SSL_EXCHANGE 2016 SAN NOT VALID

  • Question

  • Hello, Team
    I have recently applied SSL for my Exchange Server 2016 environment, which has two Exchange servers (DAG).
    SSL was applied successfully on both servers, and autodiscover is giving profiles to Outlook clients internally and externally.
    However, I noticed today that on one of the PCs, which is joined to the domain, when we attempt to open Outlook its profile is created and it gets a certificate from the server issued by the CA. It states that the certificate is valid, but also states that one of the SANs not included in the certificate can't be verified (the SAN is the same as my internal server name).

    I didn't add my internal server in the CSR/certificate. How can I resolve this issue?

    My internal DNS records are as per below.

    mail.domain.com   192.168.1.31
    autodiscover.domain.com CNAME to mail.ihcc.sa 



    Faris

    Monday, February 11, 2019 6:05 PM

All replies

  • Check if your AutoDiscover URI has the same name as the one bound to your certificate SAN.

    Get-ClientAccessServer | fl AutoDiscoverServiceInternalUri

    Regards,

    Fazal


    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    • Proposed as answer by Dawn Zhou Tuesday, February 12, 2019 7:21 AM
    Monday, February 11, 2019 8:13 PM
  • Agreed with Fazal.

    You have to configure the Exchange URLs based on your certificate entries.

    To correct autodiscover, run the below on Exchange:

    Set-ClientAccessService -Identity Server04 -AutoDiscoverServiceInternalUri https://mail.ddomain.com/Autodiscover/Autodiscover.xml
    Replace Identity with your server name.


    Thanks, Ashish (I can be wrong but can't be rude) “Tell me and I forget, teach me and I may remember, involve me and I learn.” MCITP, MCT, MCSE. Please remember to vote and mark the replies as answers if they help.

    Monday, February 11, 2019 9:29 PM
  • Hi Faris,

    Do you have any further query on this?

    Note:- Please remember to vote and mark the replies as answers if they help


    Thanks, Ashish (I can be wrong but can't be rude) “Tell me and I forget, teach me and I may remember, involve me and I learn.” MCITP, MCT, MCSE. Please remember to vote and mark the replies as answers if they help.

    Wednesday, February 13, 2019 4:06 PM
  • Hi, many thanks for your reply.

    Apologies for the delayed reply.

    I ran the cmdlet. The output is below. The FQDN is not as per my SSL SAN name. Do I need to change it? If I change it, I have one accepted domain, so how will it be? [My accepted domain is already in my SAN.]

    AutoDiscoverServiceInternalUri : https://exchange1.domain.com/Autodiscover/Autodiscover.xml

    AutoDiscoverServiceInternalUri : https://exchange2.domain.com/Autodiscover/Autodiscover.xml


    Faris

    Wednesday, February 13, 2019 8:11 PM
  • Hi,

    You need to make it match your SAN entry. As you mentioned that the accepted domain is in the SAN entry, you need to put that in the URL.

    For example, if the accepted domain is test.com and that is in your SAN entry, then the URI would be like this:

    https://Autodiscover.test.com/Autodiscover/Autodiscover.xml

    I would recommend having autodiscover.yourdomain.com in your SAN entry.


    Thanks, Ashish (I can be wrong but can't be rude) “Tell me and I forget, teach me and I may remember, involve me and I learn.” MCITP, MCT, MCSE. Please remember to vote and mark the replies as answers if they help.

    • Marked as answer by Farispv Sunday, February 17, 2019 5:43 PM
    Wednesday, February 13, 2019 9:04 PM
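
The check discussed in this thread, as an added example that is not part of any poster's reply: it compares the host in each AutoDiscoverServiceInternalUri with the certificate's SAN entries, including single-label wildcard entries. The function names and the SAN list are assumptions made for illustration; the first two URIs are the ones quoted in the thread.

```powershell
# Added example. Compares Autodiscover URI hosts with a certificate's SAN list.
function Test-HostInSan {
    param(
        [Parameter(Mandatory)][string]   $HostName,
        [Parameter(Mandatory)][string[]] $SanEntries
    )
    $name = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($entry in $SanEntries) {
        $san = $entry.TrimEnd('.').ToLowerInvariant()
        if ($san -eq $name) { return $true }
        # A wildcard covers exactly one left-most label: *.domain.com matches
        # mail.domain.com, but not domain.com or a.b.domain.com.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # e.g. ".domain.com"
            if ($name.EndsWith($suffix)) {
                $label = $name.Substring(0, $name.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-AutodiscoverSanReport {
    param([string[]] $InternalUris, [string[]] $SanEntries)
    foreach ($uri in $InternalUris) {
        $uriHost = ([System.Uri]$uri).Host
        [pscustomobject]@{
            Uri       = $uri
            Host      = $uriHost
            InCertSan = Test-HostInSan -HostName $uriHost -SanEntries $SanEntries
        }
    }
}

# Constructed sample input. On an Exchange 2016 server, take the real values from
#   Get-ClientAccessService | Select-Object Name, AutoDiscoverServiceInternalUri
#   (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains
$uris = @(
    'https://exchange1.domain.com/Autodiscover/Autodiscover.xml',  # from the thread
    'https://exchange2.domain.com/Autodiscover/Autodiscover.xml',  # from the thread
    'https://mail.domain.com/Autodiscover/Autodiscover.xml'        # corrected form
)
$san = @('mail.domain.com', 'autodiscover.domain.com')             # assumed SAN list

Get-AutodiscoverSanReport -InternalUris $uris -SanEntries $san | Format-Table -AutoSize
```

A row with InCertSan set to False is a host that Outlook is directed to but that the certificate does not cover, which is the situation behind the warning described in the question.
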
  • OK, I will try this. Also, could you please tell me: is it mandatory to have an SRV record for autodiscover in the internal DNS server as well as in public DNS? Currently I have only an A record for autodiscover, pointing to both my email servers. I ran the Remote Connectivity Analyzer and it's giving a warning on this. Please advise. Thank you.

    Faris

    Wednesday, February 13, 2019 9:18 PM
  • You can use an SRV, CNAME or A record. The records should be there.

    The thing here is that the name should be in the certificate, else it will fail.


    Thanks, Ashish (I can be wrong but can't be rude) “Tell me and I forget, teach me and I may remember, involve me and I learn.” MCITP, MCT, MCSE. Please remember to vote and mark the replies as answers if they help.

    • Marked as answer by Farispv Sunday, February 17, 2019 5:43 PM
    Wednesday, February 13, 2019 9:29 PM
  • Agree with Ashish.

    Please make sure the autodiscover.domain.com record in the public hosted DNS server points to the public IP of your organization. Also make sure autodiscover.domain.com is added as a Subject Alternative Name in the digital certificate installed on the Exchange server.

    Regards,

    Dawn Zhou



    • Marked as answer by Farispv Sunday, February 17, 2019 5:43 PM
    Friday, February 15, 2019 4:56 AM
  • Thank you, it worked for me.

    Faris

    Sunday, February 17, 2019 5:42 PM
  • Thank you

    Faris

    Sunday, February 17, 2019 5:42 PM