jmichaelpalermo4
The final piece! Wildcard certificate within Exchange 2010
First off...THANK YOU FOR YOUR HELP THUS FAR - YOU ARE ALL AMAZING! :D
I'm in the final stage of my new Exchange, load balanced and clustered environment. I was doing a "testexchangeconnectivity.com" check and found my new Exchange setup was failing on "Testing SSL mutual authentication with the RPC proxy server." It was attempting to use the cert for my production Exchange environment (EMAIL.domain.com) instead of the new cert (MAIL.domain.com). The actual error was:
The certificate common name email.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com
I did some digging and found I needed to run a quick command to fix this:
set-outlookprovider EXPR -CertPrincipalName msstd:mail.domain.com
And, at that moment, everything within my new Exchange environment began to work beautifully! But, my joy was short lived...
I found that after switching the outlook provider cert to mail.domain.com (from email.domain.com), my clients in the production environment started getting a nasty error:
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.domain.com. Outlook is unable to connect to the proxy server. (Error Code 0)
Scary! D:
I immediately switched the outlook provider cert back. I need to know... Can I simply get a wildcard certificate and use that for both my mail.domain.com and email.domain.com? For example, running this command:
set-outlookprovider EXPR -CertPrincipalName msstd:*.domain.com
How would I do this?
Thank you!!
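As an added example (not from this thread or from any of the participants), the following Exchange Management Shell script audits the two names the errors above complain about: for every Outlook Anywhere-enabled Client Access server it checks whether the EXPR CertPrincipalName (mutual authentication) and the Outlook Anywhere external hostname (proxy target) are both present on the certificate enabled for IIS. It assumes Outlook compares the text after "msstd:" literally with the certificate's subject/SAN names, which is why a wildcard certificate is paired with msstd:*.domain.com.

```powershell
# Added example, not from the thread: audit Outlook Anywhere certificate names
# per Client Access server. Run from the Exchange 2010 Management Shell.
# Assumption: Outlook compares the text after "msstd:" literally with the
# certificate's subject/SAN names, so a wildcard certificate needs
# CertPrincipalName msstd:*.domain.com rather than msstd:mail.domain.com.

function Test-HostOnCert {
    # Hostname match with single-label wildcard support, e.g. *.domain.com
    param([string]$HostName, [string[]]$CertNames)
    if ($CertNames -contains $HostName) { return $true }
    $parent = $HostName -replace '^[^.]+\.', ''      # mail.domain.com -> domain.com
    return [bool]($CertNames -contains "*.$parent")
}

$principal = (Get-OutlookProvider EXPR).CertPrincipalName   # e.g. "msstd:mail.domain.com"
$expected  = $principal -replace '^msstd:', ''

foreach ($oa in Get-OutlookAnywhere) {
    $server   = $oa.Server.Name
    $hostname = [string]$oa.ExternalHostname

    # Outlook Anywhere presents the certificate enabled for the IIS service
    $cert = Get-ExchangeCertificate -Server $server |
            Where-Object { $_.Services -match 'IIS' } |
            Select-Object -First 1
    if (-not $cert) {
        Write-Warning ("{0}: no certificate is enabled for IIS" -f $server)
        continue
    }
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    New-Object PSObject -Property @{
        Server           = $server
        ExternalHostname = $hostname
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        CertNames        = ($names -join ', ')
        # Mutual auth: the EXPR principal name must appear on the certificate
        PrincipalOnCert  = [bool]($names -contains $expected)
        # Proxy check: the host Outlook connects to must also be covered
        HostnameOnCert   = Test-HostOnCert $hostname $names
    } | Format-List Server, ExternalHostname, Thumbprint, NotAfter, CertNames, PrincipalOnCert, HostnameOnCert
}
```

A server where PrincipalOnCert is false corresponds to the mutual authentication failure, and one where HostnameOnCert is false to the "target site" proxy error; after changing the certificate or the EXPR provider, rerun it until both are true on every server in the array.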
ASKER
Is it as simple as that? Are there drawbacks to doing it this way? Is there a way to successfully use both mail.domain.com and email.domain.com without going the wildcard route?
J
Yes, you can buy a UCC (SAN) certificate and add both URIs to it; that's the common way of doing it.
ASKER
Well, there's also another side I haven't mentioned. Currently, in production, I use a single Exchange server with CAS, HUB, and MBX, roles. When I created the CAS Array in my development domain, my production server joined the Array. When I set the URLs for each of my services ECP, OWA, Active Sync, OAB, etc. I only did it for the CAS servers in my test environment. Leaving the production server using the email.domain.com URL.
Would having a CAS server within an Array cause problems if it was using different URLs than the other Exchange servers?
J
The CAS array is only used for RPC connectivity; it has nothing to do with the Exchange URLs or the certificate.
ASKER
Do I just create a certificate for *.domain.com or add alternative DNS names to the certificate, or both?
You can't do both; you need to decide on one route or the other. Both would work.
Simon.