
Configure legacy on-premises public folders for a hybrid deployment - certificate error

We have Exchange 2010 SP3 UR6 and Office 365 in a Hybrid deployment.  We have 2 CAS servers and 3 Mailbox servers all Server 2008 R2.
Let's call them CAS1, CAS2, DATA1, DATA2, DATA3.
DATA2 and DATA3 contain public folder databases that are replicated with each other. CAS1 and CAS2 are also Hub Transport servers.

We want to configure the legacy on-prem public folders so that all users (on-prem and Office 365) can view, change, and create on-prem public folders.

I started going through the steps in this article...

I didn't get very far b/c after installing the CAS server role on DATA3 (the 1st step in the instructions) I noticed our Outlook clients started receiving Security Alert pop-ups about certificate errors from DATA3.ourdomain.com ("The security certificate was issued by a company you have not chosen to trust.... Do you want to proceed?") and all Outlook clients became disconnected.

This was occurring on all client machines.

I ran "Test E-mail AutoConfiguration" in my Outlook client and see the following "attempting URL https://DATA3.ourdomain.com/Autodiscover/Autodiscover.xml"

...when it should have been resolving to "https://mail.ourdomain.com/Autodiscover/Autodiscover.xml" instead (which is how it is now after uninstalling the CAS server role from DATA3 to fix the issue).

After the fact, now that everything is back to normal I get the following after running the commands...

[PS] C:\Windows\system32>Get-ClientAccessServer | fl identity, autodiscoverserviceinternaluri

Identity                       : CAS1
AutoDiscoverServiceInternalUri : https://mail.ourdomain.com/Autodiscover/Autodiscover.xml
Identity                       : CAS2
AutoDiscoverServiceInternalUri : https://mail.ourdomain.com/Autodiscover/Autodiscover.xml

Also when I run...
[PS] C:\Windows\system32>Get-ClientAccessArray | fl

... some results omitted...
Fqdn              : cas-array1.domainname.com
Members           : {CAS1, CAS2}
Name              : cas-array1
Identity          : cas-array1
... some results omitted...

1) I did not add the DATA3 server to the network load balancer for the CAS array, so why is Outlook even hitting DATA3 as a CAS server?  It should be directed to the VIP of the load balancer, which then directs it to ONLY CAS1 or CAS2?  Or am I misunderstanding something here?

2) When I go to try this again, do I simply need to change the "AutoDiscoverServiceInternalUri" for DATA3 to match the others, "https://mail.ourdomain.com/Autodiscover/Autodiscover.xml"?

3) Do I need to update my certificate to include the SAN of "DNS Name=DATA3.ourdomain.com" so that the Outlook client won't freak out?  We have the following now (which includes the CAS servers)...
"DNS Name=mail.ourdomain.com"
"DNS Name=autodiscover.ourdomain.com"
"DNS Name=cas-array1.ourdomain.com"
"DNS Name=cas1.ourdomain.com"
"DNS Name=cas2.ourdomain.com"

2 Solutions
Vasil Michev (MVP)Commented:
When you run the "Test E-mail AutoConfiguration", which method was it trying? You can play around with the registry settings to force Outlook to look at the right place: http://support.microsoft.com/kb/2212902
The article however mentions that the CAS server doesn't need to be part of the array...

You can suppress the warning in Outlook: http://support.microsoft.com/kb/2783881
For 2010 based hybrid, you do need all the domains added to the SAN, you might want to consider 2013 based hybrid instead: http://technet.microsoft.com/en-us/magazine/dn249970.aspx
K_ITAuthor Commented:
This is now fixed.  

I did the following...

I got the certificate warnings to stop by updating our Exchange UC certificate to include the names of the servers that were added as Client Access Server roles to the SAN names on the cert.  I also changed the following in Exchange for the CAS servers that were added…

Set-ClientAccessServer -Identity ESERVER01 -AutoDiscoverServiceInternalUri https://mail.ourdomain.com/Autodiscover/Autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -InternalUrl https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true

Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -ExternalUrl https://mail.ourdomain.com/EWS/Exchange.asmx

The public folders then showed for Office 365 users about 10 hours after completing the last step in the following article…

I hope this information helps others in the future.
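An added audit script (not from this thread or from Microsoft) that checks, for every Client Access Server, the two things the thread turned on: that Autodiscover and EWS advertise the load-balanced name rather than the server's own FQDN, and that the certificate bound to IIS carries the SAN entries Vasil says a 2010-based hybrid needs. The shared name mail.ourdomain.com is assumed from the question; run it in the Exchange Management Shell.

```powershell
# Added example, not code from the original thread. Assumes the shared
# client-facing name below; every other value is read from Exchange itself.
$ExpectedHost = 'mail.ourdomain.com'

foreach ($cas in Get-ClientAccessServer) {
    $name = $cas.Name
    $problems = @()

    # Autodiscover SCP record: a freshly added CAS role defaults this to the
    # server's own FQDN, which is what pushed Outlook at DATA3 in the question.
    $scp = $cas.AutoDiscoverServiceInternalUri
    if ($null -eq $scp -or $scp.Host -ne $ExpectedHost) {
        $problems += "AutoDiscoverServiceInternalUri is '$scp'"
    }

    # EWS virtual directory: same rule for the internal and external URL.
    foreach ($ews in Get-WebServicesVirtualDirectory -Server $name) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $ews.$prop
            if ($null -eq $url -or $url.Host -ne $ExpectedHost) {
                $problems += "EWS $prop is '$url'"
            }
        }
    }

    # Certificate enabled for IIS on this server: its SAN list must cover the
    # shared name and this server's FQDN, or Outlook raises the trust prompt.
    $cert = Get-ExchangeCertificate -Server $name |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object -First 1
    if ($null -eq $cert) {
        $problems += 'no certificate is enabled for IIS'
    } else {
        $sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
        foreach ($required in $ExpectedHost, $cas.Fqdn.ToLower()) {
            if ($sans -notcontains $required) {
                $problems += "certificate $($cert.Thumbprint) lacks SAN '$required'"
            }
        }
    }

    if ($problems.Count -eq 0) {
        Write-Output "${name}: OK"
    } else {
        $problems | ForEach-Object { Write-Output "${name}: $_" }
    }
}
```

The SAN check is an exact-name comparison, so a wildcard certificate will be reported as missing names even though Outlook would accept it.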
K_ITAuthor Commented:
Vasil gets all the points b/c it is the only response to my question.  Thank you Vasil.
