Exchange 2010 Cert issue

Recently installed a wildcard cert on my Exchange 2010 server to secure OWA/Autodiscover externally. In doing so, it seems to have broken internal access. Now everyone gets cert errors when opening Outlook. I guess a UC SAN can't secure internal names any longer; what do I need to do to get the cert errors to go away?
leadthewayAsked:

timgreen7077Exchange EngineerCommented:
I would suggest replacing the wildcard cert with a UCC SAN cert. Wildcard certs don't play nicely with Exchange. It's recommended that you use a UCC SAN. I'm sure your CA would reissue the cert if you contact them.
1
leadthewayAuthor Commented:
No, they aren't allowed to secure .local or NetBIOS names any longer.
0
timgreen7077Exchange EngineerCommented:
What does .local have to do with Exchange?
0

leadthewayAuthor Commented:
Because .local is the internal AD domain which Outlook users connect to. UC certs can't secure .local, IP, or NetBIOS names as they could in the past. You could just put your NetBIOS name in one of the 5 slots and Exchange was happy.
0
Jose Gabriel Ortega CastroCEOCommented:
So you have a self-signed certificate for your Exchange server? Or have you ever bought a certificate for your Exchange before?
0
leadthewayAuthor Commented:
There is a self-signed one that was used for all services in the past; we just now have users accessing OWA, so that wasn't needed before. FBA was turned off. I needed to secure it and turn FBA on, so I went and got a wildcard cert for the mail domain. Installed the intermediate CA cert and the wildcard, and assigned the IIS service to it. OWA works fine now, but internally users are getting a cert error when opening Outlook because it's looking for server.domain.local and the cert is for maildomain.com.
0
timgreen7077Exchange EngineerCommented:
Run the below cmdlets. These are the virtual directories and they should be set to something like mail.domain.com and not servername.domain.local.

$Server = "servername"
Get-OWAVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ECPVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-OABVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-WebServicesVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-MapiVirtualDirectory -Server $Server | ft InternalURL, ExternalURL
Get-ClientAccessService -Identity $server | fl AutodiscoverServiceInternalURI
0
leadthewayAuthor Commented:
OK, all the VDs point to internal where specified internal, and external likewise. Get-ClientAccessService doesn't work, but I did get it to work with Get-ClientAccessServer, and the ADS URI was the internal address.
0
timgreen7077Exchange EngineerCommented:
These need to point to mail.domain.com or whatever name space you are using on your cert.
Also that name space needs to be in your internal DNS and pointing to your exchange server.
Internal and External alike can have the same name space.
0

leadthewayAuthor Commented:
So just create a new zone for external with internal addresses?
0
timgreen7077Exchange EngineerCommented:
No, just the internal. The external DNS will still be handled by your external domain registrar DNS servers.
0
leadthewayAuthor Commented:
I took it as both URLs point to mail.outsidedomain.com, as opposed to having 2 separate URLs for each zone.
0
timgreen7077Exchange EngineerCommented:
Yes.
0
timgreen7077Exchange EngineerCommented:
Be sure to perform changes after hours, like a weekend, for testing.
0
leadthewayAuthor Commented:
Is there a place to change the Autodiscover URI and EWS via the console?
0
timgreen7077Exchange EngineerCommented:
No, the Autodiscover SCP will need to be changed via the Exchange shell:

Set-ClientAccessServer -Identity "exchangeserver" -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Autodiscover is the SCP that the Outlook clients will be connecting to to provision the mailbox. Make sure that the name is on the cert, whether you use
https://autodiscover.domain.com/autodiscover/autodiscover.xml

or
https://mail.domain.com/autodiscover/autodiscover.xml


Either would work since this is internal, but make sure that your internal DNS A record for that name is pointing to your exchange server.
0
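Pulling the steps from this thread together into one script, as an added example that is not part of the original answers: it assumes the Exchange 2010 Management Shell, a placeholder server name EX01 and a placeholder certificate namespace mail.example.com, and it uses the Exchange 2010 cmdlet names (*-ClientAccessServer), which is why the earlier Get-ClientAccessService call failed. The two checks at the top catch the two things that cause the Outlook cert prompt: a cert that does not cover the namespace, and an internal DNS record that does not point at the Exchange server.

```powershell
# Added example, not from the thread. Placeholders: server EX01, namespace mail.example.com.
# Run from the Exchange 2010 Management Shell with Exchange Organization Administrator rights.
$Server    = "EX01"
$Namespace = "mail.example.com"
$Base      = "https://$Namespace"

# 1. The certificate bound to IIS must cover the namespace, either as a SAN or via a wildcard.
$cert     = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$domains  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$wildcard = "*." + ($Namespace -replace '^[^.]+\.', '')   # mail.example.com -> *.example.com
if (-not ($domains -contains $Namespace -or $domains -contains $wildcard)) {
    throw "IIS certificate on $Server does not cover $Namespace (domains: $($domains -join ', '))"
}

# 2. Internal DNS must resolve the namespace to this server (split-brain A record in the internal zone).
$serverIPs = [System.Net.Dns]::GetHostAddresses($Server)    | ForEach-Object { $_.IPAddressToString }
$nsIPs     = [System.Net.Dns]::GetHostAddresses($Namespace) | ForEach-Object { $_.IPAddressToString }
if (-not ($nsIPs | Where-Object { $serverIPs -contains $_ })) {
    throw "$Namespace resolves to $($nsIPs -join ', '), not to $Server ($($serverIPs -join ', ')); fix internal DNS first"
}

# 3. Point the client-facing virtual directories at the namespace, internal and external alike.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# 4. Autodiscover SCP, which is what Outlook reads first; Exchange 2010 uses *-ClientAccessServer.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"

# 5. Verify nothing still references the .local name; the IIS app pools pick the URLs up on recycle.
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-OwaVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
```

Run it after hours as suggested above, then restart Outlook on a test workstation; the prompt disappears only once both the SCP and every URL Outlook is handed match a name on the certificate.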