Hi All:

I'm needing to create a self signed certificate for OWA 2007. I'm
wanting to use my own certificate authority which is Microsoft
Certificate Services.

The common name (CN) for my certificate will be the URL that most
external users will access OWA 2007 with (webmail.companyname.com)

The internal computer name of the Exchange server (which also runs
webmail) is not webmail but is something else.

Unfortunately, when the certificate with the common name of
webmail.companyname.com is placed on the Exchange server, all my
Outlook 2007 internal clients start giving a certificate error.

I'm assuming this is because Outlook 2007 clients notice that the
Exchange server's certificate has the CN of webmail.companyname.com
which doesn't match the server's internal name on the network. This
internal name is the name that Outlook 2007 Autodiscover picks up on
to connect to the server with. So, since that internal name isn't
webmail, the Outlook clients start complaining but external users who
access OWA are fine because the names match.

So, I need a certificate with some subject alternate names (SAN).
However, I do not see a place in the Microsoft Certificate Services to
do this.

The closest thing looks like the Additional Attributes box that is
under Advanced Certificate Request/Submit a cert request by using base
64 encoded CMC, etc when accessing the URL http://servername/certsrv
where servername is my internal Microsoft CA.

Can I use the Additional Attributes to do SANs? Or can the Microsoft
Certificate Services not do this at all? Am I forced to go to a 3rd
party CA?

Thanks!
Drew

Re: subject alternate names by Andy

Andy
Sat May 10 15:24:30 CDT 2008

On Sat, 10 May 2008 15:44:52 -0400, Drew <drew@drew.com> wrote:

>
>Hi All:
>
>I'm needing to create a self signed certificate for OWA 2007. I'm
>wanting to use my own certificate authority which is Microsoft
>Certificate Services.

Yuck.

>
>The common name (CN) for my certificate will be the URL that most
>external users will access OWA 2007 with (webmail.companyname.com)
>
>The internal computer name of the Exchange server (which also runs
>webmail) is not webmail but is something else.
>
>Unfortunately, when the certificate with the common name of
>webmail.companyname.com is placed on the Exchange server, all my
>Outlook 2007 internal clients start giving a certificate error.

Yep.

>
>I'm assuming this is because Outlook 2007 clients notice that the
>Exchange server's certificate has the CN of webmail.companyname.com
>which doesn't match the server's internal name on the network. This
>internal name is the name that Outlook 2007 Autodiscover picks up on
>to connect to the server with. So, since that internal name isn't
>webmail, the Outlook clients start complaining but external users who
>access OWA are fine because the names match.

So change the internal name that autodiscover uses by changing the
AutoDiscoverServiceInternalUri attribute with the
set-clientaccessserver powershell command.


>
>So, I need a certificate with some subject alternate names (SAN).
>However, I do not see a place in the Microsoft Certificate Services to
>do this.

Don't know if you can. I would use a 3rd party certificate. Much less
hassle.

>
>The closest thing looks like the Additional Attributes box that is
>under Advanced Certificate Request/Submit a cert request by using base
>64 encoded CMC, etc when accessing the URL http://servername/certsrv
>where servername is my internal Microsoft CA.
>
>Can I use the Additional Attributes to do SANs? Or can the Microsoft
>Certificate Services not do this at all? Am I forced to go to a 3rd
>party CA?
>
>Thanks!
>Drew

Re: subject alternate names by Drew

Drew
Sat May 10 15:31:35 CDT 2008

On Sat, 10 May 2008 16:24:30 -0400, Andy David {MVP}
<adavid@pleasekeepinngcheesebucket.com> wrote:

>On Sat, 10 May 2008 15:44:52 -0400, Drew <drew@drew.com> wrote:
>
>>
>>Hi All:
>>
>>I'm needing to create a self signed certificate for OWA 2007. I'm
>>wanting to use my own certificate authority which is Microsoft
>>Certificate Services.
>
>Yuck.
>
>>
>>The common name (CN) for my certificate will be the URL that most
>>external users will access OWA 2007 with (webmail.companyname.com)
>>
>>The internal computer name of the Exchange server (which also runs
>>webmail) is not webmail but is something else.
>>
>>Unfortunately, when the certificate with the common name of
>>webmail.companyname.com is placed on the Exchange server, all my
>>Outlook 2007 internal clients start giving a certificate error.
>
>Yep.
>
>>
>>I'm assuming this is because Outlook 2007 clients notice that the
>>Exchange server's certificate has the CN of webmail.companyname.com
>>which doesn't match the server's internal name on the network. This
>>internal name is the name that Outlook 2007 Autodiscover picks up on
>>to connect to the server with. So, since that internal name isn't
>>webmail, the Outlook clients start complaining but external users who
>>access OWA are fine because the names match.
>
>So change the internal name that autodiscover uses by changing the
>AutoDiscoverServiceInternalUri attribute with the
>set-clientaccessserver powershell command.

But this internal name is already correct. If I change it to be
'webmail', won't that mess autodiscover up? Or will that be alright
since there's a DNS CNAME record pointing 'webmail' to the internal
name of the exchange server, which is EXCHANGE2007?


>
>
>>
>>So, I need a certificate with some subject alternate names (SAN).
>>However, I do not see a place in the Microsoft Certificate Services to
>>do this.
>
>Don't know if you can. I would use a 3rd party certificate. Much less
>hassle.
>
>>
>>The closest thing looks like the Additional Attributes box that is
>>under Advanced Certificate Request/Submit a cert request by using base
>>64 encoded CMC, etc when accessing the URL http://servername/certsrv
>>where servername is my internal Microsoft CA.
>>
>>Can I use the Additional Attributes to do SANs? Or can the Microsoft
>>Certificate Services not do this at all? Am I forced to go to a 3rd
>>party CA?
>>
>>Thanks!
>>Drew

Re: subject alternate names by Andy

Andy
Sat May 10 15:42:21 CDT 2008

>
>But this internal name is already correct. If I change it to be
>'webmail', won't that mess autodiscover up? Or will that be alright
>since there's a DNS CNAME record pointing 'webmail' to the internal
>name of the exchange server, which is EXCHANGE2007?
>

The AutoDiscoverServiceInternalUri is an attribute in AD. If you
change that to the FQDN that matches the cert, that's what the Outlook
2007 clients who are connected to the domain will attempt to connect
to.

http://support.microsoft.com/kb/940726




You can always change it back if you want :)


Re: subject alternate names by Drew

Drew
Sat May 10 17:09:44 CDT 2008


Gotcha!

So, if I change this attribute to point to webmail.companyname.com,
even though webmail is just an internal DNS CNAME or alias record
pointing to the Exchange server (and not the name of the actual
Exchange server), the Outlook clients should work okay with this?

Thanks for the help!
Drew


On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP}
<adavid@pleasekeepinngcheesebucket.com> wrote:

>>
>>But this internal name is already correct. If I change it to be
>>'webmail', won't that mess autodiscover up? Or will that be alright
>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>name of the exchange server, which is EXCHANGE2007?
>>
>
>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>change that to the FQDN that matches the cert, that's what the Outlook
>2007 clients who are connected to the domain will attempt to connect
>to.
>
>http://support.microsoft.com/kb/940726
>
>
>
>
>You can always change it back if you want :)

Re: subject alternate names by Andy

Andy
Sat May 10 17:47:56 CDT 2008

On Sat, 10 May 2008 18:09:47 -0400, Drew <drew@drew.com> wrote:

>
>Gotcha!
>
>So, if I change this attribute to point to webmail.companyname.com,
>even though webmail is just an internal DNS CNAME or alias record
>pointing to the Exchange server (and not the name of the actual
>Exchange server), the Outlook clients should work okay with this?

Yes, if that FQDN points to the client access server and matches the
cert, your Outlook 2007 clients should be able to find it and not
generate the cert error.
Also test to make sure the OOF dialog box opens correctly (follow
that KB and test).



>
>Thanks for the help!
>Drew
>
>
>On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP}
><adavid@pleasekeepinngcheesebucket.com> wrote:
>
>>>
>>>But this internal name is already correct. If I change it to be
>>>'webmail', won't that mess autodiscover up? Or will that be alright
>>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>>name of the exchange server, which is EXCHANGE2007?
>>>
>>
>>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>>change that to the FQDN that matches the cert, that's what the Outlook
>>2007 clients who are connected to the domain will attempt to connect
>>to.
>>
>>http://support.microsoft.com/kb/940726
>>
>>
>>
>>
>>You can always change it back if you want :)

Re: subject alternate names by roke-it

roke-it
Mon May 12 08:41:01 CDT 2008

Should you need to create a SAN cert in the future from your Windows CA refer
to http://support.microsoft.com/kb/931351 - you need to tweak the CA server
before it will give you the option of a SAN.

"Andy David {MVP}" wrote:

> On Sat, 10 May 2008 18:09:47 -0400, Drew <drew@drew.com> wrote:
>
> >
> >Gotcha!
> >
> >So, if I change this attribute to point to webmail.companyname.com,
> >even though webmail is just an internal DNS CNAME or alias record
> >pointing to the Exchange server (and not the name of the actual
> >Exchange server), the Outlook clients should work okay with this?
>
> Yes, if that FQDN points to the client access server and matches the
> cert, your Outlook 2007 clients should be able to find it and not
> generate the cert error.
> Also test to make sure the OOF dialog box opens correctly (follow
> that KB and test).
>
>
>
> >
> >Thanks for the help!
> >Drew
> >
> >
> >On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP}
> ><adavid@pleasekeepinngcheesebucket.com> wrote:
> >
> >>>
> >>>But this internal name is already correct. If I change it to be
> >>>'webmail', won't that mess autodiscover up? Or will that be alright
> >>>since there's a DNS CNAME record pointing 'webmail' to the internal
> >>>name of the exchange server, which is EXCHANGE2007?
> >>>
> >>
> >>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
> >>change that to the FQDN that matches the cert, that's what the Outlook
> >>2007 clients who are connected to the domain will attempt to connect
> >>to.
> >>
> >>http://support.microsoft.com/kb/940726
> >>
> >>
> >>
> >>
> >>You can always change it back if you want :)
>

Re: subject alternate names by Drew

Drew
Sat May 17 19:41:53 CDT 2008


Thanks for all the help Andy!

One last question. The below is from the KB article. The
CAS_ServerName field will be the internal NetBios name of my Exchange
server, and not webmail.companyname.com, right?

I'll replace mail.contoso.com with webmail.mycompanyname.com

Correct here?

Thank you!
Drew

2. Modify the Autodiscover URL in the Service Connection Point. The
Service Connection Point is stored in the Active Directory directory
service. To modify this URL, type the following command, and then
press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name
-AutodiscoverServiceInternalUri
https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the
following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS
(Default Web Site)" -InternalUrl
https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book
distribution. To do this, type the following command, and then press
ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web
Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this,
type the following command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging
(Default Web Site)" -InternalUrl
https://mail.contoso.com/unifiedmessaging/service.asmx






On Sat, 10 May 2008 18:47:56 -0400, Andy David {MVP}
<adavid@pleasekeepinngcheesebucket.com> wrote:

>On Sat, 10 May 2008 18:09:47 -0400, Drew <drew@drew.com> wrote:
>
>>
>>Gotcha!
>>
>>So, if I change this attribute to point to webmail.companyname.com,
>>even though webmail is just an internal DNS CNAME or alias record
>>pointing to the Exchange server (and not the name of the actual
>>Exchange server), the Outlook clients should work okay with this?
>
>Yes, if that FQDN points to the client access server and matches the
>cert, your Outlook 2007 clients should be able to find it and not
>generate the cert error.
>Also test to make sure the OOF dialog box opens correctly (follow
>that KB and test).
>
>
>
>>
>>Thanks for the help!
>>Drew
>>
>>
>>On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP}
>><adavid@pleasekeepinngcheesebucket.com> wrote:
>>
>>>>
>>>>But this internal name is already correct. If I change it to be
>>>>'webmail', won't that mess autodiscover up? Or will that be alright
>>>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>>>name of the exchange server, which is EXCHANGE2007?
>>>>
>>>
>>>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>>>change that to the FQDN that matches the cert, that's what the Outlook
>>>2007 clients who are connected to the domain will attempt to connect
>>>to.
>>>
>>>http://support.microsoft.com/kb/940726
>>>
>>>
>>>
>>>
>>>You can always change it back if you want :)

Re: subject alternate names by Drew

Drew
Sat May 17 20:19:36 CDT 2008


Andy:

Can't thank you enough for the help man. After following thru that KB
article, the Outlook 2007 clients are fine and the certificate is now
secured properly with a third party, GoDaddy, so all of the outside
clients no longer get an error.

I did notice that internally, if a user types https://webmail or
https://webmail/owa that they get a certificate error about mismatched
names. I guess that is because webmail doesn't match
webmail.mountairy.org. I doubt a user would ever do these two and
there is probably no good way of catching this one. So, no biggie.

I also noticed that if a user does the above 2 URLs but leaves off the
s in https, that they get redirected (as I had attempted) over to
https://webmail.companyname.com and thus no certificate errors.

Externally (which will be most webmail users), these two URLs don't
apply of course.

Thanks again so much for your help!

Drew



On Sat, 10 May 2008 16:42:21 -0400, Andy David {MVP}
<adavid@pleasekeepinngcheesebucket.com> wrote:

>>
>>But this internal name is already correct. If I change it to be
>>'webmail', won't that mess autodiscover up? Or will that be alright
>>since there's a DNS CNAME record pointing 'webmail' to the internal
>>name of the exchange server, which is EXCHANGE2007?
>>
>
>The AutoDiscoverServiceInternalUri is an attribute in AD. If you
>change that to the FQDN that matches the cert, that's what the Outlook
>2007 clients who are connected to the domain will attempt to connect
>to.
>
>http://support.microsoft.com/kb/940726
>
>
>
>
>You can always change it back if you want :)
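The whole thread turns on one check a TLS client makes: does the host name it connected to match a name presented in the server certificate? The example below is added here to illustrate that check; it is not code from Outlook, Exchange or the KB article, and it models certificates as plain dicts rather than parsing real X.509. It reproduces the three situations in the thread (a CN-only cert failing for the internal server name and for the bare "https://webmail" short name, and a SAN cert covering all of them), and also runs the InternalUrl host names from the KB commands Drew quoted against a cert to find any that are still not covered. The internal FQDN exchange2007.companyname.local is an assumption; the thread only gives the NetBIOS name EXCHANGE2007.

```python
"""Certificate name matching as a TLS client performs it (RFC 2818 /
RFC 6125 rules, simplified). Certificates are modelled as dicts with a
subject CN and an optional list of dNSName subjectAltName entries.
All certificate data below is constructed for illustration."""

from typing import Optional, List, Dict
from urllib.parse import urlparse


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one presented identifier with a host name.
    Case-insensitive; a single leading '*.' wildcard matches exactly one
    label, so '*.example.com' matches 'a.example.com' but not
    'example.com' or 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def presented_names(cert: Dict) -> List[str]:
    """Names the client compares against. When the cert carries any
    dNSName SAN entries they are used and the CN is ignored; only a cert
    with no SAN falls back to the subject CN. This is why the CN must
    itself be repeated in the SAN list when SANs are present."""
    sans = cert.get("san_dns") or []
    return list(sans) if sans else [cert["cn"]]


def cert_matches_host(cert: Dict, host: str) -> Optional[str]:
    """Return the presented name that matched `host`, or None when the
    client would report a name-mismatch certificate error."""
    for name in presented_names(cert):
        if _name_matches(name, host):
            return name
    return None


def uncovered_urls(cert: Dict, urls: List[str]) -> List[str]:
    """Given the InternalUrl values configured on a Client Access server,
    return those whose host name the certificate does not cover."""
    return [u for u in urls if cert_matches_host(cert, urlparse(u).hostname or "") is None]


# Constructed certificates mirroring the thread's setup.
CN_ONLY_CERT = {"cn": "webmail.companyname.com", "san_dns": []}
SAN_CERT = {
    "cn": "webmail.companyname.com",
    "san_dns": [
        "webmail.companyname.com",          # external OWA name
        "exchange2007.companyname.local",   # assumed internal FQDN
        "webmail",                          # bare short name; only an internal CA issues these
    ],
}

# InternalUrl values from the KB steps, with mail.contoso.com replaced as
# Drew described; the last one is a constructed leftover still pointing
# at the server's own name.
INTERNAL_URLS = [
    "https://webmail.companyname.com/autodiscover/autodiscover.xml",
    "https://webmail.companyname.com/ews/exchange.asmx",
    "https://webmail.companyname.com/oab",
    "https://exchange2007.companyname.local/unifiedmessaging/service.asmx",
]

if __name__ == "__main__":
    for host in ("webmail.companyname.com", "EXCHANGE2007.companyname.local", "webmail"):
        print(f"{host:32} CN-only: {cert_matches_host(CN_ONLY_CERT, host)!s:26} "
              f"SAN: {cert_matches_host(SAN_CERT, host)}")
    print("Not covered by CN-only cert:", uncovered_urls(CN_ONLY_CERT, INTERNAL_URLS))
    print("Not covered by SAN cert:    ", uncovered_urls(SAN_CERT, INTERNAL_URLS))
```

Two points the run makes visible: once a certificate carries SAN entries, the CN is no longer consulted, so a SAN cert that omits its own CN fails for that name; and the bare "webmail" short name Drew saw erroring can only be fixed by listing it as a SAN, which a public CA will not issue, so for that name the internal CA (or the http-to-https redirect he already had) is the only option.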