Exchange 2010 Cert issue

Recently installed a wildcard cert on my Exchange 2010 server to secure OWA/Autodiscover externally. In doing so, it seems to have broken internal. Now everyone gets cert errors when opening Outlook. I guess a UC SAN can't secure internal any longer; what do I need to do to get the cert errors to go away?
leadtheway asked:
timgreen7077 (Exchange Engineer) commented:
These need to point to mail.domain.com or whatever namespace you are using on your cert.
Also, that namespace needs to be in your internal DNS and pointing to your Exchange server.
Internal and external alike can have the same namespace.
timgreen7077 (Exchange Engineer) commented:
I would suggest replacing the wildcard cert with a UCC SAN cert. Wildcard certs don't play nicely with Exchange. It's recommended that you use a UCC SAN. I'm sure your CA would reissue the cert if you contact them.
leadtheway (Author) commented:
No, they aren't allowed to secure .local or NetBIOS names any longer.
timgreen7077 (Exchange Engineer) commented:
What does .local have to do with Exchange?
leadtheway (Author) commented:
Because .local is the internal AD domain which Outlook users connect to. UC certs can't secure .local, IP, or NetBIOS names as they could in the past. You could just put your NetBIOS name in one of the 5 slots and Exchange was happy.
Jose Gabriel Ortega C (CEO, Faru Bonon IT) commented:
So you have a self-signed certificate for your Exchange server? Or have you ever bought a certificate for your Exchange before?
leadtheway (Author) commented:
There is a self-signed one that was used for all services in the past; just now have users accessing OWA, so that wasn't needed. FBA was turned off. Needed to secure it and turn FBA on, so went and got a wildcard cert for the mail domain. Installed the intermediate CA cert and the wildcard, and assigned the IIS service to it. OWA works fine now, but internally users are getting a cert error when opening Outlook because it's looking for server.domain.local and the cert is for maildomain.com.
timgreen7077 (Exchange Engineer) commented:
Run the below cmdlets. These are the virtual directories, and they should be set to something like mail.domain.com and not servername.domain.local.

$Server = "servername"
# Exchange 2010 Client Access virtual directories: both InternalUrl and
# ExternalUrl should carry the namespace on the cert, nothing ending in .local
Get-OwaVirtualDirectory -Server $Server | ft InternalUrl, ExternalUrl
Get-EcpVirtualDirectory -Server $Server | ft InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server | ft InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server | ft InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Server | ft InternalUrl, ExternalUrl
# Exchange 2010 has no MAPI virtual directory; Get-MapiVirtualDirectory only
# exists on Exchange 2013 SP1 and later, so it is omitted here.
# Autodiscover SCP. On Exchange 2010 the cmdlet is Get-ClientAccessServer;
# Get-ClientAccessService is the Exchange 2013+ name and fails on 2010.
Get-ClientAccessServer -Identity $Server | fl AutoDiscoverServiceInternalUri
leadtheway (Author) commented:
OK, all the VDs point to internal where specified internal, and external likewise. Get-ClientAccessService doesn't work, but I did get it to work with Get-ClientAccessServer, and the Autodiscover URI was the internal address.
leadtheway (Author) commented:
So just create a new zone for external with internal addresses?
timgreen7077 (Exchange Engineer) commented:
No, just the internal. The external DNS will still be handled by your external domain registrar DNS servers.
leadtheway (Author) commented:
I took it as both URLs pointing to mail.outsidedomain.com, as opposed to having 2 separate URLs for each zone.
timgreen7077 (Exchange Engineer) commented:
Yes.
timgreen7077 (Exchange Engineer) commented:
Be sure to perform the changes after hours, like on a weekend, for testing.
leadtheway (Author) commented:
Is there a place to change the Autodiscover URI and EWS via the console?
timgreen7077 (Exchange Engineer) commented:
No, the Autodiscover SCP will need to be changed via the Exchange shell:

# Exchange 2010 cmdlet (Set-ClientAccessService is the Exchange 2013+ name)
Set-ClientAccessServer -Identity "exchangeserver" -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Autodiscover is the SCP that the Outlook clients will be connecting to in order to provision the mailbox. Make sure that the name is on the cert, whether you use
https://autodiscover.domain.com/autodiscover/autodiscover.xml

or
https://mail.domain.com/autodiscover/autodiscover.xml

Either would work since this is internal, but make sure that your internal DNS A record for that name is pointing to your Exchange server.
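The whole procedure the thread arrives at, as one added Exchange Management Shell script (this is an editor's example, not code posted in the thread): confirm the namespace is actually on the certificate bound to IIS, confirm internal DNS resolves it to the CAS, set InternalUrl and ExternalUrl on every Exchange 2010 virtual directory to that one name, set the Autodiscover SCP, and read everything back. The server name EX01, the namespace mail.domain.com and the Test-NameOnCert helper are assumptions for illustration; substitute your own CAS name and the name on your wildcard or UCC cert.

```powershell
# Added example, not from the thread: apply the thread's advice on Exchange 2010.
# ASSUMED values (change them): CAS named EX01, namespace mail.domain.com that is
# on the IIS certificate, and an internal DNS A record for that name -> EX01.
# Run in the Exchange Management Shell on the CAS, after hours.

$Server    = "EX01"              # assumed Client Access Server name
$Namespace = "mail.domain.com"   # assumed name on the wildcard/UCC cert
$Site      = "Default Web Site"
$Base      = "https://$Namespace"

# A wildcard *.domain.com covers mail.domain.com and autodiscover.domain.com but
# never server.domain.local; a UCC SAN has to list the name explicitly.
function Test-NameOnCert {
    param([string]$Name, [string[]]$Domains)
    $parent = $Name.Substring($Name.IndexOf('.') + 1)
    return ($Domains -contains $Name) -or ($Domains -contains "*.$parent")
}

# 1. The certificate with the IIS service enabled is the one OWA/EWS/Autodiscover
#    present; fail early if the namespace is not on it.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate on $Server has the IIS service enabled." }
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
if (-not (Test-NameOnCert -Name $Namespace -Domains $domains)) {
    throw "$Namespace is not covered by the IIS cert (SANs: $($domains -join ', '))."
}

# 2. Internal DNS must send the namespace to this CAS, otherwise Outlook keeps
#    hitting the old .local URLs (or the registrar's public record).
try {
    $nsAddrs = [System.Net.Dns]::GetHostAddresses($Namespace) | ForEach-Object { $_.ToString() }
} catch {
    throw "$Namespace does not resolve internally; add the A record before changing URLs."
}
$casAddrs = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.ToString() }
if (-not ($nsAddrs | Where-Object { $casAddrs -contains $_ })) {
    Write-Warning "$Namespace resolves to $($nsAddrs -join ', '), not to $Server ($($casAddrs -join ', '))."
}

# 3. One namespace for both zones: InternalUrl and ExternalUrl are set identically.
Set-OwaVirtualDirectory         -Identity "$Server\owa ($Site)" -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp ($Site)" -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-OabVirtualDirectory         -Identity "$Server\OAB ($Site)" -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync ($Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS ($Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"

# 4. The Autodiscover SCP in AD is what domain-joined Outlook reads first.
#    Exchange 2010 cmdlet; Set-ClientAccessService is the 2013+ name.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 5. Read it all back: every URL should carry $Namespace and nothing ending in .local.
Get-OwaVirtualDirectory -Server $Server         | Format-List InternalUrl, ExternalUrl
Get-EcpVirtualDirectory -Server $Server         | Format-List InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server         | Format-List InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server  | Format-List InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server        | Format-List AutoDiscoverServiceInternalUri
```

The URL and SCP changes live in Active Directory, so they take effect once replication reaches the domain controller a client uses; restart a test Outlook client and run Test E-mail AutoConfiguration (Ctrl+right-click the Outlook tray icon) to confirm every returned URL carries the namespace and the certificate prompt is gone before rolling out to everyone.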