Our existing SAN Cert expired so I bought and installed a new one from GoDaddy. The old Cert had SAN Names for the internal name of the server, I'll say server.internal.local. The new ICANN rules persuaded me to not include the internal name of the server on the replacement Cert and only use publicly accessible names, I'll say mail.public.org.
Now our Outlook Clients in our internal network are throwing an error at startup saying:
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site server.internal.local.
Outlook is unable to connect to the proxy server. (Error Code 10)
I looked at the settings of the Outlook email Account and sure enough under the Exchange Proxy Settings, the "Use this URL..." and the "Only connect to..." are showing server.internal.local.
I followed the instructions here: http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html
Which led me through creating a split brain DNS zone so the internal clients will find the server using the public name that matches the cert and also (theoretically) modifying the autodiscover so the clients will look for the server at the new address.
Apparently, I'm missing something because even when configuring a new Outlook profile I still get the certificate error and the proxy settings are still being set to the old internal name and I am unable to change them.
To further complicate things, this environment has an SBS2011 from which Exchange has been mostly migrated to the new Exchange 2013 machine, but Exchange has not been decommissioned from it yet. I'll call it OLDSERVER. I did go into Sites and Services and delete the Autodiscover service connection point for OLDSERVER thinking it would simplify the issue. No Bueno.
Edited by kidwon Wednesday, April 29, 2015 8:31 PM