Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2010 SP2 multi tenant, SSL certificate per domain

Posted on 2013-05-13
6
Medium Priority
?
860 Views
Last Modified: 2016-04-25
Hello,
We have a multi tenant Exchange 2010 SP2 system, we're hosting multiple clients, each client has its down domain. For example: client1 -> domain1.com & client2 -> domain2.com

Currently each client access OWA via our main domain: https://exchange.mycompany.com/owa
Each customer can configure his Outlook using our mail domain: exchange.mycompany.com
or using its own domain mail.domain1.com or mail.domain2.com.

One of my customers told me that he is getting certificate warnings from Outlook, he has his domain configured as exchange server: mail.domain1.com and the warnings are coming about his domain.

Our main domain has an SSL certificate installed, I can see it's working in the Exchange Console and also our IIS OWA is protected.

How can I install a separate SSL certificate for each customer? I have bough a wildcard SSL for him *.domain1.com and I want to use it so he will stop receiving this alerts.

Thank you.
0
Comment
Question by:m4dd0g
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39160923
This isn't how multi tenant works.
You are setup correctly, it is your customer's DNS settings that are wrong.
Almost certainly they have a wildcard in their DNS and autodiscover.example.com resolves somewhere else, to a place there there is an SSL certificate in place for another domain. If you get the client to look at the certificate that should confirm it. Removing the wildcard form the DNS will resolve the problem.

Simon.
0
 

Author Comment

by:m4dd0g
ID: 39160949
Thanks, is it possible to exclude a record from * wildcard record in dns zone ?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39161105
No. There is no such thing as an exclusion in DNS.
The wildcard must be removed. The closest you can get is to blackhole autodiscover (So set it to 127.0.0.2) but that can cause problems with Outlook clients so it isn't a recommended path.

There should be no need for a wildcard in DNS - it is just laziness from hosting companies.

Simon.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:m4dd0g
ID: 39164075
the clients keep receiving the message after disabling the autodiscover,
the warning they receive is:
"the certificate cn name does not match the passed value"
"Do you want to continue using this server?"

thanks for help.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39164123
You need to look at the certificate to see where it is coming from. Their DNS is obviously not setup correctly.

Simon.
0
 
LVL 4

Expert Comment

by:PCLANVADWPB
ID: 41565328
Simon Butler you are a wise man.

I like to ship in a couple of my own tips.

Sometimes, we folks who do multi tenant Exchange hosting do not have the luxury of managing the DNS for the client's domain, we have no say if they do a wildcard host name, only the MX records are pointing to our system.  The way we overcome DNS problems when someone else manages it, is as followed:

Make sure the autodiscover feature of the primary domain (exchange.mycompany.com) is working properly, since all the tenant domains rely on the primary domain's SSL certificate.  In particular, make sure the SRV record for the primary domain is fully spelled out, i.e _autodiscover, _tcp, 0,0,443, SSL name.  

If an incorrect client domain autodiscover record is causing error with your SSL certificate, as in the above example, when autodiscover.clientdomain.com does not match the name of the certificate, namely exchange.mycompany.com, then we simply block the host name by adding 127.0.0.2 to autodiscover.clientdomain.com on the client's PC "hosts" file.  This will eliminate the certificate pop up error.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
As much as Microsoft wants to kill off PST file support, just as they tried to do with public folders, there are still times when it is useful or downright necessary to export Exchange mailboxes to PST files. Thankfully, it is still possible to e…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question