Problems with Autodiscover, Out of Office, Free Busy, OWA and Outlook Anywhere

One of the most common issues I see has to do with certificates, so to start out we need to understand some things about certificates.

Certificates are used to encrypt traffic between Exchange servers and clients.

There are 3 things that need to be true for a certificate to be valid.

  1. The name used to access the resource needs to match the certificate exactly.
    Example: If I connect to OWA with mail.mydomain.com, then the certificate also needs to have mail.mydomain.com on it, in either the Subject or the Subject Alternative Name field.
  2. The certificate's time must be valid (the current date must fall within its validity period).
  3. The issuing Certificate Authority must be trusted by the client. (It needs to exist in the client's “Trusted Root Certification Authorities” store.)


Now that we have some VERY basic info about certificates, the issues I see constantly are Autodiscover, Out of Office, Free Busy and Outlook Anywhere misconfiguration.

Reasons:

  1. Not using a trusted certificate
    • Solution: use a 3rd party cert provider
  2. The certificate name does not match the DNS name(s)
    • Solution: create a new cert request containing all the names used to access the server. At a minimum:
      1. Autodiscover.domain.com
      2. <ExternalName>.domain.com
      3. <InternalName>.domain.local (if using for internal systems also)

Example of a correct cert request:

  • New-ExchangeCertificate -GenerateRequest -SubjectName "C=US, O=Org Name, CN=mail.domain.com" -DomainName mail.domain.com, autodiscover.domain.com, servername, servername.domain.local -FriendlyName mail.domain.com -PrivateKeyExportable:$true -Path c:\cert_myserver.txt

Example of cert import:

  • Import-ExchangeCertificate -Path "C:\CertificateFile.cer" | Enable-ExchangeCertificate -Services pop, smtp, iis, imap   (2007 Example)
  • Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\newcert.cer -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services SMTP   (2010 Example)
  3. External URLs not defined correctly
  4. Can’t resolve fully qualified domain names (FQDN)
  5. SCP record does not contain the correct value

    1. Test from Outlook:
      1. Hold CTRL, click the Outlook icon in the system tray and select “Test Email Auto Configuration”.
      2. Uncheck the Guessmart options and click Test.
    2. Check the SCP value returned:
      1. If you get info on the Results tab, then Autodiscover is working.
      2. If not, look at the Log tab and note the URL that is returned.
    3. Test the URL (type it into Internet Explorer). If it is not valid, change the SCP to a valid URL:
      1. Run ADSIEDIT and view the “Service Binding Information” to verify the correct value.
    4. Set the SCP along with the internal URL: Set-ClientAccessServer CASServerName -AutoDiscoverServiceInternalUri https://mail.domain.local/Autodiscover/Autodiscover.xml
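
To confirm the three certificate conditions listed at the top of this post for every name clients connect with, the following PowerShell script (an added example, not part of the original post) connects to each name on port 443 and reports name match, validity period and issuer trust as seen from the machine it runs on. The host names are placeholders based on the article's examples, and Test-ExchangeCertificate is a hypothetical helper name.

```powershell
# Added example. Host names are placeholders from the article; replace them
# with every name your clients actually use (external, internal, autodiscover).
$names = 'mail.domain.com', 'autodiscover.domain.com', 'servername.domain.local'

function Test-ExchangeCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None; Chain = @() }
    # Record what .NET found but return $true, so the handshake completes and
    # an invalid certificate can still be inspected and reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $state.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)   # fails here if the FQDN does not resolve
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    catch {
        return [pscustomobject]@{ Name = $HostName; Error = $_.Exception.Message }
    }
    finally { $tcp.Close() }

    $now = Get-Date
    $mismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    [pscustomobject]@{
        Name        = $HostName
        # Condition 1: the name used to connect is on the certificate
        NameMatches = -not $state.Errors.HasFlag($mismatch)
        # Condition 2: the current time is inside the validity period
        TimeValid   = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        # Condition 3: the chain ends in a root this machine trusts
        Trusted     = @($state.Chain -match 'UntrustedRoot|PartialChain').Count -eq 0
        Expires     = $cert.NotAfter
        Subject     = $cert.Subject
    }
}

$names | ForEach-Object { Test-ExchangeCertificate -HostName $_ } | Format-List
```

Run it from a client machine rather than the Exchange server, because trust is evaluated against the root store of the machine running the script.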
