Exchange 2010 and Single Name Certificates


Goal / Scope

The purpose of this article is to provide a method for leveraging a single name certificate with Exchange 2010 without getting errors and warnings, and without some services potentially failing altogether. Please NOTE: Microsoft's recommended best practice is to use a SAN (Subject Alternative Name) certificate with Exchange. However, if for some reason this is not an option, perhaps due to cost or because you want to leverage an existing certificate, the process below will allow a single name certificate to be used with Exchange.

Notes:
Again, this is likely not a Microsoft supported configuration. While it has been rolled out successfully in small environments, if a SAN certificate can be purchased and used, that is the best case.

Background

Below are some of the things that need to be in place for this configuration to be successful.

Prerequisites

  • An external DNS provider that supports SRV records. You’ll need to insert an SRV record of _autodiscover._tcp.domain.com in DNS for this to work
  • Outlook 2007 with the update rollup released June 27, 2007 (Discussed in this Microsoft KB article) to provide support for Exchange Autodiscover via SRV lookup
  • An SSL certificate for mail.domain.com

Methodology / Process Steps

In the examples shown below, [domain.com] is the domain name, [mail.domain.com] is the URL being set for all services and EXCHANGE is the NetBIOS name of the Exchange server.

  1. Point external DNS for mail.domain.com to the external IP address of the Exchange server.
  2. Create the SRV record _autodiscover._tcp.domain.com with content of [mail.domain.com] on port 443. Your DNS provider might also have you enter it like this:
    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: [mail.domain.com]
  3. Point internal DNS for [mail.domain.com] to the internal IP address of the Exchange server.
  4. Set the Internal URLs.

    Note:  These examples can be copied and pasted into a text editor. Simply replace [mail.domain.com] with the FQDN on the certificate, then paste the new commands directly into a PowerShell window on the Exchange 2010 server.

    # NetBIOS name of the Exchange server (used by the ActiveSync command below)
    $CASserver = "EXCHANGE"

    Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl "https://mail.domain.com/Autodiscover/Autodiscover.xml"
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://mail.domain.com/Autodiscover/Autodiscover.xml"
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.domain.com/Ews/Exchange.asmx"
    Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "https://mail.domain.com/Oab"
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl "https://mail.domain.com/Owa"
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "https://mail.domain.com/Ecp"
    Get-ActiveSyncVirtualDirectory -Server $CASserver | Set-ActiveSyncVirtualDirectory -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"
  5. Set the External URLs.

    Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -ExternalUrl "https://mail.domain.com/Autodiscover/Autodiscover.xml"
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl "https://mail.domain.com/Ews/Exchange.asmx"
    Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl "https://mail.domain.com/Oab"
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl "https://mail.domain.com/Owa"
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl "https://mail.domain.com/Ecp"
    Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"
  6. Verify everything was set correctly.

    Get-AutodiscoverVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
    Get-WebServicesVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
    Get-OabVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
    Get-OwaVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
    Get-EcpVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
    Get-ActiveSyncVirtualDirectory | ft Identity,InternalUrl,ExternalUrl
  7. Verify everything is working by using the Exchange Remote Connectivity Analyzer located at https://www.testexchangeconnectivity.com
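The following script is an added check, not part of the original article or the referenced blog post. It runs in the Exchange Management Shell after steps 1 to 6 and flags any client-access URL, the Autodiscover SCP URI, the certificate binding, or the SRV record that does not agree with the single certificate name. The values of $CertName and $Domain are placeholders, and Resolve-DnsName assumes the DnsClient module (Windows Server 2012 or later); on older servers substitute nslookup -type=SRV.

```powershell
# Added verification script (not from the original article). Assumes the Exchange
# Management Shell is loaded; $CertName and $Domain are placeholders to replace.
$CertName = "mail.domain.com"   # the one subject name on the certificate
$Domain   = "domain.com"        # SMTP domain that owns _autodiscover._tcp
$problems = @()

# 1. Every virtual directory URL must be HTTPS and carry the certificate name;
#    any other host (NetBIOS name, internal FQDN) triggers a name-mismatch warning.
$dirs = @(Get-AutodiscoverVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
        @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory) +
        @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
foreach ($d in $dirs) {
    foreach ($prop in "InternalUrl", "ExternalUrl") {
        $u = $d.$prop                      # System.Uri or $null
        if (-not $u) { $problems += "$($d.Identity): $prop is empty"; continue }
        if ($u.Scheme -ne "https") { $problems += "$($d.Identity): $prop is not HTTPS ($u)" }
        if ($u.Host -ne $CertName) { $problems += "$($d.Identity): $prop host '$($u.Host)' is not '$CertName'" }
    }
}

# 2. Domain-joined Outlook finds Autodiscover through the SCP, so that URI must match too.
foreach ($cas in Get-ClientAccessServer) {
    $u = $cas.AutoDiscoverServiceInternalUri
    if (-not $u -or $u.Host -ne $CertName) { $problems += "$($cas.Name): AutoDiscoverServiceInternalUri is '$u'" }
}

# 3. The certificate carrying $CertName must be the one bound to IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
if (-not $iisCert) { $problems += "No certificate is enabled for the IIS service" }
elseif (-not ($iisCert.CertificateDomains -contains $CertName)) {
    $problems += "IIS certificate '$($iisCert.Subject)' does not contain '$CertName'"
}

# 4. External clients must be sent to $CertName on 443 by the SRV record.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $srv) { $problems += "SRV record _autodiscover._tcp.$Domain not found" }
elseif ($srv.NameTarget -ne $CertName -or $srv.Port -ne 443) {
    $problems += "SRV points to $($srv.NameTarget):$($srv.Port), expected ${CertName}:443"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "All client-access URLs, the SCP, the IIS certificate and the SRV record match $CertName" }
```

Run it from a client network as well as on the server, since the SRV lookup reflects whichever DNS the machine resolves against.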

Known Issues / Troubleshooting

This section is for the issues that have well defined and tested solutions.

Problem: Certificate errors are still present, and services such as OAB fail to function properly.

Solution: Use the Outlook Connectivity Test (found by holding Ctrl on the keyboard and right-clicking the Outlook icon in the notification area). One of the options will be "Test E-mail AutoConfiguration ...". After you supply username and password information, it will attempt an Autodiscover email configuration and display the results of the test in the window. "Connection Status" is also a useful utility and can be opened using the same method; it displays the connection status of the Outlook client.

References

The PowerShell code used in this guide was taken directly from this article:

http://blog.cohesivelogic.com/exchange-2010-single-name-ssl-certificates

Last Updated On October 24, 2017