HamannWetteren
asked on
Exchange 2010 and wildcard certificate
I have a wildcard certificate with CN = *.company.be
I have the following SAN's in the certificate:
owa.company.be
servername.company.be
autodiscover.company.be
company.be
*.company.be
The external host name for Outlook Anywhere = owa.company.be
Whenever I try to use HTTP/RPC connection, I get the following error:
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site owa.company.be.
Outlook is unable to connect to the proxy server.
Any ideas ??
You need to use a UCC SSL Certificate for Exchange 2010.
ASKER
Strange thing is, this has worked for more than 1 year, but since we updated the Exchange server last weekend to Windows 2008 R2 SP1, it fails.
And then include at least the following:
owa.company.be
autodiscover.company.be
servername.company.be
After installing the certificate you would be able to use: https://owa.company.be/OWA
Just ensure that your certificate is installed correctly and is also not self signed. Also check to see if your certificate did not expire.
Or rather, are you using a third party certificate as this is recommended.
ASKER
Selfsigned = False
Valid from: 24/09/2010 to 2/10/2013
Digicert people told me that a wildcard certificate is 100% usable in Exchange...??
Ensure that the correct services is assigned to the certificate:
IIS, POP, SMTP and IMAP
ASKER
All correct services are assigned
What happens if you go to https://servername.company.be/OWA do you also get a certificate mismatch?
ASKER
No, that works fine
Go to https://www.testexchangeconnectivity.com/ and let me know what the results are?
The only time that one would get that error is when the owa.company.be is not included in the certificate or when the services are not correctly assigned.
ASKER
Hendrik,
I did the tests, and they all worked fine....
You would definitely be better off using a UCC SSL Certificate. But lets carry on.
Try pointing the autodiscover to the existing SSL using:
Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://yourinternaladdress.xxx
ASKER
I did that, but when I test now I get timeouts
It should be:
Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml
Sorry, that was supposed to be in code blocks:
Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml
ASKER
Correction, it works fine now from my local desktop !!
(I forgot to add .../autodiscover/autodiscover.xml)
But from a remote desktop I keep on getting these timeouts
First try restarting your Exchange box and see if the issue is now resolved. If not, ensure that your owa.company.be points to your internet-facing CAS server. Then run the script above again and just replace the URI with owa.company.be, which should also resolve the issue.
ASKER
Hendrik
You want me to change the URL to the same URL??
The wildcard cert will work fine. The problem with Outlook Anywhere is you are using the wrong name (I believe) under "Only connect to proxy servers that have this principal name in their certificate".
Try changing that to *.domain.com or just unchecking that box.
Can you run
Test-WebServicesConnectivity and copy the results here.
Also, please run Test-OutlookConnectivity, as per the article here.
You'd need to create a test user first.
http://technet.microsoft.com/en-us/library/ee633453.aspx
ASKER
@Sunnyc7
Is there a way to test this on a remote site PC or server?
Both tests on my Exchange servers show: ALL SUCCESS
On Server
Did you try ExRCA?
www.testexchangeconnectivity.com
You can remotely test your RPC/HTTPS.
Select Outlook Anywhere.
ASKER
Yes, and that all worked fine.
Are there any default ports that need to be opened besides 443?
25/80/443 port forwarded to lan IP of exchange.
Can you post a screenshot of the error you are getting
What is the MSSTD: value in outlook ?
ASKER
msstd:*.hamann.be
You have to enter the FQDN,
not *.hamann.be.
Enter the FQDN of your OWA URL / first MX:
if your OWA URL is https://mail.domain.com/owa
then enter msstd:mail.domain.com
I believe in your case it will be owa.hamann.be
ASKER
I already tried this out, but this did not work at all
What's the authentication set in IIS for RPC?
start > run > inetmgr
expand Default Web Site > go to the RPC folder
on the right tab click Permissions
Do you have anything other than Basic?
ASKER
No, only basic authentication on RPC
Close Outlook.
start > run >
outlook /rpcdiag
Please post the screenshot.
ASKER
I can't send you a screenshot, because it's in Dutch ;-)
I'll tell you what I see: the PC connects and tries, due to the slow network connection, the connection through HTTPS; this fails, so it connects over TCP/IP and then times out.
Can you run this from the Exchange shell:
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.net
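An added PowerShell example, not code from this thread, from Microsoft or from the asker's environment, that ties together the checks suggested across the thread: which services the certificate is assigned to, the Outlook Anywhere external host name, the AutoDiscover internal URI and the EXPR certificate principal name, followed by a test of whether each host name is actually covered by the names in the certificate. The coverage test applies the common TLS host-name rule (an exact SAN match, or a wildcard entry that stands in for exactly one leftmost label); it does not reproduce Outlook's separate msstd: principal-name comparison. The cmdlets used (Get-ExchangeCertificate, Get-OutlookAnywhere, Get-ClientAccessServer, Get-OutlookProvider) are standard Exchange 2010 Management Shell cmdlets; the offline fallback data is constructed from the SAN list in the question, and the function names Test-CertNameMatch and Get-NameCoverageReport are my own.

```powershell
# Added example, not from the thread. Checks whether a host name is covered by
# a certificate's names using the usual TLS rule: exact match, or a wildcard
# entry that replaces exactly one leftmost label (*.company.be covers
# owa.company.be but not company.be or mail.owa.company.be).
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertNames
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($entry in $CertNames) {
        $n = "$entry".ToLowerInvariant().TrimEnd('.')
        if ($n -eq $h) { return $true }                      # exact SAN/CN entry
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                        # ".company.be"
            $labels = $h.Split('.')
            # the wildcard stands in for one label only
            if ($labels.Count -ge 2 -and $h -eq ($labels[0] + $suffix)) { return $true }
        }
    }
    return $false
}

# One row per host name: covered by the certificate, or not.
function Get-NameCoverageReport {
    param([string[]]$CertNames, [string[]]$HostNames)
    foreach ($name in $HostNames) {
        [pscustomobject]@{
            HostName = $name
            Covered  = Test-CertNameMatch -HostName $name -CertNames $CertNames
        }
    }
}

# Constructed sample data: the SAN list from the question plus the host names
# discussed in the thread and one extra name that a wildcard must not cover.
$sampleCertNames = @('owa.company.be', 'servername.company.be',
                     'autodiscover.company.be', 'company.be', '*.company.be')
$sampleHostNames = @('owa.company.be', 'autodiscover.company.be',
                     'company.be', 'mail.owa.company.be')

if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    # Live mode (Exchange 2010 Management Shell): the certificate bound to IIS,
    # the Outlook Anywhere external name, the AutoDiscover URI and the EXPR
    # principal name, i.e. the settings questioned in this thread.
    $cert = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    "Certificate {0}: services={1} selfSigned={2} expires={3}" -f `
        $cert.Thumbprint, $cert.Services, $cert.IsSelfSigned, $cert.NotAfter
    $oa = Get-OutlookAnywhere | Select-Object -First 1
    "Outlook Anywhere: ExternalHostname={0} ClientAuth={1}" -f `
        $oa.ExternalHostname, $oa.ClientAuthenticationMethod
    $cas = Get-ClientAccessServer | Select-Object -First 1
    "AutoDiscoverServiceInternalUri={0}" -f $cas.AutoDiscoverServiceInternalUri
    "EXPR CertPrincipalName={0}" -f (Get-OutlookProvider EXPR).CertPrincipalName
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $hostNames = @("$($oa.ExternalHostname)",
                   ([uri]"$($cas.AutoDiscoverServiceInternalUri)").Host)
} else {
    # Offline mode: apply the rule to the constructed sample so the script runs anywhere.
    $certNames = $sampleCertNames
    $hostNames = $sampleHostNames
}

Get-NameCoverageReport -CertNames $certNames -HostNames $hostNames | Format-Table -AutoSize
```

Run it in the Exchange Management Shell to see the live values, or in any PowerShell session to see the rule applied to the sample names; in the sample, owa.company.be, autodiscover.company.be and company.be come out covered (the last one only because it is listed explicitly), while mail.owa.company.be does not, since a single wildcard label never spans two subdomain levels.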
ASKER
nope, no luck....
Restart RPC Service and try again ?
You can restart AD Topology to reset all other services.
ASKER
To all,
The problem lies in slow network performance after the Windows 2008 R2 SP1 upgrade.
The exchange server is a VM in Vsphere 4.1.
The ESXi is OK, because other VM hosts are running on that machine, without any network issues.
ASKER CERTIFIED SOLUTION
ASKER
We found the solution ourselves