Certificates with other SANs (SBS 2008)
Hello
I don't know if it is the correct place for this, but here it is.
We have an Exchange 2007 as part of an SBS 2008. Do we need to change the certificate created from the SBS to include other SANs such as "autodiscover.company.com", or should I leave it as is?
Thanks in advance
Kostas Backas
July 1st, 2009 7:21pm
Hi Kostas,
Please understand that when you install Exchange 2007, a self-signed certificate is created which is not trusted by clients. Therefore, when you access the mailbox through OWA, a certificate-related warning will be received indicating the certificate is not trusted. You can still access OWA if you ignore the warning. Nevertheless, if you use Outlook Anywhere to access your mailbox, Outlook cannot connect to Exchange Server if the certificate is not trusted by the client.
Regarding the SANs such as autodiscover.company.com, I would like to explain that autodiscover.company.com is used by Outlook 2007 clients which are not joined to the domain to access the Autodiscover service. If the certificate does not include autodiscover.company.com, a certificate warning will be received. Nevertheless, if all the Outlook 2007 clients are joined to the domain to access the Exchange Server, they do not use autodiscover.company.com to access the Autodiscover service.
Therefore, whether you need a SAN certificate depends on your requirements. I suggest you read the following article:
Certificate Use in Exchange Server 2007
http://technet.microsoft.com/en-us/library/bb851505.aspx
Mike
July 2nd, 2009 12:58pm
Hi Kostas, any updates regarding the issue?
Mike
July 6th, 2009 10:53am
Well, the thing is: I need to configure Outlook Anywhere to this specific SBS 2008 Server. Should I change the certificate with one containing the appropriate SANs? Or will I mess up the SBS?
Thanks
Kostas
July 6th, 2009 5:27pm
Hi Kostas,
Thanks for your response.
Regarding Outlook Anywhere Certificate requirements:
1. The URL Outlook Anywhere uses to access Exchange Server needs to be included in the certificate name.
2. For an external Outlook client, as it cannot connect to a DC to retrieve the SCP record to get the Autodiscover URL, it uses the following methods to access the Autodiscover service:
a. Access the following two URLs:
https://domain.com/Autodiscover/Autodiscover.xml
https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
If you create an A record on external DNS for the Autodiscover service, autodiscover.domain.com needs to be included in the certificate. Nevertheless, Microsoft also provides other workarounds without the need to add autodiscover.domain.com to the certificate name.
b. We can add the SRV record to external DNS. For your reference:
A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881/en-us
c. Configure Autodiscover redirection. You can refer to Scenario 4 of the Autodiscover white paper:
White Paper: Exchange 2007 Autodiscover Service
http://technet.microsoft.com/en-us/library/bb332063.aspx#Scenario4HowTo
3. You need to configure the external URL for the Availability service and the OAB service, and the external URL needs to be included in the certificate name.
You can use Set-OABVirtualDirectory and Set-WebServicesVirtualDirectory with the externalURL switch to configure the external URLs which will be provided by the Autodiscover service to external clients.
Mike
July 7th, 2009 6:21am
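A name-coverage check for the certificate requirements listed in the reply above, as an added example that is not part of the thread: it compares the host names external clients will contact against the names on the certificate. The function name is hypothetical, all host names and URLs are constructed samples, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread. Test-CertificateNameCoverage is a
# hypothetical helper; all names and URLs below are constructed samples.
function Test-CertificateNameCoverage {
    param(
        [string[]]$CertificateNames,  # subject CN plus SANs on the certificate
        [string[]]$Urls               # URLs external Outlook clients will contact
    )
    foreach ($url in $Urls) {
        $hostName = ([System.Uri]$url).Host.ToLower()
        $matched = $null
        foreach ($name in $CertificateNames) {
            $n = $name.ToLower()
            if ($n -eq $hostName) { $matched = $name; break }
            if ($n.StartsWith('*.')) {
                # A wildcard stands for exactly one left-most label.
                $dot = $hostName.IndexOf('.')
                if ($dot -gt 0 -and $hostName.Substring($dot) -eq $n.Substring(1)) {
                    $matched = $name; break
                }
            }
        }
        New-Object PSObject -Property @{
            Host = $hostName; Covered = ($matched -ne $null); MatchedName = $matched
        } | Select-Object Host, Covered, MatchedName
    }
}

# On a real server the certificate names come from the CertificateDomains
# property returned by Get-ExchangeCertificate, and the URLs from the ExternalUrl
# values of Get-OABVirtualDirectory and Get-WebServicesVirtualDirectory.
$certNames = @('remote.company.com', 'SERVER01')   # constructed
$urls = @(
    'https://remote.company.com/OAB',                                  # OAB
    'https://remote.company.com/EWS/Exchange.asmx',                    # Availability
    'https://company.com/Autodiscover/Autodiscover.xml',               # method a, URL 1
    'https://autodiscover.company.com/Autodiscover/Autodiscover.xml'   # method a, URL 2
)
Test-CertificateNameCoverage -CertificateNames $certNames -Urls $urls
```

With this sample data the autodiscover.company.com row comes back uncovered, which is the situation options b and c in the reply address without adding the name to the certificate.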