• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 80
  • Last Modified:

Exchange 2010 Cert error

Hi all,

I am looking to see if someone can link me to a workaround for issuing a new cert that includes SAN to resolve my issues on a network I inherited.

Currently - I just resolved the Free/Busy, OOF issues internally by adjusting all my internal URL's.  I have a single issue cert. that includes only webmail.domain.ca.  It has no SAN.

I know the proper resolution is to issue a multi-cert (can't recall the actual name for that right now) that includes autodiscover.domain.ca and localservername.domain.local.

Is there a workaround to Exchange 2010 that can let me prevent the Outlook pop up with security alert "servername.domain.local" and 'The name on the security certificate is invalid or does not match the name of the site'.

Thanks!
0
browningit
Asked:
browningit
2 Solutions
 
Julian123Commented:
Yes, user set-clientaccessserver -autodiscoverinternalserviceuri to https://webmail.domain.ca/autodiscover/autodiscover.xml. This article has more detail: http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/

You will also want to do this for the other URLs Exchange uses as described here: http://www.bing.com/search?q=exchange+2010+web+serivices+urls&src=IE-TopResult&FORM=IE11TR&conversationid=.

I recommend setting the internal and external urls to use the FQDN that's on your certificate. You should make sure that that FQDN is reachable by both users inside the firewall and outside.
0
 
browningitSysadminAuthor Commented:
Thanks for the reply Julian.

However, it was set to the webmail.domain.ca previously, and would not resolve/time out looking for it hence my change to the internally resolve-able FQDN.

I am looking over your article now.  I can always hit the URL externally on all /ews /autodiscover /owa etc., but internally was the issue and my 'forced hand' at changing all the URL's to reflect FQDN to make sure that my users could hit the OOF buttons and so on to make it work.
0
 
Simon Butler (Sembee)ConsultantCommented:
You need a split DNS so the external host name resolves internally.
http://semb.ee/splitdns

Then you can configure everything to use the external host name internally.

Simon.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
browningitSysadminAuthor Commented:
Looks like a reasonable solution sembee, I'll hammer that out after hours today and see what happens.  

Thanks!
0
 
Julian123Commented:
Agreed, the urls mentioned in the article I sent above must be reachable internally and proper DNS configuration will enable that..
0
 
browningitSysadminAuthor Commented:
Simon,

I just flipped all the records for internal URL's back to webmail, and configured the internal DNS server ( hosted on another virtual server internally ) as suggested.  I am essentially back at square one.  I have an SRV record, and the new zone for webmail.domain.ca pointing to my internal IP for the Exchange server.  Doesn't fly.  No OOF, no Free/Busy.
0
 
browningitSysadminAuthor Commented:
Tentatively, I appear to have resolved it through catching a typo, and making some other network changes.  More testing and an update on the matter tomorrow.

As far as my message about DNS testing not working, it could be related to a record I am unable to clear linking to the previous and dead DNS server.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for Simon Butler (Sembee)'s comment #a39669759

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now