Outlook 2010 Certificate Error even with SAN Certificate being installed

Posted on 2011-10-25
Last Modified: 2012-05-12
Hi Guys,

I've got the following scenario:

Single AD/Domain, Single Site, 2 CAS/HUB Servers, 2 MBX Servers.

The CAS Servers are: and
The MBX Servers are: and

CAS are in Array with NLB. The FQDN is

There is no external access at this moment.

I have an Enterprise Root CA in place.

I configured Exchange CAS Arrays by using the cmdlet New-ClientAccessArray and updated the mailbox configuration by running the command Set-MailboxDatabase -identity servername -RpcClientAccessServer

The SAN certificate has the following FQDNs:

The certificate is trusted by the domain clients because it comes from an enterprise root CA. I can confirm this statement by opening the certificate on the client and going all the way up to the root CA.

I read many docs that say you DON'T need to add the CAS servers' FQDNs to the SAN certificate, nor the CAS Array FQDN, because both FQDNs are not used by SSL connections. The exception is when the CAS Array FQDN is the same URL as for OWA, ECP and further services.

When Outlook 2010 starts the autodiscover process, it can locate all services and configure the user profile pointing the server to, which is the expected behavior.

The unexpected behavior happens after profile gets configured: the certificate's security warning pops up because Outlook can't find the name in the certificate.

Trying to investigate why Outlook is directing connections to this FQDN, I opened Outlook Connection Status. All endpoints are on (except for the public folders, which go directly to the mailbox server). There is no endpoint at

Autodiscover is also working fine. It points to

Therefore my question is: Why am I getting the certificate error? I know that some of you might tell me just to add all CAS FQDNs to the SAN Certificate. It's not an option, though. The certificate has already been bought without those names. What I need to know is the reason Outlook is looking for the CAS name in the certificate whereas it should not do so.


Rodrigo Garcone
Question by: garconer
    LVL 5

    Expert Comment

    What is the common name of the certificate?
    LVL 14

    Expert Comment

    Hi, are you running Exchange 2010 SP1 RU5? I believe prior to Service Pack 1 you did in fact need the FQDN of all CAS servers likely to offer an endpoint, but this requirement went away with SP1.

    Accepted Solution

    Found the answer myself.

    InternalUrl for AutoDiscoverVirtualDirectory was not properly set.

    Sharing this solution for others who come here.

    Thanks for the replies anyway
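    An added audit script (not from this thread, and not Microsoft's code) that checks the fix described above from the other direction: it lists every internal URL a domain-joined Outlook client can be handed (the SCP Autodiscover URI plus the Autodiscover, EWS, OAB, OWA and ECP virtual directory InternalUrls) and flags any hostname that is not covered by the SAN names of the certificate bound to IIS. `mail.example.local` and the `CAS01\...` identity are placeholders.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# on a CAS server. 'mail.example.local' is a placeholder for the FQDN that the
# SAN certificate actually carries; substitute your own.
$ExpectedFqdn = 'mail.example.local'

# Every internal URL a domain-joined Outlook client can be handed.
# AutoDiscoverServiceInternalUri is the SCP record Outlook reads first.
$urls = @()
$urls += Get-ClientAccessServer           | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-WebServicesVirtualDirectory  | ForEach-Object { $_.InternalUrl }
$urls += Get-OabVirtualDirectory          | ForEach-Object { $_.InternalUrl }
$urls += Get-OwaVirtualDirectory          | ForEach-Object { $_.InternalUrl }
$urls += Get-EcpVirtualDirectory          | ForEach-Object { $_.InternalUrl }

# Subject alternative names on the certificate bound to IIS on this CAS.
$sanNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-NameCovered([string]$hostName, [string[]]$names) {
    # Exact match, or a wildcard entry whose suffix matches (*.example.local).
    if ($names -contains $hostName) { return $true }
    foreach ($n in $names) {
        if ($n.StartsWith('*.') -and $hostName.EndsWith($n.Substring(1))) { return $true }
    }
    return $false
}

foreach ($u in $urls) {
    if (-not $u) {
        Write-Warning 'A virtual directory has an empty InternalUrl; set it explicitly.'
        continue
    }
    $hostName = ([System.Uri]$u).Host.ToLower()
    if (Test-NameCovered $hostName $sanNames) {
        "OK        $u"
    } else {
        "MISMATCH  $u  (host '$hostName' not in SAN: $($sanNames -join ', '))"
    }
}

# Remediation for the case found in this thread: point the Autodiscover
# virtual directory at the name that is on the certificate.
# Set-AutodiscoverVirtualDirectory -Identity 'CAS01\Autodiscover (Default Web Site)' `
#     -InternalUrl "https://$ExpectedFqdn/Autodiscover/Autodiscover.xml"
```

    Any MISMATCH line names a URL that will trigger exactly the warning described in the question; the goal is zero of them, so users never learn to click through a certificate prompt.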

    Author Closing Comment

    Found the solution myself
