Monday, May 2, 2016

Getting Rid of The Annoying Certificate Warnings During Exchange Deployment

Hi folks,

As you all well know when installing Exchange 2010/2013 CAS role or 2016 Mailbox role into the AD site which already hosts Exchange servers and users you may hear your users complaining that they see certificate warning in their Outlook client. This is the a well know issue and the reason for this is that AutoDiscoverServiceInternalUri on the server contains the hostname of the server rather than FQDN of AutoDiscover service that is configured as a CN or SAN of a certificate. This is usually quickly resolved by configuring AutoDiscover and assigning to a server the appropriate certificate to IIS service on the CAS server.

I have recently read this post on TechNet blog. According to it not only AutoDiscover settings can contribute to this. As you know when Outlook talks to Autodiscover SCP it receives settings of Outlook endpoint along with all the virtual directories that will be in use by the client. Among them are also virtual directories for OAB and EWS. Should Internal and External URL to be set to the default value (which is server hostname) and not to the URL that is included into the certificate, the same annoying certificate warning will be displayed to your user community,

In the same post MS is suggesting by isolating Exchange servers into a separate AD site so that end users don't see new Exchange server and return it back to the production site after all the configuration is over. As you well know in order to define a new AD site you will need to configure a separate IP subnet, create a new AD site object and assign new subnet object to the site. It is a very good method if you don't have any constrains and both AD and Exchange are managed by the same group of people. However, when teams are different this may be troubleshome. Also don't forget that you may need additional range for IP addresses which will also involve networking team with all the joys related to their configuration and you will also need at least one global catalog for your deployment site. The latter can be easily achieved by visualization especially if you are using Windows 2012 as your DC OS, which really befriends AD with visualization.

If for some reason you can't afford configuration of a separate AD site you will need to immediately after installation of Exchange binaries configure Autodiscover along with all the virtual directories used by Outlook. Below is the code that you may use for this purpose. Please note that you will need to replace names of the AD sites as well as URLs with the one that are relevant for your environment.

Also you need to ensure that you have a file with certificate available in the path you have specified in the code for certificate configuration. This will ensure smooth ruining of script.

The sample code is as follows:

$Server = $(Get-WmiObject Win32_Computersystem).name

Set-ClientAccessServer -Identity $Server -AutoDiscoverSiteScope Site1, Site2 -AutoDiscoverServiceInternalUri

Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "" -ExternalUrl "" -RequireSSL:$true

Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "" -ExternalUrl ""

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path D:\Certs\CAS-cert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Enable-ExchangeCertificate -Thumbprint 1234567890123456789012345678901234567890 -Services IIS,IMAP,POP,SMTP


No comments:

Post a Comment