Outlook 2010 Certificate Error even with SAN Certificate being installed
Posted on 2011-10-25
I've got the following scenario:
Single AD/Domain, Single Site, 2 CAS/HUB Servers, 2 MBX Servers.
The CAS Servers are: cas01.domain.com and cas02.domain.com
The MBX Servers are: mbx01.domain.com and mbx02.domain.com
CAS are in Array with NLB. The FQDN is array.domain.com
There is no external access at this moment.
I have an Enterprise Root CA in place.
I configured Exchange CAS Arrays by using the cmdlet New-ClientAccessArray and updated the mailbox configuration by running the command Set-MailboxDatabase -identity servename -RpcClientAccessServer array.domain.com
The SAN certificate has the following FQDNs:
The certificate is trusted by the domain clients because it comes from an enterprise root CA. I can confirm this statement by opening the certificate on the client and going all the way up to the root CA.
I read many docs that say you DON'T need to add the CAS Servers' FQDNs to the SAN certificate, nor the CAS Array FQDN, because both FQDNs are not used by SSL connections. The exception is when the CAS Array FQDN is the same URL used for OWA, ECP and further services.
When Outlook 2010 starts the autodiscover process, it can locate all services and configure the user profile pointing the server to array.domain.com, which is the expected behavior.
The unexpected behavior happens after profile gets configured: the certificate's security warning pops up because Outlook can't find the name cas01.domain.com in the certificate.
Trying to investigate why Outlook is directing connections to this FQDN, I opened Outlook Connection Status. All endpoints are on array.domain.com (except for the public folders, which go directly to the mailbox server). There is no endpoint at cas01.domain.com.
Autodiscover is also working fine. It points to array.domain.com.
Therefore my question is: Why am I getting the certificate error? I know that some of you might tell me just to add all CAS FQDNs to the SAN Certificate. It's not an option, though. The certificate has already been bought without those names. What I need to know is the reason Outlook is looking for the CAS name in the certificate whereas it should not do so.
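A check a practitioner would run against the scenario above, as an added example that is not part of the original post: it lists every host name the CAS configuration publishes to domain-joined Outlook clients (the Autodiscover SCP URI and each web service's InternalUrl) and compares them with the DNS names on the SAN certificate. It assumes an Exchange 2010 Management Shell session and that the SAN certificate in question is the one with the IIS service enabled.

```powershell
# Added diagnostic (not from the original post). Assumes Exchange 2010
# Management Shell (PowerShell 2.0 compatible syntax) and that the SAN
# certificate is the one bound to IIS.

$published = @()

# Autodiscover SCP URI that domain-joined Outlook clients look up first
Get-ClientAccessServer | ForEach-Object {
    $published += New-Object PSObject -Property @{
        Source = "$($_.Name) AutoDiscoverServiceInternalUri"
        Url    = $_.AutoDiscoverServiceInternalUri
    }
}

# Internal URLs that Autodiscover hands back for each web service;
# Outlook validates the certificate against the host in each of these
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    & $cmdlet | ForEach-Object {
        $published += New-Object PSObject -Property @{
            Source = "$($_.Server) $($_.Name) InternalUrl"
            Url    = $_.InternalUrl
        }
    }
}

# DNS names on the certificate currently enabled for IIS
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Select-Object -First 1
$sanNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Report each published host and whether the certificate covers it
# (exact match, or a wildcard entry covering the same parent domain)
foreach ($entry in $published) {
    if (-not $entry.Url) { continue }
    $hostName = ([uri]$entry.Url).Host.ToLower()
    $parent   = $hostName.Substring($hostName.IndexOf('.') + 1)
    $covered  = ($sanNames -contains $hostName) -or ($sanNames -contains "*.$parent")
    New-Object PSObject -Property @{
        Source    = $entry.Source
        Host      = $hostName
        InSanCert = $covered
    }
} | Sort-Object InSanCert, Host | Format-Table Source, Host, InSanCert -AutoSize
```

Any row with InSanCert set to False names a host Outlook is being directed to that the certificate does not cover; a cas01.domain.com entry there identifies which setting is producing the warning.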