Exchange 2010 and Certificates

Exchange 2010 uses secure (SSL) communication for many of its key functions, both with clients and between its own server roles (inter-operationally, if that’s a term).

The MSExchange.org article linked at the bottom describes these functions in detail. Although it focuses on Exchange 2007, much (well, all) of it still applies to version 2010.

Here’s an excerpt:

There are several components in Exchange 2007 that rely on certificates for encryption, authentication or both. In this article I will provide you with an overview of the different Exchange components that use certificates. I will then go deeper into the features of the by-default generated self-signed certificate. In part 2 of this article I will cover the naming requirements of a certificate you need to keep in mind when getting your certificates. To end, in part 3 of this article I will take a closer look at the different Exchange Management Shell cmdlets that are available to create, manage, and remove Exchange certificates.

Full at – MSExchange.org

Certificate Principal Mismatch Errors

I ran the Exchange Best Practices Analyzer tool and it reported, among other things, a “Certificate Principal Mismatch” on one of the servers in my DAG.

Here’s what Microsoft has to say:

If the common name of the certificate does not match the URL that Analyzer used to access the resource, the tool issues a Certificate Principal Mismatch warning message. This means that users may not be able to connect to their mailboxes by using Microsoft Office Outlook® Web Access for Microsoft Exchange Server 2003, for Outlook Anywhere for Exchange Server 2007, for Exchange Server ActiveSync, or for RPC over HTTP.

In this scenario, users may repeatedly be prompted for credentials when they try to connect to Exchange, or users may receive the following error message when they try to connect to the Exchange resource…

Full at – Microsoft.com

The gist is that the certificate principal name configured on the Outlook provider (the msstd: value) must match a name on the certificate Exchange presents to clients; if it doesn’t, Outlook Anywhere clients will keep prompting for credentials or fail to connect.

Here are some PowerShell commands:

To view the current setting:

Get-OutlookProvider

To change the setting (EXPR is the provider Outlook uses when connecting to Exchange via Outlook Anywhere):

Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN used>"

For example:

Set-OutlookProvider EXPR -CertPrincipalName:msstd:email.yourdomain.com
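Rather than waiting for the Analyzer to flag the mismatch again, the check can be scripted. The following is an added example, not from the original post or from Microsoft: it runs in the Exchange Management Shell on an Exchange 2010 Client Access server, reads the msstd: name from the EXPR provider, and compares it with the names on every certificate bound to IIS (the Outlook Anywhere endpoint), alongside the Outlook Anywhere external host name. The function name, the wildcard-matching rule and the output fields are my own; the cmdlets and properties (Get-OutlookProvider, Get-OutlookAnywhere, Get-ExchangeCertificate, CertificateDomains, Services) are Exchange 2010’s.

```powershell
# Added example (not the post's own commands). Run in the Exchange Management
# Shell on an Exchange 2010 CAS. Reports, per IIS-bound certificate, whether the
# EXPR CertPrincipalName would be satisfied, so a "Certificate Principal
# Mismatch" can be found before users see credential prompts.
function Test-OutlookProviderCertPrincipal {
    # 1. The name Outlook Anywhere clients will insist on, e.g. "msstd:email.yourdomain.com"
    $principal = (Get-OutlookProvider EXPR).CertPrincipalName
    if ([string]::IsNullOrEmpty($principal)) {
        Write-Warning "EXPR has no CertPrincipalName set; nothing to compare."
        return
    }
    # Strip the msstd: prefix to get the bare host name that must appear on the cert
    $expected = ($principal -replace '^msstd:', '').Trim().ToLowerInvariant()

    # 2. The external host name Outlook Anywhere hands to clients; it normally
    #    equals the principal name, so it is reported alongside as a sanity check
    $oaHosts = @(Get-OutlookAnywhere | ForEach-Object { ([string]$_.ExternalHostname).ToLowerInvariant() })

    # 3. Every certificate enabled for the IIS service (OWA / EWS / Outlook Anywhere)
    $iisCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })
    if ($iisCerts.Count -eq 0) {
        Write-Warning "No certificate is enabled for IIS on this server."
        return
    }

    foreach ($cert in $iisCerts) {
        # CertificateDomains lists the subject CN plus any SAN entries.
        # Accept an exact match, or a wildcard entry covering exactly one extra
        # label (*.yourdomain.com matches email.yourdomain.com, not a.b.yourdomain.com).
        $names = @($cert.CertificateDomains | ForEach-Object { ([string]$_).ToLowerInvariant() })
        $matched = @($names | Where-Object {
            ($_ -eq $expected) -or
            ($_.StartsWith('*.') -and
             ($expected -match ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$')))
        })

        # New-Object PSObject keeps this working on the PowerShell 2.0 that
        # Exchange 2010's shell runs on
        New-Object PSObject -Property @{
            Thumbprint           = $cert.Thumbprint
            Subject              = $cert.Subject
            ExpectedName         = $expected
            MatchingName         = ($matched | Select-Object -First 1)
            PrincipalMatches     = ($matched.Count -gt 0)
            OutlookAnywhereHost  = ($oaHosts -join ', ')
            HostMatchesPrincipal = ($oaHosts -contains $expected)
            NotAfter             = $cert.NotAfter
            Expired              = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Usage: list every IIS-bound certificate and see which ones would trigger the
# Analyzer's mismatch warning (PrincipalMatches = False) or are past expiry
Test-OutlookProviderCertPrincipal | Format-List
```

A certificate whose PrincipalMatches field is False is the one the Analyzer is complaining about: either change the EXPR setting with Set-OutlookProvider to a name that is on the certificate, or request a certificate that carries the name clients actually use. HostMatchesPrincipal being False is worth a look too, since the Outlook Anywhere external host name and the msstd: value are normally the same name.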