ExBPA report SAN mismatch
I have just completed installing new certificates for Exchange 2010 and when I run the ExBPA, it reports a SAN mismatch. "The subject alternative name (SAN) of SSL certificate for https://mail.company.com/ews/exchange.asmx does not appear to match the host address. Host address: mail.company.com. Current SAN: DNS Name=webmail.company.com DNS Name=autodiscover.company.com"
That was on the old cert. I changed all of the web services internal/external urls to mail.company.com
I got rid of the old cert, why is it still reporting that?
June 7th, 2011 4:00pm
When running Get-OutlookProvider | fl the CertPrincipalName is blank for EXCH,EXPR,WEB
June 7th, 2011 4:13pm
Maybe it is because when I imported the new cert, I think I deleted the original cert that had all of the services assigned to it without first gracefully removing services. Is it possible that the services are still somehow "bound" to the old cert? If so, how can I reset them?
(I may be able to find the original cert)
June 7th, 2011 7:23pm
On Tue, 7 Jun 2011 23:23:57 +0000, Vegas588 wrote:
>
>
>Maybe it is because when I imported the new cert, I think I deleted the original cert that had all of the services assigned to it without first gracefully removing services. Is it possible that the services are still somehow "bound" to the old cert? If so, how can I reset them?
>
>(I may be able to find the original cert)
Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP
You can add the IMAP, POP, and UM services to the list if you use them.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 7th, 2011 10:03pm
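An added example, not Rich's own commands or anything posted in the thread, that carries out the re-binding he describes and then checks that IIS really serves the new certificate. The thumbprint value is a placeholder; substitute the one Get-ExchangeCertificate shows for the new certificate, and run it from the Exchange Management Shell on each CAS.

```powershell
# Added example: rebind the Exchange 2010 IIS/SMTP services to the new certificate and verify.
# $NewThumbprint is a placeholder, not a real thumbprint.
$NewThumbprint = 'PUT-THE-NEW-CERT-THUMBPRINT-HERE'

# 1. What does Exchange think is bound right now? The Services column shows IIS, SMTP, POP,
#    IMAP, UM or None; CertificateDomains is the SAN list ExBPA compares against your URLs.
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter,
        @{ Name = 'Domains'; Expression = { $_.CertificateDomains -join ',' } } -AutoSize

# 2. Bind the new certificate. -Force suppresses the "overwrite the default SMTP cert?" prompt.
Enable-ExchangeCertificate -Thumbprint $NewThumbprint -Services IIS,SMTP -Force

# 3. Confirm Exchange recorded the binding ...
$cert = Get-ExchangeCertificate -Thumbprint $NewThumbprint
if ("$($cert.Services)" -notmatch '\bIIS\b') {
    throw "Certificate $NewThumbprint is not bound to IIS"
}

# 4. ... and that HTTP.sys actually serves it on 443. The hash printed here must equal
#    $NewThumbprint; if it still shows the deleted certificate, the site binding was not
#    updated and Enable-ExchangeCertificate must be re-run and IIS restarted (iisreset).
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash'

# 5. Only after step 4 checks out, remove the old certificate (placeholder thumbprint).
# Remove-ExchangeCertificate -Thumbprint 'OLD-CERT-THUMBPRINT-PLACEHOLDER'
```

Step 4 is the check the thread is missing: Get-ExchangeCertificate reports what Exchange's own configuration says, while netsh reports what the HTTP listener hands to clients, and the two can disagree after a certificate is deleted out from under a binding.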
Rich,
I already tried that step. Didn't change anything. These CAS servers are in a CASArray, load balanced by an F5 device. I just read that the F5 also has a certificate added to it? I don't know much about F5 LBs, could it be that the Exchange side is fine, but the F5 still has the old cert?
June 7th, 2011 10:16pm
On Wed, 8 Jun 2011 02:16:39 +0000, Vegas588 wrote:
>I already tried that step. Didn't change anything. These CAS servers are in a CASArray, load balanced by an F5 device. I just read that the F5 also has a certificate added to it? I don't know much about F5 LBs, could it be that the Exchange side is fine, but the F5 still has the old cert?
Yes, it is.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 8th, 2011 7:54pm
I am working with MS support on the case. Got it working, and will post the results when I hear back from them tomorrow. Although, I am not confident that the fix is 100% because it counters many of the things I have read online. But, it is interesting.
There is a CAS array and an F5 HLB. Outlook.company.com has F5 VIP of 10.xxx.xxx.218 and Mail.company.com 10.xxx.xxx.217. Autodiscover.company.com I believe also points to 217.
Essentially, we need to look at the various web services in two groups:
Group 1: (AutodiscoverServiceInternalUri, EWS, OAB), Group 2: (OWA, ECP, ActiveSync)
The CAS Array name is outlook.company.com and this is set as the RPCClientAccessServer on all databases. We ended up setting the Internal URLs of the first group to outlook.company.com. The external URLs are mail.company.com. For the second group, we kept Internal and External URLs to mail.company.com. In this scenario, it is clear that the Internal DNS value for autodiscover is not even being used. Therefore, it is clear that there needs to be no internal DNS value for Autodiscover?
In that configuration, Autodiscover worked internally. No problem at all. Opened Outlook and it detected everything and voila! Done. We have not been able to test external stuff just yet. It still feels like something is wrong though. I know that F5 load balancers have a lot of configuration steps and that they must be set up to distribute all of these services correctly. We are essentially saying that these services are being distributed through 2 internal IP addresses. Will that work for external users?
What can you find wrong with this whole configuration and how do you have your Load Balanced CAS Array setup?
Thank you.
June 8th, 2011 8:57pm
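An added example that is not part of the thread, covering two points raised above: Rich's answer that the F5 can keep presenting the old certificate even when the CAS binding is correct, and the poster's final URL layout that spreads the published names across outlook.company.com, mail.company.com and autodiscover.company.com. It collects every host name from the CAS virtual directories and the Autodiscover SCP, opens a TLS connection to each one, and reports whether the certificate actually served matches the one bound to IIS on the CAS and whether the host name appears in that certificate's SAN (the same comparison ExBPA makes). The Get-*VirtualDirectory, Get-ClientAccessServer and Get-ExchangeCertificate cmdlets are real Exchange 2010 cmdlets; the function names are mine, and the script assumes exactly one certificate has IIS in its Services list. Run it from the Exchange Management Shell from a machine that resolves the names the way clients do (internally it will hit the VIPs).

```powershell
# Added example: compare what each published host name serves over TLS with what the CAS has bound.

function Get-PublishedHostNames {
    # Every InternalUrl/ExternalUrl on the CAS virtual directories plus the Autodiscover SCP URI.
    $urls = @()
    Get-ClientAccessServer | ForEach-Object { $urls += $_.AutoDiscoverServiceInternalUri }
    foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                     'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                     'Get-ActiveSyncVirtualDirectory') {
        & $cmd | ForEach-Object { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
    }
    $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique
}

function Get-PresentedCertificate([string]$HostName, [int]$Port = 443) {
    # TLS handshake that accepts any certificate: we want to see what is served, not validate it yet.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Parse the Subject Alternative Name extension (OID 2.5.29.17) into lower-case DNS names.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-HostCoveredByCert([string]$HostName, $Cert) {
    # True when the host name is in the SAN list or matches a single-label wildcard entry.
    # The CN is deliberately not consulted; ExBPA and modern clients go by the SAN.
    foreach ($name in Get-SanDnsNames $Cert) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and ($HostName -like $name) -and
            ($HostName.Split('.').Count -eq $name.Split('.').Count)) { return $true }
    }
    return $false
}

# The certificate Exchange bound to IIS on this CAS.
$bound = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match '\bIIS\b' } | Select-Object -First 1

foreach ($h in Get-PublishedHostNames) {
    try { $served = Get-PresentedCertificate $h }
    catch { Write-Warning "$h : TLS handshake failed ($($_.Exception.Message))"; continue }

    # SameAsCasBinding = False for a name that resolves to the F5 VIP means the F5 still holds
    # its own (old) certificate; CoveredBySan = False is exactly the ExBPA "SAN mismatch" for that URL.
    New-Object PSObject -Property @{
        HostName         = $h
        ServedThumbprint = $served.Thumbprint
        SameAsCasBinding = ($served.Thumbprint -eq $bound.Thumbprint)
        CoveredBySan     = (Test-HostCoveredByCert $h $served)
        SanNames         = ((Get-SanDnsNames $served) -join ',')
    }
}
```

Run it once against the internal names and once from outside (or with a hosts-file override pointing the names at the external VIP), since the two paths may terminate TLS on different devices with different certificates. Every row should show SameAsCasBinding and CoveredBySan both True; a name that is published in a URL but absent from the SAN needs either the URL changed or the certificate reissued.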
You might like to look at KEMP's Load Balancers (whether virtual or hardware) as they are much easier to configure with hardly any configuration steps. Additionally they have pre-configured templates for Exchange 2010 that can be downloaded right off of the main website.
June 27th, 2012 9:06am