We help IT Professionals succeed at work.

Exchange 2010 CAS/HUB SSL Proper Configuration

jetli87
jetli87 asked
on
874 Views
Last Modified: 2012-06-27
Hi All,

Just got done installing Exchange 2010 in Windows 2003 and Exchange 2003 Domain.

Tested mail flow, owa, and mailbox moves and all is ok...Though I ran into one issue.

When connecting outlook 2007/2010 locally to a test mailbox on the Exchange 2010 server, I get prompted with the SSL Cert error message about non-matching CN for "Exchgate.company.local"...I get this about 2-3 times in a span of a few minutes and after clicking "Yes,"  I can resumme functionality but sending/receiving emails is intermintent and often i have click send/receive to get/send emails...I'm almost 90% sure it has to do with the SSL config for exchange 2010.


Current setup:

CAS/HUB Role on Server:  ExchGateway.company.local (192.x.x.7)
I have internal DNS configured for the above in split DNS config:  Email.Comapny.com (OWA), AutoDiscover.Company.Com, and Outlook.Company.com (For Outlook Anywhere), all pointing to ==> (192.x.x.7)
SSL UCC Cert was applied on Exchange 2010 for the above X.company.com CNs.

So when i point outlook to either of the above 3 server names for Exchange server and click "Check Name", it changes to "ExchGateway.company.local" which i imagine correct since it's the CAS/HUB server.

So what did I do wrong or didn't do?

So I'm pretty sure i need to do something via Exchange Powershell...Help!!!
Comment
Watch Question

Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Top Expert 2010

Commented:
endital's got it.... I think.

PS: did you buy a UCC/SAN Cert and add the 4 names

mail.domain.com
autodiscover.domain.com
mailservername.domain.local
mailservername

Also - please output the results of jim's cmdlets from above.

Author

Commented:
Hi All,

Yes i did buy a UCC Cert.

Actually i found this link and i'm testing and it seemed to have solved the issue:

http://support.microsoft.com/kb/940726
remember with 2010 your client always connects to the CAS server so this is expected behavior
Top Expert 2010

Commented:
that's what endital was aiming for

Please post back if you face any issues.
Top Expert 2010

Commented:
Still, please post back the output of the cmdlets, so that we can verify if everything is in order.

http:#33642821

Author

Commented:
Below is the output after using the commands in the MS KB to set URLs.
[PS] C:\Windows\system32>Get-ExchangeCertificate | where { $_.Services.ToString().Contains("IIS") -eq $true } | ft Cert*


CertificateDomains                                          CertificateRequest
------------------                                          ------------------
{Email.company.com, www.Email.company...


[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url


InternalNLBBypassUrl : https://email.company.com/ews/exchange.asmx
InternalUrl          : https://email.company.com/ews/exchange.asmx
ExternalUrl          : https://email.company.com/ews/exchange.asmx



[PS] C:\Windows\system32>get-clientaccessSErver | fl *uri


AutoDiscoverServiceInternalUri : https://email.company.com/autodiscover/autodiscover.xml

Open in new window

Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Top Expert 2010

Commented:
I hope you have an internal DNS entry for email.company.com > pointing to local IP of your exchange server ?

Author

Commented:
endital,

the return is below
ExternalHostname : outlook.company.com

Open in new window

Author

Commented:
sunnyc,

yes, internal DNS for email.company.com ==> 192.x.x.7 (CAS/HUB Exchange Server)

External:  email.company.com ==> 74.x.x.x ==> 192.x.x.7
Top Expert 2010

Commented:
run the following to have it match your cert
set-outlookanywhere -externalhostname email.company.com

you'll may need to update your outlook profile

Author

Commented:
I'm using outlook.company.com for outlookanywhere.

I have external DNS:  outlook.company.com ==> 74.x.x.x ==> 192.x.x.7
Top Expert 2010

Commented:
Thats good @ internal dns

your settings are ok for autodiscover / SCP's and UCC/SAN's
does outlook.company.com appear on the certificate domain names
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Top Expert 2010

Commented:
If you have external DNS for outlook.company.com - then everything looks ok.

Are you using that for RPC/HTTPS or do you have another DNS for autodiscover.company.com

Time to test

Test for Outlook Anywhere / Autodiscover here
Test it using SSL.

www.testexchangeconnectivity.com/

Author

Commented:
endital,

yes...my UCC Cert has:

email.company.com
outlook.company.com
autodiscover.company.com
Top Expert 2010

Commented:
I think you have got it covered, only missing piece was the SCP.

Please run the tests and let us know the result. It should pass for both.
Use a non administrator account for tests.

Author

Commented:
thanks...I used the test and everything worked well accept for outlook anywhere.

Top Expert 2010

Commented:
can you copy paste the error for RPC/HTTPS (OLK anywhere)
i believe you need to run
set-outlookprovider EXPR -CertPrincipalName outlook.company.com
Top Expert 2010

Commented:
yep

Author

Commented:
Command set and re-ran test.

It failed on the last step per below.
SSL mutual authentication with the RPC proxy server is being tested. 
  Verification of mutual authentication failed. 

Open in new window

Author

Commented:
here's the error message

note: per MS article, on the second run i did command as such:

set-outlookprovider EXPR -CerPrincipalName "msstd:outlook.company.com"

error below:
 Additional Details 
  The mutual authentication string was not in the expected format. The string provided was outlook.starpointproperties.com. 

Open in new window

set-outlookprovider EXPR -CerPrincipalName outlook.company.com -server $null
Top Expert 2010

Commented:
set-outlookprovider EXPR -CertPrincipalName outlook.company.com -server $null

--

Author

Commented:
tried that command but got this:

WARNING: The command completed successfully but no settings of 'EXPR' have been modified.
i think we have this backwards
outlook anywhere is configured with outlook.company.com but the cert name is email.company.com

set-outlookprovider EXPR -CertPrincipalName email.company.com -server $null

Author

Commented:
and re-did test and same failure on the last step about authentication string in wrong format.
i should say subject name for the cert is email.company.com
Top Expert 2010

Commented:
I think the UCC has these 3 from the post here
email.company.com
outlook.company.com
autodiscover.company.com

http:#33642998

Author

Commented:
hmmm tried that and and did test, but it's still showing error for outlook.company.com, not email.company.com

and btw, I have cert setup for both names.

Author

Commented:
do i need to restart a service to refresh the settings?
what do you have for authentication methods for outlook anywhere
get-outlookanywhere | iis*
Top Expert 2010
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
IISAuthenticationMethods : {Basic}
Top Expert 2010
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
i thought you were calling it a night :)
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
running manual testing:

note on first test it mention email.company.com not matching so i re-ran the below command:

set-outlookprovider EXPR -CertPrincipalName:"msstd:email.company.com" -server $null

and test completed successfully.

So what do i need to change?
the iisauthentication methods

you can also remove the outlook provider settings from earlier

Author

Commented:
tried

set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm

but requested for identity which i assume is the server

so i re-ran

set-OutlookAnywhere -identity exchgateway.company.local -IISAuthenticationMethods Basic,Ntlm

but got error stating that it could not be found on dc1.company.local
get-outlookanywhere | set-outlookanywhere -IISAuthenticationMethods Basic,Ntlm

Author

Commented:
worked this time and re-run RPC/HTTPS test without manual settings and worked too.

So thanks so much for your help and sunnys, but before i can reward points, can you please clarify the below so i can have a better understanding of what I'm doing:

1) When setting up the Exchange services and mapping to SSL Certs, what's the best way to do so?  I followed instructions which had me use EMC ==> New Exchange Cert and specificy SSL Names for whichever services i'm using...What's your recommended method to get this done right the first time around?

2) Why use NTLM authentication versus Basic and where do i setup that up the first time around?
1. it depends on your environment, namely dns and what your users use for a url
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-and-Web-Services-OOF-and-OAB.html

2. you setup NTLM when you enable outlook anywhere. you want to enable both authentication methods for outlook.

you may also want to run
set-outlookprovider expr -certprincipalname $null
you shouldn't need that set with your current cert, and it is best to have this set to null

Author

Commented:
Not trying to close...was trying to assign point for answer...have already requested attention.
Top Expert 2010

Commented:
hi jetli87
If you received assistance in solving this question, then please mark relevant posts as answer and then close the question.

What you did was close the question - which means the comments here were not helpful.

Top Expert 2010

Commented:
You can assign points and close now - my objection has removed that close request.

Author

Commented:
Thanks for your help Endital and Sunncy, but I'm still having issues with Outlook Anywhere.

I posted a new question here:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26465606.html

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.