Link to home
Start Free TrialLog in
Avatar of BlueGoose
BlueGooseFlag for United States of America

asked on

Requesting a UCC in Exchange 2010...what should I add?

I have a 2003 and 2010 Exchange Server in my org.  Nothing but test mailboxes on the Exchange 2010 box.

I bought and installed a SSL from GoDaddy for Active Sync and OWA on the 2010 box and they work fine.  Issue I am having is if I open a mailbox internally that is currently on 2010 Server box I get a Security Alert that states "The name on the security certificate is invalid or does not match the name of the site"   I understand why I am getting that message as the internal url is not on the certificate that IIS is using.  

So I need to get a UCC that contains both the name of the internal URL and the external URL correct?  And if I understand correctly the external facing URL needs to be the common name on the cert correct?

Anyways, creating the cert within Exchange 2010 is pretty straight forward until I get to one particular area where I need to choose Autodiscover.  Autodiscover used on the INTRANET is grayed out but Autodiscover used on the INTERNET is not.   In the Autodiscover URL to use box, all of the domains that I have listed on the Exchange Server as accepted domains are listed.  About 22 email domains in total, all legit email domains we use.

Now my big question is do I NEED to keep all of these domains in the there?  In a demo video I saw, the walk-through said I should just have in there my external url...such as   Is this correct??  Should the internal url be in there as well?  I'm not clear exactly on what fields should be in this box.

On the next page, Certificate of Domains it lists for all of the accepted domains and also the internal and external urls with the external url being the common name in bold.

If I could get some assistance in what I need for the autodiscover fields that would be great

Avatar of Shack-Daddy
Flag of United States of America image

For autodiscover you only need the external URL. Internal autodiscover is handled differently, and doesn't use DNS lookups to get the Autodiscover URL.
FYI, here's what I'd do. First, you don't need to worry about most of those domain names, unless any of those domain names is likely to be used in a user's email address. If you really have 22 different names that might be used in a user's email address, then you are also going to want to use SRV records in each domain's public DNS, all of which point to the single name that you chose to put in the cert. And that A-record will point to your server's IP address.

So these are the critical ones:

Common name: (whatever users will use when they use OWA)
Avatar of BlueGoose


Thank you for the info however just a little confused on the autodiscover part.....

We only have one 2010 Exchange Server (SP1)

CAS, Hub Transport etc are all located on one server.  No unified messaging or edge.

 Our external url lets just say is a host record under on our domain would it be safe to say that on the certificate I should be able to put and have it work?

We usually setup mailboxes manually as well

And yes we do use maybe out of those 22 domains, 7 or 8 of them that use the "domain name" in their email address.

As you can see I am a bit confused on autodiscover
Are your internal and external domain names the same? Your comment about "on our domain controller" seems to imply that's the case. Since that will make a difference, let me know, and I'll tell you how I'd set things up depending on your answer.
I'm sorry I was not more, they are not the same.

For example, external url is (this is url we also use for owa and active sync and working fine)

Internal url is same name as Exchange server  for example

as far as dc's we have about about 5, did not mean to imply just one.

further example as far as additional domains (of the 22)

and so on

Hope I'm not being too confusing
Avatar of Shack-Daddy
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Ok that seems pretty clear!  I will give it a go in the morning when I get into the office
Oopps one last question..I do have a 2003 Exchange Server in the mix that will be around for a little I need to add it's name to the cert?  It will eventually go away but not within a year probably.  So we will have mailboxes on both servers for a bit of time.
No, you shouldn't need to add that server's name, since that server should already have a self-signed cert that is good internally, but it wouldn't hurt if you added that server's internal FQDN to the certificate and installed a copy of the cert on that server. But you'd need to make sure that you properly exported and imported the cert in order for it to work. Probably easiest to not mess with it. I assume that the new server is handling all the internet-side interaction with OWA, ActiveSync and mail receiving, right?
Ok good to know, I did not put it on there.  

We have Active Sync, OWA and mail receiving working on both servers at the moment.  Different addresses for owa and active sync on each server.  As I move each mailbox over if that user has a need for active sync I will make the changes to their mobile device at that time.

As far as mail delivery I have one of our email domains pointed at the new server even though the mailboxes are on the 2003 server and mail flow is going ok.

I installed the UCC cert and the security warning is gone.  Thanks!  I just need to figure out why Out of Office for the exchange 2010 mail servers is not working and also add those SRV records to get autodiscover to work
Could you run this command and post the results? We may be able to help you sort out the OOF thing.

get-webservicesvirtualdirectory | fl *url
Here you go

InternalNLBBypassUrl :
InternalUrl          :
ExternalUrl          :

If you do this, OOF may work:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL https://widget/EWS/Exchange.asmx

This would change the URL so that it didn't reference (which I don't think is on your cert, right?). Instead it would reference it by the internal server name which IS on your cert.

Alternately we could do this:

get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -internalURL

But this would assume that your internal clients are able to resolve to the internal IP of the server and not the external IP. You could tweak DNS to allow this, but you'd probably need a little guidance.
InternalNLBBypassUrl :
InternalUrl          :
ExternalUrl          :

My bad on that one....the internal url I had posted was wrong, I had an extra .com in is on my cert........
Users get the "Your out of office settings cannot be displayed because the server is currently unavailable" message.

BUT with OWA it works?
On an Outlook client with Outlook 2007 or higher running, hold down Control and right-click the Outlook icon in the systray. It should pop up a menu and you can choose Test Email Autoconfiguration from the list. Uncheck the two GuessSmart boxes and then just click Test. Could you report back whether it is successful, and if so, what URL gets returned for the OOF?

Clients don't have any trouble reaching, right?
They can connect fine internally.

Hmmmmm  ...autodiscover not working at all...I think a lot if not all of it is because I don't have a record yet on the domain server?

wondering if something go goobered up somewhere as it was working before,

with it not working at all, is it cert related or something else?

Sorry this is sort of going off course isnt it
Actually autodiscover internally should not have anything to do with what "autodiscover" is on the cert should it?
Hmmm...spinning my wheels here trying to figure this out....on internal autodiscover does it use the cert?
This is what I get when I run get-autodiscovervirtualdirectory

[PS] C:\Windows\system32>get-autodiscovervirtualdirectory

Name                                    Server                                  InternalUrl
----                                    ------                                  -----------
Autodiscover (Default Web Site)         WIDGET

Blank url?

Not sure if this helps

To add one more piece of info and not sure it IIS anon is the only authentication enabled
What do you get for these:

get-autodiscovervirtualdirectory | fl *url
get-clientaccessserver | fl *uri
[PS] C:\Windows\system32>get-autodiscovervirtualdirectory | fl *url

InternalUrl :
ExternalUrl :

[PS] C:\Windows\system32>get-clientaccessserver | fl *url

[PS] C:\Windows\system32>

Blank in both?

The second one you didn't do right. You changed my "typo" and put "url" at the end instead of "uri". Do that one again.

But the critical thing is to give your server an external Autodiscover address:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -externalurl
[PS] C:\Windows\system32>get-clientaccessserver | fl *uri

AutoDiscoverServiceInternalUri :

ok I added the external url so when I run the get-autodiscovervirtualdirectory | fl *url command i see it now for the external url but internal is still blank
Ok, let's do this for the internal:

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl

Then do an IISRESET and test to see whether the issue is resolved.

If not, look at this article, particularly at step 2 and let me know what results you get when you paste that URL into a web browser:
Well didn't it is a case of my autodiscover not working at all I'm afraid.....when I do the connection test it comes back all as failed xml file at all.   Hmmmm...I know at one point it was working because I was getting results with mailboxes on the 2010 server
So you don't get anything when you paste into a browser?

That's the URL that the Outlook testing tool tells you for OOF, right?
I don't get a url for OOF because autodiscover does not run correctly.  It fails on all tries so I never get the info that you get under the first tab when you run the autodiscover test.

I pasted the above url in but just get a canned message : This XML file does not appear to have any style information associated with it. The document tree is shown below.

And then a ton of stuff that looks to be just canned xml (if that makes sense)

Autodiscover did work at one point (the test) because I know what you are talking about.  For internal autodiscover the cert or dns should not matter right as it is all internal?  fwiw I can setupmail boxes automaticaly just by putting in the email address but maybe not even related

I'm wondering what stopped the autodiscover from working internally?
Ok, you probably need to rebuild your virtual directories. When you are in the Exchange Management Console, if you go down into Server -> Client Access, you should see an Action item on the right that will allow you to rebuild the virtual directories. It's pretty automated, so it shouldn't be hard. Let's do that and then test again.
Ok will do that in the I correct in assuming that the cert and dns entry should NOT effect internal autodiscover
which virtual directory am I resetting?  So far I just have done the auto discover one and re-ran the above commands to set my internal and external url's
Hey autodiscover and oof are now working!
Good, so basically one of those two vdirs had some corruption, and rebuilding them resolved it.
Very knowledgeable expert, would not hesitate to follow any of his Exchange advice