jetli87
asked on
Exchange 2010 CAS/HUB SSL Proper Configuration
Hi All,
Just got done installing Exchange 2010 in Windows 2003 and Exchange 2003 Domain.
Tested mail flow, owa, and mailbox moves and all is ok...Though I ran into one issue.
When connecting Outlook 2007/2010 locally to a test mailbox on the Exchange 2010 server, I get prompted with the SSL cert error message about a non-matching CN for "Exchgate.company.local". I get this about 2-3 times in a span of a few minutes and after clicking "Yes," I can resume functionality, but sending/receiving emails is intermittent and often I have to click send/receive to get/send emails. I'm almost 90% sure it has to do with the SSL config for Exchange 2010.
Current setup:
CAS/HUB Role on Server: ExchGateway.company.local (192.x.x.7)
I have internal DNS configured for the above in split DNS config: Email.Company.com (OWA), AutoDiscover.Company.Com, and Outlook.Company.com (for Outlook Anywhere), all pointing to ==> (192.x.x.7)
SSL UCC Cert was applied on Exchange 2010 for the above X.company.com CNs.
So when I point Outlook to any of the above 3 server names for the Exchange server and click "Check Name", it changes to "ExchGateway.company.local", which I imagine is correct since it's the CAS/HUB server.
So what did I do wrong or didn't do?
So I'm pretty sure I need to do something via Exchange PowerShell...Help!!!
ASKER CERTIFIED SOLUTION
ASKER
Hi All,
Yes, I did buy a UCC cert.
Actually I found this link and I'm testing, and it seems to have solved the issue:
http://support.microsoft.com/kb/940726
remember with 2010 your client always connects to the CAS server so this is expected behavior
that's what endital was aiming for
Please post back if you face any issues.
Still, please post back the output of the cmdlets, so that we can verify if everything is in order.
http:#33642821
ASKER
Below is the output after using the commands in the MS KB to set URLs.
[PS] C:\Windows\system32>Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*
CertificateDomains CertificateRequest
------------------ ------------------
{Email.company.com, www.Email.company...
[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url
InternalNLBBypassUrl : https://email.company.com/ews/exchange.asmx
InternalUrl : https://email.company.com/ews/exchange.asmx
ExternalUrl : https://email.company.com/ews/exchange.asmx
[PS] C:\Windows\system32>get-clientaccessSErver | fl *uri
AutoDiscoverServiceInternalUri : https://email.company.com/autodiscover/autodiscover.xml
SOLUTION
I hope you have an internal DNS entry for email.company.com pointing to the local IP of your Exchange server?
ASKER
endital,
the return is below
ExternalHostname : outlook.company.com
ASKER
sunnyc,
yes, internal DNS for email.company.com ==> 192.x.x.7 (CAS/HUB Exchange Server)
External: email.company.com ==> 74.x.x.x ==> 192.x.x.7
do you have a external dns entry for outlook.company.com ?
You can check this guide.
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html
run the following to have it match your cert
set-outlookanywhere -externalhostname email.company.com
you may need to update your Outlook profile
ASKER
I'm using outlook.company.com for outlookanywhere.
I have external DNS: outlook.company.com ==> 74.x.x.x ==> 192.x.x.7
That's good @ internal DNS
your settings are ok for autodiscover / SCP's and UCC/SAN's
does outlook.company.com appear on the certificate domain names
SOLUTION
If you have external DNS for outlook.company.com - then everything looks ok.
Are you using that for RPC/HTTPS or do you have another DNS for autodiscover.company.com
Time to test
Test for Outlook Anywhere / Autodiscover here
Test it using SSL.
www.testexchangeconnectivity.com/
ASKER
endital,
yes...my UCC Cert has:
email.company.com
outlook.company.com
autodiscover.company.com
I think you have got it covered, only missing piece was the SCP.
Please run the tests and let us know the result. It should pass for both.
Use a non administrator account for tests.
ASKER
Thanks...I used the test and everything worked well except for Outlook Anywhere.
can you copy paste the error for RPC/HTTPS (OLK anywhere)
i believe you need to run
set-outlookprovider EXPR -CertPrincipalName outlook.company.com
yep
ASKER
Command set and re-ran test.
It failed on the last step per below.
SSL mutual authentication with the RPC proxy server is being tested.
Verification of mutual authentication failed.
ASKER
here's the error message
note: per MS article, on the second run i did command as such:
set-outlookprovider EXPR -CerPrincipalName "msstd:outlook.company.com "
error below:
Additional Details
The mutual authentication string was not in the expected format. The string provided was outlook.starpointproperties.com.
set-outlookprovider EXPR -CerPrincipalName outlook.company.com -server $null
set-outlookprovider EXPR -CertPrincipalName outlook.company.com -server $null
ASKER
tried that command but got this:
WARNING: The command completed successfully but no settings of 'EXPR' have been modified.
i think we have this backwards
outlook anywhere is configured with outlook.company.com but the cert name is email.company.com
set-outlookprovider EXPR -CertPrincipalName email.company.com -server $null
ASKER
and re-did test and same failure on the last step about authentication string in wrong format.
i should say subject name for the cert is email.company.com
I think the UCC has these 3 from the post here
email.company.com
outlook.company.com
autodiscover.company.com
http:#33642998
ASKER
hmmm tried that and and did test, but it's still showing error for outlook.company.com, not email.company.com
and btw, I have cert setup for both names.
ASKER
do i need to restart a service to refresh the settings?
what do you have for authentication methods for outlook anywhere
get-outlookanywhere | fl iis*
SOLUTION
ASKER
IISAuthenticationMethods : {Basic}
SOLUTION
i thought you were calling it a night :)
SOLUTION
ASKER
running manual testing:
note: on the first test it mentioned email.company.com not matching, so I re-ran the below command:
set-outlookprovider EXPR -CertPrincipalName:"msstd:email.company.com" -server $null
and test completed successfully.
So what do i need to change?
the iisauthentication methods
you can also remove the outlook provider settings from earlier
ASKER
tried
set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm
but requested for identity which i assume is the server
so i re-ran
set-OutlookAnywhere -identity exchgateway.company.local -IISAuthenticationMethods Basic,Ntlm
but got error stating that it could not be found on dc1.company.local
get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods Basic,Ntlm
ASKER
worked this time and re-run RPC/HTTPS test without manual settings and worked too.
So thanks so much for your help and sunnys, but before i can reward points, can you please clarify the below so i can have a better understanding of what I'm doing:
1) When setting up the Exchange services and mapping them to SSL certs, what's the best way to do so? I followed instructions which had me use EMC ==> New Exchange Cert and specify SSL names for whichever services I'm using...What's your recommended method to get this done right the first time around?
2) Why use NTLM authentication versus Basic and where do i setup that up the first time around?
1. it depends on your environment, namely dns and what your users use for a url
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html
2. you setup NTLM when you enable outlook anywhere. you want to enable both authentication methods for outlook.
you may also want to run
set-outlookprovider expr -certprincipalname $null
you shouldn't need that set with your current cert, and it is best to have this set to null
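The thread's fix boils down to making every name a client is handed (EWS URLs, the Autodiscover SCP, the Outlook Anywhere hostname, and any EXPR CertPrincipalName) appear on the IIS-bound certificate, and enabling NTLM alongside Basic. The audit below is an added example, not code from the thread or from Microsoft; it assumes it is run in the Exchange Management Shell on a single Exchange 2010 CAS and uses only the cmdlets the thread itself uses.

```powershell
# Added example: audit Exchange 2010 CAS namespace settings against the IIS certificate.
# Assumption: run in the Exchange Management Shell on the CAS itself.

function Get-UrlHost([string]$url) {
    # Lower-cased host part of a URL, or $null when the setting is empty
    if ([string]::IsNullOrEmpty($url)) { return $null }
    return ([Uri]$url).Host.ToLower()
}

function Test-CertCovers([string[]]$certNames, [string]$hostName) {
    # True when the host is on the certificate directly or via a wildcard entry
    if ([string]::IsNullOrEmpty($hostName)) { return $true }   # nothing configured, nothing to check
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1))) { return $true }
    }
    return $false
}

$server = $env:COMPUTERNAME   # assumption: this machine is the CAS

# Subject and SAN names of the certificate bound to IIS (same filter as in the thread)
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services.ToString().Contains("IIS") } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every host name a client is told to connect to, keyed by the setting it comes from
$ews = Get-WebServicesVirtualDirectory -Server $server | Select-Object -First 1
$owa = Get-OwaVirtualDirectory -Server $server | Where-Object { $_.Name -like "owa*" } | Select-Object -First 1
$oa  = Get-OutlookAnywhere -Server $server | Select-Object -First 1
$names = @{
    "EWS InternalUrl"                  = Get-UrlHost $ews.InternalUrl
    "EWS ExternalUrl"                  = Get-UrlHost $ews.ExternalUrl
    "OWA ExternalUrl"                  = Get-UrlHost $owa.ExternalUrl
    "Autodiscover SCP"                 = Get-UrlHost (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
    "OutlookAnywhere ExternalHostname" = "$($oa.ExternalHostname)".ToLower()
}
# EXPR is the Outlook Anywhere provider; if CertPrincipalName is set it must match the RPC proxy name
$expr = (Get-OutlookProvider EXPR).CertPrincipalName
if ($expr) { $names["OutlookProvider EXPR CertPrincipalName"] = "$expr".ToLower() -replace "^msstd:", "" }

foreach ($k in $names.Keys) {
    $status = if (Test-CertCovers $certNames $names[$k]) { "OK" } else { "MISMATCH" }
    "{0,-8} {1,-40} {2}" -f $status, $k, $names[$k]
}
# The thread's last fix: Outlook Anywhere should offer NTLM as well as Basic
if ($oa -and -not ("$($oa.IISAuthenticationMethods)" -match "Ntlm")) {
    "NOTE     Outlook Anywhere IISAuthenticationMethods lacks Ntlm: $($oa.IISAuthenticationMethods)"
}
```

Any line reported as MISMATCH is a name Outlook will be directed to that the certificate does not cover, which is exactly the condition that produced the CN warning and the failed mutual-authentication step above.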
ASKER
Not trying to close...was trying to assign point for answer...have already requested attention.
hi jetli87
If you received assistance in solving this question, then please mark relevant posts as answer and then close the question.
What you did was close the question - which means the comments here were not helpful.
You can assign points and close now - my objection has removed that close request.
ASKER
Thanks for your help Endital and Sunncy, but I'm still having issues with Outlook Anywhere.
I posted a new question here:
https://www.experts-exchange.com/questions/26465606/Exchange-2010-Outlook-Anywhere-not-working.html
PS: did you buy a UCC/SAN Cert and add the 4 names
mail.domain.com
autodiscover.domain.com
mailservername.domain.loca
mailservername
Also - please output the results of jim's cmdlets from above.