Wednesday, September 24, 2008

SSL Certificates and Outlook Anywhere with Exchange 2007 on Windows Server 2008

I have been setting up an Exchange 2007 server on Windows Server 2008. The drastic change in Exchange from the previous version, both in the administrative user interface and in the underlying infrastructure, is enough to make you second-guess your Exchange expertise. Running Exchange 2007 on top of Windows Server 2008 more than doubles the learning curve. Two main points gave me quite the headache, and I was able to overcome them with lots of research and patience: SSL certificates and Outlook Anywhere.

SSL Certificates

Exchange 2007 introduced a lot of new ways for the Outlook client to be set up and to connect quickly and seamlessly…for the end user. For the system administrator, however, one must purchase expensive, specialized certificates called Unified Communications Certificates (UCC), which allow more than one name in the certificate (Subject Alternative Names). For example, if your Exchange server is named “ex2007” you may need the following alternate names:

  • ex2007
  • ex2007.domain.local
  • autodiscover.domain.local
  • mail.domain.com
  • autodiscover.domain.com

Microsoft was kind enough to include a self-signed certificate that allows mail processing and other functions to work internally, but not externally. Generating the certificate request also requires you to get your hands dirty in the Exchange Management Shell, a superset of PowerShell. Since the server I was working on used split DNS, I considered getting a wildcard certificate instead of a UCC. Unfortunately, I read online that Exchange 2007 POP3 and IMAP do not support wildcard certificates, and neither do Windows Mobile devices. So I was about to give in and purchase a UCC when I saw a post saying that you can use an SRV DNS entry in your public DNS zone to get away with a regular single-name SSL certificate.

  • _autodiscover._tcp IN SRV 0 100 443 mail.domain.com.

By placing this record in your public DNS zone, the Outlook client’s Autodiscover lookup for autodiscover.domain.com is redirected to mail.domain.com. This allows OWA webmail, Outlook Anywhere, POP3S, IMAPS, and SMTPS to all use the same simple SSL certificate issued for mail.domain.com.
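To see the effect of that record concretely, here is an added example (not from the original post) that parses the SRV line above from a constructed in-memory zone, picks the target the way an SRV client does (lowest priority, then highest weight), and checks whether a given certificate's names cover that target, including the single-label wildcard rule that matters when comparing a `*.domain.com` certificate against `mail.domain.com`. The zone data and certificate name lists are constructed for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed zone data for domain.com, mirroring the SRV record in the post.
ZONE: Dict[str, List[str]] = {
    "_autodiscover._tcp.domain.com.": [
        "_autodiscover._tcp IN SRV 0 100 443 mail.domain.com.",
    ],
}

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(line: str) -> Tuple[int, int, int, str]:
    """Parse 'owner IN SRV priority weight port target.' into (priority, weight, port, target)."""
    m = SRV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SRV record: {line!r}")
    _, prio, weight, port, target = m.groups()
    return int(prio), int(weight), int(port), target.rstrip(".").lower()


def srv_target(zone: Dict[str, List[str]], domain: str) -> Optional[Tuple[str, int]]:
    """Pick the Autodiscover SRV target: lowest priority first, then highest weight."""
    records = [parse_srv(r) for r in zone.get(f"_autodiscover._tcp.{domain}.", [])]
    if not records:
        return None
    _, _, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target, port


def name_matches(cert_name: str, host: str) -> bool:
    """Exact match, or a leftmost '*' label that covers exactly one host label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".domain.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def cert_covers(cert_names: List[str], host: str) -> bool:
    """True if any CN/SAN entry on the certificate is valid for the host."""
    return any(name_matches(n, host) for n in cert_names)


def autodiscover_check(zone, domain, cert_names) -> Optional[Tuple[str, int, bool]]:
    """Return (host, port, covered) for the SRV-redirected Autodiscover endpoint."""
    target = srv_target(zone, domain)
    if target is None:
        return None
    host, port = target
    return host, port, cert_covers(cert_names, host)
```

The `covered` flag is the check worth scripting before buying a certificate: if it is False, the client will hit a name mismatch at the redirected host.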

TIP: Here is a tool to generate an EMS command for your certificate request: https://www.digicert.com/easy-csr/exchange2007.htm

Outlook Anywhere

Now that I had tackled the overly complicated certificate issue, I ran into a problem getting Outlook Anywhere to work. Outlook continually prompted me for my credentials and then told me that Outlook must be online or connected to complete this action. After reviewing the Exchange configuration settings hundreds of times and making sure they were set according to Microsoft’s specifications, I gave up. I assumed the unique setup I was working on just wouldn’t allow Outlook Anywhere to work. Then I noticed a Microsoft KB article highlighted in the msexchange.org newsletter: http://support.microsoft.com/default.aspx?scid=kb;en-us;954389&sd=rss&spid=10926. The article described the exact issue I was having in the exact scenario of my setup. I followed method 2 in the article and the issue immediately cleared up.

UPDATED:

Microsoft just released Exchange 2007 SP1 Rollup 4, which addresses the wildcard certificate problem (KB948896) as well as the Outlook Anywhere problem.
