How to Configure Wild Card Certificate in Exchange Server 2013

You may see certificate warnings in OWA and Outlook after installing a wildcard certificate in your Exchange organization. Several resolutions come up if you search (Bing) for the error text. Examples:

Certificate error message when you start Outlook or create an Outlook profile

SSL/TLS communication problems after you install KB 931125

“The name on the security certificate is invalid or does not match the name of the site”

This certificate with thumbprint 855951C368ECA4FF16AAAA82298E81B3F001BDED and subject ‘*’ cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

This certificate with thumbprint 855951C368ECA4FF16A33D82298E81B3F001BDED and subject ‘*’ cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

But the root cause is not addressed in those articles: you are using a wildcard certificate * or a certificate with an incorrect SAN in your Exchange server. You have to configure autodiscover, OWA and OAB correctly to address these issues. If the SAN is incorrect, you have to regenerate the CSR, re-issue the certificate and reconfigure the Exchange certificate in the Exchange EAC.

Check your DNS records. You must have the following DNS records internally and externally for autodiscover to function correctly.

Internal records

If your internal domain is domain.local then you must create a DNS zone within your DNS server. DNS must be set to round-robin.

  • 10.143.8.x Host (A)
  • 10.143.8.y Host (A)
  • 10.143.8.z CNAME
  • 10.143.8.z CNAME

External records

  • 203.17.18.x Host (A)
  • 203.17.18.x MX (lowest priority)
  • 203.17.18.x CNAME
  • 203.17.18.x CNAME

Let's assume you have already imported the certificate in the Exchange Administration Center (EAC). Now go to EAC > Servers > Certificates > select the wildcard certificate > click Edit (pen) > Services > select IIS and SMTP > click Save.

Now open the Exchange Management Shell with Run as administrator. Copy the following cmdlets, amend them for your domain and run them.

Step 1: Setup OWA

Set-OwaVirtualDirectory -Identity "ServerName\owa (Default Web Site)" -InternalUrl -ExternalUrl

Step 2: Setup ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl -ExternalUrl

Step 3: Setup Outlook Anywhere

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -InternalHostname -ExternalHostname -ExternalClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,NTLM

Or apply the same settings as three separate commands:

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -InternalHostname -ExternalHostname

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -ExternalClientAuthenticationMethod Basic

Set-OutlookAnywhere -Identity "ServerName\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM

Step 4: Setup Web Services Virtual Directory

Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl -ExternalUrl -BasicAuthentication $true

Step 5: Setup Client Access URL

Set-ClientAccessServer -Identity ServerName -AutoDiscoverServiceInternalUri

or, depending on your DNS record:

Set-ClientAccessServer -Identity ServerName -AutoDiscoverServiceInternalUri

Step 6: Setup ECP URL

Set-EcpVirtualDirectory -Identity "ServerName\ecp (Default Web Site)" -InternalUrl -ExternalUrl

Step 7: Setup OAB

Set-OabVirtualDirectory -Identity "ServerName\OAB (Default Web Site)" -ExternalUrl

Step 8: Setup certificate principal name for Outlook

Set-OutlookProvider EXCH -CertPrincipalName msstd:*

Step 9: Setup POP and IMAP with the FQDN/CNAME of the mail server (a wildcard subject is not an FQDN, which is what the POP/IMAP warnings above complain about)

Set-POPSettings -X509CertificateName

Set-IMAPSettings -X509CertificateName

Now validate your settings. Run the following cmdlets and check that the FQDNs and URLs match what you set above.

Get-WebServicesVirtualDirectory | Select InternalUrl, BasicAuthentication, ExternalUrl, Identity | Format-List

Get-OabVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ActiveSyncVirtualDirectory | Select InternalUrl, ExternalUrl, Identity | Format-List

Get-ClientAccessServer | Select Fqdn, AutoDiscoverServiceInternalUri, Identity | Format-List

Now recycle the app pool: open IIS Manager > expand Application Pools > select MSExchangeAutoDiscoverAppPool > right-click > Recycle.

Reboot the Exchange server or run iisreset on the Exchange server to restart the services. I have restarted my server. I prefer a restart after these modifications.
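The whole procedure above (Steps 1 to 9, the validation and the app pool recycle) as one script. This is an added example, not code from the original post; EX01, mail.example.com, autodiscover.example.com and msstd:*.example.com are placeholders you replace with your own server and certificate names.

```powershell
# Added example, not from the original post: point every Exchange 2013 client access
# URL at one namespace that the wildcard certificate covers, then verify that nothing
# still references the .local name. Run in the Exchange Management Shell as
# administrator. The three values below are placeholders; change them first.
$Server    = "EX01"                      # placeholder: Exchange server name
$Namespace = "mail.example.com"          # placeholder: FQDN clients connect to
$AutoD     = "autodiscover.example.com"  # placeholder: autodiscover A/CNAME record

# Same URL inside and out, so the name must resolve on both internal and public DNS.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$Namespace/EWS/Exchange.asmx" -ExternalUrl "https://$Namespace/EWS/Exchange.asmx" -BasicAuthentication $true
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$Namespace/OAB" -ExternalUrl "https://$Namespace/OAB"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -InternalHostname $Namespace -ExternalHostname $Namespace -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,NTLM
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"

# '*' is not an FQDN, so POP/IMAP must be told which host name to present.
Set-PopSettings  -Server $Server -X509CertificateName $Namespace
Set-ImapSettings -Server $Server -X509CertificateName $Namespace
# Outlook accepts a wildcard certificate for Outlook Anywhere only via the msstd: form.
Set-OutlookProvider EXCH -CertPrincipalName "msstd:*.example.com"   # placeholder domain

# Validation: collect every URL and flag any that is not HTTPS on the namespace.
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) + @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server)
$urls = foreach ($vd in $vdirs) { $vd.InternalUrl; $vd.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($u in $urls) {
    if (-not $u) { continue }
    $uri = [Uri]$u
    if ($uri.Scheme -ne "https" -or ($uri.Host -ne $Namespace -and $uri.Host -ne $AutoD)) {
        Write-Warning "Still outside the certificate namespace: $u"
    }
}

# Recycle the autodiscover app pool so IIS picks up the change (WebAdministration module).
Import-Module WebAdministration
Restart-WebAppPool MSExchangeAutoDiscoverAppPool
```

Any URL the validation loop warns about is one a client will still be sent to under a name the wildcard certificate does not cover, which is exactly what produces the "name on the security certificate is invalid" prompt.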

Client side test.

  • Delete outlook profile
  • Make sure you use autodiscover to configure mail client
  • Do not manually configure outlook
  • Close IE. Reopen OWA and test OWA.

Last but not least, update all Exchange servers with the latest Windows patches, Exchange service pack and Exchange rollups.

Why should you not use a yourdomain.local domain?

Microsoft recommended the use of a .local domain when it released Microsoft Small Business Server (SBS). Microsoft also understood that an SBS customer might not have in-house expertise to manage an Active Directory domain and Exchange Server, and that SBS users would not have a proper firewall. Obviously Exchange autodiscovery and single sign-on for SharePoint and Lync Server were not in the picture at that time, so Microsoft recommended using a .local domain in Active Directory. Those who worked in SBS environments thought they could take that concept and implement a .local domain in any organization, which is a fundamental design flaw.

You have to understand that the .local domain is a concept from the past. Technology has changed a lot since then, and you should change with it. But when I visit clients I see that an old dog doesn't learn new tricks, which means their autodiscovery doesn't work. These clients end up with many issues, including blaming Microsoft. You should ask yourself whether you designed your Active Directory and DNS correctly. Why would you expect your autodiscovery to function correctly when your DNS is messy?

When you promote a new domain or a new forest, it is highly recommended that you use a registered domain name, for example. Again, those who worked in the SBS era will raise concerns about hacking, TLDs etc. I would address their concern by putting the question to them: did you design and configure a correct firewall and security in your corporate infrastructure? If not, you should hire a security professional who will address your concern. Simply promoting a yourdomain.local domain will not secure your domain; you will have a false sense of security that your Active Directory is safe, while in reality your corporate network might be open and vulnerable to hacking.

Here is why you should use a registered domain in Active Directory.

  • To implement correct Exchange autodiscovery
  • To discover the correct registered domain for SharePoint and Lync Server
  • To implement single sign-on
  • To install correct public certificates for Exchange, SharePoint and Lync. Note that public certificate authorities no longer issue certificates for .local names
  • To use the correct UPN of your registered domain
  • To set up correct local and public DNS
  • To design Active Directory correctly. You shouldn't use an SBS server as your model; Microsoft retired SBS for many reasons. The brutal truth is that Microsoft didn't want to lose the small customers who couldn't afford an open license or Software Assurance, so most SBS users got an OEM license through a hardware vendor or a reseller.
  • To follow the guidelines of IANA and IEEE when you deal with a domain.

What should you do if you already have a .local domain on an SBS server?

If your SBS server is SBS 2008, create an Active Directory DNS zone using your registered domain (example: ) and then add Host (A) records with PTR for webmail or mail and autodiscover in that zone. Create public DNS records for and (example registered domain). doesn't resolve after creating

This happens when is hosted with a third-party web hoster, not internally. There is an easy fix: create a DNS forwarder or conditional forwarder for your . Follow this URL to configure a conditional forwarder. For example, you can forward to the Google DNS server, the DNS server of your ISP, or the DNS server of the web hoster that is actually hosting . To find out who is hosting your website and their DNS records, go to , type and hit enter.
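The split-DNS situation just described, as an added example that is not from the original post. It assumes the placeholder names example.com, 8.8.8.8 (the Google DNS server the post mentions) and 203.0.113.10 for the hoster's www address, and adds the check a practitioner wants before creating the forwarder: a zone the server is authoritative for always answers before any forwarder, so the two fixes are mutually exclusive.

```powershell
# Added example, not from the original post. Scenario from the post: the registered
# domain (placeholder example.com) is hosted by a third-party web hoster, and an
# internal zone of the same name was just created for mail/autodiscover, so
# www.example.com stopped resolving inside. Run on the SBS 2008 DNS server as
# administrator; dnscmd.exe ships with the DNS Server role.
$PublicZone  = "example.com"     # placeholder: your registered domain
$UpstreamDns = "8.8.8.8"         # placeholder: Google DNS, your ISP, or the hoster's DNS
$WwwIp       = "203.0.113.10"    # placeholder: public IP of www, taken from
                                 #   nslookup www.example.com 8.8.8.8

# A locally hosted authoritative zone always answers before any forwarder, so a
# conditional forwarder for the same name would never be consulted.
$localZone = dnscmd /EnumZones |
    Select-String -Pattern ("^\s*" + [regex]::Escape($PublicZone) + "\s+(Primary|Secondary)")

if (-not $localZone) {
    # No internal copy of the zone: the conditional forwarder the post recommends.
    dnscmd /ZoneAdd $PublicZone /Forwarder $UpstreamDns
} else {
    # Split DNS: the internal zone is authoritative, so every public name clients
    # need (www here) must be copied into it with the hoster's IP.
    dnscmd /RecordAdd $PublicZone www A $WwwIp
}

# Verify from the server itself; both autodiscover and www must now answer.
nslookup "autodiscover.$PublicZone" 127.0.0.1
nslookup "www.$PublicZone" 127.0.0.1
```

Repeat the RecordAdd branch for any other public host (ftp, blog, and so on) that internal clients need, because nothing outside the internal zone will be resolved for that name.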

Further Study: