Certifcates on Exchange 2010 CAS server


Recently installed a 2nd CAS server at another site. Exported certificate from existing CAS cas and installed it on the 2nd CAS server. followed all steps to including enabling and assigning services to the certificate. Issue is that when some users connect to outlook using VPN, they get a certificate error. The error shows the server name of the new CAS server as not having a valid certificate. I have verified all URL on the 2nd CAS match the names in the certificate (mail.company.com, autodiscover.company.com, outlook.company.com) . Am I missing something?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

StuartTechnical Architect - CloudCommented:
Is the cert error a name mismatch? If so double check all your internal URL's so they match the namespace defined in the cert - I had this a couple of weeks ago

Hardik DesaiIT Architect and TrainerCommented:
Since other exchange server it at different site, is it using a separate name space or internet facing, if yes you need to include that as well in SAN on certificates on both the exchange servers...exchange 2010 uses separate name space in different sites
Antonio02Author Commented:
Stuart, the cert does not have a server name, just mail.company.com, autodiscover.company.com, outlook.company.com. I have verified all internal and external url's reference mail.company.com in the exchange console, under server, cas server role.

Hardik, I am looking into your suggestion.

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Hardik DesaiIT Architect and TrainerCommented:
From the description you had mentioned you are missing namespace of other site on your certificate. Please include that as well on both the exchange servers and should be it. Do not include any server names on the certificate as you do not want to expose them to the external world.
Hardik DesaiIT Architect and TrainerCommented:
Antonio02Author Commented:
Thanks Hardik,

I read through the entire article and it is very informative, however I do not understand what you mean "missing namespace of other site on my certificate". The certificate does not have any particular site name and I have never heard of a site name on a certificate. Can you please elaborate.

Hardik DesaiIT Architect and TrainerCommented:
Assuming you have your primary namespace as mail.contoso.com, you also need to have mailsec.contoso.com on your certificate to ensure proper proxying or redirection.
Antonio02Author Commented:
Thanks for your patience Hardik, but I want to make sure I understand this correctly.

We have a CAS server here at the local site, call it serverA. This server has a certificate installed which has the following SAN entries:

There is no server name in the certificate. Also have a A record for autodiscover.comany.com pointing to serverA.

I export the certificate from ServerA to ServerB , import it on serverB, assign all services to the certificate and enable the Cert. when I move my mailbox to server and launch Outlook, I get a certificate warning. Do you think that if I added another A record for Autodiscover and pointed it to ServerB, the warning message would go away?

Thanks for you time and efforts.
Hardik DesaiIT Architect and TrainerCommented:
Exchange 2010 introduced additional namespace requirements, which resulted in additional complexity around namespace planning, especially for site resilient solutions:

    1. Primary datacenter Internet protocol namespace (mail.contoso.com)
    2. Secondary datacenter Internet protocol namespace (mail2.contoso.com)
    3. Primary datacenter Outlook Web App failback namespace (mailpri.contoso.com)
    4. Secondary datacenter Outlook Web App failback namespace (mailsec.contoso.com)
    5. Transport namespace (smtp.contoso.com)
    6. Primary datacenter RPC Client Access namespace (rpc.contoso.com)
    7. Secondary datacenter RPC Client Access namespace (rpc2.contoso.com)

Above name space are required on Exchange Certificate.

Name Space planning in Exchange 2010/2013

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.