How to fix wrong CAS host in Outlook profile?
We have Exchange 2010 SP1 on a single CAS/HUB (mail1) and 2 mailbox servers at SP2 (mail3 & mail4). We installed a purchased certificate for "ourhost.external.tld" and enabled that cert for the IMAP, POP, IIS and SMTP services. Then we set DNS to resolve "ourhost.external.tld" both inside our LAN to mail1's internal IP and publicly to mail1's external IP. We also set the OWA, ECP, ActiveSync, OAB and POP3/IMAP internal and external URLs to "ourhost.external.tld".
We decided to set up mail4 (cas/hub), mail5 (mbox), and mail6 (mbox) and configured them as "ourhost2.external.tld".
It seemed like everything was working OK: clients attaching to "ourhost" did not get certificate warnings, and "ourhost.external.tld" showed up in those users' Outlook profiles. Similarly, clients attaching to "ourhost2" had no certificate warnings, and "ourhost2.external.tld" showed up in their Outlook profiles.
Then we uninstalled mail6, then mail5, then mail4 via the Exchange uninstall routine. No errors, and the uninstalls went smoothly.
Users connecting to mail1, mail2 & mail3 still do not get certificate warnings in Outlook, but their Outlook profiles now show "mail1.internal.tld" instead of "ourhost.external.tld". And a handful of POP3 / SMTP users we just started testing get a certificate warning when trying to send email via their Outlook.
We have found there is still a default self-signed certificate referencing "mail1.internal.tld" and enabled for SMTP in the Exchange Certificates tab of EMC. Does this default certificate influence POP3 / SMTP users because the Outlook clients are reaching out to "mail1.internal.tld"? Is it safe to delete this certificate since we already installed the purchased cert and enabled services as mentioned above?
Is there a way we can get our Outlook profiles back to displaying "ourhost.external.tld"? What settings need to be checked / set for this?
Thanks in advance for any help!
January 31st, 2012 3:58pm
First - you shouldn't have your CAS role servers on an older version of Exchange than the mailbox servers. You should have installed Exchange 2010 SP2 on the CAS role first, then mailbox.
The Outlook client will show the true name of the CAS role that it has connected to - that is by design. The only way that you can change that is to use an RPC CAS array. However an RPC CAS array should NOT resolve externally, it should be used exclusively for TCP connections to Exchange.
Therefore you would have outlook.example.local as the RPC CAS Array. This CAS array host would point to one or more of the CAS role servers.
The SSL certificate has nothing to do with the host name that Outlook is using. Furthermore, the host name that you are seeing in Outlook is not using the SSL certificate either, the server name is TCP, not HTTPS.
Exchange will create its own certificates if the names are not correct. Furthermore, the FQDN on the Receive Connector used by Exchange for internal traffic should be either blank, the server's FQDN or NETBIOS name, so you may well get SSL warnings if you aren't using a Unified Communications certificate with the additional names, if you remove the self-signed certificate.
As such, I would recommend leaving the self-signed SSL certificate alone and ensure that the FQDN on the connector used for the clients to send email via SMTP matches the SSL certificate. That should stop the errors.
Of course the ideal scenario would be to have a UC certificate so that you can put the required names on it.
Simon.
Simon Butler, Exchange MVP
Blog | Exchange Resources | In the UK? Hire Me.
January 31st, 2012 4:17pm
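The RPC Client Access array Simon describes, as an added Exchange Management Shell example (not from the thread). "outlook.example.local", the AD site name and the IP address are placeholders; the array name is only ever published in internal DNS.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# Exchange 2010. "outlook.example.local", "Default-First-Site-Name" and
# 10.0.0.10 are placeholders for the real array name, AD site and CAS IP.

# 1. Create the array object for the AD site that holds the CAS role.
New-ClientAccessArray -Name "outlook.example.local" `
    -Fqdn "outlook.example.local" -Site "Default-First-Site-Name"

# 2. Point every mailbox database at the array instead of the CAS server's
#    real name; Outlook reads this value when the profile is created.
Get-MailboxDatabase |
    Set-MailboxDatabase -RpcClientAccessServer "outlook.example.local"

# 3. Verify: each database should now report the array name.
Get-MailboxDatabase | Format-Table Name, RpcClientAccessServer -AutoSize

# 4. Internal DNS only: an A record for the array name pointing at the CAS
#    server's LAN address (Windows DNS, run on the DNS server). Do not add
#    the same name to the public zone; the array is for internal RPC/TCP.
# dnscmd . /RecordAdd example.local outlook A 10.0.0.10

# Caveat: Outlook profiles created before this change keep the old server
# name; those clients need a repaired or new profile to pick up the array.
```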
OK, oops, about the service pack install order. I'm installing SP2 on the CAS server tomorrow morning.
We have 3 receive connectors. They are,
Client MAIL1
Default MAIL1
Relay MAIL1
All 3 receive connectors have mail1.internal.tld set as the FQDN.
Are you saying the only legitimate way to get the certificate warning to go away for POP3->SMTP senders is to upgrade the current single hostname certificate to a multi certificate and add mail1.internal.tld and remove / reinstall the certificate?
Or would removing the internal or external URL in the client access tabs for OWA, ECP, AS, OAB, POP3andIMAP influence it?
I'm really not quite understanding why the CAS box has to have dual hostname identities when it's effectively one entity.
January 31st, 2012 4:44pm
You can really only use a single URL when you have a single server. Once you start to get into multiple servers with the roles spread out, then things change. The server's real name then becomes very important to the operation of Exchange. This isn't like Exchange 2003 where a single name SSL certificate works, and Exchange doesn't really care about it - web services is key to the operation of Exchange.
Thus if you have multiple CAS role servers then ideally you should have a multiple name certificate so that all functionality works correctly. You can pick up a five name certificate for $60/year.
I think trying to do everything with two single name SSL certificates is simply going to cause you more problems, and switching to a single UC certificate that covers all CAS role servers, plus the external names and autodiscover will be the best option for you. The certificate will then work for both internal and external web services traffic, such as OAB, EWS, Outlook Anywhere, ActiveSync etc, as well as POP3/SMTP.
Simon.
Simon Butler, Exchange MVP
January 31st, 2012 5:44pm
Two single name SSL certificates?
I should clarify (and I see I was mistaken in my first post) that we did not install a 2nd certificate for the scenario "ourhost2". Sorry about leaving that important bit off, it's probably caused some confusion. In the end we do only have 1 CAS server + 2 MBX servers.
Is the receive connector we defined "Relay" and allow our POP3 users to relay through responsible for the Hostname those clients try to resolve? Should the FQDN on that Receive Connector be "ourhost.external.tld"?
I have not seen a $60 multi name certificate vendor that won't have us jumping through hoops to get the certificate authority onto users' desktops and mobile devices. Is there one we should consider? (I understand any names provided are not an endorsement for said vendor.)
Thanks!
January 31st, 2012 8:10pm
Certificates from GoDaddy or one of their resellers such as http://CertificatesForExchange.com/ are $60 for five names. Nothing to install on the clients or mobile devices. You do have to install an intermediate certificate on the server, but that takes all of two minutes. I have installed 100s of those certificates for clients.
If you have setup a second connector for external clients to use then the FQDN should match the external host name and SSL certificate.
However my previous advice above still stands - get a commercial certificate that covers all CAS role servers, their names and all of the host names that you want to use. Life is a lot easier as you don't have to worry about trust issues.
Simon.
Simon Butler, Exchange MVP
February 1st, 2012 5:03am
Hi,
First, please keep all the Exchange server roles on the same version.
Then you can try to add a record in the hosts file and then try to create the profile.
Please run get-exchangecertificate | fl name, services, thumbprint to check which certificate has been enabled for the POP3 and SMTP services.
Xiu Zhang
TechNet Community Support
February 2nd, 2012 3:05am
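An added audit script (not posted by anyone in the thread) that does the check suggested above and then compares each Receive Connector's FQDN against the names on the SMTP-enabled certificates, which is where the POP3/SMTP warning comes from. Server and connector names are the thread's placeholders; the Set-ReceiveConnector line is left commented so the script only reports unless you opt in.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the CAS/HUB server. "MAIL1" and "Relay MAIL1" are the thread's placeholder
# names; substitute the real server and connector.

# 1. Inventory: which certificate is bound to which service, and whether it
#    is the self-signed one created at install time.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Services, IsSelfSigned, NotAfter, CertificateDomains |
    Format-List

# 2. Collect every DNS name carried by a certificate that has SMTP enabled.
#    Exact-name comparison only; wildcard entries are not expanded.
$smtpNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } |
    Sort-Object -Unique

# 3. Compare each Receive Connector FQDN with those names. A blank FQDN falls
#    back to the server's own name (covered by the self-signed certificate),
#    so it is reported as such rather than as a mismatch. A connector whose
#    FQDN matches no SMTP certificate is the one producing client warnings,
#    and also shows what would break if the self-signed cert were deleted.
foreach ($rc in Get-ReceiveConnector) {
    $fqdn = [string]$rc.Fqdn
    if (-not $fqdn) {
        Write-Output ("{0}: FQDN blank, server name used" -f $rc.Identity)
    } elseif ($smtpNames -contains $fqdn.ToLower()) {
        Write-Output ("{0}: FQDN {1} is covered by an SMTP certificate" -f $rc.Identity, $fqdn)
    } else {
        Write-Warning ("{0}: FQDN {1} matches no SMTP-enabled certificate" -f $rc.Identity, $fqdn)
    }
}

# 4. Fix for the client-facing connector only (the one the POP3 users submit
#    through): set its FQDN to the name on the purchased certificate. Leave
#    the Default connector's FQDN as the server name, as advised above.
# Set-ReceiveConnector -Identity "MAIL1\Relay MAIL1" -Fqdn "ourhost.external.tld"
```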
All Exchange servers are on SP2 as of 2/1/2012 AM. get-exchangecertificate returns two certificates installed:
Services : IMAP, POP, IIS, SMTP
Thumbprint : <snip>
This is cert1 and corresponds to "ourhost.external.tld", aka our purchased certificate.
Services : SMTP
Thumbprint : <snip>
This is cert2 for "mail1", aka the self-signed certificate created when Exchange was installed. Can this certificate be safely removed because cert1 also has SMTP enabled?
February 2nd, 2012 3:35am
Hi,
You can remove the self-signed certificate, I think.
Xiu Zhang
TechNet Community Support
February 6th, 2012 2:13am