Mismatched SSL cert in Outlook 2010 on Exchange 2013.

New Exchange 2013 Server and brand new AD.  Everything is working great except Internal Outlook 2010 clients can't stop Outlook Anywhere from inserting the internal server address instead of the external SSL cert address.  

I bought a UCC cert with 5 SAN names to include the internal server FQN as well as autodiscover names.  I have set all the virtual directories to use the external name as the internal name, I've set up an internal DNS zone for mail.ad.com to point to the exchange server, I've set Outlook Anywhere and autodiscover to use the external name and no matter what I do I cannot get Outlook Anywhere to push the Mail.Ad.com to the clients.  So Local AD Domain is AD.Company.com (no .local), Server FQN is Server.AD.Company.com, external mail server FQN is Mail.Company.com.

SSL Cert from GoDaddy is Mail.Company.com, includes SAN Names, Ad.Company.com, Server.Ad.Company.com, autodiscover.company.com and Company.com.

But shouldn't the UCC cert recognize that Server.Ad.Company.com and Mail.Company.com are part of the same Cert and to not provide a Mismatch warning?

Anyone know what is going on?

June 3rd, 2015 2:08pm

What is set for Get-outlookanywhere |FL  ( you can change the specific domain names)

June 3rd, 2015 4:25pm

Well, I was trying to keep my domain names above anonymous but here is the real domain setup:

RunspaceId                         : 430692bd-68ce-49a9-a956-311f365d922a
ServerName                         : BITSERVER
SSLOffloading                      : True
ExternalHostname                   : mail.bitprosinc.com
InternalHostname                   : mail.bitprosinc.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://BitServer.ad.bitprosinc.com/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 847.32)
Server                             : BITSERVER
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web
                                     Site),CN=HTTP,CN=Protocols,CN=BITSERVER,CN=Servers,CN=Exchange Administrative
                                     Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First
                                     Organization,CN=Microsoft
                                     Exchange,CN=Services,CN=Configuration,DC=ad,DC=bitprosinc,DC=com
Identity                           : BITSERVER\Rpc (Default Web Site)
Guid                               : 805218eb-3d44-4869-a36b-89dde5c8cd2d
ObjectCategory                     : ad.bitprosinc.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 6/3/2015 10:29:08 AM
WhenCreated                        : 5/28/2015 11:53:13 AM
WhenChangedUTC                     : 6/3/2015 5:29:08 PM
WhenCreatedUTC                     : 5/28/2015 6:53:13 PM
OrganizationId                     :
OriginatingServer                  : BitServer.ad.bitprosinc.com
IsValid                            : True
ObjectState                        : Changed


June 3rd, 2015 10:24pm

Ok, you can edit that answer and put bogus domains in there. I am still not clear what the issue is.

What do you mean by :

"except Internal Outlook 2010 clients can't stop Outlook Anywhere from inserting the internal server address instead of the external SSL cert address.  "

and also :

How did you set autodiscover to use the external name?

and what is set for get-clientaccessserver |FL AutoDiscoverServiceInternalUri

June 4th, 2015 8:30am

I meant that all is working for this new exchange server 2013 install.  BUT Outlook Anywhere keeps inserting into the Connection field the server FQN, bitserver.ad.bitprosinc.com, so there is a mismatched SSL as the common name for the SSL is mail.bitprosinc.com.  Although that shouldn't matter as I have a UCC cert with the SAN names for the Exchange server, so it shouldn't come up as mismatched......

I used the PS commandlet, but here is the query and as you see it's showing the common name of mail.bitp....

[PS] C:\Windows\system32>get-clientaccessserver |FL AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri : https://mail.bitprosinc.com/autodiscover/autodiscover.xml 

Could my SSL be hosed or other virtual directories be gummed up?

June 4th, 2015 12:57pm

What you are seeing is normal and shouldn't cause cert mismatch issues:

https://support.microsoft.com/en-us/kb/2754898


You will need to review all the URL settings and also test EMail Auto Configuration in Outlook to see what is being returned to the client by holding the Control Key and right clicking the Outlook icon in the tray and choosing Test E-Mail AutoConfiguration ( Deselect the GuessSmart stuff)

June 4th, 2015 1:38pm
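The reply above says to review all the URL settings. The following is an added example (not code from the thread or from Microsoft) that does that review in one pass in the Exchange 2013 Management Shell: it collects every hostname that Outlook Anywhere, Autodiscover and the client virtual directories hand out, then checks each one against the SAN list of the certificate Exchange has bound to IIS. Any hostname reported as not covered is the one a client will raise a name-mismatch warning for. `$Server` is a placeholder, and the helper functions `Get-HostPart` and `Test-NameCovered` are this example's own.

```powershell
# Added example, not code from the thread. Assumes an Exchange 2013 Management Shell
# session; $Server is a placeholder for the Exchange server name.
$Server = 'BITSERVER'   # placeholder: replace with your server name

# Reduce a bare hostname, a Hostname object, or a full URL to a lower-case host part.
function Get-HostPart {
    param($Value)
    if ($null -eq $Value) { return $null }
    $text = "$Value".Trim()
    if ($text -eq '') { return $null }
    if ($text -match '^[A-Za-z][A-Za-z0-9+.-]*://') { return ([Uri]$text).Host.ToLower() }
    return $text.ToLower()
}

# True when $Name is covered by one of the certificate's SAN entries, either exactly
# or by a single-label wildcard such as *.example.com.
function Test-NameCovered {
    param([string]$Name, [string[]]$Sans)
    foreach ($san in $Sans) {
        $san = $san.ToLower()
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.') + 1) -eq $san.Substring(2)) { return $true }
    }
    return $false
}

# 1. Gather every hostname that Autodiscover and the virtual directories give to clients.
$names = @()
$oa = Get-OutlookAnywhere -Server $Server
$names += $oa.InternalHostname, $oa.ExternalHostname
$names += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($cmdlet in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                    'Get-ActiveSyncVirtualDirectory', 'Get-EcpVirtualDirectory',
                    'Get-OwaVirtualDirectory') {
    & $cmdlet -Server $Server | ForEach-Object { $names += $_.InternalUrl, $_.ExternalUrl }
}
$hosts = $names | ForEach-Object { Get-HostPart $_ } | Where-Object { $_ } | Sort-Object -Unique

# 2. Take the certificate Exchange has assigned to the IIS service and its SAN list.
$iisCert = Get-ExchangeCertificate -Server $Server |
           Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is assigned to the IIS service on $Server" }
$sans = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

# 3. Report each hostname against the SAN list; "Covered = False" is a name mismatch
#    waiting to happen, whatever the certificate's Status says.
"IIS certificate: $($iisCert.Subject)  Status: $($iisCert.Status)  Thumbprint: $($iisCert.Thumbprint)"
foreach ($h in $hosts) {
    [PSCustomObject]@{
        Hostname = $h
        Covered  = Test-NameCovered -Name $h -Sans $sans
    }
}
```

Run it once per Exchange server. The script reads configuration only; it changes nothing, so it is safe to run repeatedly after each Set-*VirtualDirectory change to confirm the URLs and the certificate agree.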

Very strange, now it is working and returning mail.bitprosinc.com for the Outlook Anywhere, Yeah!!!

When you make changes via the Virtual Directories or through Powershell are the changes instantaneous or do I have to restart a certain service?

Ok but now I've messed up the internal ECP panel, I've tried using all the different dns names and I get this message:

You cannot visit localhost right now because this certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later.

BUT I can get to ECP from outside the Lan.

I just went to the Certificate area and the mail.bitprosinc.com certificate is showing as invalid?  Do I have to rekey and regenerate my SSL at Godaddy to fix?

June 4th, 2015 4:20pm

Hi Dan,

Please run the following command to check your certificate configuration:

Get-ExchangeCertificate | fl

If the certificate is invalid, please contact Godaddy about the certificate invalid issue.

Regards,

June 5th, 2015 2:09am

So I have no access to the ECP on the server because the SSL has been revoked, so how do I get access to the ECP without bringing down the mail server? 

[PS] C:\Windows\system32>Get-ExchangeCertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.bitprosinc.com, www.mail.bitprosinc.com, ad.bitprosinc.com, bitprosinc.com,
                     autodiscover.bitprosinc.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 5/29/2016 5:46:47 PM
NotBefore          : 5/29/2015 5:46:47 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 4B8FF710E7250A74
Services           : IMAP, POP, IIS, SMTP
Status             : Invalid
Subject            : CN=mail.bitprosinc.com, OU=Domain Control Validated
Thumbprint         : D594903C41AD9F65E0A096B0A47F2B404543196F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
NotAfter           : 5/1/2020 11:32:25 AM
NotBefore          : 5/28/2015 11:32:25 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 7C5E6443C719A88B4EF7A820AE8308F4
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate
Thumbprint         : EAB95578DFF64A0B84C520764208E7524765E683

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {BitServer, BitServer.ad.bitprosinc.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=BitServer
NotAfter           : 5/28/2020 11:30:24 AM
NotBefore          : 5/28/2015 11:30:24 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 64BC002BECC7B2B645DB5C29F6B22871
Services           : SMTP
Status             : Valid
Subject            : CN=BitServer
Thumbprint         : A733E531FA54B8C42E41B0584FA7E78178FDC7B0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-BITSERVER}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-BITSERVER
NotAfter           : 5/25/2025 10:00:02 AM
NotBefore          : 5/28/2015 10:00:02 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1090E55C55D7A9B944A6FA7F5ADBAB31
Services           : None
Status             : Valid
Subject            : CN=WMSvc-BITSERVER
Thumbprint         : D09CC91FA5FB43934EEE8BB488211D9B04C10B88


June 5th, 2015 4:57pm
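Get-ExchangeCertificate reports only `Status : Invalid`; it does not say whether the cause is revocation (as the browser message in the post above suggests), a missing intermediate CA, or a revocation endpoint the server cannot reach, and those have different fixes. The following is an added example (not code from the thread or from Microsoft) that builds the certificate's chain with online revocation checking and reports the specific chain-status flags. `$Thumbprint` is a placeholder filled with the GoDaddy thumbprint shown in the output above, and `Get-ChainFailureReasons` is this example's own helper.

```powershell
# Added example, not code from the thread. Assumes it runs on the Exchange server with
# outbound access to the CA's CRL/OCSP endpoints; $Thumbprint is a placeholder (here the
# GoDaddy certificate from the thread's Get-ExchangeCertificate output).
$Thumbprint = 'D594903C41AD9F65E0A096B0A47F2B404543196F'   # placeholder

# Build the chain for a certificate with strict, online revocation checking and return
# the names of every X509ChainStatusFlags value that explains a validation failure.
function Get-ChainFailureReasons {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $null = $chain.Build($Certificate)
    # Show what the chain engine actually assembled (leaf -> intermediates -> root).
    foreach ($element in $chain.ChainElements) { "  chain element: $($element.Certificate.Subject)" }
    # A status entry can carry several flags ("Revoked, NotTimeValid"), so split them.
    return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() -split ',\s*' })
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$reasons = Get-ChainFailureReasons -Certificate $cert
if ($reasons.Count -eq 0) {
    "Chain builds cleanly and nothing in it is revoked."
} else {
    "Validation failed: $($reasons -join ', ')"
    if     ($reasons -contains 'Revoked') {
        "The certificate or one of its issuers is revoked. Only the CA can fix this (re-key or re-issue); no Exchange URL change will help."
    } elseif ($reasons -contains 'RevocationStatusUnknown' -or $reasons -contains 'OfflineRevocation') {
        "Revocation could not be verified. Check that the server can reach the CRL/OCSP URLs embedded in the certificate."
    } elseif ($reasons -contains 'PartialChain' -or $reasons -contains 'UntrustedRoot') {
        "An intermediate or root CA certificate is missing from the local certificate stores."
    } elseif ($reasons -contains 'NotTimeValid') {
        "The certificate is expired or not yet valid; check the NotBefore/NotAfter dates and the server clock."
    }
}
```

The check is read-only and uses the same Windows chain engine that IIS and the browser use, so its verdict matches what clients see. A `Revoked` result is the one case where re-keying the certificate with the CA, as the thread ends up doing, is the only remedy.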

OK, rekeyed the cert and all is fine now.

Thanks for all your help!!

  • Edited by boho2112 Saturday, June 06, 2015 6:07 PM
June 5th, 2015 8:54pm
