Exchange 2010 hub transport certificate
-
Friday, February 08, 2013 10:41 AM
I have a SAN certificate for my Exchange 2010 environment that contains the following names: mail.domainname, legacy.domainname, email.domainname, outlook-1.domainname, mail2.domainname, autodiscovery.domainname. OWA uses email. and mail is routed via mail. and Outlook clients connect via outlook-1.domainname. I am receiving an error that the internal URLs of each of my three hub transport/CAS server names are not contained in the certificate. The error presents itself each time my test users connect to Outlook and references whichever transport server they are connecting through at the time. Surely I do not need to add the three HT/CAS servers as SAN names on the certificate at a huge extra cost. Get-certificate |Fl shows my purchased SAN certificate that does not contain my hub transport/CAS server names and an internally generated certificate that contains those names; both show as active certificates for SMTP. I have tried enable-exchangecertificate -thumbprint 765AB45269E65FCA28C8B03EA9CE80DD5E802DEE -services smtp with a reboot, but the error persists. I used the thumbprint of the certificate that contains the two internal URLs. This is hopefully the last thing to resolve before going live with a pilot group, and this project is behind schedule. Any help is appreciated.
All Replies
-
Friday, February 08, 2013 6:41 PM
I have a SAN certificate for my Exchange 2010 environment that contains the following names
mail.domainname, legacy.domainname, email.domainname, outlook-1.domainname, mail2.domainname, autodiscovery.domainname.
OWA uses email. and mail is routed via mail. and Outlook clients connect via outlook-1.domainname. I am receiving an error that the internal URLs of each of my three hub transport/CAS server names are not contained in the certificate. The error presents itself each time my test users connect to Outlook and references whichever transport server they are connecting through at the time. Surely I do not need to add the three HT/CAS servers as SAN names on the certificate at a huge extra cost. Get-certificate |Fl shows my purchased SAN certificate that does not contain my hub transport/CAS server names and an internally generated certificate that contains those names; both show as active certificates for SMTP.
No, you don't need to add the names of all the servers to the certificate.
It's the other way around: you adjust the URLs of the various IIS virtual directories so they match the name(s) on your certificate.
For example, if you have email.yourdomainName.com as the name on the certificate, then for OWA (one example among others), you would configure the URL like this:
https://email.yourdomainName.com/owa
You can do this in the EMC for most but not all of these URLs. For Unified Messaging and EWS, you have to use the EMS.
Here's how you can see the existing URLs, entering these commands in the EMS:
Get-AutodiscoverVirtualDirectory
Get-WebServicesVirtualDirectory
Get-OABVirtualDirectory
Get-OwaVirtualDirectory -Identity "owa (default web site)"
Do the domain names shown here match any of those on your certificate?
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
- Edited by Le Pivert Friday, February 08, 2013 6:41 PM
-
Monday, February 11, 2013 12:20 PM
I have run Get-AutodiscoverVirtualDirectory and Get-WebServicesVirtualDirectory and they only display the server name of the HT/CAS servers (not contained in the certificate).
Get-OABVirtualDirectory gives the external URL (contained in the certificate).
I tried to remedy this by running the following (note that autodiscover.domain.org is not included in the certificate name).
From the Hub Transport/CAS server I run:
Set-ClientAccessServer -Identity htcasexch2.domain.local -AutodiscoverServiceInternalUri https://autodiscover.domain.org/autodiscover/autodiscover.xml
and
Set-WebServicesVirtualDirectory -identity "htcasexch1.domain.local\EWS (Default Web Site)" -externalurl https://autodiscover.domain.org/EWS/Exchange.asmx -BasicAuthentications:$True
I then restart IIS. I run this on each htcas server, then re-run the Get commands above and find that nothing has changed.
Any advice? Am I closer? Any additional help is appreciated. Thank you.
-
Monday, February 11, 2013 12:21 PM
I am sorry - autodiscover.domain.org IS included in the certificate.
-
Monday, February 11, 2013 2:21 PM
Moderator
Hi,
Could you please capture a screenshot of the error you receive? It would help us better understand the issue you are encountering.
Besides, please run the cmdlet below and post the result:
Test-OutlookWebServices |FL
Get-ExchangeCertificate |FL
Besides, let me know how your test user connects to the Exchange server when the issue occurs: internally via LAN, externally via Outlook Anywhere, or both?
Thanks.
Fiona Liao
TechNet Community Support
- Edited by Fiona_Liao, Microsoft Contingent Staff, Moderator Monday, February 11, 2013 2:22 PM
-
Tuesday, February 12, 2013 8:11 AM
Thank you for all of your assistance. Below are the answers to the questions you had about our environment.
All of our test users are experiencing the error whenever they open Outlook (all versions) on the LAN. ActiveSync and OWA are working fine without any certificate errors. OWA works without a problem on the LAN or remotely.
We do not have Outlook Anywhere enabled, nor do we want to have that enabled.
--------------------------------------------------------------------------
[PS] C:\Windows\system32>Test-OutlookWebServices |FL
WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the mailbox. Mailbox =
'extest_085bb1d88b2d4@**.local'.
Failed to find the mailbox. Mailbox = 'extest_085bb1d88b2d4@**.local'.
+ CategoryInfo : NotSpecified: (:) [Test-OutlookWebServices], MailboxNotFoundException
+ FullyQualifiedErrorId : Microsoft.Exchange.Monitoring.MailboxNotFoundException,Microsoft.Exchange.Management.SystemConfigurationTasks.TestOutlookWebServicesTask
[PS] C:\Windows\system32>Get-ExchangeCertificate |FL
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.************.org, mail2.************.org, email.************.org, failover.************.org,
autodiscover.************.org, legacy.************.org}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=thawte SSL CA, O="thawte, Inc.", C=US
NotAfter : 1/9/2015 6:59:59 PM
NotBefore : 1/8/2013 7:00:00 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 12254FD2BA37751111E16DA209AAA72B
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=mail.************.org, OU=IT Dept, O=******* *****, L=*************, S=********, C=US
Thumbprint : 2AC6C2E48F045D2F11155948A37A0159DBE46AB
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {HTCASEXCH1, HTCASEXCH1.**.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=HTCASEXCH1
NotAfter : 6/7/2017 11:45:00 AM
NotBefore : 6/7/2012 11:45:00 AM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 586101A282088A111110280B802540D0
Services : SMTP
Status : Valid
Subject : CN=HTCASEXCH1
Thumbprint : 765AB45269E65FCA281111EA9CE80DD5E802DEE
_________________________________________________________________________________________________________
-
Tuesday, February 12, 2013 1:55 PM
Moderator
Thanks.
If the issue occurs while Outlook is running, it is generally caused by web services. Since this test failed, could you please run Test E-mail AutoConfiguration in Outlook when the issue occurs? I'd like to verify which web-service URL is associated with HTCASEXCH2.**.local, which is not included in any of your certs.
Besides, please help verify the application event log in Exchange servers to see if there is any error about cert.
Thanks for your patience.
Fiona Liao
TechNet Community Support
-
Tuesday, February 12, 2013 2:54 PM
I can't find any cert-related errors in the application log. Results of the Outlook test are attached; they show outlook-1.*.org, which is in the certificate. Note that public folders have not been migrated from Exchange 2007 yet.
-
Tuesday, February 12, 2013 2:58 PM
Moderator
-
Wednesday, February 13, 2013 1:48 AM
You might be getting closer...
Set-WebServicesVirtualDirectory -identity "htcasexch1.domain.local\EWS (Default Web Site)" -externalurlhttps://autodiscover.domain.org/EWS/Exchange.asmx -BasicAuthentications:$True
That's good but... what about the internal URL?
Your first image posted is barely legible (I cannot read it), but it LOOKS like there is still a URL with .LOCAL as opposed to .ORG, and none of your alternate names include .LOCAL.
Please run your Get- commands again with this after them:
| fl *url*
For example:
Get-AutodiscoverVirtualDirectory | fl *url*
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
-
Wednesday, February 13, 2013 1:51 AM
Having said that... is there really no space after externalurl in the command I quote above?
It may have been the way it got pasted.
I think PowerShell would have errored out on that if it had been entered that way.
Looks right in your post above.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
-
Wednesday, February 13, 2013 3:59 AM
Thank you Fiona - this helped me find an error in my DNS which I fixed. Having said that, I still have the certificate error that started this thread.
What are you looking for in the results? The only error that I received was
Autodiscover to https://mail2.domain.org/autodiscover.xml Failed (0x800C8204)
which was subsequently followed by . . .
Autodiscover URL redirection to https://autodiscover.domain.org/autodiscover/autodiscover.xml
Autodiscover to https://autodiscover.domain.org/autodiscover/autodiscover.xml Succeeded (0x00000000)
-
Wednesday, February 13, 2013 4:09 AM
Thanks - The .local that you saw in the image above was related to the public folders, which are still on the Exchange 2007 server. What are you looking for from the Get commands? The only error that I receive is:
An IIS directory entry couldn't be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (CAEXCH\Autodiscover (Default Web Site):ADObjectId) [Get-AutodiscoverVirtualDirectory], IISGeneralCOMException
+ FullyQualifiedErrorId : E260EF1B,Microsoft.Exchange.Management.SystemConfigurationTasks.GetAutodiscoverVirtualDirectory
CAEXCH is our CA server in our Exchange 2007.
- Edited by TUBS99 Wednesday, February 13, 2013 4:17 AM
-
Friday, February 15, 2013 3:47 PM
I'm looking for URLs that are not included in the certificate.
I see that external URLs were configured but was not sure about internal URLs.
It looks like there is a problem with the Autodiscover virtual directory.
That may not be an issue though: I have no URLs configured on my production Exchange server and my users are not having any problems. They probably just use the SCP record in Active Directory.
In your last screenshot, Exchange Web Services (EWS - works with availability and OOF) are still using the server name in the URL.
Try changing that to email. or mail. - so it's something that you have on your certificate.
I should have noticed this the first time, but your EWS would usually point to something like mail.yourdomain.com and not to the Autodiscover virtual directory:
Set-WebServicesVirtualDirectory -identity "htcasexch1.domain.local\EWS (Default Web Site)" -externalurlhttps://autodiscover.domain.org/EWS/Exchange.asmx -BasicAuthentications:$True
Try this:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -internalurl https://mail.yourdomain.org/EWS/Exchange.asmx -externalurl https://mail.yourdomain.org/EWS/Exchange.asmx
Of course, if you are not .org, put .com or .edu or .uk or whatever.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
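The check Le Pivert describes above (find every virtual-directory URL whose host name is not on the certificate) can be scripted in the Exchange Management Shell. This is an added example, not code from the thread; it assumes the standard Exchange 2010 cmdlets and their InternalUrl/ExternalUrl/CertificateDomains/AutoDiscoverServiceInternalUri properties, and $server is a placeholder for the CAS to audit.

```powershell
# Added example, not from the thread: audit Exchange 2010 CAS URLs against the names on the
# certificate enabled for IIS. Run in the Exchange Management Shell (PowerShell 2.0 compatible).
# $server is a placeholder; scoping to one CAS keeps an unreachable legacy server from aborting the run.
$server = $env:COMPUTERNAME

# Names (Subject CN plus SANs) on every certificate currently enabled for the IIS service.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# True when the URL's host name is covered by one of the certificate names. A wildcard
# name such as *.contoso.org covers exactly one extra label (mail.contoso.org, not a.b.contoso.org).
function Test-UrlHostOnCert {
    param([string]$Url, [string[]]$Names)
    if ([string]::IsNullOrEmpty($Url)) { return $true }          # unset URL: nothing to match
    $hostName = ([System.Uri]$Url).Host.ToLower()
    foreach ($n in $Names) {
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                                # ".contoso.org"
            $sameDepth = $hostName.Split('.').Count -eq $n.Split('.').Count
            if ($hostName.EndsWith($suffix) -and $sameDepth) { return $true }
        }
        elseif ($hostName -eq $n) { return $true }
    }
    return $false
}

# Internal and external URLs of the virtual directories Outlook touches, plus the Autodiscover
# SCP URI that domain-joined Outlook reads from Active Directory (the LAN case in this thread).
$entries = @()
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-AutodiscoverVirtualDirectory -Server $server)
foreach ($vd in $vdirs) {
    foreach ($kind in 'InternalUrl', 'ExternalUrl') {
        $entries += New-Object PSObject -Property @{ Source = $vd.Identity.ToString(); Kind = $kind; Url = $vd.$kind }
    }
}
$cas = Get-ClientAccessServer -Identity $server
$entries += New-Object PSObject -Property @{ Source = $cas.Name; Kind = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri }

# Report every URL whose host is not on the certificate: these are the names Outlook will
# warn about, and the fix is to point them at a certificate name, not to buy more SANs.
$bad = $entries | Where-Object { -not (Test-UrlHostOnCert -Url $_.Url -Names $certNames) }
if ($bad) { $bad | Format-Table Source, Kind, Url -AutoSize }
else      { Write-Host "Every configured URL matches a name on the IIS certificate." }
```

Each row reported is a candidate for the corresponding Set-*VirtualDirectory or Set-ClientAccessServer command shown earlier in the thread.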
-
Sunday, February 17, 2013 4:12 AMModerator
Hi TUBS99,
Thanks for your update. From the Test E-mail AutoConfiguration result, I could not see any URL starting with htcasexch2, which is displayed in the certificate error. So here are my questions:
1. Were you running Test E-mail AutoConfiguration with the user account of a problematic test user, or a normal user?
2. Can you ping htcasexch2.*.local and check which server it is pointing to?
3. Can you ping all URLs returned by Test E-mail AutoConfiguration and check if there is any proxy/redirect?
Thanks.
Fiona Liao
TechNet Community Support
-
Monday, February 18, 2013 5:47 AM
Thank you all for your assistance - I found the solution. For any others looking for the solution, see http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/ - After following the article, I still had issues. Unfortunately restarting IIS on the hub transport was not enough and I needed to reboot the mailbox servers as well. I know that does not make sense, but that worked for me.
- Marked As Answer by TUBS99 Monday, February 18, 2013 5:48 AM