date: Sat, 10 May 2008 15:44:52 -0400,    group: microsoft.public.exchange.admin        back       


subject alternate names   
Hi All:

I'm needing to create a self signed certificate for OWA 2007.  I'm
wanting to use my own certificate authority which is Microsoft
Certificate Services.

The common name (CN) for my certificate will be the URL that most
external users will access OWA 2007 with (webmail.companyname.com).

The internal computer name of the Exchange server (which also runs
webmail) is not webmail but is something else.  

Unfortunately, when the certificate with the common name of
webmail.companyname.com is placed on the Exchange server, all my
Outlook 2007 internal clients start giving a certificate error.

I'm assuming this is because Outlook 2007 clients notice that the
Exchange server's certificate has the CN of webmail.companyname.com
which doesn't match the server's internal name on the network.  This
internal name is the name that Outlook 2007 Autodiscover picks up on
to connect to the server with.  So, since that internal name isn't
webmail, the Outlook clients start complaining but external users who
access OWA are fine because the names match.

So, I need a certificate with some subject alternate names (SAN).
However, I do not see a place in the Microsoft Certificate Services to
do this.  

The closest thing looks like the Additional Attributes box that is
under Advanced Certificate Request/Submit a cert request by using base
64 encoded CMC, etc when accessing the URL http://servername/certsrv
where servername is my internal Microsoft CA.

Can I use the Additional Attributes to do SANs?  Or can the Microsoft
Certificate Services not do this at all?  Am I forced to go to a 3rd
party CA?

Thanks!
Drew
date: Sat, 10 May 2008 15:44:52 -0400   author:   Drew

Re: subject alternate names   
On Sat, 10 May 2008 15:44:52 -0400, Drew  wrote:

>
>Hi All:
>
>I'm needing to create a self signed certificate for OWA 2007.  I'm
>wanting to use my own certificate authority which is Microsoft
>Certificate Services.

Yuck.

>
>The common name (CN) for my certificate will be the URL that most
>external users will access OWA 2007 with (webmail.companyname.com).
>
>The internal computer name of the Exchange server (which also runs
>webmail) is not webmail but is something else.  
>
>Unfortunately, when the certificate with the common name of
>webmail.companyname.com is placed on the Exchange server, all my
>Outlook 2007 internal clients start giving a certificate error.

Yep.

>
>I'm assuming this is because Outlook 2007 clients notice that the
>Exchange server's certificate has the CN of webmail.companyname.com
>which doesn't match the server's internal name on the network.  This
>internal name is the name that Outlook 2007 Autodiscover picks up on
>to connect to the server with.  So, since that internal name isn't
>webmail, the Outlook clients start complaining but external users who
>access OWA are fine because the names match.

So change the internal name that autodiscover uses by changing the
AutoDiscoverServiceInternalUri attribute with the
set-clientaccessserver powershell command.


>
>So, I need a certificate with some subject alternate names (SAN).
>However, I do not see a place in the Microsoft Certificate Services to
>do this.  

Don't know if you can. I would use a 3rd party certificate. Much less
hassle.

>
>The closest thing looks like the Additional Attributes box that is
>under Advanced Certificate Request/Submit a cert request by using base
>64 encoded CMC, etc when accessing the URL http://servername/certsrv
>where servername is my internal Microsoft CA.
>
>Can I use the Additional Attributes to do SANs?  Or can the Microsoft
>Certificate Services not do this at all?  Am I forced to go to a 3rd
>party CA?
>
>Thanks!
>Drew
date: Sat, 10 May 2008 16:24:30 -0400   author:   Andy David {MVP}

Re: subject alternate names   
On Sat, 10 May 2008 16:24:30 -0400, Andy David {MVP} wrote:

>On Sat, 10 May 2008 15:44:52 -0400, Drew  wrote:
>
>>
>>Hi All:
>>
>>I'm needing to create a self signed certificate for OWA 2007.  I'm
>>wanting to use my own certificate authority which is Microsoft
>>Certificate Services.
>
>Yuck.
>
>>
>>The common name (CN) for my certificate will be the URL that most
>>external users will access OWA 2007 with (webmail.companyname.com).
>>
>>The internal computer name of the Exchange server (which also runs
>>webmail) is not webmail but is something else.  
>>
>>Unfortunately, when the certificate with the common name of
>>webmail.companyname.com is placed on the Exchange server, all my
>>Outlook 2007 internal clients start giving a certificate error.
>
>Yep.
>
>>
>>I'm assuming this is because Outlook 2007 clients notice that the
>>Exchange server's certificate has the CN of webmail.companyname.com
>>which doesn't match the server's internal name on the network.  This
>>internal name is the name that Outlook 2007 Autodiscover picks up on
>>to connect to the server with.  So, since that internal name isn't
>>webmail, the Outlook clients start complaining but external users who
>>access OWA are fine because the names match.
>
>So change the internal name that autodiscover uses by changing the
>AutoDiscoverServiceInternalUri attribute with the
>set-clientaccessserver powershell command.

But this internal name is already correct.  If I change it to be
'webmail', won't that mess autodiscover up?  Or will that be alright
since there's a DNS CNAME record pointing 'webmail' to the internal
name of the exchange server, which is EXCHANGE2007?


>
>
>>
>>So, I need a certificate with some subject alternate names (SAN).
>>However, I do not see a place in the Microsoft Certificate Services to
>>do this.  
>
>Don't know if you can. I would use a 3rd party certificate. Much less
>hassle.
>
>>
>>The closest thing looks like the Additional Attributes box that is
>>under Advanced Certificate Request/Submit a cert request by using base
>>64 encoded CMC, etc when accessing the URL http://servername/certsrv
>>where servername is my internal Microsoft CA.
>>
>>Can I use the Additional Attributes to do SANs?  Or can the Microsoft
>>Certificate Services not do this at all?  Am I forced to go to a 3rd
>>party CA?
>>
>>Thanks!
>>Drew
date: Sat, 10 May 2008 16:31:38 -0400   author:   Drew

Re: subject alternate names   
>
>But this internal name is already correct.  If I change it to be
>'webmail', won't that mess autodiscover up?  Or will that be alright
>since there's a DNS CNAME record pointing 'webmail' to the internal
>name of the exchange server, which is EXCHANGE2007?
>

The AutoDiscoverServiceInternalUri is an attribute in AD. If you
change that to the FQDN that matches the cert, that's what the Outlook
2007 clients who are connected to the domain will attempt to connect
to.

http://support.microsoft.com/kb/940726




You can always change it back if you want :)
date: Sat, 10 May 2008 16:42:21 -0400   author:   Andy David {MVP}

Re: subject alternate names   
Gotcha!

So, if I change this attribute to point to webmail.companyname.com,
even though webmail is just an internal DNS CNAME or alias record
pointing to the Exchange server (and not the name of the actual
Exchange server), the Outlook clients should work okay with this?

Thanks for the help!
Drew


On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP} wrote:

>>
>>But this internal name is already correct.  If I change it to be
>>'webmail', won't that mess autodiscover up?  Or will that be alright
>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>name of the exchange server, which is EXCHANGE2007?
>>
>
>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>change that to the FQDN that matches the cert, that's what the Outlook
>2007 clients who are connected to the domain will attempt to connect
>to.
>
>http://support.microsoft.com/kb/940726
>
>
>
>
>You can always change it back if you want :)
date: Sat, 10 May 2008 18:09:47 -0400   author:   Drew

Re: subject alternate names   
On Sat, 10 May 2008 18:09:47 -0400, Drew  wrote:

>
>Gotcha!
>
>So, if I change this attribute to point to webmail.companyname.com,
>even though webmail is just an internal DNS CNAME or alias record
>pointing to the Exchange server (and not the name of the actual
>Exchange server), the Outlook clients should work okay with this?

Yes, if that FQDN points to the client access server and matches the
cert, your Outlook 2007 clients should be able to find it and not
generate the cert error.
Also test to make sure the OOF dialog box opens correctly (follow
that KB and test).



>
>Thanks for the help!
>Drew
>
>
>On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP} wrote:
>
>>>
>>>But this internal name is already correct.  If I change it to be
>>>'webmail', won't that mess autodiscover up?  Or will that be alright
>>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>>name of the exchange server, which is EXCHANGE2007?
>>>
>>
>>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>>change that to the FQDN that matches the cert, that's what the Outlook
>>2007 clients who are connected to the domain will attempt to connect
>>to.
>>
>>http://support.microsoft.com/kb/940726
>>
>>
>>
>>
>>You can always change it back if you want :)
date: Sat, 10 May 2008 18:47:56 -0400   author:   Andy David {MVP}
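The change Andy describes, written out as an added PowerShell example for the Exchange Management Shell. This is not code from the thread; it assumes the Client Access server is EXCHANGE2007 and the certificate name is webmail.companyname.com (both from the thread), that the standard /autodiscover/autodiscover.xml path is used, and that Test-OutlookWebServices (Exchange 2007 SP1 and later) is available. It records the old value first, checks that the name resolves internally and is actually on the IIS certificate before changing anything, and then runs the Autodiscover/OOF test Andy asks for.

```powershell
# Added example (not from the thread): point domain-joined Outlook 2007
# clients at the name that matches the certificate, then verify.
# Assumptions: CAS name and certificate FQDN taken from the thread.

$cas      = "EXCHANGE2007"
$certFqdn = "webmail.companyname.com"
$newUri   = "https://$certFqdn/autodiscover/autodiscover.xml"

# 1. Record the current value so it can be put back ("you can always change it back").
$before = (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
Write-Host "Current AutoDiscoverServiceInternalUri: $before"

# 2. The FQDN must resolve on the internal DNS (the thread's CNAME webmail -> EXCHANGE2007).
$addrs = [System.Net.Dns]::GetHostAddresses($certFqdn)
if ($addrs.Length -eq 0) { throw "$certFqdn does not resolve on the internal DNS" }
Write-Host "$certFqdn resolves to $($addrs | ForEach-Object { $_.IPAddressToString })"

# 3. The certificate bound to IIS must carry that name as CN or SAN, otherwise
#    Outlook keeps warning after the URI change.
$matching = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match "IIS") -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $certFqdn)
}
if (-not $matching) { throw "No IIS-enabled certificate carries the name $certFqdn" }

# 4. Write the new internal Autodiscover URI into AD.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri $newUri

# 5. Verify what clients will now read, and exercise Autodiscover/OOF (Availability).
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Test-OutlookWebServices | Format-Table Id, Type, Message -AutoSize
```

Step 3 is the check that matters: changing the URI only removes the warning if the name in the URI is one the certificate actually contains, so the script refuses to proceed when it is not.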

Re: subject alternate names   
Should you need to create a SAN cert in the future from your Windows CA refer 
to http://support.microsoft.com/kb/931351 - you need to tweak the CA server 
before it will give you the option of a SAN.

"Andy David  {MVP}" wrote:

> On Sat, 10 May 2008 18:09:47 -0400, Drew  wrote:
> 
> >
> >Gotcha!
> >
> >So, if I change this attribute to point to webmail.companyname.com,
> >even though webmail is just an internal DNS CNAME or alias record
> >pointing to the Exchange server (and not the name of the actual
> >Exchange server), the Outlook clients should work okay with this?
> 
> Yes, if that FQDN points to the client access server and matches the
> cert, your Outlook 2007 clients should be able to find it and not
> generate the cert error.
> Also test to make sure the OOF dialog box opens correctly (follow
> that KB and test).
> 
> 
> 
> >
> >Thanks for the help!
> >Drew
> >
> >
> >On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP} wrote:
> >
> >>>
> >>>But this internal name is already correct.  If I change it to be
> >>>'webmail', won't that mess autodiscover up?  Or will that be alright
> >>>since there's a DNS CNAME record pointing 'webmail' to the internal
> >>>name of the exchange server, which is EXCHANGE2007?
> >>>
> >>
> >>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
> >>change that to the FQDN that matches the cert, that's what the Outlook
> >>2007 clients who are connected to the domain will attempt to connect
> >>to.
> >>
> >>http://support.microsoft.com/kb/940726
> >>
> >>
> >>
> >>
> >>You can always change it back if you want :)
>
date: Mon, 12 May 2008 06:41:01 -0700   author:   RobM alias
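The SAN route RobM points at, as an added example that is not from the thread. KB 931351 is about letting the CA accept a subject alternative name supplied as a request attribute, which is what the "Additional Attributes" box in /certsrv (and certreq -attrib) carries. The example enables that on the Windows CA, builds the request on the Exchange 2007 server with New-ExchangeCertificate so the private key stays there, submits it with both names, and binds the result to IIS. Names taken from the thread are webmail.companyname.com and EXCHANGE2007; the internal FQDN, the CA host and name, the template name and the DN components are placeholders.

```powershell
# Added example (not from the thread): issue a certificate with both the
# external and internal names from the internal Windows CA.
# Placeholders: $internalName, $caConfig, $template and the O=/C= values.

$externalName = "webmail.companyname.com"
$internalName = "exchange2007.companyname.local"              # placeholder internal FQDN
$caConfig     = "CA01.companyname.local\CompanyName-Issuing-CA" # placeholder "host\CA name"
$template     = "WebServer"                                   # placeholder; needs Server Authentication

# --- On the CA (KB 931351): honour SAN values passed as request attributes.
# This setting is CA-wide: every principal allowed to submit a request can
# then name any host in that request, so clear it again once the certificate
# is issued (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2).
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

# --- On the Exchange 2007 server (Exchange Management Shell): create the
# request. -DomainName places both names in the request's subjectAltName.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalName,O=CompanyName,C=US" `
    -DomainName $externalName,$internalName `
    -PrivateKeyExportable $true `
    -Path C:\webmail.req

# Submit to the CA. Attributes are newline-separated name:value pairs; the
# san: attribute is the one the EditFlags change above makes the CA honour.
certreq -submit -config $caConfig `
    -attrib "CertificateTemplate:$template`nsan:dns=$externalName&dns=$internalName" `
    C:\webmail.req C:\webmail.cer

# Import the issued certificate and bind it to IIS (OWA, Autodiscover, EWS).
Import-ExchangeCertificate -Path C:\webmail.cer | Enable-ExchangeCertificate -Services IIS

# Verify that the certificate now serving IIS carries both names.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, Thumbprint
```

With both names on one certificate, the AutoDiscoverServiceInternalUri can stay on the server's real internal name and external OWA users still see a matching name, so neither side gets the warning Drew describes.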
