Outlook Anywhere vs OWA and the battle of the Certificates
Ok... Exchange 2007 on Windows 2008. Internal CA.

First certificates we installed on the CAS servers were set up following the directions in http://technet.microsoft.com/en-us/library/aa995942.aspx and were laid out in the following way:

Subject Name: CAS01.subdomain.domain.com
Subject Alternative Name 1: CAS01.subdomain.domain.com
SAN 2: CAS01
SAN 3: owa.domain.com
SAN 4: autodiscover.domain.com

We want users to be using owa.domain.com/owa to access OWA. We also set up a redirect so if the user went to http://owa.domain.com (for instance) it would redirect them to https://owa.domain.com/owa. OWA worked with no certificate errors. Yay right?

Then we tried Outlook Anywhere. To keep things simple we set the external host name for Outlook Anywhere to be owa.domain.com. It would connect and prompt for username and password (whether using Basic or NTLM) and it would never accept the password. Outlook Anywhere was not working.

So I found online in a forum discussion (yes, I know, trustworthy source) that in order for Outlook Anywhere to work you need to have the External Hostname you used when setting up Outlook Anywhere in the Subject Name of the Certificate you were using. Having it as a Subject Alternative Name was not good enough. So I requested and installed new certificates:

Subject Name: owa.domain.com
Subject Alternative Name 1: CAS01.subdomain.domain.com
SAN 2: CAS01
SAN 4: autodiscover.domain.com

Now I get name mismatch certificate errors in OWA when I try to go there.

SO, what am I doing wrong here? Any help would be very much appreciated. Thanks
November 20th, 2009 10:20pm

Ok so I feel somewhat vindicated in that the following article says:

"Therefore, you must make sure that the client computers trust the certification authority. Additionally, if you use your own certification authority, when you issue a certificate to your Client Access server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the Client Access server that is available on the Internet. For example, the Common Name field or the Issued to field must contain a name that resembles mail.contoso.com. These fields cannot contain the internal fully qualified domain name of the computer. For example, they cannot contain a name that resembles mycomputer.contoso.com."

http://technet.microsoft.com/en-us/library/aa997703.aspx

Oh, and Outlook Anywhere does, indeed, work now..... of course it doesn't help me solve my OWA issue :P
November 20th, 2009 10:37pm

Hi, I also want to set up my Exchange server for both OWA and Outlook Anywhere. Have you resolved your OWA issue by using a certificate with the following details?

Subject Name: owa.domain.com
Subject Alternative Name 1: CAS01.subdomain.domain.com
SAN 2: CAS01
SAN 4: autodiscover.domain.com

My Outlook 2007 users will use an SRV record to search AutoDiscover URLs and I want to use only the Default Website (no extra website for AutoDiscover redirect). Mail.MyCompany.com points to my CAS server in DNS. We will use a third party SSL certificate.

Waiting for your reply...

Regards,
Laeeq Qazi | Snr Software Engineer (Exchange + Sharepoint + BES + DynamicsCRM)
www.HostingController.com
November 23rd, 2009 5:24pm

Hi,

The CertPrincipalName (MSSTD) should be the same as Issued to (Subject name) rather than the External Hostname. By default, the CertPrincipalName parameter is null, which obtains the value from the Server. And the Server obtains the value from External Hostname if the Server parameter is also null. Thus, that means the External Hostname should be the same as Issued to (Subject name) by default. In fact, the issue exists between the CertPrincipalName and Issued to.

Thus, there are two methods to resolve this issue:

If you use the original certificate, you need to run set-Outlookprovider EXPR -CertPrincipalName CAS01.subdomain.domain.com in EMS in order to make the MSSTD match the Issued to.

If you use the new certificate, you need to include owa.domain.com in the Subject Alternative Name in order to make OWA work normally.

Below is a similar thread for your reference:
http://social.technet.microsoft.com/forums/en-US/exchangesvrdeploy/thread/1349e80f-09f3-4a57-8abe-68ef8ec6a408/

Thanks
Allen
November 25th, 2009 9:16am
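The thread turns on two different name checks that are easy to confuse: a browser reaching OWA matches the URL host against the certificate's SAN list (and ignores the Subject CN once dNSName SANs are present, per RFC 2818 / RFC 6125), while Outlook Anywhere's mutual-authentication check compares the CertPrincipalName (msstd:) against the Subject CN only. The following Python model is an added example, not code from the thread or from Exchange; it encodes both checks, the CertPrincipalName -> Server -> ExternalHostname default chain Allen describes, and feeds them the two certificate layouts from the original post plus Allen's two fixes. Hostnames are the thread's own placeholders, the certificate records are constructed from the post's text rather than parsed from real X.509, and the function and scenario names are mine.

```python
# Added example (not from the thread): a small model of the two name checks
# the posters run into, fed with the two certificate layouts from the original
# post. Hostnames are the thread's placeholders; Cert records are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Only the identity fields that matter here (constructed, not parsed X.509)."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)   # dNSName SAN entries


def owa_name_ok(cert: Cert, url_host: str) -> bool:
    """Browser-style check for https://owa.domain.com/owa.

    Per RFC 2818 / RFC 6125, once a certificate carries dNSName SANs the client
    matches the URL host against the SAN list only and ignores the Subject CN;
    without SANs the CN is used. This is why the second layout in the post
    (CN=owa.domain.com but no matching SAN) produces a name mismatch in OWA.
    """
    names = cert.sans if cert.sans else [cert.subject_cn]
    return url_host.lower() in (n.lower() for n in names)


def effective_cert_principal_name(external_hostname: str,
                                  server: Optional[str] = None,
                                  cert_principal_name: Optional[str] = None) -> str:
    """Default chain from Allen's reply: CertPrincipalName -> Server -> ExternalHostname.

    The value may carry the 'msstd:' prefix the Outlook provider uses; it is
    stripped so the comparison is on the bare host name.
    """
    value = cert_principal_name or server or external_hostname
    return value[len("msstd:"):] if value.lower().startswith("msstd:") else value


def outlook_anywhere_ok(cert: Cert, principal: str) -> bool:
    """Outlook Anywhere mutual-auth check: principal must equal the Subject CN.

    SAN entries are not consulted, which is why the first layout fails even
    though owa.domain.com is present as a SAN.
    """
    return principal.lower() == cert.subject_cn.lower()


def evaluate(cert: Cert, owa_host: str, external_hostname: str,
             cert_principal_name: Optional[str] = None) -> Dict[str, object]:
    """Run both checks for one certificate/configuration pair."""
    principal = effective_cert_principal_name(external_hostname,
                                              cert_principal_name=cert_principal_name)
    return {
        "principal": principal,
        "owa": owa_name_ok(cert, owa_host),
        "outlook_anywhere": outlook_anywhere_ok(cert, principal),
    }


# The two layouts from the original post, constructed from its text.
FIRST_CERT = Cert("CAS01.subdomain.domain.com",
                  ["CAS01.subdomain.domain.com", "CAS01",
                   "owa.domain.com", "autodiscover.domain.com"])
SECOND_CERT = Cert("owa.domain.com",
                   ["CAS01.subdomain.domain.com", "CAS01", "autodiscover.domain.com"])

# Allen's second fix: keep the second cert but add owa.domain.com as a SAN.
SECOND_CERT_WITH_SAN = Cert(SECOND_CERT.subject_cn,
                            SECOND_CERT.sans + ["owa.domain.com"])

OWA_HOST = "owa.domain.com"
EXTERNAL_HOSTNAME = "owa.domain.com"   # Outlook Anywhere External Hostname from the post


def scenarios() -> Dict[str, Dict[str, object]]:
    """All four configurations discussed in the thread, in one table."""
    return {
        "first cert, defaults": evaluate(FIRST_CERT, OWA_HOST, EXTERNAL_HOSTNAME),
        # Allen's first fix: set-OutlookProvider EXPR -CertPrincipalName msstd:<CN>
        "first cert, CertPrincipalName=CN": evaluate(
            FIRST_CERT, OWA_HOST, EXTERNAL_HOSTNAME,
            cert_principal_name="msstd:CAS01.subdomain.domain.com"),
        "second cert, defaults": evaluate(SECOND_CERT, OWA_HOST, EXTERNAL_HOSTNAME),
        "second cert + owa SAN": evaluate(SECOND_CERT_WITH_SAN, OWA_HOST, EXTERNAL_HOSTNAME),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:36} OWA={result['owa']!s:5} "
              f"OutlookAnywhere={result['outlook_anywhere']!s:5} "
              f"(principal {result['principal']})")
```

Running it shows the pattern the thread stumbled through: the first layout passes OWA and fails Outlook Anywhere, the second does the reverse, and either of Allen's fixes makes both checks pass. When troubleshooting a real deployment, the equivalent is to compare the Subject and SAN fields of the certificate actually bound to the CAS with the External Hostname and CertPrincipalName values of the EXPR Outlook provider, since the two checks read different fields.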

