How to Configure Wild Card Certificate in Exchange Server 2013

You may experience certificate warning when using OWA and Outlook after you installed wild card certificate in your exchange organization. There are resolution available if you bing. Examples:

Certificate error message when you start Outlook or create an Outlook profile

SSL/TLS communication problems after you install KB 931125

“The name on the security certificate is invalid or does not match the name of the site”

This certificate with thumbprint 855951C368ECA4FF16AAAA82298E81B3F001BDED and subject ‘*’ cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint 855951C368ECA4FF16A33D82298E81B3F001BDED and subject ‘*’ cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

But root cause is not addressed in these articles. You are using wild card certificate * or incorrect certificate SAN in Exchange server. You have to configure autodiscover, owa and oab correctly to address these issues. If you are using incorrect SAN then you have to regenerate CSR, re-issue certificate and reconfigure Exchange certificate in Exchange EAC.

Check DNS record. You must have the following DNS record internally and externally for autodiscover to function correctly

Internal record

If your internal domain is domain.local then you must create a DNS zone with in your DNS server. DNS must be set to round-robin. 10.143.8.x Host (A) 10.143.8.y Host (A) 10.143.8.z CNAME 10.143.8.z CNAME

External Record 203.17.18.x Host A 203.17.18.x MX (lowest priority) 203.17.18.x CNAME 203.17.18.x CNAME

Let’s assume you have imported certificates in Exchange Administration Center. Now go to Exchange EAC>Click Servers>Click Certificates>Select Wild card certificate>Click Edit (Pen)>Services>Select IIS and SMTP>Click Save.

Now Open Exchange Management Shell using run as administrator. Copy the following cmdlets and amend per your domain and run these command.

Step1: Setup OWA

Set-OwaVirtualDirectory –Identity “ServerName\owa (Default Web Site)” –InternalUrl –ExternalURL

Setp2: Setup ActiveSync

Set-ActiveSyncVirtualDirectory –Identity “ServerName\Microsoft-Server-ActiveSync (Default Web Site)” –InternalURL –ExternalURL

Step3: Setup Outlook Anywhere

Set-OutlookAnywhere –Identity “ServerName\Rpc (Default Web Site)” –InternalHostname –ExternalHostName –ExternalClientAuthenticationMethod Basic –IISAuthenticationMethods Basic,NTLM


Set-OutlookAnywhere –Identity “ServerName\Rpc (Default Web Site)” –InternalHostname –ExternalHostName

Set-OutlookAnywhere –Identity “ServerName\Rpc (Default Web Site)” –ExternalClientAuthenticationMethod Basic

Set-OutlookAnywhere –Identity “ServerName\Rpc (Default Web Site)” –IISAuthenticationMethods Basic,NTLM

Step4: Setup Web Services Virtual Directory

Set-WebServicesVirtualDirectory –Identity “ServerName\EWS (Default Web Site)” –InternalURL –ExternalURL -BasicAuthentication $true

Step5: Setup Client Access URL

Set-ClientAccessServer –Identity ServerName –AutoDiscoverServiceInternalUri

OR depending on DNS record

Set-ClientAccessServer –Identity ServerName –AutoDiscoverServiceInternalUri

Step6: Setup ECP URL

Set-EcpVirtualDirectory –Identity “ServerName\ecp (Default Web Site)” –InternalURL –ExternalURL

Step7: Setup OAB

Set-OabVirtualDirectory -Identity “SERVERNAME\OAB (Default Web Site)” -ExternalUrl

Step8: Setup Certificate principal name for outlook

Set-OutlookProvider EXCH -CertPrincipalName msstd:*

Step9: Setup POP and IMAP with FQDN/CNAME of Mail Server

set-POPSettings -X509CertificateName

set-IMAPSettings -X509CertificateName

Now validate your settings. Issue the following cmdlets and checks FQDN and URLs are correct as issued earlier.

Get-WebServicesVirtualDirectory | Select InternalUrl, BasicAuthentication, ExternalUrl, Identity | Format-List

Get-OabVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ActiveSyncVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ClientAccessServer | Select Fqdn, AutoDiscoverServiceInternalUri, Identity | Format-List

Now Recycle App Pool. Open IIS Manager>Expand Application Pool>Select MSExchangeAutoDiscoverAppPool>Right Click and Recycle

Reboot exchange Server or issue iisreset command in exchange server to restart services. I have restarted my server. I will prefer a restart after these modifications.

Client side test.

  • Delete outlook profile
  • Make sure you use autodiscover to configure mail client
  • Do not manually configure outlook
  • Close IE. Reopen OWA and test OWA.

Last but not least update all exchange servers to latest Microsoft Windows Patch, Exchange Service pack and Exchange roll ups.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.