Certificates with FQDN name issue - public / internal name differences.
Hi,

I have an issue with a 2010 server. I'll use a couple of sample domain names to outline my issue:

Let's say our public domain name is abc.com, so our mail is accessed via mail.abc.com. Our internal domain name is xyz.com (not .local), so server names are server1.xyz.com, server2.xyz.com, etc.

So I created a SAN cert via GoDaddy which included mail.abc.com, autodiscover.abc.com, legacy.abc.com. Installed the cert, no problems. Tested connectivity using the remote tool, no problem. Can access OWA without the security warning.

Unfortunately there are some issues that were discovered later. Numerous sync errors, and issues with out of office on Windows 7 clients. We did some troubleshooting and I was told to add the FQDN name to the cert. Let's say the server name is mail1.xyz.com. I tried adding this to the GoDaddy cert, but unfortunately it is impossible since xyz.com is a public domain name that has nothing to do with our company (we are using it internally only). So I'm stuck with this issue. GoDaddy said I can use internal names such as xyz.local, but our internal domain is .com so I don't know how to add the FQDN to the cert.

Any suggestions? Thanks.

Mike V
September 26th, 2011 10:55pm

On Mon, 26 Sep 2011 19:55:42 +0000, varrus999 wrote:

> Hi
>
> I have an issue with a 2010 server. I'll use a couple of sample domain names to outline my issue:
>
> Let's say our public domain name is abc.com, so our mail is accessed via mail.abc.com
>
> Our internal domain name is xyz.com (not .local), so server names are server1.xyz.com, server2.xyz.com, etc.

Okay. Do you own the domain xyz.com, too?

> So I created a SAN cert via GoDaddy which included mail.abc.com, autodiscover.abc.com, legacy.abc.com. Installed the cert, no problems. Tested connectivity using the remote tool, no problem. Can access OWA without the security warning.
>
> Unfortunately there are some issues that were discovered later. Numerous sync errors, and issues with out of office on Windows 7 clients. We did some troubleshooting and I was told to add the FQDN name to the cert. Let's say the server name is mail1.xyz.com. I tried adding this to the GoDaddy cert, but unfortunately it is impossible since xyz.com is a public domain name that has nothing to do with our company (we are using it internally only).

Soooo . . . whatever possessed you to use someone else's domain name???

> So I'm stuck with this issue. GoDaddy said I can use internal names such as xyz.local, but our internal domain is .com so I don't know how to add the FQDN to the cert.
>
> Any suggestions?

You may have to create your own CA and issue the certs yourself. Your employees will just have to add your CA's root certificate to their machine's certificate store as a trusted root (or you can do that with a GPO, I think, for the managed machines). It's a PITA to deal with when it comes to mobile devices, though.

--- Rich Matheisen MCSE+I, Exchange MVP
September 27th, 2011 1:02am

Hi Rich,

An Exchange server can only install one certificate; besides, a self-certificate is not supported by Outlook Anywhere, it might not be suitable for Mike.

@Mike,

You may troubleshoot this issue via one of the following methods:

1. Purchase another certificate that contains all names. Please refer to "Planning your organization's namespace" at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx.
2. Change the internal DNS record and the web-based service URLs to match the existing certificate. For details, see http://support.microsoft.com/kb/940726.

Hope it is helpful.

Fiona
September 28th, 2011 6:24am

You will have to run a split DNS system so that the external name that you do own works internally. Then change all of the internal URLs to use the external address. As long as you aren't using UM then it shouldn't be a problem. The important one to change, which a lot of people miss, is the AutodiscoverServiceInternalUri, which is set on Set-ClientAccessServer.

Simon.

Simon Butler, Exchange MVP
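Simon's split-DNS approach, worked through as an added Exchange Management Shell example (not Simon's, Mike's or Microsoft's code). It assumes the public name mail.abc.com from the question, a single Client Access Server named mail1, and a constructed internal address 10.0.0.5; the final step checks every internal URL host against the SAN list of the certificate bound to IIS, which is the mismatch behind the sync and out-of-office errors.

```powershell
# Added example: point every client-facing internal URL at the name the
# GoDaddy certificate actually covers (mail.abc.com), then verify.
# Assumptions (not from the thread): CAS server name "mail1",
# internal IP 10.0.0.5 (constructed), run in the Exchange Management Shell.
$ExternalName = 'mail.abc.com'
$Cas          = 'mail1'
$InternalIp   = '10.0.0.5'   # constructed placeholder

# 1. Split DNS as a "pinpoint" zone: only mail.abc.com resolves internally,
#    so www/MX records for abc.com keep resolving to the public answers and
#    you do not have to mirror the whole public zone. dnscmd is the
#    Windows 2008 R2-era DNS tool; run this on an internal DNS server.
dnscmd /ZoneAdd $ExternalName /DsPrimary
dnscmd /RecordAdd $ExternalName '@' A $InternalIp

# 2. Internal URLs: each virtual directory plus the Autodiscover SCP entry,
#    the one Simon flags as commonly missed.
Set-ClientAccessServer -Identity $Cas `
    -AutodiscoverServiceInternalUri "https://$ExternalName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$ExternalName/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$ExternalName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$ExternalName/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "https://$ExternalName/owa"
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "https://$ExternalName/ecp"

# 3. Check: every host name now referenced by an internal URL must appear in
#    the SAN list of the certificate assigned to IIS. Any host left over is
#    one clients will still see a name-mismatch warning for.
$urls = @(
    (Get-ClientAccessServer -Identity $Cas).AutodiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
    (Get-OabVirtualDirectory -Server $Cas).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Cas).InternalUrl
    (Get-OwaVirtualDirectory -Server $Cas).InternalUrl
    (Get-EcpVirtualDirectory -Server $Cas).InternalUrl
) | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
$san = Get-ExchangeCertificate -Server $Cas |
       Where-Object { $_.Services -match 'IIS' } |
       ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
$missing = $urls | Where-Object { $san -notcontains $_ }
if ($missing) { Write-Warning "Not on the IIS certificate: $($missing -join ', ')" }
else          { Write-Host "All internal URL hosts are covered by the certificate SAN list." }
```

Step 1 runs once per internal DNS server; steps 2 and 3 run once per Client Access Server, and UM (which Simon excludes) is not touched by any of them.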
September 28th, 2011 1:32pm

On Wed, 28 Sep 2011 03:24:09 +0000, Fiona_Liao wrote:

> Hi Rich,
>
> An Exchange server can only install one certificate; besides, a self-certificate is not supported by Outlook Anywhere, it might not be suitable for Mike.

I wasn't suggesting a "self-signed" certificate, but one from an internal CA. Provided the root and any intermediate CAs are trusted by the servers and clients they should work.

> @Mike,
>
> You may troubleshoot this issue via one of the following methods:
>
> 1. Purchase another certificate that contains all names. Please refer to "Planning your organization's namespace" at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx.
> 2. Change the internal DNS record and the web-based service URLs to match the existing certificate. For details, see http://support.microsoft.com/kb/940726.
>
> Hope it is helpful.
> Fiona

--- Rich Matheisen MCSE+I, Exchange MVP
September 28th, 2011 7:10pm
