Before I begin, I've been all over TechNet and other forums in an attempt to understand our specific certificate problem and ultimately, to find resolution. Unfortunately, given the conflicting information I'm receiving between BPA and PowerShell with regard to the certificate problem and because I'm still learning our configuration, I'm unable to find anything definitive.
To offer some background on our environment. Currently we have a coexistence configuration, Exchange 2007 and Exchange 2010. The obvious end goal here is to fully migrate to Exchange 2010. I won't go into our 2007 environment as it holds no merit to the current issue. To that end, our Exchange 2010 client access is configured as follows:
6 Client Access Servers (all virtual). Each of these servers is load balanced via third party hardware. We have several array URLs. 3 of these URLs share the same IP address, 2 share another IP address, and 1 has a dedicated IP address.
mail.maindomain.com, activesync.maindomain.com, activesync.secondarydomain.com - shared IP
mail2.maindomain.com, mail2.secondarydomain.com - shared IP
mail.secondarydomain.com - dedicated IP
Each of these addresses is included in our SSL certificate. The primary subject name is mail.maindomain.com and each of the aforementioned are SANs.
The problem we seem to be facing ends with Autodiscover not functioning. We must manually enter mailbox information in Outlook 2007/2010 and mobile devices. According to PowerShell, the current AutodiscoverServiceInternalUri for each client access server is as follows:
https://mail2.maindomain.com/autodiscover/autodiscover.xml
The Conflicting Information:
When I test Outlook Autodiscover Connectivity via PowerShell, I receive an error stating:
"The certificate for URL https://servername.maindomain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of servername.maindomain.local, but the subject that was found is mail.secondarydomain.com. Consider correcting service discovery or installing a correct SSL certificate."
The way I understand this is that I need to correct the AutodiscoverServiceInternalUri to match the URL provided in the self-signed certificate (https://servername.maindomain.local/autodiscover/autodiscover.xml). Am I crazy here? That's a pretty straightforward message, right? Apparently not.
When I run Exchange BPA I receive the following error:
"The subject alternative name of SSL certificate for https://casservername.maindomain.local/owa does not appear to match the host address. Host address: casservername.maindomain.local. Current SAN: DNS Name=main.secondarydomain.com, DNS Name=mail2.secondarydomain.com, DNS Name=activesync.secondarydomain.com, DNS Name=mail.maindomain.com, DNS Name=mail2.maindomain.com, DNS Name=activesync.maindomain.com"
This one is a little confusing. On one hand I feel it's attempting to cite the same error from PowerShell and on the other hand, it's telling me that the SSL certificate needs to match the host address. I'm simply at a loss.
I feel there is one of a few things I need to do here:
1) Change the current AutodiscoverServiceInternalUri to https://casservername.maindomain.local/autodiscover/autodiscover.xml (match the self-signed certificate, although that feels like it completely goes against the idea of Autodiscover)
2) Change the current AutodiscoverServiceInternalUri to https://mail.maindomain.com/autodiscover/autodiscover.xml (to match the primary subject name in the SSL certificate)
3) Continue to research and find a better solution (this is where you guys come in).
Any help would be greatly appreciated!
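Added example, not part of the original post and not Microsoft's code: a read-only check you can run from the Exchange 2010 Management Shell that puts the two pieces of conflicting information side by side. Outlook validates the certificate against whatever host name is in the Autodiscover URI it is handed, so the thing to compare is the host portion of each CAS server's AutoDiscoverServiceInternalUri against the subject/SAN list of the certificate that has the IIS service assigned on that server. It assumes the IIS-assigned certificate is the one presented on the /autodiscover virtual directory (which is the case for a default install) and that the Exchange cmdlets are available in the session. The remediation line at the bottom mirrors option 2 above and is left commented out; `<casservername>` is a placeholder.

```powershell
# Added diagnostic example (not from the original post; written for the Exchange 2010
# Management Shell). For every Client Access server, read AutoDiscoverServiceInternalUri and
# check whether its host name appears in the subject/SAN list of each certificate that has the
# IIS service assigned on that server. Assumption: the IIS-assigned certificate is the one
# presented on /autodiscover, i.e. the one Test-OutlookWebServices is complaining about.

function Test-AutodiscoverUriMatchesCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Server
    )

    $cas     = Get-ClientAccessServer -Identity $Server
    $uri     = [System.Uri] "$($cas.AutoDiscoverServiceInternalUri)"
    $uriHost = $uri.Host

    # Only certificates that IIS is actually configured to use matter for Autodiscover.
    $iisCerts = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' }

    foreach ($cert in $iisCerts) {
        # CertificateDomains already merges the subject CN and every SAN entry.
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })

        $matched = $false
        foreach ($n in $names) {
            if ($n -ieq $uriHost) { $matched = $true; break }
            # A wildcard entry (*.example.com) covers exactly one label left of the dot.
            if ($n.StartsWith('*.') -and $uriHost.Contains('.')) {
                $uriParent = $uriHost.Substring($uriHost.IndexOf('.') + 1)
                if ($uriParent -ieq $n.Substring(2)) { $matched = $true; break }
            }
        }

        New-Object PSObject -Property @{
            Server          = $Server
            AutodiscoverUri = "$($cas.AutoDiscoverServiceInternalUri)"
            UriHost         = $uriHost
            Thumbprint      = $cert.Thumbprint
            IsSelfSigned    = $cert.IsSelfSigned
            Expires         = $cert.NotAfter
            CertNames       = ($names -join ', ')
            HostInCert      = $matched
        }
    }
}

# Report for every CAS server in the org. Rows with HostInCert = False are the server/URI
# combinations Outlook will reject as a name mismatch, whatever the certificate's issuer.
Get-ClientAccessServer |
    ForEach-Object { Test-AutodiscoverUriMatchesCertificate -Server $_.Name } |
    Format-Table Server, UriHost, HostInCert, IsSelfSigned, Thumbprint, CertNames -AutoSize

# Remediation matching option 2 in the post (point the URI at a name that is in the
# third-party SAN certificate), followed by a re-test. Commented out so the script stays read-only.
# Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri 'https://mail.maindomain.com/autodiscover/autodiscover.xml'
# Test-OutlookWebServices -ClientAccessServer <casservername> | Format-List
```

Reading the report against the two messages in the post: the PowerShell test reports the name it actually found on the certificate it was served, while BPA is evaluating the OWA URL built from the server's own FQDN; both are name-mismatch findings, and the report shows per server which name is on the wire and whether the URI host is among the certificate's names. If the self-signed certificate is the one with IIS assigned on a server, HostInCert will be False for any public name, which explains the first error.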