Solved

Outlook 2010 Certificate Error even with SAN Certificate being installed

Posted on 2011-10-25
Last Modified: 2012-05-12
Hi Guys,

I've got the following scenario:

Single AD/Domain, Single Site, 2 CAS/HUB Servers, 2 MBX Servers.

The CAS Servers are: cas01.domain.com and cas02.domain.com
The MBX Servers are: mbx01.domain.com and mbx02.domain.com

CAS are in Array with NLB. The FQDN is array.domain.com

There is no external access at this moment.

I have an Enterprise Root CA in place.

I configured Exchange CAS Arrays by using the cmdlet New-ClientAccessArray and updated the mailbox configuration by running the command Set-MailboxDatabase -identity servename -RpcClientAccessServer array.domain.com

The SAN certificate has the following FQDNs:

autodiscover.domain.com
array.domain.com
mail.domain.com
legacy.domain.com

The certificate is trusted by the domain clients because it comes from an enterprise root CA. I can confirm this statement by opening the certificate in the client and going all the way up to the root CA.

I read many docs that say you DON'T need to add the CAS Servers' FQDNs in the SAN certificate nor the CAS Array FQDN because both FQDNs are not used by SSL connections. The exception is when the CAS Array FQDN is the same URL for OWA, ECP and further services.

When Outlook 2010 starts the autodiscover process, it can locate all services and configure the user profile pointing the server to array.domain.com, which is the expected behavior.

The unexpected behavior happens after profile gets configured: the certificate's security warning pops up because Outlook can't find the name cas01.domain.com in the certificate.

Trying to investigate why Outlook is directing connections to this FQDN, I opened Outlook Connection Status. All endpoints are on array.domain.com (except for the public folders, which go directly to the mailbox server). There is no endpoint at cas01.domain.com.

Autodiscover is also working fine. It points to array.domain.com.

Therefore my question is: Why am I getting the certificate error? I know that some of you might tell me just to add all CAS FQDNs to the SAN certificate. It's not an option, though. The certificate has already been bought without those names. What I need to know is the reason Outlook is looking for the CAS name in the certificate when it should not do so.

Regards,

Rodrigo Garcone
Question by:garconer

Expert Comment

by:HeshamMousa
ID: 37029376
What is the common name of the certificate?


Expert Comment

by:Radweld
ID: 37029379
Hi, are you running Exchange 2010 SP1 RU5? I believe prior to Service Pack 1 you did in fact need the FQDN of all CAS servers likely to offer an endpoint, but this requirement went away with SP1.

Accepted Solution

by:garconer
ID: 37029389
Found the answer myself.

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/40f05965-a496-440e-b9fb-0db763aabdff/

InternalUrl for AutoDiscoverVirtualDirectory was not properly set.

Sharing this solution for others who come here.

Thanks for the replies anyway
0
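A way to check for the mismatch described in the accepted solution, as an added example that is not part of the original thread: it lists the internal URLs Exchange 2010 publishes to Outlook and flags any whose host name is not covered by the SAN certificate. It goes beyond the Autodiscover virtual directory named above by also checking the Autodiscover service URI, EWS and OAB; the thumbprint is a placeholder and `Test-NameCovered` is a hypothetical helper written for this example.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Placeholder: thumbprint of the SAN certificate assigned to IIS.
$thumbprint = '<THUMBPRINT-OF-SAN-CERT>'
$cert  = Get-ExchangeCertificate -Thumbprint $thumbprint
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })

# Hypothetical helper: exact match, or a wildcard entry covering one left-most label.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect every internal URL that a domain-joined Outlook client can be handed.
$rows = @()
$rows += Get-ClientAccessServer | Select-Object `
    @{n='Server';  e={ $_.Name }},
    @{n='Setting'; e={ 'AutoDiscoverServiceInternalUri' }},
    @{n='Url';     e={ "$($_.AutoDiscoverServiceInternalUri)" }}

$cmdlets = 'Get-AutodiscoverVirtualDirectory',
           'Get-WebServicesVirtualDirectory',
           'Get-OabVirtualDirectory'
foreach ($cmd in $cmdlets) {
    $rows += & $cmd | Select-Object `
        @{n='Server';  e={ "$($_.Server)" }},
        @{n='Setting'; e={ "$cmd InternalUrl" }},
        @{n='Url';     e={ "$($_.InternalUrl)" }}
}

# Compare each URL's host against the certificate names; unset URLs are skipped.
$rows | Where-Object { $_.Url } | ForEach-Object {
    $urlHost = ([uri]$_.Url).Host
    $_ | Add-Member NoteProperty UrlHost $urlHost -PassThru |
         Add-Member NoteProperty InCert (Test-NameCovered $urlHost $names) -PassThru
} | Format-Table Server, Setting, UrlHost, InCert -AutoSize
```

Any row with InCert set to False names a host that clients will be directed to over SSL but that the certificate does not list, which is the condition that produces the Outlook security warning.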
 

Author Closing Comment

by:garconer
ID: 37052407
Found the solution myself