
 
LVL 1

Author Comment

by:jetli87
ID: 33643074
Do I need to restart a service to refresh the settings?
 
LVL 32

Expert Comment

by:endital1097
ID: 33643097
What do you have for authentication methods for Outlook Anywhere?
get-outlookanywhere | fl iis*
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 400 total points
ID: 33643098
In your Outlook Anywhere test:
can you click on "manually specify proxy server settings",

enter the RPC proxy server as outlook.company.com,
and specify the local FQDN of the Exchange server (.local).

Select NTLM and
run the test.

Thanks.

PS: I am off for the night. All yours, Jim.
 
LVL 1

Author Comment

by:jetli87
ID: 33643101
IISAuthenticationMethods : {Basic}
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 400 total points
ID: 33643110
IIS has to be NTLM.

Can you test for Basic from the manual settings above? Let's see if that works.
 
LVL 32

Expert Comment

by:endital1097
ID: 33643117
I thought you were calling it a night :)
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 1600 total points
ID: 33643126
set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm
 
LVL 1

Author Comment

by:jetli87
ID: 33643129
Running manual testing:

Note: on the first test it mentioned email.company.com not matching, so I re-ran the below command:

set-outlookprovider EXPR -CertPrincipalName:"msstd:email.company.com" -server $null

and the test completed successfully.

So what do I need to change?
 
LVL 32

Expert Comment

by:endital1097
ID: 33643140
The IISAuthenticationMethods.

You can also remove the Outlook provider settings from earlier.
 
LVL 1

Author Comment

by:jetli87
ID: 33643142
Tried

set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm

but it asked for an identity, which I assume is the server,

so I re-ran

set-OutlookAnywhere -identity exchgateway.company.local -IISAuthenticationMethods Basic,Ntlm

but got an error stating that it could not be found on dc1.company.local.
 
LVL 32

Expert Comment

by:endital1097
ID: 33643150
get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods Basic,Ntlm
 
LVL 1

Author Comment

by:jetli87
ID: 33643174
Worked this time; re-ran the RPC/HTTPS test without manual settings and it worked too.

So thanks so much for your help, and Sunny's, but before I can reward points, can you please clarify the below so I can have a better understanding of what I'm doing:

1) When setting up the Exchange services and mapping them to SSL certs, what's the best way to do so? I followed instructions which had me use EMC ==> New Exchange Cert and specify SSL names for whichever services I'm using... What's your recommended method to get this done right the first time around?

2) Why use NTLM authentication versus Basic, and where do I set that up the first time around?
 
LVL 32

Expert Comment

by:endital1097
ID: 33643191
1. It depends on your environment, namely DNS and what your users use for a URL:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html

2. You set up NTLM when you enable Outlook Anywhere. You want to enable both authentication methods for Outlook.

You may also want to run
set-outlookprovider expr -certprincipalname $null
You shouldn't need that set with your current cert, and it is best to have this set to null.
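The two changes the thread settled on (IISAuthenticationMethods including Ntlm, applied by piping Get-OutlookAnywhere into Set-OutlookAnywhere so no -Identity has to be guessed, and an EXPR CertPrincipalName that is either empty or in msstd: form) can be audited and applied with one script. This is an added example, not code from the thread or from endital1097/sunnyc7; it assumes the Exchange 2010 Management Shell, $Server is a placeholder, and nothing is changed unless -Fix is given (otherwise -WhatIf only shows what would change). Clearing CertPrincipalName is only right when the Outlook Anywhere host name itself is on the certificate, as it is in this thread.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell, run on a CAS.
# $Server is a placeholder; nothing is changed unless -Fix is given.
param(
    [string]$Server = "CAS-PLACEHOLDER",
    [switch]$Fix
)

# EXPR CertPrincipalName must be empty (Outlook then expects the certificate to
# match the Outlook Anywhere host) or of the form msstd:<name>. A bare host name,
# as tried earlier in the thread, fails mutual authentication with the
# "string was not in the expected format" error.
function Test-CertPrincipalNameFormat {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return $true }
    return [bool]($Value -match '^msstd:[A-Za-z0-9*][A-Za-z0-9.\-*]*$')
}

# Snapshot of the settings this thread changed
function Get-OutlookAnywhereReport {
    param([string]$Server)
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -eq $null) { throw "Outlook Anywhere is not enabled on $Server" }
    $expr    = Get-OutlookProvider -Identity EXPR
    $methods = @($oa.IISAuthenticationMethods | ForEach-Object { $_.ToString() })
    $cpn     = [string]$expr.CertPrincipalName

    $report = New-Object PSObject
    $report | Add-Member NoteProperty ExternalHostname  ([string]$oa.ExternalHostname)
    $report | Add-Member NoteProperty IISAuthMethods    ($methods -join ",")
    $report | Add-Member NoteProperty NtlmEnabled       ($methods -contains "Ntlm")
    $report | Add-Member NoteProperty CertPrincipalName $cpn
    $report | Add-Member NoteProperty CertPrincipalOk   (Test-CertPrincipalNameFormat $cpn)
    return $report
}

function Repair-OutlookAnywhere {
    param([string]$Server, [switch]$Apply)
    $report = Get-OutlookAnywhereReport -Server $Server
    $report | Format-List | Out-Host

    if (-not $report.NtlmEnabled) {
        # Pipe the object in: Set-OutlookAnywhere otherwise prompts for -Identity,
        # and a guessed server FQDN is not a valid identity for it. Keep Basic
        # so existing profiles that negotiate Basic over HTTPS keep working.
        Get-OutlookAnywhere -Server $Server |
            Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm -WhatIf:(-not $Apply)
    }

    if ($report.CertPrincipalName -ne "") {
        # Clear EXPR so Outlook validates the certificate against the Outlook
        # Anywhere host name itself. Only correct when that name is on the cert;
        # otherwise set "msstd:<name on the cert>" instead.
        Set-OutlookProvider -Identity EXPR -CertPrincipalName $null -WhatIf:(-not $Apply)
    }
    return $report
}

Repair-OutlookAnywhere -Server $Server -Apply:$Fix
```

Run it once without -Fix to see the current values and the -WhatIf output, then with -Fix to apply; the Outlook Anywhere test at testexchangeconnectivity.com is the end-to-end confirmation, since a format error in CertPrincipalName only surfaces at the mutual authentication step.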
 
LVL 1

Author Comment

by:jetli87
ID: 33650427
Not trying to close... was trying to assign points for the answer... have already requested attention.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33650429
hi jetli87
If you received assistance in solving this question, then please mark relevant posts as answer and then close the question.

What you did was close the question - which means the comments here were not helpful.

 
LVL 28

Expert Comment

by:sunnyc7
ID: 33650436
You can assign points and close now - my objection has removed that close request.
 
LVL 1

Author Comment

by:jetli87
ID: 33650492
Thanks for your help Endital and Sunnyc, but I'm still having issues with Outlook Anywhere.

I posted a new question here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26465606.html
