Certs, FQDNs, and weirdness

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Certs, FQDNs, and weirdness

    Hey guys.

    We have an Exchange 2003 server running on mail.ourdomain.com. Internally, when you browse to mail.ourdomain.com/exchange, you are prompted to log in and all is well. If you browse to ourdomain.com/exchange internally, you are prompted to log in once, then you are prompted to log in to mail.ourdomain.com, then you are in OWA (two logins... I don't understand where this comes from).

    I have configured both mail.ourdomain.com and ourdomain.com to point to our mail server in our external dns records.

    My problem is that, when I assign a public certificate to our root domain in IIS, if I assign it mail.ourdomain.com, it is valid internally, but not externally. If I just assign it to ourdomain.com, it is valid externally but not internally. Even when you browse to mail.ourdomain.com externally, and are directed to our mail server, the certificate appears invalid.

    Internally, when you browse to ourdomain.com/exchange, you eventually end up at mail.ourdomain.com (after that first phantom sign-in), and thus the certificate for ourdomain.com appears invalid.

    What is the best solution to this so that I can have one certificate valid internally and externally?

    Thanks for your time.

  • #2
    Re: Certs, FQDNs, and weirdness

    domain.com should really be pointing to your public web site, not to Exchange. More and more people don't bother with the www part of the domain (about a third of the hits to my web site are on the domain only without the www).
    Therefore your commercial certificate should be on host.domain.com and the DNS set up appropriately internally and externally for that to resolve.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Certs, FQDNs, and weirdness

      That works for me - internal and external DNS records are already set up to resolve mail.ourdomain.com to the Exchange server, so that is little work to accomplish.

      When IE checks to see if our certificate is valid, does it look at the dns lookup used to arrive at the page? For instance, if I were to make monkeys.ourdomain.com externally resolve to our exchange server and installed a certificate on that exchange server for monkeys.ourdomain.com, would that be seen as a valid certificate? Or does it need to be based on the actual name of the server?



      • #4
        Re: Certs, FQDNs, and weirdness

        You are correct. The "friendly" name of the certificate has to match the FQDN of the URL.

        CERT = mail.mydomain.com
        URL = https://mail.mydomain.com



        • #5
          Re: Certs, FQDNs, and weirdness

          Thanks Joe... but do the name on the cert and the URL have to match the hostname of the server? Or can I give the cert name and DNS record an arbitrary name (that still resolves to that server) and still have a valid cert? I guess the question is: does the server identify its name in some way that the certificate must match?



          • #6
            Re: Certs, FQDNs, and weirdness

            The real name of the server has no involvement in the name on the certificate with Exchange 2003. As long as it resolves and the clients are putting the correct name into the browser to match the common name on the certificate, then all will be well.

            Simon.
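The check Joe and Simon describe, written out as an added example (this is not code from the thread or from Exchange): the browser compares only the host part of the URL against the names carried in the certificate, so the server's own machine name never enters into it. The certificates below are constructed placeholder dicts in the shape Python's `ssl.getpeercert()` returns; `ourdomain.com` names are the thread's own. The SAN and wildcard cases go beyond what the thread discusses and show that a single certificate can list several names.

```python
# Added example (not from the thread): how a browser decides whether a
# certificate is valid for the name typed in the URL. Only the URL host and
# the names inside the certificate are compared; the server's own machine
# name never enters the check. Certificates below are constructed dicts in
# the shape Python's ssl.getpeercert() returns.


def _labels(name):
    """Normalise a DNS name: case-insensitive, ignore a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _match_one(pattern, hostname):
    """Match one certificate name against the URL host.

    A wildcard is honoured only when it is the whole left-most label
    (*.ourdomain.com) and covers exactly one label, so it matches
    mail.ourdomain.com but neither ourdomain.com nor a.b.ourdomain.com.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3:  # refuse *.com-style patterns
            return False
        return p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Names a client will consider: SAN dNSName entries if any, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    """True when the certificate is valid for the host in the URL."""
    return any(_match_one(name, hostname) for name in cert_names(cert))


# --- constructed certificates (placeholders, not real issued certs) ---
CERT_MAIL = {"subject": ((("commonName", "mail.ourdomain.com"),),)}
CERT_ROOT = {"subject": ((("commonName", "ourdomain.com"),),)}
CERT_MONKEYS = {"subject": ((("commonName", "monkeys.ourdomain.com"),),)}
CERT_SAN = {
    "subject": ((("commonName", "mail.ourdomain.com"),),),
    "subjectAltName": (("DNS", "mail.ourdomain.com"), ("DNS", "ourdomain.com")),
}
CERT_WILDCARD = {"subject": ((("commonName", "*.ourdomain.com"),),)}


def run_examples():
    """The scenarios from the thread, each as (certificate, URL host) -> valid?"""
    cases = {
        # post #1: the cert for mail.ourdomain.com is fine on that name ...
        "mail cert, mail URL": (CERT_MAIL, "mail.ourdomain.com"),
        # ... but shows as invalid once the browser lands on ourdomain.com
        "mail cert, root URL": (CERT_MAIL, "ourdomain.com"),
        "root cert, mail URL": (CERT_ROOT, "mail.ourdomain.com"),
        # posts #3/#6: any name works if DNS resolves and the cert carries it
        "monkeys cert, monkeys URL": (CERT_MONKEYS, "monkeys.ourdomain.com"),
        "case and trailing dot ignored": (CERT_MAIL, "MAIL.OurDomain.COM."),
        # beyond the thread: one cert listing both names in its SAN
        "SAN cert, root URL": (CERT_SAN, "ourdomain.com"),
        "SAN cert, mail URL": (CERT_SAN, "mail.ourdomain.com"),
        # beyond the thread: a wildcard covers exactly one label
        "wildcard, mail URL": (CERT_WILDCARD, "mail.ourdomain.com"),
        "wildcard, root URL": (CERT_WILDCARD, "ourdomain.com"),
        "wildcard, two labels": (CERT_WILDCARD, "a.b.ourdomain.com"),
    }
    return {label: hostname_matches(cert, host) for label, (cert, host) in cases.items()}


if __name__ == "__main__":
    for label, ok in run_examples().items():
        print(f"{'VALID  ' if ok else 'INVALID'}  {label}")
```

The "mail cert, root URL" case is exactly the original poster's symptom: the redirect from ourdomain.com/exchange ends on a name the certificate does not carry, so the browser flags it. Running `hostname_matches` with the constructed dicts shows that the machine's real hostname is not an input to the decision at all.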



            • #7
              Re: Certs, FQDNs, and weirdness

              Awesome. Thank you. That is what i was looking for.
