Outlook Anywhere and Wildcard Certificates

Exchange 2007 changed the way Exchange uses certificates and introduced the Unified Communications certificate, which makes use of Subject Alternative Names (SANs). While this is the recommended way to secure Exchange services, every now and then I come across a customer that already owns a wildcard certificate for their entire domain (e.g. *.cgoosen.com) and would like to use that certificate instead.

One of the problems with wildcard certificates is that they don't always play nicely with Outlook Anywhere. If the principal name on the certificate does not match the mail server FQDN, Outlook's mutual authentication check may fail and the client may not authenticate correctly. When testing Outlook Anywhere connectivity with the Exchange Server Remote Connectivity Analyzer (ExRCA) you may see something like this:


Additional Details would be similar to this:

The certificate common name *.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com

The easiest way to correct this problem is to use Autodiscover to send the correct principal name to your Outlook clients. Use the Exchange Management Shell to configure the Autodiscover setting with the Set-OutlookProvider cmdlet.

You can check the existing configuration first by running the Get-OutlookProvider cmdlet.

The command should look something like this:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
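The following is an added example script, not part of the original post, that puts the check-then-set procedure above into one Exchange Management Shell session. It assumes the post's placeholder names (a wildcard certificate for *.domain.com and an Outlook Anywhere host name of mail.domain.com) and an Exchange Management Shell where Get-ExchangeCertificate, Get-OutlookProvider and Set-OutlookProvider are available; the variable names and the final verification step are mine.

```powershell
# Added example (not the post's own script). Assumes an Exchange Management Shell
# session and the post's placeholder names: wildcard certificate *.domain.com,
# Outlook Anywhere host mail.domain.com.

$expected = 'msstd:*.domain.com'

# 1. Confirm which certificate is actually bound to IIS, since Outlook Anywhere
#    runs over HTTPS; the Subject is what the msstd: string is checked against.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 2. Record the current EXPR (Outlook Anywhere) provider setting before touching it.
$before = Get-OutlookProvider -Identity EXPR
Write-Host "Current EXPR CertPrincipalName: $($before.CertPrincipalName)"

# 3. Publish the wildcard principal name via Autodiscover so Outlook's mutual
#    authentication string matches the certificate's common name. Only change
#    the setting when it is not already what we want.
if ("$($before.CertPrincipalName)" -ne $expected) {
    Set-OutlookProvider -Identity EXPR -CertPrincipalName $expected
}

# 4. Read the setting back and fail loudly if it did not take effect.
$after = Get-OutlookProvider -Identity EXPR
if ("$($after.CertPrincipalName)" -ne $expected) {
    throw "EXPR CertPrincipalName is '$($after.CertPrincipalName)', expected '$expected'"
}
Write-Host "EXPR CertPrincipalName is now $($after.CertPrincipalName)"
```

Outlook clients pick up the new value on their next Autodiscover refresh rather than immediately, so rerun the ExRCA Outlook Anywhere test after the change and expect the mutual authentication error to clear once clients have received the updated msstd: string.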
