A Certifiable Case of Mistaken Identity  —  Exchange Server Certificates

A student recently brought up the following issue/question:

“I have Outlook XP clients predominantly, and they’re OK, but I also have some Outlook 2007 clients on my network, and I get an error message each time they open Outlook 2007.”

Outlook 2007 and Outlook 2010, especially when connecting through Outlook Anywhere (OA), as well as the services hosted on Exchange Server 2007/2010 such as Outlook Web Access/App (OWA), Exchange ActiveSync (EAS), Exchange Web Services (EWS), POP and IMAP, all go through the Client Access (CA) server role (CA here means Client Access, not certification authority). The exception is Exchange Server 2007, where internal Outlook clients using RPC/MAPI still connect directly to the Mailbox (MB) server role; Exchange 2010 moved that traffic onto the Client Access role as well. We will not focus on that scenario here, but it does explain the student's symptom: Outlook XP speaks only MAPI to the Mailbox server, while Outlook 2007 additionally contacts the Client Access role over HTTPS for Autodiscover, EWS (free/busy, out-of-office) and the Offline Address Book, and it is those HTTPS connections that check the certificate name.

If you receive an error such as “Security Alert: The name on the security certificate is invalid or does not match the name of the site,” the client has compared the host name in the URL it was given against the names in the certificate (the subject common name and any subject alternative names) and found no match. A common cause is a difference between the internal and external names of your Client Access server(s).

If you have issued a public key (PK) certificate to each of your Exchange Client Access servers, there are two kinds of mistaken identity that can arise. For simplicity, consider just one Client Access server for the moment. If your organization uses an internal name for the server such as myorgexch.myorg.local and an external name such as webmail.myorg.com, those are the seeds for an identity problem.

If you use an internal Active Directory Certificate Services (AD CS) infrastructure to issue a certificate to this server and put its internal name (myorgexch.myorg.local) in the subject of the certificate, clients using URLs that carry the external name (webmail.myorg.com) will receive this error, because the certificate does not name the host they asked for.

On the other hand, if you have paid an external certification authority for a certificate whose subject is the external name (webmail.myorg.com), yet still use the internal name (myorgexch.myorg.local) in any of the URLs handed to clients, the same error results. A single certificate can carry both names as subject alternative names (SANs), and Exchange 2007 and 2010 both support such certificates. One caveat for anyone reading this today: public CAs stopped issuing certificates for non-registrable names such as .local in November 2015, so the internal name can no longer be added to a publicly issued certificate; the usual remedies are to put the public name in the internal URLs as well (with split DNS resolving it to the internal address) or to cover both names on one certificate from an internal CA that your clients trust.
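As an added example (not code from the original article), here is how one certificate carrying both names as subject alternative names is requested, imported and enabled from the Exchange Management Shell. It assumes Exchange Server 2010 syntax (New-ExchangeCertificate -GenerateRequest returns the request text; on Exchange 2007 use -Path instead), the server myorgexch and the names used above, adds autodiscover.myorg.com because Outlook 2007/2010 look that name up over HTTPS, and assumes the request goes to a CA that will sign a .local name, in practice the internal AD CS, whose root only clients inside the organization trust. For a public CA, leave the .local name out and point the internal URLs at the public name. The O= and C= values and the C:\certs paths are placeholders.

```powershell
# Added example, not from the original article. Assumes Exchange Server 2010 EMS on the
# Client Access server myorgexch; autodiscover.myorg.com, the O= and C= values and the
# C:\certs paths are placeholders to replace.

# Every DNS name a client may use to reach this Client Access server.
$names = @(
    'webmail.myorg.com',       # external URL host (from the article)
    'autodiscover.myorg.com',  # assumed: Outlook 2007/2010 Autodiscover lookup
    'myorgexch.myorg.local'    # internal URL host (from the article); only an internal CA will sign it
)

# 1. Generate the PKCS#10 request. The public name is the subject CN; every name in
#    $names, the CN included, is written into the subjectAltName extension.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail.myorg.com, O=MyOrg, C=US' `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\myorgexch.req' -Value $request

# 2. Submit the .req to the CA. When the signed certificate comes back as
#    C:\certs\myorgexch.cer, import it; Exchange pairs it with the pending private key.
$certBytes = [byte[]](Get-Content -Path 'C:\certs\myorgexch.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes

# 3. Bind it to the TLS-protected Client Access services. The IIS binding of the default
#    web site switches to this thumbprint, which is what OWA, EAS, EWS, OAB, ECP and
#    Outlook Anywhere present to clients.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP'

# 4. Verify: CertificateDomains must list every name in $names and Services must include IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Enable-ExchangeCertificate replaces whatever certificate IIS was using, so run step 4 before clients reconnect; if a name is missing from CertificateDomains, the CA stripped a SAN it would not issue for and the request has to be redone without it.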

Several services in the Exchange Server Client Access role, such as Outlook Anywhere and Outlook Web Access/App, support both an internal and an external URL. If you supplied the /ExternalCASServerDomain option during Exchange Server setup, both URLs may already be set appropriately. Otherwise, the internal and external URLs can be reconfigured either through the graphical Exchange management tools or, of course, with the Exchange Management Shell (EMS). Whichever you use, every host name in those URLs has to appear on the certificate bound to IIS on that server: Outlook 2007/2010 learn the EWS, OAB and Outlook Anywhere URLs through Autodiscover, so a mismatch there shows up in Outlook even though the user never typed a URL.

For example, the following commands accommodate the names listed above, assuming that myorgexch (the host part of myorgexch.myorg.local) is the name of the Client Access server you are working on:

# Outlook Web App
Set-OwaVirtualDirectory -Identity "myorgexch\owa (Default Web Site)" -ExternalUrl https://webmail.myorg.com/owa
# Outlook Anywhere (RPC over HTTPS); the external host name is what Outlook stores as its proxy server
Enable-OutlookAnywhere -Server myorgexch -ExternalHostname webmail.myorg.com -SSLOffloading $false
# Exchange ActiveSync; the external URL must carry the virtual directory path, not just the host name
Set-ActiveSyncVirtualDirectory -Identity "myorgexch\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://webmail.myorg.com/Microsoft-Server-ActiveSync
# Exchange Web Services
Set-WebServicesVirtualDirectory -Identity "myorgexch\EWS (Default Web Site)" -ExternalUrl https://webmail.myorg.com/ews/exchange.asmx
# Offline Address Book
Set-OabVirtualDirectory -Identity "myorgexch\OAB (Default Web Site)" -ExternalUrl https://webmail.myorg.com/OAB
# Exchange Control Panel (Exchange 2010 only). On each cmdlet above, add -InternalUrl with the same host when the certificate carries only the public name
Set-EcpVirtualDirectory -Identity "myorgexch\ecp (Default Web Site)" -ExternalUrl https://webmail.myorg.com/ecp

As these examples show, the CA server role hosts far more than just OWA, so webmail.myorg.com is not necessarily the best name for your public Exchange presence; a service-neutral name (mail.myorg.com, say), plus autodiscover.myorg.com for Outlook 2007/2010 Autodiscover, covers the whole set. Load balancers and multiple Client Access servers add further complexity, since every name a client is given must appear on the certificate presented by whichever server answers. The critical aspects of PK certificates used for HTTPS (and other SSL/TLS-protected access) are consistent names and an appropriate chain of trust (the PKI aspect): the client must be able to build a path from the server certificate to a root it already trusts, which an internal AD CS root does not give clients on the Internet. Consider this general guideline: for access from public networks such as the Internet, publicly registered names should be used both in the certificates and in the external URLs.
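To catch a mismatch before users report the Security Alert, the following audit script (an added example, not code from the original article) gathers every host name the Client Access server hands to clients, namely the internal and external URLs of the OWA, ActiveSync, EWS, OAB and ECP virtual directories, the Outlook Anywhere external host name and the Autodiscover internal URI, and checks each against the names on the certificate currently enabled for IIS. It assumes Exchange Server 2010 EMS (the -Server parameter of Get-ExchangeCertificate and the ECP virtual directory are 2010 features; on 2007 run it on the server itself and drop the ECP line) and the server name myorgexch from the article; the function names are this example's own.

```powershell
# Added example, not from the original article. Assumes Exchange Server 2010 EMS; the
# server name is the article's myorgexch, the function names are this example's own.
$Server = 'myorgexch'

# Browser-style match of a host name against one certificate name: exact (case-insensitive),
# or a wildcard that stands for exactly one leading label (*.myorg.com covers
# webmail.myorg.com, but neither myorg.com nor a.b.myorg.com).
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                                   # ".myorg.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $leading = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($leading -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Names on the certificate bound to IIS. CertificateDomains already merges the subject CN
# with the DNS entries of the subjectAltName extension.
function Get-IisCertificateNames {
    param([string]$Server)
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate is enabled for IIS on $Server" }
    $cert.CertificateDomains | ForEach-Object { $_.ToString() }
}

# One record per host name the Client Access role gives out to clients.
function Get-CasUrlHosts {
    param([string]$Server)
    $vdirs = @(
        @{ Service = 'OWA';        Objects = @(Get-OwaVirtualDirectory         -Server $Server) },
        @{ Service = 'ActiveSync'; Objects = @(Get-ActiveSyncVirtualDirectory  -Server $Server) },
        @{ Service = 'EWS';        Objects = @(Get-WebServicesVirtualDirectory -Server $Server) },
        @{ Service = 'OAB';        Objects = @(Get-OabVirtualDirectory         -Server $Server) },
        @{ Service = 'ECP';        Objects = @(Get-EcpVirtualDirectory         -Server $Server) }   # Exchange 2010 only
    )
    foreach ($v in $vdirs) {
        foreach ($o in $v.Objects) {
            foreach ($kind in 'InternalUrl', 'ExternalUrl') {
                $u = $o.$kind                      # System.Uri, or $null when the URL is not set
                if ($u) {
                    New-Object PSObject -Property @{ Service = $v.Service; Kind = $kind; HostName = ([Uri]$u).Host }
                }
            }
        }
    }
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -and $oa.ExternalHostname) {
        New-Object PSObject -Property @{ Service = 'OutlookAnywhere'; Kind = 'ExternalHostname'; HostName = $oa.ExternalHostname.ToString() }
    }
    $cas = Get-ClientAccessServer -Identity $Server
    if ($cas.AutoDiscoverServiceInternalUri) {
        New-Object PSObject -Property @{ Service = 'Autodiscover'; Kind = 'InternalUri'; HostName = $cas.AutoDiscoverServiceInternalUri.Host }
    }
}

# Join the two: any row with Covered = False is a name clients will be warned about.
function Get-CasNameMismatch {
    param([string]$Server)
    $certNames = @(Get-IisCertificateNames -Server $Server)
    Write-Host ("Certificate names on {0}: {1}" -f $Server, ($certNames -join ', '))
    Get-CasUrlHosts -Server $Server | ForEach-Object {
        $_ | Add-Member -MemberType NoteProperty -Name Covered `
                        -Value (Test-NameCovered -HostName $_.HostName -CertNames $certNames) -PassThru
    }
}

Get-CasNameMismatch -Server $Server |
    Sort-Object Covered, Service |
    Format-Table Service, Kind, HostName, Covered -AutoSize
```

Run it once per Client Access server, and again after any Set-*VirtualDirectory or Enable-ExchangeCertificate change; behind a load balancer, run it against each member, since the certificate the client sees is whichever member answered.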
