Configure legacy on-premises public folders for a hybrid deployment - certificate error

Posted on 2014-08-20
Last Modified: 2014-08-30
We have Exchange 2010 SP3 UR6 and Office 365 in a Hybrid deployment.  We have 2 CAS servers and 3 Mailbox servers all Server 2008 R2.
Let's call them CAS1, CAS2, DATA1, DATA2, DATA3.
DATA2 and DATA3 contain public folder databases that are replicated with each other. CAS1 and CAS2 are also Hub Transport servers.

We want to configure the legacy on-prem public folders so that all users (on-prem and Office 365) can view, change, and create on-prem public folders.

I started going through the steps in this article...

I didn't get very far because after installing the CAS server role on DATA3 (the 1st step in the instructions) I noticed our Outlook clients started receiving Security Alert pop-ups about certificate errors from ("The security certificate was issued by a company you have not chosen to trust.... Do you want to proceed?") and all Outlook clients became disconnected.

This was occurring on all client machines.

I ran "Test E-mail AutoConfiguration" in my Outlook client and see the following "attempting URL"

...when it should have been resolving to "" instead (which is how it is now after uninstalling the CAS server role from DATA3 to fix the issue).

After the fact, now that everything is back to normal I get the following after running the commands...

[PS] C:\Windows\system32>Get-ClientAccessServer | fl identity, autodiscoverserviceinternaluri

Identity                       : CAS1
AutoDiscoverServiceInternalUri :
Identity                       : CAS2
AutoDiscoverServiceInternalUri :

Also when I run...
[PS] C:\Windows\system32>Get-ClientAccessArray | fl

... some results omitted...
Fqdn              :
Members           : {CAS1, CAS2}
Name              : cas-array1
Identity          : cas-array1
... some results omitted...

1) I did not add the DATA3 server to the network load balancer for the CAS array so why is Outlook even hitting DATA3 as a CAS server.  It should be directed to the VIP of the load balancer which then directs it to ONLY CAS1 or CAS2?  Or am I misunderstanding something here?

2) When I go to try this again, do I simply need to change the "AutoDiscoverServiceInternalUri" for DATA3 to match the others of ""?

3) Do I need to update my certificate to include the SAN of "DNS" so that the Outlook client won't freak out?  We have the following now (which include the CAS servers)...

Question by:K_IT

    Assisted Solution

    by:Vasil Michev (MVP)
    When you run the "Test E-mail AutoConfiguration", which method was it trying? You can play around with the registry settings to force Outlook to look at the right place:
    The article however mentions that the CAS server doesn't need to be part of the array...

    You can suppress the warning in Outlook:
    For 2010 based hybrid, you do need all the domains added to the SAN, you might want to consider 2013 based hybrid instead:

    Accepted Solution

    This is now fixed.  

    I did the following...

    I got the certificate warnings to stop by updating our Exchange UC certificate to include the names of the servers that were added as Client Access Server roles to the SAN names on the cert.  I also changed the following in Exchange for the CAS servers that were added…

    Set-ClientAccessServer -Identity ESERVER01 -AutoDiscoverServiceInternalUri

    Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -InternalUrl -BasicAuthentication:$true

    Set-WebServicesVirtualDirectory -Identity "ESERVER01\EWS (Default Web Site)" -ExternalUrl

    The public folders then showed for Office 365 users about 10 hours after completing the last step in the following article…

    I hope this information helps others in the future.
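A check worth running before and after adding a CAS role, written as an added example for this thread rather than code from either poster: from the Exchange Management Shell on a CAS, it lists the Autodiscover and EWS host names every Client Access Server hands to Outlook and tests each one against the SAN list of the certificate enabled for IIS. It assumes the Exchange 2010 cmdlets used above are available and treats a wildcard SAN as covering a single label only.

```powershell
# Added example (not from the original thread). Run in the Exchange Management
# Shell. A host name that is not on the IIS certificate's SAN list is the cause
# of the "certificate was issued by a company you have not chosen to trust" prompt.

function Test-SanCoverage {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # Wildcard SAN (*.example.com) covers exactly one extra label, no more
        if ($d.StartsWith('*.')) {
            if ($HostName.Split('.').Count -eq $d.Split('.').Count -and
                $HostName -ilike $d) { return $true }
        }
    }
    return $false
}

# SAN names on the certificate(s) assigned to IIS (Outlook Anywhere, EWS, Autodiscover)
$certDomains = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() }

$report = foreach ($cas in Get-ClientAccessServer) {
    # Every URL Outlook can be handed by this CAS; a freshly installed CAS role
    # defaults these to the server's own FQDN, which is usually not on the cert
    $settings = @{ 'AutoDiscoverServiceInternalUri' = $cas.AutoDiscoverServiceInternalUri }
    foreach ($ews in Get-WebServicesVirtualDirectory -Server $cas.Name) {
        $settings['EWS InternalUrl'] = $ews.InternalUrl
        $settings['EWS ExternalUrl'] = $ews.ExternalUrl
    }
    foreach ($name in $settings.Keys) {
        $uri = $settings[$name]
        if (-not $uri) { continue }        # unset URL: nothing for Outlook to connect to
        New-Object PSObject -Property @{
            Server  = $cas.Name
            Setting = $name
            Host    = $uri.Host
            OnCert  = (Test-SanCoverage -HostName $uri.Host -CertDomains $certDomains)
        }
    }
}

# OnCert = False rows need either a SAN entry for that host or, as in the fix
# above, the URL pointed at a name the certificate already covers
$report | Sort-Object OnCert, Server | Format-Table Server, Setting, Host, OnCert -AutoSize
```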

    Author Closing Comment

    Vasil gets all the points because it is the only response to my question.  Thank you Vasil.
