Exchange + Outlook + RPC + UC Certificate problem

  • Question

  • Will external Outlook clients connecting to exchange via HTTP (RPC) authenticate OK if the server name they are trying to reach matches a SAN on the 3rd party UC SSL certificate the server presents (as opposed to the common name)?

    This is what I'm trying to do:

    I have a large number of outlook clients which connect to server.domain.local via HTTP (RPC) using proxy www.oldaddress.org.uk.

    server.domain.local currently has a 3rd party basic SSL certificate for www.oldaddress.org.uk. OWA also runs off www.oldaddress.org.uk, and some Outlook clients also connect via SMTP & POP.

    Word from on high has come down that "oldaddress" is to be purged and replaced with "newaddress" anywhere it appears, and the .uk is to be removed.

    I had thought I could save myself some pain by buying a 3rd party UC SSL certificate for "mail.newaddress.org", with a SAN for (among other things) "www.oldaddress.org.uk".

    I've tested this and with the new certificate everything is OK for "mail.newaddress.org", but clients trying to authenticate using "www.oldaddress.org.uk" just get their password rejected by Outlook (2003 - alas!). In Exchange, if I switch back to the old certificate, this resolves the problem.

    Is there a way to configure exchange so the existing clients will authenticate OK on the new certificate?

    Tuesday, August 14, 2012 12:58 PM
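A name-matching check for the situation described above, added here as an example and not taken from the thread or from any Microsoft code. The certificate is a constructed sample shaped like the dict Python's `ssl` module returns from `getpeercert()`, so the same function can be pointed at a real peer certificate; the `cn_only` switch is an assumption that models a client which compares only the subject CN, which is one explanation for the behaviour reported, not something the page establishes.

```python
"""Which hostnames does a UC (SAN) certificate actually cover?

Standard validators (RFC 6125 style) match the requested hostname
against the SAN dNSName entries and ignore the CN whenever any
dNSName is present. A legacy client that only looks at the CN will
reject every name that exists solely as a SAN entry.
"""

# Constructed sample: CN is the new name, the old name is present only as a SAN.
UC_CERT = {
    "subject": ((("commonName", "mail.newaddress.org"),),),
    "subjectAltName": (
        ("DNS", "mail.newaddress.org"),
        ("DNS", "autodiscover.newaddress.org"),
        ("DNS", "www.oldaddress.org.uk"),
    ),
}


def _label_match(pattern, hostname):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    h_parts = h.split(".")
    # '*.example.org' matches 'a.example.org' but not 'example.org' or 'a.b.example.org'
    return len(h_parts) > 1 and ".".join(h_parts[1:]) == p[2:] and "*" not in h


def cert_names(cert):
    """Return (SAN dNSName entries, commonName values) from a getpeercert()-style dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return sans, cns


def hostname_matches(cert, hostname, cn_only=False):
    """True if the certificate covers hostname.

    cn_only=True models a legacy client that checks the subject CN only
    (an assumption used for illustration, not a documented client behaviour).
    """
    sans, cns = cert_names(cert)
    if cn_only or not sans:
        return any(_label_match(cn, hostname) for cn in cns)
    return any(_label_match(san, hostname) for san in sans)
```

Running `hostname_matches(UC_CERT, "www.oldaddress.org.uk")` with and without `cn_only=True` shows the same certificate passing under SAN-aware matching and failing under CN-only matching, which is the gap to test for before retiring the old name.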

Answers

  • Update: I was actually able to get this to work (for most users):

    I.e. my cert common name is newname.com, and my Outlook 2003 clients are connecting to oldname.com (which is different to the common name, but is listed as a SAN) and many will authenticate OK without any configuration changes.

    Sadly I'm not sure what did it but I think it was the result of some troubleshooting I was doing for an Autodiscover 2010 issue.

    What I did:

    • I tidied up the SSL toggles in IIS for my default website (all relevant virtual folders were set to require SSL)
    • I tidied up my DNS. I had previously made CNAMEs and SRV records in a bid to get autodiscover to work without the UC cert. With the UC cert in place I deleted these and now just have the relevant A records.
    • I also restarted Exchange & IIS.

    Now I can change my server name & cert without reconfiguring hundreds of Outlook 2003 clients - rejoice!

    If only I could figure out what was holding back the clients that won't authenticate. They are all the same version and configured the same way. Puzzling...
    • Marked as answer by cgskc Friday, August 31, 2012 8:54 AM
    • Edited by cgskc Friday, August 31, 2012 11:09 AM
    Friday, August 31, 2012 8:54 AM

All replies

  • Yes, common name matters, it needs to be first. Talk to your CA to request a re-issue.

    http://social.technet.microsoft.com/Forums/en-US/exrca/thread/2cfba583-722e-4a7a-9fa5-3107b942642c


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    • Marked as answer by cgskc Tuesday, August 14, 2012 2:46 PM
    • Unmarked as answer by cgskc Friday, August 31, 2012 8:54 AM
    Tuesday, August 14, 2012 2:13 PM
  • You may refer to Microsoft articles below:

    Planning for Your Organization's Namespace (the same applies in Ex2010: all possible names should be included in the SAN cert)

    http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

    Certificate Use in Exchange 2007 Server

    http://technet.microsoft.com/en-us/library/bb851505.aspx

    Third-party SSL Certificates

    http://technet.microsoft.com/en-us/library/hh852419.aspx


    Fiona Liao

    TechNet Community Support

    Friday, August 24, 2012 8:38 AM
    Moderator