Solved

The final piece! Wildcard certificate within Exchange 2010

Posted on 2013-06-27
1,890 Views
Last Modified: 2013-06-29
First off...THANK YOU FOR YOUR HELP THUS FAR - YOU ARE ALL AMAZING! :D

I'm in the final stage of my new Exchange, load balanced and clustered environment. I was doing a "testexchangeconnectivity.com" check and found my new Exchange setup was failing on "Testing SSL mutual authentication with the RPC proxy server." It was attempting to use the cert for my production Exchange environment (EMAIL.domain.com) instead of the new cert (MAIL.domain.com). The actual error was:

The certificate common name email.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com

I did some digging and found I needed to run a quick command to fix this:

set-outlookprovider EXPR -CertPrincipalName msstd:mail.domain.com

And, at that moment, everything within my new Exchange environment began to work beautifully! But, my joy was short lived...

I found that after switching the outlook provider cert to mail.domain.com (from email.domain.com), my clients in the production environment started getting a nasty error:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.domain.com. Outlook is unable to connect to the proxy server. (Error Code 0)

Scary! D:

I immediately switched the outlook provider cert back. I need to know... Can I simply get a wildcard certificate and use that for both my mail.domain.com and email.domain.com? For example, running this command:

set-outlookprovider EXPR -CertPrincipalName msstd:*.domain.com

How would I do this?

Thank you!!
Question by:jmichaelpalermo4
8 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39281859
If you are going to use a wildcard certificate instead of a UC (aka multiple domain) certificate then that is the command that you need to run.

Simon.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 2000 total points
ID: 39281876
If you are planning to use a wildcard certificate then yes you have to run
set-outlookprovider EXPR -CertPrincipalName msstd:*.domain.com


that being said you shouldn't have such issues, the second error was most probably due to the fact that you changed the certificate on your Exchange but didn't do the needed changes in your Exchange URLs
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 39281883
Is it as simple as that? Are there drawbacks to doing it this way? Is there a way to successfully use both mail.domain.com and email.domain.com without going the wildcard route?

J
0
LVL 49

Expert Comment

by:Akhater
ID: 39281892
yes you can buy a UCC (SAN) certificate and add both URIs to it, that's the common way of doing it
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 39281902
Well, there's also another side I haven't mentioned. Currently, in production, I use a single Exchange server with the CAS, HUB, and MBX roles. When I created the CAS Array in my development domain, my production server joined the Array. When I set the URLs for each of my services (ECP, OWA, ActiveSync, OAB, etc.) I only did it for the CAS servers in my test environment, leaving the production server using the email.domain.com URL.

Would having a CAS server within an Array cause problems if it was using different URLs than the other Exchange servers?

J
0
 
LVL 49

Expert Comment

by:Akhater
ID: 39281942
cas array is only used for RPC connectivity, it has nothing to do with the exchange URLs or the certificate
0
 
LVL 3

Author Comment

by:jmichaelpalermo4
ID: 39281954
Do I just create a certificate for *.domain.com or add alternative DNS names to the certificate, or both?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 39281959
You can't do both; you need to decide on one route or the other, both would work
0
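An added diagnostic, not from the thread or its participants, for the mismatch Akhater describes: the certificate (or the EXPR msstd: value) is changed, but the Outlook Anywhere hostname and the service URLs are not, so clients get the Error Code 0 dialog. It runs in the Exchange Management Shell on a CAS; Test-NameCoveredByCert is a helper written for this example, and mail.domain.com / email.domain.com are the thread's placeholders.

```powershell
# Added example, not from the thread: run in the Exchange Management Shell on a CAS.
# Compares every name clients check (EXPR msstd: value, Outlook Anywhere hostname,
# per-service External URLs) against the certificate that is bound to IIS.

function Test-NameCoveredByCert {
    # Helper written for this example: $true when $HostName is covered by one of $CertDomains.
    # A wildcard entry (*.domain.com) covers exactly one label, the way Outlook treats it.
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }        # exact name, or wildcard vs wildcard
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($HostName -match $pattern) { return $true }
        }
    }
    return $false
}

# The certificate the RPC proxy (Outlook Anywhere) presents is the one assigned to IIS
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service on this server' }
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
'Certificate {0} covers: {1}' -f $cert.Thumbprint, ($domains -join ', ')

# Names that clients will compare against that certificate
$checks = @{
    'OutlookProvider EXPR CertPrincipalName' = ((Get-OutlookProvider EXPR).CertPrincipalName -replace '^msstd:', '')
    'OutlookAnywhere ExternalHostname'       = "$((Get-OutlookAnywhere | Select-Object -First 1).ExternalHostname)"
    'OWA ExternalUrl'                        = "$((Get-OwaVirtualDirectory | Select-Object -First 1).ExternalUrl)"
    'EWS ExternalUrl'                        = "$((Get-WebServicesVirtualDirectory | Select-Object -First 1).ExternalUrl)"
    'OAB ExternalUrl'                        = "$((Get-OabVirtualDirectory | Select-Object -First 1).ExternalUrl)"
    'ActiveSync ExternalUrl'                 = "$((Get-ActiveSyncVirtualDirectory | Select-Object -First 1).ExternalUrl)"
}

foreach ($k in ($checks.Keys | Sort-Object)) {
    $v = $checks[$k]
    if ([string]::IsNullOrEmpty($v)) { Write-Warning "$k is not set"; continue }
    # URL values are reduced to their host part; msstd: and hostname values are already bare names
    $name   = if ($v -match '^https?://') { ([uri]$v).Host } else { $v }
    $status = if (Test-NameCoveredByCert -HostName $name -CertDomains $domains) { 'OK' } else { 'MISMATCH' }
    '{0,-40} {1,-28} {2}' -f $k, $name, $status
}
# MISMATCH on the EXPR line is the thread's first error (testexchangeconnectivity.com);
# MISMATCH on the other lines after changing EXPR is the second one (Error Code 0).
# Both sides must agree with the certificate, not just Set-OutlookProvider.
```

Run it on each CAS in the array: the thread's production server kept its own URLs, and the check reports per server.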
