How to Set Up an Exchange UCC or SAN certificate with a non-standard domain

If you found this article useful please click on my referral link before buying your godaddy certificate www.godaddy.com

When trying to purchase an SSL SAN certificate you may run into problems if your Active Directory domain uses a non-standard (non-public) domain name, e.g. one that ends in .local.

For example, GoDaddy will fail with the error message:

One or more SANs is not a fully qualified domain name. You must drop the invalid SANs

Please note: After November 1, 2015, Go Daddy will no longer provide SSL certificates without a fully-qualified domain name or IP address, such as ‘mail’, ‘intranet’, or 10.0.0.1

This is not legislation as such: it comes from the CA/Browser Forum Baseline Requirements, which forbid publicly trusted certificate authorities from issuing certificates containing internal server names (a bare host name, or anything under a non-public suffix such as .local) or reserved IP addresses. Certificates expiring after 1 November 2015 may not contain such names, and any still in circulation had to be revoked by 1 October 2016. The security reasoning is simple: a name like servername.yourdomain.local is not globally unique, so any other organisation using the same internal name could obtain a publicly trusted certificate for it and impersonate your server.

In the example below I tried to register five names:

  • mail.yourdomain.net
  • autodiscover.yourdomain.net
  • autodiscover.yourdomain.local (a non-public suffix, so not an acceptable FQDN)
  • Servername (a short host name, not an FQDN at all)
  • Servername.yourdomain.local (a non-public suffix, so not an acceptable FQDN)

As the internal names cannot be registered with a public CA, you will not be able to include

  • autodiscover.yourdomain.local
  • Servername
  • Servername.yourdomain.local

You can only register

  • Mail.yourdomain.net
  • Autodiscover.yourdomain.net

This means that you will need to reconfigure your Exchange server to use your public domain name (e.g. mail.yourdomain.net) on your internal network as well. Otherwise Outlook will connect to a name that is not on the certificate and show the error “The name on the security certificate is invalid or does not match the name of the site”.

Create DNS Zone for your public internet domain

By creating an Active Directory-integrated DNS zone for your public domain name on your internal DNS servers, you control what internal clients resolve those names to: mail.yourdomain.net should resolve to the Exchange server’s internal IP. This is known as split-brain (or split-horizon) DNS.

Because the internal zone is now authoritative for the whole domain, internal clients will never consult the public zone again. You therefore need to recreate every public record your users rely on, e.g. www for your website, and any MX or SPF records you want resolvable internally; anything you forget will silently stop resolving inside the network. All Exchange DNS records should point to the Exchange server’s internal IP.

This allows you to use your public FQDN internally, and reduces the names you need on the certificate to just two:

  • Mail.yourdomain.net
  • Autodiscover.yourdomain.net

Note I have created host records for “mail” and “autodiscover”. Therefore order the SSL certificate with just those two FQDNs: mail.yourdomain.net and autodiscover.yourdomain.net.
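The zone and records above, scripted as an added example (not part of the original post). It assumes an internal DNS server that is a domain controller on Windows Server 2012 or later (the DnsServer module; on Server 2008 the equivalent is dnscmd), the public domain yourdomain.net, an Exchange internal address of 192.168.1.10 and a website at 203.0.113.20 (a documentation range, chosen for illustration). Setting $UsePinpoint to $true uses the alternative suggested in the comments below: one tiny zone per host name, which overrides only the Exchange names and leaves every other public record untouched.

```powershell
# Added example, not from the original post. Run on an internal DNS server that is a
# domain controller (Windows Server 2012+, DnsServer module). All names and addresses
# below are assumptions for illustration.
$Zone        = 'yourdomain.net'
$ExchangeIP  = '192.168.1.10'   # internal address of the Exchange server
$WebIP       = '203.0.113.20'   # public address of the website (documentation range)
$UsePinpoint = $false           # $true = per-host "pinpoint" zones instead of a full zone copy

if (-not $UsePinpoint) {
    # Full split-brain zone: the internal copy is authoritative for the whole domain,
    # so internal clients never consult the public zone for any name under it.
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
    }
    foreach ($Name in 'mail', 'autodiscover') {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $ExchangeIP
    }
    # Every public record internal clients still rely on must be recreated here,
    # otherwise it silently stops resolving inside the network. '.' is the zone apex.
    Add-DnsServerResourceRecordA  -ZoneName $Zone -Name 'www' -IPv4Address $WebIP
    Add-DnsServerResourceRecordMX -ZoneName $Zone -Name '.' -MailExchange "mail.$Zone." -Preference 10
}
else {
    # Pinpoint zones: a zone named after each host, holding a single A record at its apex.
    # Only mail and autodiscover are overridden; www, MX, SPF etc. still come from the public zone.
    foreach ($Fqdn in "mail.$Zone", "autodiscover.$Zone") {
        if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Domain
        }
        Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '.' -IPv4Address $ExchangeIP
    }
}

# Verify from a domain-joined machine: both names must now return the internal address,
# and (full-zone variant only) www must still resolve to the public address.
Resolve-DnsName "mail.$Zone"         -Type A | Select-Object Name, IPAddress
Resolve-DnsName "autodiscover.$Zone" -Type A | Select-Object Name, IPAddress
Resolve-DnsName "www.$Zone"          -Type A | Select-Object Name, IPAddress
```

Whichever variant you choose, test from a client on the internal network rather than on the DNS server itself, since the client’s resolver cache may still hold the public answer until it expires or is flushed.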

Set Exchange to Use the Public FQDN

You can view which URLs Exchange is handing out by running the “Test E-mail AutoConfiguration” tool in Outlook (hold Ctrl, right-click the Outlook icon in the notification area and select it).

You will need to set Exchange to advertise the public FQDN for a number of key services. To do this, open the Exchange Management Shell and enter the commands below, changing the FQDN (mail.contoso.com) and the server name (CAS_Server_Name) to your own. Every host name you configure here must be on the certificate, otherwise Outlook will warn about it.

Exchange 2007

  1. Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To change this URL, type the following command, and then press Enter:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

  2. Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

  3. Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter:

    Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

  4. Change the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press Enter:

    Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.


Note you can check the current Autodiscover setting with Get-ClientAccessServer (look at the AutoDiscoverServiceInternalUri property), and the virtual directory settings with the matching Get- cmdlet for each Set- command above.

Exchange 2010

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

    Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
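The whole procedure in one script, as an added example (not from the original post or from Microsoft). It assumes Exchange 2010 on a Client Access server named CAS01, the public name mail.contoso.com, and that the SAN certificate has already been imported and enabled for IIS with Enable-ExchangeCertificate. It goes further than the steps above: it also sets the ExternalUrl values and the OWA, ECP, ActiveSync and Outlook Anywhere names (ECP does not exist on Exchange 2007; drop that line there), recycles the application pool from the shell, and finishes with the check a practitioner actually wants: that every host name Exchange now advertises is covered by a SAN on the certificate bound to IIS.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell on the CAS.
# Assumptions: public name mail.contoso.com, server CAS01, Exchange 2010, certificate already
# enabled for IIS. Replace the two values below with your own.
$Fqdn = 'mail.contoso.com'
$Cas  = 'CAS01'

# Autodiscover Service Connection Point in Active Directory: the first place domain-joined
# Outlook looks, so it must hand out a name that is on the certificate.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$Fqdn/autodiscover/autodiscover.xml"

# Virtual directories. Internal and external URLs use the same public name: split-brain DNS
# sends internal clients to the private address and everyone else to the public one.
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$Fqdn/ews/exchange.asmx" -ExternalUrl "https://$Fqdn/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$Fqdn/oab" -ExternalUrl "https://$Fqdn/oab"
Set-OwaVirtualDirectory -Identity "$Cas\owa (Default Web Site)" `
    -InternalUrl "https://$Fqdn/owa" -ExternalUrl "https://$Fqdn/owa"
Set-EcpVirtualDirectory -Identity "$Cas\ecp (Default Web Site)" `
    -InternalUrl "https://$Fqdn/ecp" -ExternalUrl "https://$Fqdn/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$Fqdn/Microsoft-Server-ActiveSync"

# Outlook Anywhere (RPC over HTTPS), if enabled, advertises the same public name to
# external Outlook clients, so they keep working after the change.
if (Get-OutlookAnywhere -Server $Cas) {
    Set-OutlookAnywhere -Identity "$Cas\Rpc (Default Web Site)" -ExternalHostname $Fqdn
}

# Recycle the Autodiscover application pool (the IIS Manager step, scripted).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'

# Check: every host name Exchange now advertises must be covered by a SAN on the certificate
# bound to IIS, otherwise Outlook shows "The name on the security certificate is invalid".
$cert  = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$sans  = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
$urls  = @(
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OabVirtualDirectory         -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OwaVirtualDirectory         -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-EcpVirtualDirectory         -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-ActiveSyncVirtualDirectory  -Server $Cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
)
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host.ToLower() } | Sort-Object -Unique

foreach ($h in $hosts) {
    # A SAN covers the host if it matches exactly, or is a wildcard one label above it.
    $covered = $sans | Where-Object {
        $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_ -and $h.Split('.').Count -eq $_.Split('.').Count)
    }
    if (-not $covered) {
        Write-Warning "$h is advertised by Exchange but is not a SAN on certificate $($cert.Thumbprint)"
    }
}
```

Any warning printed at the end names a URL that will still trigger the Outlook certificate error; either change that URL to the public name or add the name to the certificate (which, for a .local name, a public CA will refuse).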

Confirm Working

Run Test E-mail AutoConfiguration in Outlook again (restart Outlook first, as it reads the Service Connection Point at startup). The URLs listed for Exchange should now all use the public name, and the certificate warning should no longer appear.

THE END

Comments 12

  • You sir are an absolute life saver.

    Only found out about this issue 6 days before my cert was about to expire. Imagine my surprise when I tried to get the cert when presented with the non fqdn warning.

    Also used the split DNS workaround for my TS/RDP setup

    Again thank you sir

  • Thanks very much for this. It was a great help and worked flawlessly.

  • Thanks for this, I had been fighting this problem for hours before I found your concise explanation and fix. This fixed everything for me.

    A few typos in this though, under Exchange 2010 step 2 you have ” AutodiscoverServiceInternal Uri ” but you need to add a dash before Auto and remove the space before Uri.

    Also, you don’t need to create the whole external zone in DNS, you can just make the records you need as zones, e.g. “mail.contoso.com” then add an A record with no name and the IP you need. Then you don’t have to duplicate everything.

    Cheers!

  • Very impressive stuff. Got me out of a hole.

    Thanks

  • Hi

    What about ECP. What’s the command to change this?

    Thanks

  • I am glad to have found your article. However, the command set you gave returned the following error:

    [PS] C:\Windows\system32>Set-ClientAccessServer -Identity "SERVER1" AutodiscoverServiceInternalUri "https://remote.ourdomain.com/autodiscover/autodiscover.xml"
    A positional parameter cannot be found that accepts argument ‘AutodiscoverServiceInternalUri’.
    + CategoryInfo : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ClientAccessServer

    I would appreciate any help on this.

    Thank you,

    Jack

  • Never mind. I saw the parameter corrections above. Shocking that the error of not including the hyphen/dash in front of “Auto…” is also in the MS KB article.

    Thank you very much for your help.

    Sincerely,

    Jack

  • @Gary:

    First list the current Ecp url and copy the identity value:

    Get-OwaVirtualDirectory | select identity

    Now set the new Ecp url:

    Set-EcpVirtualDirectory -Identity owa (Default Web Site)> -InternalUrl /owa

  • @Gary:

    Copied the wrong lines out of my script, sorry.

    Here is the correct data:

    First list the current Ecp url and copy the identity value:

    Get-EcpVirtualDirectory | select identity

    Now set the new Ecp url:

    Set-EcpVirtualDirectory -Identity -InternalUrl

  • Will this allow Outlook anywhere to still function outside the organization?
