Mark Hoepelman
asked on
New SSL certificate requirements and configuring Microsoft Exchange appropriately
As many of you already know, there are new SSL certificate restrictions in place that will soon be enforced, which will no longer support including the use of internal SAN names (such as .local) in the certificate.
I have renewed my SSL cert, excluding any unsupported SAN values, and re-configured Exchange 2010 to point everything from HOSTNAME.local to FQDN.com.
I have also created the appropriate internal DNS zone to point my FQDN.com to my internal IP.
Externally, everything works great. I have tested ActiveSync, Outlook Web Access and Outlook connectivity with no issues whatsoever. MXToolbox comes back with no issues reported. All my devices (phones, tablets, etc.) appear to be working externally as well.
Internally, everything seems to be working with one issue: on my workstations running Outlook 2010 or lower, they are getting prompted to accept the certificate 1-2 times upon startup, and often at seemingly random times when Outlook is already open, and you have to click on "Accept" to continue. It does not seem to be affecting clients running Outlook 2013.
I have tried deleting the existing Exchange profile on a workstation and recreating it using FQDN.com as the mail server, but as soon as I click on "Check Name" it of course reverts back to HOSTNAME.local. I can't force it to use FQDN.com.
Does anyone know how to proceed with correcting this particular issue?
ASKER
This was exactly the issue. Apparently some of these values are only configurable via the Exchange Management Shell and not via the Exchange GUI. After running through this config the issue was resolved. Thank you very much!
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
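For readers landing on this thread later, the following Exchange Management Shell script is an added example of the kind of configuration the asker refers to; it is not the asker's script and not taken from the linked article. It assumes a single Exchange 2010 Client Access Server named CAS01 (placeholder), a public name mail.fqdn.example that the internal split-DNS zone resolves to the server's internal address, and a renewed certificate whose SAN already contains mail.fqdn.example and autodiscover.fqdn.example. The certificate check at the top and the .local scan at the bottom are the two verification steps a defender wants before and after the change.

```powershell
# Added example, not from the original thread. Placeholders: CAS01, mail.fqdn.example.
# Run from the Exchange Management Shell on the Exchange 2010 CAS.
$Server     = "CAS01"
$PublicName = "mail.fqdn.example"

# 1. Confirm the certificate bound to IIS actually covers the name about to be published;
#    publishing a name the SAN lacks simply moves the prompt rather than removing it.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object Thumbprint, CertificateDomains, NotAfter

# 2. Autodiscover SCP: the URL a domain-joined Outlook 2010 client queries first.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"

# 3. Virtual directories: make the internal URLs match the external ones so that
#    the same certificate name is presented whichever side the client connects from.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa" -ExternalUrl "https://$PublicName/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$PublicName/ecp" -ExternalUrl "https://$PublicName/ecp"

# 4. Verify: any URL still carrying the .local name is a remaining source of the prompt.
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
    (Get-OwaVirtualDirectory -Server $Server).InternalUrl
    (Get-EcpVirtualDirectory -Server $Server).InternalUrl
)
$urls | Where-Object { "$_" -match "\.local" }   # expect no output

# 5. Restart IIS so Autodiscover hands the new URLs to clients on their next refresh.
iisreset
```

The server name that "Check Name" writes back into the Outlook profile is the internal MAPI/RPC endpoint, which is looked up through Active Directory rather than validated against the HTTPS certificate, so it is expected to stay as HOSTNAME.local; the certificate prompts come from the HTTPS URLs Autodiscover returns, which is why correcting those URLs, and only those, makes the prompts stop. On a multi-server deployment, run the Set-* cmdlets once per Client Access Server.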