Solved

Exchange 2010 CAS/HUB SSL Proper Configuration

Posted on 2010-09-09
51
835 Views
Last Modified: 2012-06-27
Hi All,

Just got done installing Exchange 2010 in Windows 2003 and Exchange 2003 Domain.

Tested mail flow, owa, and mailbox moves and all is ok...Though I ran into one issue.

When connecting outlook 2007/2010 locally to a test mailbox on the Exchange 2010 server, I get prompted with the SSL Cert error message about non-matching CN for "Exchgate.company.local"...I get this about 2-3 times in a span of a few minutes and after clicking "Yes,"  I can resumme functionality but sending/receiving emails is intermintent and often i have click send/receive to get/send emails...I'm almost 90% sure it has to do with the SSL config for exchange 2010.


Current setup:

CAS/HUB Role on Server:  ExchGateway.company.local (192.x.x.7)
I have internal DNS configured for the above in split DNS config:  Email.Comapny.com (OWA), AutoDiscover.Company.Com, and Outlook.Company.com (For Outlook Anywhere), all pointing to ==> (192.x.x.7)
SSL UCC Cert was applied on Exchange 2010 for the above X.company.com CNs.

So when i point outlook to either of the above 3 server names for Exchange server and click "Check Name", it changes to "ExchGateway.company.local" which i imagine correct since it's the CAS/HUB server.

So what did I do wrong or didn't do?

So I'm pretty sure i need to do something via Exchange Powershell...Help!!!
0
Comment
Question by:jetli87
  • 19
  • 16
  • 16
51 Comments
 
LVL 32

Accepted Solution

by:
endital1097 earned 400 total points
Comment Utility
my favorite...
get the domain names on your certificate
Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*

get the urls used by exchange web services
Get-WebServicesVirtualDirectory | fl *URL

get the autodiscover url
get-ClientAccessServer | fl *URI

your certificate domain names should cover all fqdn values you see, otherwise you need to update settings
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
endital's got it.... I think.

PS: did you buy a UCC/SAN Cert and add the 4 names

mail.domain.com
autodiscover.domain.com
mailservername.domain.local
mailservername

Also - please output the results of jim's cmdlets from above.
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
Hi All,

Yes i did buy a UCC Cert.

Actually i found this link and i'm testing and it seemed to have solved the issue:

http://support.microsoft.com/kb/940726
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
remember with 2010 your client always connects to the CAS server so this is expected behavior
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
that's what endital was aiming for

Please post back if you face any issues.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Still, please post back the output of the cmdlets, so that we can verify if everything is in order.

http:#33642821
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
Below is the output after using the commands in the MS KB to set URLs.
[PS] C:\Windows\system32>Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*





CertificateDomains                                          CertificateRequest

------------------                                          ------------------

{Email.company.com, www.Email.company...





[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url





InternalNLBBypassUrl : https://email.company.com/ews/exchange.asmx

InternalUrl          : https://email.company.com/ews/exchange.asmx

ExternalUrl          : https://email.company.com/ews/exchange.asmx







[PS] C:\Windows\system32>get-clientaccessSErver | fl *uri





AutoDiscoverServiceInternalUri : https://email.company.com/autodiscover/autodiscover.xml

Open in new window

0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 400 total points
Comment Utility
one more, sorry
get-outlookanywhere | fl external*

those provided all look good
this one is going to be .local
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
I hope you have an internal DNS entry for email.company.com > pointing to local IP of your exchange server ?
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
endital,

the return is below
ExternalHostname : outlook.company.com

Open in new window

0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
sunnyc,

yes, internal DNS for email.company.com ==> 192.x.x.7 (CAS/HUB Exchange Server)

External:  email.company.com ==> 74.x.x.x ==> 192.x.x.7
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
run the following to have it match your cert
set-outlookanywhere -externalhostname email.company.com

you'll may need to update your outlook profile
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
I'm using outlook.company.com for outlookanywhere.

I have external DNS:  outlook.company.com ==> 74.x.x.x ==> 192.x.x.7
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
Thats good @ internal dns

your settings are ok for autodiscover / SCP's and UCC/SAN's
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
does outlook.company.com appear on the certificate domain names
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 400 total points
Comment Utility
you may want to also run the folllowing for verification
get-oabvirtualdirectory | fl *URL
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
If you have external DNS for outlook.company.com - then everything looks ok.

Are you using that for RPC/HTTPS or do you have another DNS for autodiscover.company.com

Time to test

Test for Outlook Anywhere / Autodiscover here
Test it using SSL.

www.testexchangeconnectivity.com/

0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
endital,

yes...my UCC Cert has:

email.company.com
outlook.company.com
autodiscover.company.com
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
I think you have got it covered, only missing piece was the SCP.

Please run the tests and let us know the result. It should pass for both.
Use a non administrator account for tests.
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
thanks...I used the test and everything worked well accept for outlook anywhere.

0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
can you copy paste the error for RPC/HTTPS (OLK anywhere)
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
i believe you need to run
set-outlookprovider EXPR -CertPrincipalName outlook.company.com
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
yep
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
Command set and re-ran test.

It failed on the last step per below.
SSL mutual authentication with the RPC proxy server is being tested. 

  Verification of mutual authentication failed. 

Open in new window

0
Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

 
LVL 1

Author Comment

by:jetli87
Comment Utility
here's the error message

note: per MS article, on the second run i did command as such:

set-outlookprovider EXPR -CerPrincipalName "msstd:outlook.company.com"

error below:
 Additional Details 

  The mutual authentication string was not in the expected format. The string provided was outlook.starpointproperties.com. 

Open in new window

0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
set-outlookprovider EXPR -CerPrincipalName outlook.company.com -server $null
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
set-outlookprovider EXPR -CertPrincipalName outlook.company.com -server $null

--
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
tried that command but got this:

WARNING: The command completed successfully but no settings of 'EXPR' have been modified.
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
i think we have this backwards
outlook anywhere is configured with outlook.company.com but the cert name is email.company.com

set-outlookprovider EXPR -CertPrincipalName email.company.com -server $null

0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
and re-did test and same failure on the last step about authentication string in wrong format.
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
i should say subject name for the cert is email.company.com
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
I think the UCC has these 3 from the post here
email.company.com
outlook.company.com
autodiscover.company.com

http:#33642998
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
hmmm tried that and and did test, but it's still showing error for outlook.company.com, not email.company.com

and btw, I have cert setup for both names.
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
do i need to restart a service to refresh the settings?
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
what do you have for authentication methods for outlook anywhere
get-outlookanywhere | iis*
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 100 total points
Comment Utility
in your outlook anywhere test -
can you click on manually specify proxy server settings

and enter RPC proxy server as outlook.company.com
and specify local fqdn of exchange server (.local)

Select NTLM
run the test.

thanks


--
PS: I am off for the night. All yours jim.
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
IISAuthenticationMethods : {Basic}
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 100 total points
Comment Utility
IIS has to be NTLM

Can you test for Basic from the manual settings above ? Lets see if that works.
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
i thought you were calling it a night :)
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 400 total points
Comment Utility
set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
running manual testing:

note on first test it mention email.company.com not matching so i re-ran the below command:

set-outlookprovider EXPR -CertPrincipalName:"msstd:email.company.com" -server $null

and test completed successfully.

So what do i need to change?
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
the iisauthentication methods

you can also remove the outlook provider settings from earlier
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
tried

set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm

but requested for identity which i assume is the server

so i re-ran

set-OutlookAnywhere -identity exchgateway.company.local -IISAuthenticationMethods Basic,Ntlm

but got error stating that it could not be found on dc1.company.local
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods Basic,Ntlm
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
worked this time and re-run RPC/HTTPS test without manual settings and worked too.

So thanks so much for your help and sunnys, but before i can reward points, can you please clarify the below so i can have a better understanding of what I'm doing:

1) When setting up the Exchange services and mapping to SSL Certs, what's the best way to do so?  I followed instructions which had me use EMC ==> New Exchange Cert and specificy SSL Names for whichever services i'm using...What's your recommended method to get this done right the first time around?

2) Why use NTLM authentication versus Basic and where do i setup that up the first time around?
0
 
LVL 32

Expert Comment

by:endital1097
Comment Utility
1. it depends on your environment, namely dns and what your users use for a url
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html

2. you setup NTLM when you enable outlook anywhere. you want to enable both authentication methods for outlook.

you may also want to run
set-outlookprovider expr -certprincipalname $null
you shouldn't need that set with your current cert, and it is best to have this set to null
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
Not trying to close...was trying to assign point for answer...have already requested attention.
0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
hi jetli87
If you received assistance in solving this question, then please mark relevant posts as answer and then close the question.

What you did was close the question - which means the comments here were not helpful.

0
 
LVL 28

Expert Comment

by:sunnyc7
Comment Utility
You can assign points and close now - my objection has removed that close request.
0
 
LVL 1

Author Comment

by:jetli87
Comment Utility
Thanks for your help Endital and Sunncy, but I'm still having issues with Outlook Anywhere.

I posted a new question here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26465606.html
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
how to add IIS SMTP to handle application/Scanner relays into office 365.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now