Exchange 2010 and Outlook Cert Issues

  • Question

  • Hi all,

    I have a question about certs. I am not that familiar with the cert system in Exchange. I have kind of just been fumbling along here, so please forgive any ignorance on this issue.

    Our company has a new Exchange 2010 Server set up in co-existence with an Exchange 2003 Server.

    The Exchange 2010 server is joined to our internal domain as ex2.company.net. However, OWA and such are connected on exchange.company.com.

    Our existing 2003 server is set up the same way. IE: ex1.company.net and external access for OWA WAS exchange.company.com. It has now been changed to legacy.company.com and the Exchange 2010 system forwards users accordingly.

    The issue I am having is with our wildcard cert. Our wildcard cert is for *.company.com. As such, users connecting through OWA are fine. However, local users on the network are getting cert errors when using Outlook. The error indicates that the cert is valid, however it is for company.com not ex2.company.net. I understand why it is doing this; I just don’t know how to fix it.

    Our 2003 exchange server is using the same cert and was in the same configuration working fine. Can someone help me here?


    Saturday, October 6, 2012 4:00 PM

All replies

  • Implement split-brain DNS.  Create a zone in your internal DNS for company.com, add records that duplicate your entries in external DNS, except that they point to internal IP addresses as appropriate, or external addresses when the hosts are outside your network.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Proposed as answer by steve siyavaya Saturday, October 6, 2012 6:31 PM
    Saturday, October 6, 2012 5:54 PM
  • Hi

    In addition to what Ed said, you may also need to set the Outlook provider as per this article: http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx

    Cheers, Steve

    Saturday, October 6, 2012 6:30 PM
  • Thanks Ed and Steve. I will give this a try and report back.
    Saturday, October 6, 2012 8:46 PM
  • I don't think split-DNS can solve your problem.

    The reason why Outlook gives you the warning is because the server's host name does not match the cert subject name or SAN. To resolve it, you need another cert which contains proper names, i.e. ex2.company.net and exchange.company.com. BTW, a wildcard name as the common name is not supported by Microsoft, although it normally works.

    Sunday, October 7, 2012 2:41 AM
  • Split-brain DNS will certainly fix this because it won't be necessary to have internal names in the certificate since all access will be made via the external names, which would then be the same as the internal names.  Exchange will not support multiple certificates on the same server, and I don't know of any certificate issuers who will put hostnames in a certificate with domains that are not publicly registered to you.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, October 8, 2012 11:07 PM
  • However, this may require split-brain DNS.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, October 8, 2012 11:09 PM
  • You never mentioned changing any Exchange settings, e.g. internalUrl, SCP etc. Even if you have split-DNS, Outlook will use the internal URL because it is connected using TCP, not HTTPS. It accesses AutoDiscover using names in the SCP. It accesses EWS/OAB using the internal URL. So it will still prompt the cert error. Isn't it?

    Tuesday, October 9, 2012 7:00 AM
  • It will of course be necessary for all InternalURL and ExternalURL settings and all other URLs to use the external domain.  I mentioned it in my post just above but didn't spell it out completely.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, October 9, 2012 10:23 PM
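
    The URL change discussed in the replies above, as an added example for the Exchange 2010 Management Shell; it is not code from any poster in this thread. It lists the Autodiscover SCP and each InternalUrl on the Client Access server, flags hostnames the *.company.com wildcard does not cover, and previews the change with -WhatIf. The server name ex2 and the namespace exchange.company.com come from the question; the default virtual directory paths and the helper function name are assumptions.

```powershell
# Added example. Assumed values: CAS server 'ex2', namespace 'exchange.company.com',
# wildcard certificate '*.company.com', default virtual directory paths.
$Server     = 'ex2'
$Namespace  = 'exchange.company.com'
$CertSuffix = '.company.com'

# Hypothetical helper: a wildcard matches exactly one label left of the suffix,
# so ex2.company.net and a.b.company.com are both reported as not covered.
function Test-CoveredByWildcard([string]$Url) {
    if (-not $Url) { return $true }
    $h = ([Uri]$Url).Host
    if (-not $h.EndsWith($CertSuffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    return ($h.Substring(0, $h.Length - $CertSuffix.Length) -notmatch '\.')
}

# Collect the URLs that internal Outlook clients are handed.
$urls = @{}
$urls['Autodiscover SCP'] = [string](Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$urls['EWS InternalUrl']  = [string](Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
$urls['OAB InternalUrl']  = [string](Get-OabVirtualDirectory -Server $Server).InternalUrl
$urls['ECP InternalUrl']  = [string](Get-EcpVirtualDirectory -Server $Server).InternalUrl
$urls['OWA InternalUrl']  = [string](Get-OwaVirtualDirectory -Server $Server).InternalUrl
$urls['EAS InternalUrl']  = [string](Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl

foreach ($name in $urls.Keys) {
    $ok = Test-CoveredByWildcard $urls[$name]
    '{0,-18} {1,-60} covered={2}' -f $name, $urls[$name], $ok
}

# Preview pointing every internal URL at the external namespace.
# Remove -WhatIf to apply once split-brain DNS resolves $Namespace internally.
Set-ClientAccessServer -Identity $Server -WhatIf `
    -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$Namespace/EWS/Exchange.asmx" -WhatIf
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "https://$Namespace/OAB" -WhatIf
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "https://$Namespace/ecp" -WhatIf
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "https://$Namespace/owa" -WhatIf
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" -WhatIf
```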
  • Thanks everyone for your help.

    Carol Chisholm's solution worked for me. I had a new issue pop up after that though, but I will open a new thread to deal with it.


    Wednesday, October 10, 2012 1:01 AM