Good Morning Tom!
Can you expand on this article with respect to having a site certificate that supports Subject Alternate Names? I noticed in the article that you've chosen two different website IPs with two different digital certificates.
Wouldn't this work with 1 IP and 1 certificate assuming that the certificate supports Subject Alternate Names?
I am not sure I understand why the client wouldn't be able to use SANs. There are 3 providers (probably more) that i know of that will be in the trusted certificate list (Verisign, Thwate, Godaddy, etc).
If I am publishing "mobile.E2K7domain.com" to 184.108.40.206 and "autodiscover.E2K7domain.com" to 220.127.116.11; all while using a wildcard cert, why wouldn't ISA 2006 properly setup the SSL and then pass it on to CAS?
1. I read your article and all other article on msExchangeTeam and msExchangeOrg and technet. To Publish Exchange 2007 with isa 2006, it maks never sense to take a UC Certificate or a Certificate with SAN's. Is this right? The Isa can only consume the first cn in the Cert, it is one Match, like a Normal cheap Webserver Certificate? All other Names in the Cert brakes the Isa. Is there a reason to take a SAN Cert instead to a Normal Cert when i publish ex07 with isa06?
Is a Fix for the ISA 06 SAN Problem in the pipeline? (I know the fix for the Outlook 2007, SRV Record)
2. Would it work when i publish all the Ex07 URL's with the autodiscover.doamin.com/owa ./rpc URL instead owa.doamin.com? With this i only need 1IP 1SSL Cert. It resolves all the problems?
Testing my planned upgrade to Exchange 2007, I've succesfully setup the CAS server. Internally, everything works fine, including the autodiscover function. But (there's always a but, isn't there?), externally, I am running into a weird problem.
Here's the case: The ISA 2006 resides in the 3rd party firewall DMZ, has a properly working SAN certificate and is not a domain member. It connects to the AD using RADIUS (for VPN) and LDAPS-GC (for FB).
What does work:
Outlook Web Access
Autodiscover Test from Outlook
What does not work:
Autodiscover in Outlook wizard
What seems to be the case here?
Having set up an Outlook Anywhere client manually, the clients logs on to the ISA server using Domain\User credentials, which work fine with both RADIUS and LDAP. When consequently testing the Autodiscover function, it runs fine, since the client has already been validated at the ISA server and is thus allowed to access the CASE\Autodiscover directory.
Setting up an Outlook Anywhere client from scratch, the client tries to login with the e-mail address ("email@example.com"), as submitted to the wizard. Easily traced using RADIUS, the domain controller that runs IAS rejects this authentication packages since the user is unknown ("firstname.lastname@example.org" instead of "User"). The client therefore cannot access the CAS\Autodiscover directory and fails to download the autodiscover.xml file.
My question, therefore, is:
How can I ensure the ISA server authenticates a requests from an Autodiscover wizard against RADIUS or LDAP?
Switched to LDAPS/GC, I've locked down the issue to an AD problem. The ISA server simply tries to authenticate to the domain controller using the exact credentials entered by the client. In this case, Outlook sends the e-mail address. I have been unable to solve this issue on the ISA Server.
I requested the hotfix, installed, rebooted the DC and retried - still the same issue. I then manually changed the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\to value 2 and retried: still no luck. Now I realise that the domain I am using to login with (.e.g. domain.com) is not exactly the same as the local domain (domain.local). I guess, therefore, my question has changed: how can I configure AD to accept login requests for a secondary domain?
It refers to here: http://support.microsoft.com/kb/243629, where you are told how to link a custom UPN to domain. Next, using the Exchange 2007 Management Console, you can edit a user's Account Details where you can change his UPN to enable authentication using his primary email-address, if different from the default domain. Please note that login with UPN only works with LDAP, not with RADIUS!
That issue being solved, there appears to be a new one:
Using Outlook wizard, the Autodiscover process runs fine, until it comes to the point where you need to login to the CAS server itself. Some users have laptops that are not domain members (I know, I know) and the Exchange OWA virtual dir allows only basic authentication. It works great in case of manual configuration, but using Outlook wizard, I cannot get beyond the point of authenticating against the CAS. I am running 2003 x64 so it's not an IPv6 issue, as is the case here: http://technet.microsoft.com/en-us/library/cc671176(EXCHG.80).aspx