Solved

Exchange 2010 and wildcard certificate

Posted on 2011-10-18
1,142 Views
Last Modified: 2012-06-27
I have a wildcard certificate with CN = *.company.be
I have the following SAN's in the certificate:
owa.company.be
servername.company.be
autodiscover.company.be
company.be
*.company.be

The external host name for Outlook Anywhere = owa.company.be

Whenever I try to use HTTP/RPC connection, I get the following error:
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site owa.company.be.
Outlook is unable to connect to the proxy server.

Any ideas?

Question by:HamannWetteren

39 Comments
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985861
You need to use a UCC SSL Certificate for Exchange 2010.
0
 

Author Comment

by:HamannWetteren
ID: 36985880
Strange thing is, this has worked for more than 1 year, but since we updated the Exchange server last weekend to Windows 2008 R2 SP1, it fails.
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985883
And then include at least the following:

owa.company.be
autodiscover.company.be
servername.company.be

After installing the certificate you would be able to use: https://owa.company.be/OWA
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985896
Just ensure that your certificate is installed correctly and is also not self-signed. Also check that your certificate has not expired.
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985898
Or rather, are you using a third-party certificate, as this is recommended?
0
 

Author Comment

by:HamannWetteren
ID: 36985912
Selfsigned = False
Valid from: 24/09/2010 to 2/10/2013

Digicert people told me that a wildcard certificate is 100% usable in Exchange...??
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985935
Ensure that the correct services are assigned to the certificate:

IIS, POP, SMTP and IMAP
0
 

Author Comment

by:HamannWetteren
ID: 36985943
All correct services are assigned
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36985956
What happens if you go to https://servername.company.be/OWA? Do you also get a certificate mismatch?
0
 

Author Comment

by:HamannWetteren
ID: 36985978
No, that works fine
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36986069
Go to https://www.testexchangeconnectivity.com/ and let me know what the results are?

The only time that one would get that error is when the owa.company.be is not included in the certificate or when the services are not correctly assigned.
0
 

Author Comment

by:HamannWetteren
ID: 36986204
Hendrik,

I did the tests, and they all worked fine....
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36986342
You would definitely be better off using a UCC SSL Certificate. But let's carry on.

Try pointing the autodiscover to the existing SSL using:
Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://yourinternaladdress.xxx

0
 

Author Comment

by:HamannWetteren
ID: 36986384
I did that, but when I test now I get timeouts.
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36986414
It should be:

Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36986422
Sorry, was supposed to be in code blocks:

Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml

0
 

Author Comment

by:HamannWetteren
ID: 36986432
Correction, it works fine now from my local desktop !!
(I forgot to add.../autodiscover/autodiscover.xml)

But from a remote desktop I keep on getting these timeouts
0
 
LVL 21

Expert Comment

by:Hendrik Wiese
ID: 36986455
First try restarting your Exchange box and see if the issue is now resolved. If not, ensure that your owa.company.be points to your internet-facing CAS server. Then run the script above again and just replace the URI with owa.company.be, which should also resolve the issue.
0
 

Author Comment

by:HamannWetteren
ID: 36986523
Hendrik
You want me to change the URL to the same URL??
0
 
LVL 11

Expert Comment

by:madhatter5501
ID: 36986560
The wildcard cert will work fine. The problem with Outlook Anywhere is you are using the wrong name (I believe) under "Only connect to proxy servers that have this principal name in their certificate".

Try changing that to *.domain.com or just unchecking that box.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986668
Can you run
Test-webservicesconnectivity and copy the results here.

Also, please run test-outlookconnectivity, as per the article here
You'd need to create a test user first.
http://technet.microsoft.com/en-us/library/ee633453.aspx
0
 

Author Comment

by:HamannWetteren
ID: 36986733
@Sunnyc7

Is there a way to test this on a remote site PC or server?

Both tests on my Exchange servers show: ALL SUCCESS

0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986843
On Server
did you try ExRCA
www.testexchangeconnectivity.com

you can remotely test your RPC/HTTPS
Select outlook anywhere
0
 

Author Comment

by:HamannWetteren
ID: 36986859
Yes, and that all worked fine.

Are there any default ports that need to be opened besides 443?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986881
25/80/443 port forwarded to lan IP of exchange.

Can you post a screenshot of the error you are getting
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986888
What is the MSSTD: value in outlook ?
0
 

Author Comment

by:HamannWetteren
ID: 36986898
msstd:*.hamann.be
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986921
you have to enter the FQDN
not *.hamann.be

Enter the FQDN of your OWA URL / First MX
if your OWA URL is https://mail.domain.com/owa
then enter msstd:mail.domain.com

I believe in your case it will be owa.hamann.be
0
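The two comments above (madhatter5501's and sunnyc7's) disagree on what name belongs in the principal-name box, but the underlying question is the same: which names in the poster's certificate actually cover each Exchange hostname? The following is an added example, not code from the thread, that applies the usual wildcard-matching rules (a `*` only as the whole left-most label, matching exactly one label) to the CN and SAN list quoted in the question; the hostnames and the branch-office name are constructed for illustration.

```python
# Added example: audit which certificate names cover each Exchange hostname.
from typing import Dict, Iterable, List

# Constructed from the certificate described in the question.
CERT_SUBJECT_CN = "*.company.be"
CERT_SANS = [
    "owa.company.be",
    "servername.company.be",
    "autodiscover.company.be",
    "company.be",
    "*.company.be",
]


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().lower().rstrip(".")


def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one CN/SAN entry covers host.

    Only a '*' that is the entire left-most label is a wildcard, and it
    matches exactly one label: '*.company.be' covers 'owa.company.be' but
    neither 'company.be' nor 'mail.branch.company.be'.
    """
    cert_name, host = _norm(cert_name), _norm(host)
    if "*" not in cert_name:
        return cert_name == host
    first, sep, parent = cert_name.partition(".")
    if first != "*" or not sep or "*" in parent:
        return False  # partial ('o*.') or nested wildcards are not honoured
    hfirst, hsep, hparent = host.partition(".")
    return bool(hfirst) and hsep == "." and hparent == parent


def covering_names(host: str, cn: str = CERT_SUBJECT_CN,
                   sans: Iterable[str] = CERT_SANS) -> List[str]:
    """Names that cover host. Name-checking clients use the SAN list and
    ignore the CN whenever SANs are present, so the CN is a fallback only."""
    candidates = list(sans) or [cn]
    return [n for n in candidates if name_matches(n, host)]


def audit(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map each hostname to the certificate names covering it; an empty list
    means a client connecting to that name will report a name mismatch."""
    return {h: covering_names(h) for h in hosts}


if __name__ == "__main__":
    for host, names in audit(["owa.company.be", "autodiscover.company.be",
                              "company.be", "mail.branch.company.be"]).items():
        print(f"{host:26} {'OK  ' if names else 'FAIL'} {names}")
```

The explicit SAN entries are what make the certificate robust: the bare `company.be` is covered only by its own SAN, and a deeper name such as `mail.branch.company.be` is covered by nothing, so a client pointed at such a name would see exactly the mismatch error quoted in the question.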
 

Author Comment

by:HamannWetteren
ID: 36986935
I already tried this out, but this did not work at all
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36986954
What's the authentication set in IIS for RPC

start > run > inetmgr
expand default website > go to RPC folder
on the right tab click permissions
Do you have anything other than basic ?
0
 

Author Comment

by:HamannWetteren
ID: 36987075
No, only basic authentication on RPC.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36987118
close outlook
start > run > 
outlook /rpcdiag

Please post the screenshot
0
 

Author Comment

by:HamannWetteren
ID: 36987227
I can't send you a screen shot, because it's in Dutch ;-)

I'll tell you what I see: the PC connects and tries, due to the slow network connection, the connection through HTTPS; this fails, so it connects over TCP/IP and then times out.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36987250
can you run this from exch shell
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.net
0
 

Author Comment

by:HamannWetteren
ID: 36987300
nope, no luck....
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 36987310
Restart RPC Service and try again ?
You can restart AD Topology to reset all other services.
0
 

Author Comment

by:HamannWetteren
ID: 36991461
To all,
the problem lies in slow network performance after the Windows 2008 R2 SP1 upgrade.
The Exchange server is a VM in vSphere 4.1.
The ESXi is OK, because other VM hosts are running on that machine without any network issues.
0
 

Accepted Solution

by:HamannWetteren (earned 0 total points)
ID: 37213644
Solved: problem in the spam filter appliance, which degraded network performance.
0
 

Author Closing Comment

by:HamannWetteren
ID: 37236356
We found the solution ourselves.
0
