Once the certificate has been installed you will need to enable it. You can run the following command to enable the certificate for the SMTP and IIS services:
Enable-ExchangeCertificate -Thumbprint 595ea47cf0c04f64dc3d6d2995f7c4b172ca0f92 -Services "SMTP, IIS"
Note: The thumbprint needs to match the certificate you have just installed, entered as one hex string without the spaces that the MMC details pane shows. To find it, use either the Get-ExchangeCertificate command, or the MMC (select the certificate, click the Details tab and click Thumbprint), or the command specified in PART 1.
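As an added example (not from the original post), the following Exchange Management Shell snippet finds the certificate by the name it was issued for instead of copying the thumbprint by hand, normalises the thumbprint so a value pasted from the MMC still works, and then enables it for SMTP and IIS. The certificate name nlb.nwtraders.msft is taken from the post; the rest is assumed.

```powershell
# Added example, not from the original post. Assumes an Exchange Management
# Shell session and a certificate containing the name nlb.nwtraders.msft.
$certName = 'nlb.nwtraders.msft'

# Pick the newest certificate whose subject/SAN list contains the wanted name.
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $certName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate for $certName was found in the local machine store."
}

# Thumbprints copied from the MMC details pane contain spaces; Exchange expects
# the bare hex string, so strip any whitespace before using the value.
$thumbprint = $cert.Thumbprint -replace '\s', ''

"Enabling {0} (valid until {1:d})" -f $thumbprint, $cert.NotAfter
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services SMTP, IIS

# Confirm that SMTP and IIS are now bound to this certificate.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Selecting by NotAfter guards against picking an older, still-present certificate for the same name; the final Get-ExchangeCertificate shows the Services column so you can see the binding took effect.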
For each Client Access Server (CAS) that is installed, a Service Connection Point (SCP) record is created for the Autodiscover service that internal clients use to locate it.
When I go into Outlook I get the following error:-
This is because I'm connecting to services using the NetBIOS name of mbx1, which does not match the name on the certificate. If I run Get-ClientAccessServer -Identity mbx1 | FL I'll see that AutoDiscoverServiceInternalUri is https://MBX1/Autodiscover/Autodiscover.xml, which does not match the certificate. I can also check the other services and see the same result for OAB, EWS, Outlook Anywhere (OA) and Exchange ActiveSync (EAS). So I need to update all of these internal URLs to match the name on the certificate.
- Set-ClientAccessServer -Identity "mbx1" -AutoDiscoverServiceInternalUri https://nlb.nwtraders.msft/autodiscover/autodiscover.xml
- Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx
- Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/OAB
- Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"
- Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/Microsoft-Server-ActiveSync
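As an added example (not from the original post), the script below applies the five changes above from a single pair of variables and then does the check the post performs by hand: it reads every internal URL back from the configuration and compares its host name against the subject and SAN names of the certificate bound to IIS, so a name that was missed shows up before a user sees the warning. Server name, FQDN and virtual directory paths are the post's; everything else is assumed.

```powershell
# Added example, not from the original post. Assumes an Exchange Management
# Shell session, the CAS "mbx1" and the load-balanced name from the post.
$server = 'mbx1'
$fqdn   = 'nlb.nwtraders.msft'
$base   = "https://$fqdn"

# Point every internal endpoint at the name on the certificate.
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" -InternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync"
# Enable-OutlookAnywhere errors if OA is already enabled, so only call it once.
if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $fqdn -ClientAuthenticationMethod NTLM
}

# Names the certificate bound to IIS is valid for (subject plus SAN entries),
# lower-cased for comparison. Wildcard entries such as *.nwtraders.msft stay as-is.
$iisCert    = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$validNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# Every endpoint a client will be handed, read back from the live configuration.
$endpoints = @(
    @{ Service = 'Autodiscover'; Url = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri }
    @{ Service = 'EWS';          Url = (Get-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)").InternalUrl }
    @{ Service = 'OAB';          Url = (Get-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)").InternalUrl }
    @{ Service = 'EAS';          Url = (Get-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)").InternalUrl }
    @{ Service = 'OA';           Url = "https://$((Get-OutlookAnywhere -Server $server).ExternalHostname)/rpc" }
)

foreach ($e in $endpoints) {
    $hostName = ([uri]$e.Url).Host.ToLower()
    # -like makes a wildcard SAN entry match its subdomains; plain names match exactly.
    $covered  = @($validNames | Where-Object { $hostName -like $_ }).Count -gt 0
    New-Object PSObject -Property @{
        Service   = $e.Service
        Host      = $hostName
        OnCert    = $covered
        Thumbprint = $iisCert.Thumbprint
    }
}
```

Any row with OnCert set to False is an endpoint that will still raise the certificate warning in Outlook; the Autodiscover URL is the one to check first, because clients fetch the other URLs from it.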
Note: If your customer does decide to enable OA externally, it is important to note that the external host name configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the endpoint property in the client profile.
For a Subject Alternative Name (SAN) certificate to be used by clients connecting to the OA service where the CPN does not match the msstd value configured in the Outlook client profile (but the URL is listed in the SAN part of the certificate), certain conditions need to be met. These are listed below:-
- Outlook 2007 or higher
- Vista SP1
Then, when you open Outlook, you should no longer get the certificate error!
Written by Daniel Kenyon-Smith