• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 575
  • Last Modified:

Outlook 2010 Certificate Error even with SAN Certificate being installed

Hi Guys,

I've got the following scenario:

Single AD/Domain, Single Site, 2 CAS/HUB Servers, 2 MBX Servers.

The CAS Servers are: cas01.domain.com and cas02.domain.com
The MBX Servers are: mbx01.domain.com and mbx02.domain.com

CAS are in Array with NLB. The FQDN is array.domain.com

There is no external access at this moment.

I have an Enteprise Root CA in place.

I configured Exchange CAS Arrays by using the cmdlet New-ClientAccessArray and updated the the mailbox configuration by running the command Set-MailboxDatabase -identity servename -RpcClientAccessServer array.domain.com

The SAN certificate has the following FQDNs:


The certificate is trusted by the domain clients because it comes from an enterprise root ca. I can confirm this statement by opening the certificate in the client, and go all way up to the root ca.

I read many docs that says you DON'T need to add CAS Servers's FQDN in the SAN certificate nor CAS Array FQDN because both FQDNs are not used by SSL connections. The exception is when CAS Array FQDN is the same URL for OWA, ECP and further services.

When Outlook 2010 starts the autodiscover process, it can locate all services and configure the user profile pointing the server to array.domain.com, which is the expected behavior.

The unexpected behavior happens after profile gets configured: the certificate's security warning pops up because Outlook can't find the name cas01.domain.com in the certificate.

Trying to investigate why outlook is directing connections to this FQDN, I opened Outlook Connection Status. All endpoints are on array.domain.com (expect for the public folders that goes directly to mailbox server). there is no enpoint at cas01.domain.com.

Autodiscover is also working fine. It points to array.domain.com.

Therefore my question is: Why Am I getting the certificate error? I know that some of you might tell me just to add all CAS FQDN to the SAN Certificate. It's not an option, though. The certificate has already been bought without those names. What I need to know is the reason outlook is looking for the CAS name in the certificate whereas it should not do so.


Rodrigo Garcone
  • 2
1 Solution
what is the comman name of the certificate ?
Hi are you Running Exchange 2010 sp1 ru5? I believe prior to service pack 1 you did in fact need the fqdn of all cas servers likely to offer an end point but this requirement went away with sp1.
garconerAuthor Commented:
Found the answer myself.


InternalUrl for AutoDiscoverVirtualDirectory was not properly set.

Sharing this solution for others who come here.

Thanks for the replies anyway
garconerAuthor Commented:
Found the solution myself
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now