Monday, April 25, 2011

Exchange 2007/2010 with Single Name SSL Certificate

One of the ongoing pain points in implementing Exchange 2007 and Exchange 2010 is the need for a SAN (Subject Alternative Name) certificate that covers several host names. Exchange 2007/2010 exposes web-based services for free/busy lookups, offline address book (OAB) downloads, and Autodiscover. By default it is assumed that the name clients use internally is different from the name used externally, and every one of those names has to be on the certificate. That is what drives the need for a certificate with multiple names.

From a technical perspective, this is fine. From a cost perspective it is less desirable. A SAN certificate costs roughly $350 per year from a Microsoft-supported vendor or about $80 per year from GoDaddy.

If you want to use an existing single-name SSL certificate, you can. You just need to change the service URLs so that the host name in every URL Outlook uses matches the one name on the certificate.

First, install your certificate in IIS on the web site hosting the Exchange services. In a standalone install of Exchange Server 2007/2010, these live in the Default Web Site. In SBS 2008, it is a site named SBS Web Applications.

There are a number of articles with the Exchange Management Shell syntax for setting the internal URL of the services Outlook needs when you have a single-name SSL cert. They recommend that you change the internal URL to match your external URL, something like https://mail.conexion.ca/OAB.

Here is the issue I just had. With the internal URL set to https://mail.conexion.ca/OAB on an SBS 2008 box, the client credentials were not automatically being passed to the web services; the user was being prompted for a login. I believe this is because a name that is not a single-label name is not considered part of the Intranet zone (think IE security zones), so the credentials cannot be passed on automatically. So we changed the URL to http://sites/OAB and all was good.

Two things to note about this:
  • SBS 2008 already had "sites" set up as a host header on the SBS Web Applications site. Otherwise, you would need to configure at least DNS resolution for that name (and a matching host header if the site is distinguished by one).
  • HTTP is used on the assumption that SSL is not required internally. We needed plain HTTP to be able to use a single-label name at all: had we used HTTPS with http://sites, the name would not match the certificate and users would get certificate warnings.
All told, this seemed a bit weird today, but this is what got the job done and the client working properly.
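The steps above, put together as an Exchange Management Shell script. This is an added example, not code from the original post; it assumes the names the post uses ("sites" as the single-label host header already bound to the SBS Web Applications site, mail.conexion.ca as the one name on the certificate) and a placeholder test mailbox. Autodiscover is kept on HTTPS with the certificate name because Outlook only queries Autodiscover over HTTPS, so that URL must match the certificate regardless of the intranet-zone behaviour.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on the
# SBS 2008 / Exchange server. Assumed names, taken from the post:
#   sites              - single-label host header already bound to SBS Web Applications
#   mail.conexion.ca   - the single name on the certificate installed in IIS
$server       = $env:COMPUTERNAME
$internalHost = "sites"                 # no dots: IE puts it in the Local intranet zone,
                                        # where Integrated Windows auth sends credentials silently
$certName     = "mail.conexion.ca"
$testMailbox  = "user@conexion.ca"      # placeholder: any mailbox you can test with

# 1. Make sure the single-label name resolves before pointing clients at it
#    ([System.Net.Dns] works on Server 2008; Resolve-DnsName is not available there).
try {
    $ips = [System.Net.Dns]::GetHostAddresses($internalHost) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$internalHost resolves to: $($ips -join ', ')"
} catch {
    throw "$internalHost does not resolve. Create a DNS A record for it (and a host header on the site if needed) first."
}

# 2. Virtual directories Outlook uses for OAB download and free/busy (EWS).
#    InternalUrl: plain HTTP on the single-label name, as in the post. IIS must NOT have
#    "Require SSL" enabled on these virtual directories or HTTP requests fail with 403.4.
#    ExternalUrl: HTTPS with the certificate name, so Outlook Anywhere clients still work.
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "http://$internalHost/OAB" `
                            -ExternalUrl "https://$certName/OAB"

Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "http://$internalHost/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$certName/EWS/Exchange.asmx"

# 3. Autodiscover: domain-joined Outlook finds it through the service connection point (SCP)
#    in Active Directory and always connects over HTTPS, so this name must match the certificate.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$certName/Autodiscover/Autodiscover.xml"

# 4. Verify the configuration as Outlook will receive it, then exercise it for one mailbox.
Get-OabVirtualDirectory -Server $server         | Format-List Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server        | Format-List Name, AutoDiscoverServiceInternalUri

# Test-OutlookWebServices probes Autodiscover, OAB and EWS for the mailbox; a certificate
# name mismatch or an authentication failure shows up as a failed step here.
Test-OutlookWebServices -Identity $testMailbox
```

If you would rather keep HTTPS on the internal URLs, the alternative to a single-label name is to put mail.conexion.ca into the Local intranet zone on the clients (for example via the Group Policy "Site to Zone Assignment List" setting); automatic logon then works for the fully qualified name too. That route is not the one the post took.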

The simple way is to just use a SAN certificate to begin with and avoid the weirdness. GoDaddy is not officially supported, but it does work. Otherwise, DigiCert is the cheapest of the officially supported certificate providers.
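For comparison, here is what the SAN route looks like from the Exchange Management Shell: one certificate request carrying every name Outlook may use, so internal and external names no longer have to be forced together. This is an added example, not from the original post; the host names (mail.conexion.ca, autodiscover.conexion.ca, the server's internal FQDN) and the organisation in the subject are assumptions.

```powershell
# Added example (not from the original post): generate a SAN certificate request that covers
# every name Outlook will use. Assumed names: mail.conexion.ca (external), autodiscover.conexion.ca
# (Outlook's DNS-based Autodiscover lookup for the domain), the server's internal FQDN and NetBIOS name.
$server = $env:COMPUTERNAME
$fqdn   = [System.Net.Dns]::GetHostEntry($server).HostName     # e.g. server.domain.local
$names  = @("mail.conexion.ca", "autodiscover.conexion.ca", $fqdn, $server)

# Exchange 2007 accepts -Path to write the request file directly. Exchange 2010 removed -Path and
# returns the Base64 request text, so capturing the output and saving it works on both versions.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.conexion.ca, O=Example Org, C=CA" `   # O= is a placeholder
    -DomainName $names `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName "Exchange SAN $(Get-Date -Format yyyy-MM)"
Set-Content -Path "C:\exchange-san.req" -Value $req

# Once the CA returns the signed certificate:
#   Exchange 2007: Import-ExchangeCertificate -Path C:\exchange-san.cer
#   Exchange 2010: Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\exchange-san.cer -Encoding Byte -ReadCount 0))
# Then bind it to IIS (and SMTP if wanted) and confirm every expected name is present:
#   Get-ExchangeCertificate -DomainName mail.conexion.ca | Enable-ExchangeCertificate -Services "IIS,SMTP"
#   (Get-ExchangeCertificate -DomainName mail.conexion.ca).CertificateDomains
```

The check of CertificateDomains at the end is the one that matters: every host name that appears in an InternalUrl, ExternalUrl or AutoDiscoverServiceInternalUri must be in that list, or clients will see the same certificate warnings the post is trying to avoid.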
