HamannWetteren

asked on

Exchange 2010 and wildcard certificate

I have a wildcard certificate with CN = *.company.be
I have the following SAN's in the certificate:
owa.company.be
servername.company.be
autodiscover.company.be
company.be
*.company.be

The external host name for Outlook Anywhere = owa.company.be

Whenever I try to use HTTP/RPC connection, I get the following error:
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site owa.company.be.
Outlook is unable to connect to the proxy server.

Any ideas?

Hendrik Wiese

You need to use a UCC SSL Certificate for Exchange 2010.
HamannWetteren

ASKER

Strange thing is, this has worked for more than 1 year, but since we updated the Exchange server last weekend to Windows 2008 R2 SP1, it fails.
And then include at least the following:

owa.company.be
autodiscover.company.be
servername.company.be

After installing the certificate you would be able to use: https://owa.company.be/OWA
Just ensure that your certificate is installed correctly and is also not self-signed. Also check to see if your certificate did not expire.
Or rather, are you using a third-party certificate, as this is recommended?
Selfsigned = False
Valid from: 24/09/2010 to 2/10/2013

Digicert people told me that a wildcard certificate is 100% usable in Exchange...??
Ensure that the correct services are assigned to the certificate:

IIS, POP, SMTP and IMAP
All correct services are assigned
What happens if you go to https://servername.company.be/OWA do you also get a certificate mismatch?
No, that works fine
Go to https://www.testexchangeconnectivity.com/ and let me know what the results are?

The only time that one would get that error is when the owa.company.be is not included in the certificate or when the services are not correctly assigned.
Hendrik,

I did the tests, and they all worked fine....
You would definitely be better off using a UCC SSL Certificate. But let's carry on.

Try pointing the autodiscover to the existing SSL using:
Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://yourinternaladdress.xxx


I did that, but when I test now I get timeouts.
It should be:

Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml
Sorry, was supposed to be in code blocks:

Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://servername.company.be/autodiscover/autodiscover.xml

Correction, it works fine now from my local desktop !!
(I forgot to add.../autodiscover/autodiscover.xml)

But from a remote desktop I keep on getting these timeouts
First try restarting your Exchange box and see if the issue is now resolved. If not, ensure that your owa.company.be points to your internet-facing CAS server. Then run the script above again and just replace the URI with owa.company.be, which should also resolve the issue.
Hendrik
You want me to change the URL to the same URL?
The wildcard cert will work fine. The problem with Outlook Anywhere is you are using the wrong name (I believe) under the "Only connect to proxy servers that have this principal name in their certificate"

Try changing that to *.domain.com or just unchecking that box.
Can you run
Test-webservicesconnectivity and copy the results here.

Also, please run test-outlookconnectivity, as per the article here
You'd need to create a test user first.
http://technet.microsoft.com/en-us/library/ee633453.aspx
@Sunnyc7

Is there a way to test this on a remote site PC or server?

Both tests on my Exchange servers show: ALL SUCCESS

On Server
Did you try ExRCA?
www.testexchangeconnectivity.com

You can remotely test your RPC/HTTPS.
Select Outlook Anywhere.
Yes, and that all worked fine.

Are there any default ports that need to be opened besides 443?
25/80/443 port forwarded to lan IP of exchange.

Can you post a screenshot of the error you are getting?
What is the MSSTD: value in Outlook?
msstd:*.hamann.be
You have to enter the FQDN,
not *.hamann.be.

Enter the FQDN of your OWA URL / first MX.
If your OWA URL is https://mail.domain.com/owa
then enter msstd:mail.domain.com

I believe in your case it will be owa.hamann.be
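The disagreement in this thread is about which names the certificate actually covers and what the msstd: principal name must be. The following is an added example, not code from the thread or from Exchange; it applies the standard wildcard rule (a "*" only in the leftmost label, matching exactly one label) to the certificate names listed in the question, and derives the msstd: value from an OWA URL the way the post above describes. The certificate names and URLs are taken from the thread; the function names are my own.

```python
from urllib.parse import urlsplit

# Names from the certificate described in the question (CN plus SANs), constructed as input.
CERT_NAMES = [
    "*.company.be",             # CN
    "owa.company.be",           # SANs
    "servername.company.be",
    "autodiscover.company.be",
    "company.be",
    "*.company.be",
]


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name covers host, using the leftmost-label wildcard rule."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host            # plain name: exact match only
    suffix = cert_name[1:]                  # "*.company.be" -> ".company.be"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # The wildcard must stand in for exactly one non-empty label:
    # "owa.company.be" matches, "company.be" and "a.b.company.be" do not.
    return leftmost != "" and "." not in leftmost


def cert_covers(host: str, names=CERT_NAMES) -> bool:
    """True if any name in the certificate covers host."""
    return any(name_matches(n, host) for n in names)


def expected_principal_name(owa_url: str) -> str:
    """Derive the msstd: principal name Outlook should be given from an OWA URL."""
    host = urlsplit(owa_url).hostname
    if not host:
        raise ValueError(f"no host in URL: {owa_url!r}")
    return f"msstd:{host.lower()}"


if __name__ == "__main__":
    for h in ["owa.company.be", "company.be", "mail.sub.company.be", "owa.other.be"]:
        print(f"{h:22s} {'covered' if cert_covers(h) else 'NOT covered'}")
    print(expected_principal_name("https://owa.company.be/owa"))
```

Note that "company.be" is covered only because it is an explicit SAN; the wildcard alone would not cover the bare domain, which is why a wildcard-only certificate can fail for names the question lists.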
I already tried this out, but this did not work at all
What's the authentication set in IIS for RPC?

Start > Run > inetmgr
Expand Default Web Site > go to the RPC folder.
On the right tab click Permissions.
Do you have anything other than Basic?
No, only Basic authentication on RPC.
Close Outlook.
Start > Run >
outlook /rpcdiag

Please post the screenshot
I can't send you a screen shot, because it's in Dutch ;-)

I'll tell you what I see: the PC connects and, due to the slow network connection, tries the connection through HTTPS; this fails, so it connects over TCP/IP and then times out.
Can you run this from the Exchange shell?
Set-OutlookProvider EXPR -Server $null -CertPrincipalName msstd:Autodiscover.externaldomain.net
nope, no luck....
Restart the RPC service and try again?
You can restart AD Topology to reset all other services.
To all,
The problem lies in slow network performance after the Windows 2008 R2 SP1 upgrade.
The Exchange server is a VM in vSphere 4.1.
The ESXi is OK, because other VM hosts are running on that machine without any network issues.
ASKER CERTIFIED SOLUTION
HamannWetteren

We found the solution ourselves