Exchange 2010 single name certificate - server name mismatch issue with Outlook clients

    Question

  • As above we have a certificate with a single external server name. There are several articles published on the NET that indicate that this is possible and we've just upgraded from Exchange 2007 which didn't have this issue using the same certificate. We've changed ALL services and URLs to the external name on the certificate and gone through http://support.microsoft.com/kb/940726. The certificate presented is for the external server name and the server ID in the mismatch message is listed as the internal name still.

    Using Test E-mail autoconfiguration utility with Outlook (2010) SCP still uses the internal name of our server for autodiscover services. I've even removed this service from our internal DNS server to try to stop it but it still resolves to the internal service name. SCP appears correct in AD and the servicebindinginformation string is correctly pointing to the external address.

    Any help appreciated.

    Wednesday, February 16, 2011 2:16 PM

All replies

  • You need to update the internal SCP name; check this article:

    http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Exchange-2007-2010-Web-services-and-Autodiscover-Ultimate-Troubleshooting-Guide.html


    Regards, Mahmoud Magdy Watch Arabic Level 300 Videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I post here: http://www.enowconsulting.com/ese/blog.asp, follow my blog: http://autodiscover.wordpress.com , corp blog: http://ingazat.wordpress.com, Follow me on twitter http://www.twitter.com/_busbar and if you Liked my post please mark it as helpful and accept it as an answer
    Wednesday, February 16, 2011 2:57 PM
  • Thanks for your response Busbar.

    A couple of issues, I've already stated that SCP Internal name has been set to our external name and there is no reference to SCP in the article you list. The article states that you need to use a certificate that includes your local FQDN of the server and we don't have this. We didn't need it for our Exchange 2007 Server either. We simply changed all server & URL names to the external address on 2007 server. For some reason this doesn't work with Exchange 2010 and SCP still directs our Outlook clients to the server internal autodiscover name (that is my assumption). Can anybody tell me why?

    Has anybody successfully got a single name certificate to work with Exchange 2010?

    Thursday, February 17, 2011 10:33 AM
  • If you receive the error message then you didn't set the internal SCP to match the certificate URL. This must be done using:

    Set-ClientAccessServer -Identity <CAS Server Name> -AutoDiscoverServiceInternalUri <Internal URL>

    If you believe that you did that, can you post the config you have, using:

    Get-ClientAccessServer | fl *name*,*internal*

    I have a single certificate configured for zillions of my customers.


    Regards, Mahmoud Magdy
    Thursday, February 17, 2011 10:56 AM
  • Exchange Ninjas created a script you could use to configure the settings required when using a single name certificate. Barry Martin has made some changes for it to work in Exchange 2010, you could try to run the script to make sure that all settings are configured properly. The script can be found here:
    http://virtualbarrymartin.me/2009/12/29/how-to-setup-exchange-2010-to-use-a-single-certificate-for-internal-and-external-use/

    Let's go through some of the settings and make sure that they are OK. Have you created a DNS zone on the internal DNS servers for the name you use on the certificate?

    If you run the following commands, does the correct name show up on all url properties?
    Get-AutodiscoverVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-webservicesVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-OabVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-OwaVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-EcpVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-ActiveSyncVirtualDirectory | fl Identity,InternalURL,ExternalUrl
    Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Thursday, February 17, 2011 11:02 AM
  • Many thanks to Martin & Busbar for your responses.

    I have found the issue. After going through the new server settings and using a script similar to the one that Martin lists above previously, the new server settings were correct. I found that the issue wasn't with the new 2010 server but with the old 2007 server which hasn't been uninstalled yet. The autodiscoverServiceInternalUri name on the old server was the local hostname of the new 2010 server. I have no idea why this was set in this way, perhaps this was done at install time.

    The certificate error is now resolved.

    Thursday, February 17, 2011 2:47 PM
  • Great, thanks for getting back to us with the update!
    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
    Thursday, February 17, 2011 2:55 PM
  • We have a similar situation, but we migrated from Exchange 2003 and it does not use Autodiscover, so I'm not sure how to handle this. The Exchange 2003 server has a self-signed cert and we installed a SAN cert on the Exchange 2010 CAS/Hub server. Here are the results from checking the Internal and External URLs on the Exchange 2010 system:

    [PS] C:\Windows\system32>
    [PS] C:\Windows\system32>Get-webservicesVirtualDirectory | fl Identity,InternalURL,ExternalUrl

    Identity    : OUR-NEW-SRVR\EWS (Default Web Site)
    InternalUrl : https://Our-New-Srvr.mycompany.local/EWS/Exchange.asmx
    ExternalUrl : https://ourmail.ourcompany.com/ews/exchange.asmx

    [PS] C:\Windows\system32>Get-OabVirtualDirectory | fl Identity,InternalURL,ExternalUrl

    Identity    : OUR-NEW-SRVR\OAB (Default Web Site)
    InternalUrl : https://ourmail.ourcompany.local/OAB
    ExternalUrl : https://ourmail.ourcompany.com/OAB

    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,InternalURL,ExternalUrl

    Identity    : OUR-NEW-SRVR\owa (Default Web Site)
    InternalUrl : https://our-new-srver.ourcompany.local/OWA
    ExternalUrl : https://ourmail.ourcompany.com/OWA

    [PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl Identity,InternalURL,ExternalUrl

    Identity    : OUR-NEW-SRVR\ecp (Default Web Site)
    InternalUrl : https://our-new-server.ourcompany.local/ecp
    ExternalUrl : https://ourmail.ourcompany.com/ECP

    [PS] C:\Windows\system32>Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri

    Identity                       : OUR-NEW-SRVR
    AutoDiscoverServiceInternalUri : https://ourmail.ourcompany.local/Autodiscover/Autodiscover.xml

    Our purchased cert for 2010 is for:

    DNS Name=macmail.macallister.com
    DNS Name=macmail.macallister.local
    DNS Name=autodiscover.macallister.local
    DNS Name=autodiscover.MacAllister.com

    Do I need to have a DNS entry for each of these to resolve this issue?


    Thank you,

    Nick Laurino


    Tuesday, April 26, 2011 2:26 PM
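
An added audit sketch for the Exchange Management Shell, not code from any poster in this thread: it lists the autodiscover SCP of every Client Access server still in the organization (which is where the stale entry in the accepted answer was found) together with the virtual directory URLs checked in the replies above, and flags any host name that is not on the IIS certificate. The variable names and the `Test-CertCoversHost` helper are hypothetical, and it assumes the shell is opened on the CAS whose certificate clients receive.

```powershell
# Added example. Run in the Exchange Management Shell on the Client Access
# server whose certificate clients receive (assumption).

# 1. Names on the certificate(s) enabled for IIS on this server.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

# Hypothetical helper: exact match, or a wildcard entry covering one label.
function Test-CertCoversHost([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# 2. Every URL a client can be handed. Get-ClientAccessServer returns all
#    CAS servers in the organization, including older ones not yet removed.
$urls = @()
foreach ($cas in (Get-ClientAccessServer)) {
    $urls += New-Object PSObject -Property @{
        Source = "SCP on $($cas.Identity)"; Url = $cas.AutoDiscoverServiceInternalUri }
}
$vdirCmdlets = 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
    'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
    'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    foreach ($vd in (& $cmd)) {
        foreach ($p in 'InternalUrl', 'ExternalUrl') {
            $urls += New-Object PSObject -Property @{
                Source = "$($vd.Identity) $p"; Url = $vd.$p }
        }
    }
}

# 3. Flag hosts the certificate does not cover (unset URLs are skipped).
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]"$($_.Url)").Host
    New-Object PSObject -Property @{
        Source = $_.Source; Host = $hostName
        OnCertificate = (Test-CertCoversHost $hostName $certNames) }
} | Sort-Object OnCertificate | Format-Table Source, Host, OnCertificate -AutoSize
```

Rows with `OnCertificate` set to False sort first; an SCP row in that state, on any server in the list, is the condition that produced the name mismatch prompt discussed in this thread.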