Accepted domains in Exchange SAN certificate

Hi All,
I have a few queries; please clarify them for me.
In my environment, I have the accepted domains listed below:
xyz.com
abc.com
All the users in my organisation have the primary SMTP address [email protected] and the secondary SMTP address [email protected].
My SAN certificate does not contain any of the above accepted domains.
Do I need to have all the accepted domains on the SAN certificate, or is only the primary SMTP address domain suffix enough?
If I don't have any of my accepted domain suffixes in the SAN certificate, what will happen? I am asking because I am not getting any certificate-related errors.
As additional info, we are using a single namespace for Exchange services like OWA, ActiveSync, POP/IMAP and Outlook Anywhere (both internal and external), and that name is present in my SAN certificate.
The Autodiscover namespace is also included in my SAN certificate.
Thanks S.Nithyanandham

Hi Imkottees,
Thanks a lot for your immediate response.
But I still have some queries; please explain what you mean by this line:
"But you need this for all Primary domains used in your environment"
Regards
S.Nithyanandham
Thanks S.Nithyanandham

Similar Messages

  • Exchange SAN Certificate Help!

    Hello,
    I need some help in troubleshooting a problem I have with a customers’ Exchange 2007 server.
    I installed a new SSL SAN cert on their only Exchange server yesterday, and today users are receiving certificate name mismatch prompts when opening their Outlook 2007 clients.
    The previous cert had the local host name in the SAN cert, but given the changes around using local host names in certs soon to be implemented, I left these entries out this time around with the new cert.
    I already have a split horizon DNS zone within the local domain, which contains an A record for Autodiscover.
    So, the setup is as follows:-
    New SSL SAN cert:
    CN= mail.domain.co.uk
    SAN= autodiscover.domain.co.uk, owa.domain.co.uk
    Split horizon DNS zone: (within domain.local AD domain)
    autodiscover.domain.co.uk
    A record: autodiscover.domain.co.uk = IP of Exchange server
    The output from an Outlook client auto configuration test are listed below:
    <LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=TestUser1</LegacyDN>
          <DeploymentId>64a06c34-547e-44d8-8885-aa8fd530e2a1</DeploymentId>
        </User>
        <Account>
          <AccountType>email</AccountType>
          <Action>settings</Action>
          <Protocol>
            <Type>EXCH</Type>
            <Server>EXCHSRV01.domain.local</Server>
            <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01</ServerDN>
            <ServerVersion>72038053</ServerVersion>
            <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01/cn=Microsoft Private MDB</MdbDN>
            <PublicFolderServer>EXCHSRV01.domain.local</PublicFolderServer>
            <AD>EXCHSRV01.domain.local</AD>
            <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</EwsUrl>
            <OOFUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://EXCHSRV01.domain.local/UnifiedMessaging/Service.asmx</UMUrl>
            <OABUrl>http://EXCHSRV01.domain.local/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
          </Protocol>
          <Protocol>
            <Type>EXPR</Type>
            <Server>mail.domain.co.uk</Server>
            <SSL>On</SSL>
            <AuthPackage>Ntlm</AuthPackage>
            <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</EwsUrl>
            <OOFUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</OOFUrl>
            <OABUrl>http://mail.domain.co.uk/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
          </Protocol>
          <Protocol>
            <Type>WEB</Type>
            <External>
              <OWAUrl AuthenticationMethod="Fba">https://mail.domain.co.uk/owa</OWAUrl>
              <Protocol>
                <Type>EXPR</Type>
                <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </External>
            <Internal>
              <OWAUrl AuthenticationMethod="Basic, Fba">https://EXCHSRV01.domain.local/owa</OWAUrl>
              <Protocol>
                <Type>EXCH</Type>
                <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </Internal>
          </Protocol>
        </Account>
      </Response>
    </Autodiscover>
    As the SCP was originally pointing to the local fqdn of the Exchange server, I have amended the binding in ADSS so that the SCP now points to the autodiscover.domain.co.uk A record instead.
    I took this step because even with the internal URL for Autodiscover's virtual directory set to https://autodiscover.domain.co.uk/Autodiscover/autodiscover.xml this path was ignored and Outlook defaulted to the fqdn of the local server.
    I thought this might rectify the issue but to no avail.
    The security prompt when opening Outlook still references the fact that the EXCHSRV01.domain.local does not match the CN of the cert mail.domain.co.uk.
    Can anyone assist in troubleshooting this further?
    Regards
    Matt

    Hi Matt,
    We can run the following command to check your certificate settings in your Exchange server:
    Get-ExchangeCertificate | FL
    If your SAN certificate is assigned with IIS service, please change your internal URLs to match your SAN certificate names with IIS service. We can refer to the following KB to achieve Internal URLs changes:
    http://support.microsoft.com/kb/940726
    Thanks,
    Winnie Liang
    TechNet Community Support

  • SAN for accepted domain

    I'm absorbing a company into our Exchange and added them as an accepted domain. Their current certificate has the pretty standard mail and autodiscover SAN names. Currently RPC over HTTP is not working correctly, and that is to be expected since I pointed their DNS record for autodiscover to my server. I don't have autodiscover.theircompany.com in my certificate, so it's trying to resolve a name that doesn't exist. My question is, should I add a SAN name for autodiscover.theircompany.com to get RPC over HTTP to work correctly?
    My SAN names would then look like this: 
    mail.mycompany.com
    autodiscover.mycompany.com
    legacy.mycompany.com
    autodiscover.theircompany.com
    Would this be accurate or is there a better method?
    Thanks!

    Hi minor,
    you do not need to worry about SAN if you used the SRV record for autodiscover.
    http://blogs.technet.com/b/rmilne/archive/2014/10/02/how-to-check-exchange-autodiscover-srv-record-using-nslookup.aspx
    So if you already had
    mail.mycompany.com
    autodiscover.mycompany.com
    legacy.mycompany.com
    on your certificate, I suggest not adding another SAN entry; just create a new SRV record _autodiscover._tcp.theirdomain.com in your DNS zone with the following information:
    Service:  _autodiscover
    Protocol: _tcp
    Name:     theirdomain.com
    Priority: 10
    Port:     443
    Target:   mail.mycompany.com
    TTL:      10
    Priority and TTL need to be adjusted to your needs. So you can use your existing certificate also for the new domain.
    Regards,
    Martin
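The two threads above ask the same underlying question: which names must a SAN certificate carry when an Exchange organisation has several accepted domains? The accepted SMTP domain itself is never a certificate name; what matters is the hostnames clients connect to (the shared OWA/ActiveSync/Outlook Anywhere namespace, the Autodiscover name) and, for Outlook's DNS-based lookup, autodiscover.<domain> for each domain used in primary SMTP addresses, unless that domain publishes an _autodiscover._tcp SRV record pointing at a name already on the certificate, as Martin's reply suggests. The following PowerShell is an added example, not code from either thread or from Microsoft; the function names, parameter names and the sample data are this example's own choices, and it needs no Exchange cmdlets.

```powershell
# Added example (not from the thread): which hostnames must a SAN certificate cover?
# Function and parameter names are this example's own; the sample data is constructed.

function Test-SanMatch {
    param([string]$HostName, [string[]]$SanNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($entry in $SanNames) {
        $san = $entry.ToLowerInvariant()
        if ($san -eq $h) { return $true }
        # A wildcard entry covers exactly one label on the left: *.x.com matches a.x.com, not a.b.x.com
        if ($san.StartsWith('*.') -and $h.EndsWith($san.Substring(1)) -and
            ($h.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

function Get-MissingSanNames {
    param(
        [string[]]$ServiceNames,          # OWA/EAS/OA/EWS namespaces, internal and external
        [string[]]$PrimarySmtpDomains,    # domains that appear in primary SMTP addresses
        [string[]]$SrvRedirectedDomains,  # domains with an _autodiscover._tcp SRV record
        [string[]]$SanNames               # CN plus every SAN entry on the certificate
    )
    $required = @($ServiceNames)
    foreach ($domain in $PrimarySmtpDomains) {
        # Outlook looks up autodiscover.<primary SMTP domain>; an SRV record redirects that
        # lookup to a name that is already on the certificate, so no extra SAN entry is needed
        if ($SrvRedirectedDomains -notcontains $domain) { $required += "autodiscover.$domain" }
    }
    return @($required | Where-Object { -not (Test-SanMatch -HostName $_ -SanNames $SanNames) })
}

# Constructed sample: one shared namespace, two accepted domains, certificate as in the first question
$cert = @('mail.xyz.com', 'autodiscover.xyz.com')

# Only xyz.com is used for primary addresses; abc.com is a secondary suffix only: nothing is missing
Get-MissingSanNames -ServiceNames @('mail.xyz.com') -PrimarySmtpDomains @('xyz.com') `
    -SrvRedirectedDomains @() -SanNames $cert

# Some mailboxes get abc.com as their primary domain: autodiscover.abc.com is reported as missing ...
Get-MissingSanNames -ServiceNames @('mail.xyz.com') -PrimarySmtpDomains @('xyz.com', 'abc.com') `
    -SrvRedirectedDomains @() -SanNames $cert

# ... unless abc.com publishes _autodiscover._tcp.abc.com SRV -> mail.xyz.com, as the second thread describes
Get-MissingSanNames -ServiceNames @('mail.xyz.com') -PrimarySmtpDomains @('xyz.com', 'abc.com') `
    -SrvRedirectedDomains @('abc.com') -SanNames $cert
```

The first and third calls return nothing; the second returns autodiscover.abc.com. The practical consequence for the original poster is that no certificate error appears today because Outlook only ever connects to the shared namespace and to autodiscover.<primary domain>, both of which are on the certificate; the secondary address domain is never resolved to a hostname. The SRV record in Martin's reply works because Outlook, after an SRV redirect, validates the certificate against the SRV target name rather than against autodiscover.<domain>.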

  • Routing Email to Un-Accepted Domain Internally

    Hi All,
    This is a bit peculiar, but it's been bugging me for some time now. It's nothing I need to implement, just a concern to understand mail routing.
    I was able to route email to
    [email protected]
    back in Exchange 2003 to a mailbox hosted inside mydomain.com. I didn’t add the email domain to accepted domain as we say now.
    As per the reading and available information from MS for Exchange 2013, it is possible to route emails only if we add the email domain to the accepted domains list.
    Even the email policy will not let you save information if the domain is first not added in accepted domain.
    If you delete an accepted domain that's used in an email address policy, the policy is no longer valid, and recipients with email addresses in that SMTP domain will be unable to send or receive email.
    However adding
    [email protected]
    allowed as an additional SMTP address to MAILBOX ENABLED local user (I’m not talking about external contact or Mail Enabled user here)
    When typing
    [email protected]
    in a new email, the GAL resolves it and lets me send email to the local user. (Even if I hide the user I believe it will work.)
    I'm trying to understand what is happening here and why it is accepting the email addressed to gmail.com (delivering it to the local mailbox) instead of routing it out to the internet.
    Is there any reference to this in an MS article?
    Doing this in an accepted domain scenario makes sense, but how does it work without the domain in the accepted domain list? How does the categorizer work?
    My Findings:
    *The categorizer resolves the message sender by searching for the address in the ‘proxyAddresses’ attribute in Active Directory.
    *The categorizer also resolves the message recipients by searching for the addresses in the ‘proxyAddresses’ attribute in Active Directory.
    *The categorizer also checks to verify that the mail attribute exists in Active Directory, and stamps the mail attribute as the SMTP address.
    *For local delivery, the categorizer marks the recipient as local by setting a per-recipient property on a message indicating the destination server for each recipient.
    So,
    Q:If we don’t have domain mentioned in accepted domain, is exchange going to accept email for it at all?
    A: NO (Microsoft says)
    What I think what MS means is Accepted Domain basically refers to emails coming from outside the exchange, which will not be accepted.
    That would refer to the 'SMTP Receive' process of submission (from SMTP Receive through a Receive connector). But internal mail would use the other process of submission (through a transport agent), which would bypass the Accepted Domain check.
    Let me know your views and test results if you happen to test it.
    Regards,
    Satyajit
    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Hi Ed,
    Thanks for the clarification.
    This however gives arise to another doubt.
    How is NDR generated for non-existent internal email. Let me know if my understanding is correct.
    [email protected]
    1. Email is searched in AD for a matching EmailAddresses attribute. (None found)
    2. Next it goes to the Accepted Domain list and checks if it is authoritative for this domain (Yes: generates NDR; No: goes to the next step)
    3. Next it is routed to the Send Connectors for a possible match and sent; if nothing matched it is sent via the * Send Connector
    Regards,
    Satyajit
    Please “Vote As Helpful”
    if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command as described below to create a SAN Certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through the New-exchangecertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048'
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the algorithm type (Secure Hash Algorithm (SHA)) to generate the request. Personal opinion: we can create the certificate signing request using the Certificates MMC and then create a custom request as follows:
    1. Open MMC.exe. Click File >
    Add/Remove snap in…
    2. In the Available snap-ins tab, select Certificates >
    Add > Computer account > Local computer >
    Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In Action pane, click More Actions > All Tasks > Advanced operations > Create custom request.
    5. click Next > Proceed without enrollment policy > Next > Next.
    6. In Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In Private Key tab, expand Select Hash Algorithm, set the Hash Algorithm to
    sha256.
    9. Click OK > Next. Fill in File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support
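Peter asked for the certreq equivalent of his New-ExchangeCertificate command. The following PowerShell is an added example, not code from the thread or from Microsoft: it writes a certreq INF carrying the same subject and DNS names as the question, with HashAlgorithm set to sha256 so the request is signed with SHA-256, and then submits it to certreq. The file paths are placeholders; the subject values (aaaa, bbbb, ...) are the ones from the question.

```powershell
# Added example (not from the thread): certreq INF equivalent of the New-ExchangeCertificate
# request in the question, signed with SHA-256. Paths are placeholders.
$dnsNames = @('mail.domain.com', 'exchange.wps.domain.com', 'webmail.domain.com',
              'ews.domain.com', 'as.domain.com', 'oa.domain.com', 'oab.domain.com',
              'ps.wps.domain.com', 'autodiscover.domain.com')

# certreq takes the SAN extension (OID 2.5.29.17) as {text}, one "dns=name&" entry per line
$sanLines = ($dnsNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=mail.domain.com,OU=dddd,O=cccc,L=bbbb,S=aaaa,C=NL"
FriendlyName = "mail.domain.com"
HashAlgorithm = sha256
KeyAlgorithm = RSA
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath = 'C:\temp\certificate_Request.inf'   # placeholder paths
$reqPath = 'C:\temp\certificate_Request.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the key pair in the machine store and write the PKCS#10 request
certreq -new $infPath $reqPath

# Confirm the request is SHA-256 signed and carries every DNS name before sending it to the CA
certutil -dump $reqPath | Select-String 'Signature Algorithm', 'sha256', 'DNS Name'
```

Because the key pair is created outside Exchange, the CA's response has to be completed on the same server with certreq -accept <response file> before the certificate shows up in Get-ExchangeCertificate and can be assigned to services with Enable-ExchangeCertificate. KeySpec = 1 and KeyUsage = 0xA0 (digital signature plus key encipherment) match what an SChannel server certificate needs; MachineKeySet = TRUE keeps the private key in the computer store rather than the user's.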

  • Exchange 2010 accepted domain and email address policy

     So I need some help as to which accepted domain is right for us. We are a single forest single domain that is subbed to a parent domain.
    sub.domain.com
    We run our own exchange 2010 separate from domain.com.  We want all mail to show up as @domain.com for our users.  The @domain.com will be configured to forward to @sub.domain.com.  This is free Linux mail server that is separate from us.
    In order to configure an email address policy for @domain.com I need to pick from the 3 types.  I am pretty sure we are not authoritative for @domain.com (they are the parent).  So it is either an internal relay or external relay.  We all
    use the same networking, and our DNS servers point to domain.com as forwarders and they host a secondary copy of our DNS.
    It is a little unclear as to which to use.  I have gone to each account individually to test, and that works perfectly, but I would like to set this Globally.
    Thanks
    Tim

    Hello,
    Thank you for your post.
    This is a quick note to let you know that we are performing research on this issue.
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Simon Wu
    TechNet Community Support

  • How to force Outlook's Junk email filter to not filter Exchange 2010 SP1 accepted domains?

    Hello,
    I wonder if there really is no way how to reach the result described in the title question. Because
    http://support.microsoft.com/kb/2458522 says:
    This issue occurs because of a functionality change that is introduced in Exchange Server 2010 SP1. In Exchange Server 2010 SP1, domains that are configured as accepted domains are no longer allowed in the junk email lists of a mailbox.
    So please tell us Microsoft how can we force Outlook to accept internal domain as a trusted senders and not apply Junk email filter on it?
    There was already a long discussion about the steps here
    http://social.technet.microsoft.com/Forums/en-US/outlook/thread/15f857c6-0ed4-4004-9d90-cb5d16361752 so please don't offer anything described there.
    Thank you,

    Trying to deal with the Outlook Junk Email Filter is not very easy and had been a pain in the butt.
    The ONLY way to ensure the Outlook 2010 Junk Email filter honors "white listed" emails is to stamp the email with SCL -1. Setting a transport rule will do that but it is not very flexible. 
    I was able to resolve these issues by simply enabling the Exchange 2010 Anti-Spam agents on each hub transport server. We have no Edge Server but we use a couple of Ironports at the gateway which provide the bulk of AntiSpam. We didn't think we would
    need the Exchange AntiSpam so we hadn't initially enabled. After months of trying to resolve people's complaints of emails from internal system ending up in Junk, this solution worked for us.
    This is the order in which it was done.
    1. We set the receive connectors for the internal systems for bypassing Anti Spam. We basically have 2 receive connectors, one for internal system with no relay, and one for internal systems who are allowed external relay.
    Get-ReceiveConnector "server\name of the receive connector" | Add-ADPermission -User "NT Authority\Anonymous Logon" -AccessRights ExtendedRight -ExtendedRights ms-exch-bypass-anti-spam
    Note: If you use SMTP Authentication, Exchange will only mark the emails as "Internal" and not assign a SCL of -1. It can only be on anonymous connections.
    Note: We have a separate receive connector for the Ironports delivering external email that will not bypass Anti-Spam. These emails will receive a SCL rating of 0-9
    2. We set the global SCL to 6 (default is 4). You can set it to whatever you want.
    Set-OrganizationConfig -SCLJunkThreshold 6
    So basically, any email tagged with SCL 7-9 will be moved to Junk by Exchange.
    3. Set-ContentFilterConfig -SCLQuarantineEnabled $False -SCLDeleteEnabled $False -SCLRejectEnabled $False
    We don't want delete, reject or quarantine anything on Exchange. Just move email to Junk folder if SCL 7-9 and have user deal with it.
    4. Set the Internal SMTP Servers by adding each Exchange server's IP Address to the Global Transport Settings. I used EMC, Organization Config, Global Settings, Transport Settings properties, Message Delivery tab. Do NOT add any other "internal" servers here, only the Exchange servers.
    5. Then we installed the AS agents on each HT Server.
    Starting with the first server
    Stop MSExchange Transport service
    D:\Program Files\Microsoft\Exchange Server\V14\Scripts>.\install-AntispamAgents.ps1
    After installation, disable all the agents except for Content Filtering Agent. This agent has to be enabled for Exchange to stamp the email with SCL -1. I used EMC, Organization Config, Hub Transport. You will see a new tab called Anti-Spam. Disable everything except Content Filtering.
    Start MSExchange Transport service.
    Repeat on each HT server. (You won't have to repeat the disabling of the agents as that is a global setting)
    6. You can add global safe senders by doing the following.
    $list = (Get-ContentFilterConfig).BypassedSenders
    $list
    $list.add("[email protected]")
    $list.add("[email protected]")
    Set-ContentFilterConfig -BypassedSenders $list
    The message headers are stamped with
    For emails sent through the Internal connector
    X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass
    X-MS-Exchange-Organization-SCL: -1
    OR
    For external emails from a safe sender
    X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender
    X-MS-Exchange-Organization-SCL: -1
    OR
    For all other external emails
    X-MS-Exchange-Organization-SCL: 0
    Good Luck. This has basically stopped all the calls about "legitimate" email in Junk Email folder.
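The reply above lists the header stamps that tell you which path a message took (anonymous bypass on an internal connector, global safe sender, or ordinary content filtering) and sets SCLJunkThreshold to 6. The following PowerShell is an added example, not code from the reply or from Microsoft: it reads those X-MS-Exchange-Organization-* headers from raw header text and reports how a message would be handled under the settings the reply describes, which is a quick way to verify the configuration from a delivered message, or to explain to a user why something landed in Junk. The function name and the sample headers are constructed for this example.

```powershell
# Added example (not from the thread): classify a message from the anti-spam headers the
# reply lists, using the reply's SCLJunkThreshold of 6. Sample headers are constructed.

function Get-SclDisposition {
    param([string]$RawHeaders, [int]$SclJunkThreshold = 6)
    $scl = $null
    $report = ''
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -match '^X-MS-Exchange-Organization-SCL:\s*(-?\d+)') {
            $scl = [int]$matches[1]
        } elseif ($line -match '^X-MS-Exchange-Organization-Antispam-Report:\s*(.+)$') {
            $report = $matches[1].Trim()
        }
    }
    if ($null -eq $scl) {
        # No stamp at all: the Content Filter agent is not enabled on the hub that handled it
        return 'no SCL stamp: Content Filter agent not enabled on the receiving hub'
    }
    if ($scl -eq -1) {
        # -1 is the only value the Outlook junk filter honours as "trusted"
        switch -Wildcard ($report) {
            '*MessageSecurityAntispamBypass*'     { return 'trusted: connector bypasses anti-spam (SCL -1)' }
            '*ContentFilterConfigBypassedSender*' { return 'trusted: global safe sender (SCL -1)' }
            default                               { return 'trusted: SCL -1' }
        }
    }
    # SCLJunkThreshold moves messages whose SCL is greater than the threshold to Junk
    if ($scl -gt $SclJunkThreshold) { return "junk folder: SCL $scl exceeds threshold $SclJunkThreshold" }
    return "inbox: SCL $scl"
}

# Constructed header fragments matching the three cases in the reply, plus two edge cases
$samples = [ordered]@{
    'internal connector' = "X-MS-Exchange-Organization-Antispam-Report: MessageSecurityAntispamBypass`r`nX-MS-Exchange-Organization-SCL: -1"
    'safe sender'        = "X-MS-Exchange-Organization-Antispam-Report: ContentFilterConfigBypassedSender`r`nX-MS-Exchange-Organization-SCL: -1"
    'external clean'     = "X-MS-Exchange-Organization-SCL: 0"
    'external spammy'    = "X-MS-Exchange-Organization-SCL: 8"
    'no stamp'           = "Subject: message that never passed the Content Filter agent"
}
foreach ($name in $samples.Keys) {
    '{0,-18} -> {1}' -f $name, (Get-SclDisposition -RawHeaders $samples[$name])
}
```

The "no stamp" case is the one worth watching: the reply's note that bypass only produces SCL -1 on anonymous connections means that an internal system submitting with SMTP authentication, or a hub without the Content Filter agent, produces no SCL header at all, and Outlook then falls back to its own filter.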

  • Mail Receive from outside in Exchange server 2010 (Accepted Domain)

    Hello All
    We have two Exchange 2010 servers in the existing environment. In front of the two Exchange servers there is a McAfee firewall. This McAfee firewall receives mail from outside and sends it to the Exchange 2010 servers.
    For example, abc.com works well for sending and receiving mail through Exchange. Recently I added an accepted domain, bcd.com, but this accepted domain cannot receive mail from outside. I have configured the MX record, the accepted domain and also the mail point, but the problem is that mail cannot be received from outside the domain. I have also modified the receive connector several times, but abc.com works and bcd.com does not.
    Please suggest.
    Error:
    firewall.abc.com rejected your message to the following email addresses:
    [email protected] ([email protected])
    firewall.abc.com gave this error:
    <[email protected]>... Relaying denied
    Your message wasn't delivered due to a permission or security issue. The address may only accept email from certain senders or another restriction may be preventing delivery. For more tips to resolve this issue see
    DSN code 5.7.1 in Exchange Online. If the problem continues contact your help desk.

    Have you checked the SMTP protocol log on the Exchange server? Do you see the 5xx status code in the log when a message is sent to the @bcd.com domain?
    If you see the 5xx status code for that domain, check the "Accepted domains" and verify that you didn't make any typos in the domain name. If it looks okay then stop and start the transport service on the Exchange servers and retest.
    If you don't see the 5xx status message for that domain you should check the machine firewall.bcd.com and verify that it's configured to accept e-mail for the @bcd.com domain. I'm guessing that the firewall.bcd.com machine is acting as a SMTP proxy and not as a SMTP relay. However, if there are SMTP log files on that machine you should check them and see which IP address is returning the 5xx status message.
    --- Rich Matheisen MCSE&I, Exchange MVP

  • Remove various accepted domains (exchange 2007) from a list file via powershell

    hello!
    I'm a newbie with PowerShell and I'm trying to find out if it is possible to remove a lot of Exchange 2007 accepted domains from a CSV file using PowerShell.
    I want to delete the accepted domains contained in a CSV; it has only the domain names, and PowerShell requires the Name, which is different from the domain.
    example of accepted domain in my organization:
    Name                           DomainName                DomainType            Default
    Domain0001        
    domain1.com     Authoritative         False 
    Domain0002 hello1.com
    Authoritative False
    I've only a csv with domains name:
    domain.csv:
    Domain
    domain1.com
    hello1.com
    Deleting an accepted domain via PowerShell requires the Name, so I need to extract the Name first. I've tried this command and it works:
    Get-AcceptedDomain | Where{$_.DomainName -eq 'domain1.com'}
    This works only for one domain; I've a lot of domains to delete, so it's not viable.
    Now, i'm trying to launch this command without success:
    import-csv domain.csv | foreach {Get-AcceptedDomain | Where{$_.DomainName -eq '$_.Domain'}}
    Probably there is a syntax error, or maybe I just can't do it. 
    Any help? 
    Many thanks in advance!!

    Don't know what to tell you, then.  If I create a test file with that data, the Import-CSV works for me:
    @'
    Domain
    3414257440.domain.com
    domain1.domain.com
    '@ | Set-Content c:\testfiles\domain.csv
    $DomainNames =
    Import-CSV 'c:\testfiles\domain.csv' |
    Select -ExpandProperty Domain
    $DomainNames
    3414257440.domain.com
    domain1.domain.com
    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
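The poster's one-liner fails for two reasons: '$_.Domain' is in single quotes, so it is compared literally, and inside the Where block $_ is the accepted-domain object coming from Get-AcceptedDomain, not the CSV row. The following PowerShell is an added example, not the poster's or the replier's code: it captures the CSV value in its own variable before the inner filter, queries Get-AcceptedDomain once instead of once per row, and removes each match. It runs in the Exchange Management Shell; the CSV path is a placeholder and -WhatIf is kept on so the script only reports until you remove that switch.

```powershell
# Added example (not the poster's code): remove the accepted domains listed in a CSV.
# Runs in the Exchange Management Shell; the path is a placeholder.
$wanted = Import-Csv 'C:\temp\domain.csv' | Select-Object -ExpandProperty Domain
$all    = Get-AcceptedDomain   # one directory query instead of one per CSV row

foreach ($domain in $wanted) {
    # $domain holds the CSV value; $_ inside Where-Object is the accepted-domain object
    $match = $all | Where-Object { $_.DomainName.ToString() -eq $domain }
    if (-not $match) {
        Write-Warning "No accepted domain found for '$domain'"
        continue
    }
    if ($match.Default) {
        # The default accepted domain cannot be removed; change the default first if it must go
        Write-Warning "Skipping default accepted domain '$domain'"
        continue
    }
    Write-Host "Removing accepted domain '$($match.Name)' ($domain)"
    Remove-AcceptedDomain -Identity $match.Identity -Confirm:$false -WhatIf
}
```

Removing an accepted domain that an email address policy still references breaks that policy, as the Routing thread above quotes from Microsoft, so run with -WhatIf, check the reported names against Get-EmailAddressPolicy, and only then drop the switch.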

  • Exchange Server 2010 Accepted Domain

    Dear,
    I have the following environment:
    The company dominioA.com bought the company dominioB.com.
    Both companies have a mail system.
    Company A wants to standardize the environment and wants only the mail platform on Company A's Exchange 2010 mail servers to remain.
    Because there are many users, and the MX IP address also has to change, the company does not want to do it all at once.
    So I set up the following:
    An accepted domain was created for dominioB.com.
    An email address policy, which I think I will handle by creating the accounts in an organizational unit and changing their SMTP addresses to dominioB.com.
    Send-mail testing was done from those accounts to dominioA.com accounts and there were no problems.
    Send-mail testing was done from the dominioB.com account to an external account and it worked.
    Test mail sent from dominioA.com to dominioB.com began to bounce, because the mail server is in domain B and only the domain was created on the server. For this to work the MX must be changed, but the company wants to do it gradually.
    How can I do this?
    Waiting for your comments
    Thank You,
    Edwin Duran Ospina

    Hi,
    According to your description, I notice that you have two companies, Company A and Company B, and want to deploy only one Exchange server for mail flow.
    If I misunderstand your concern, please do not hesitate to let me know.
    If you want to deploy Only one Exchange server SMTP name for two company, I suggest we can deploy forest trust and linked mailbox for Company B’s user.
    More details about Deploy Exchange 2010 in an Exchange Resource Forest Topology, for your reference:
    https://technet.microsoft.com/en-us/library/aa998031(v=exchg.141).aspx
    Best Regards,
    Allen Wang

  • Use Different mailbox or same mailbox if setup two accepted domains in one Exchange Server 2010

    Hi,
    I want to know if I setup two accepted domain in one Exchange Server 2010, will it have another mailbox or use same mailbox?

    Hi,
    Based on my knowledge, to add a new name in the accepted domain list is to add a SMTP address suffix for the mailboxes. Thus, it uses the same mailbox if you setup two accepted domain in one Exchange Server 2010.
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Best Migration Method for Exchange 2007 with multiple accepted domains

    We are trying to determine which method would be best for us as we migrate to O365.  Scenario as follows:
    1) Multiple accepted domains (each in their own OU in AD); example: domainA.com, domainB.com
    2) Exchange is 2007; clients will be upgrading the Outlook 2013
    3) Would like to be able to sync mailboxes starting anytime but be able to cut over a domain at a time.
    Tested so far with staged migration but it appears that with this, there is a change in the TargetAddress sending all mail to the O365.  Even changing MXs didn't redirect the message as it reaches the Exchange box and immediately goes to O365.
    We haven't tried the cutover as we're only able to test with the production box and if that somehow cutover the entire box, we'd be .. well, it wouldn't be good.  
    Anyone had any experience so that our #3 point would be doable, that would be great.  
    Thx
    George

    Hi George,
    According to your description, I understand that the issue is related to Exchange migration from Exchange 2007 to Exchange Online for Office 365. This forum focuses on some general discussion about Office 365 ProPlus which
    is the version of Office that comes with many Office 365 plans. Therefore, I suggest we can post the issue in Microsoft Exchange Online (Office 365) forum for more professional suggestions:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=onlineservicesexchange
    Hope you can find the solution soon.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Configure Outlook Anywhere with 2 Accepted Domains?

    Hello everybody,
    I want to configure Outlook Anywhere for my Exchange organization. I have 2 accepted domains: domain1.com and domain2.com. Can you guide me through the best-practice procedure to enable it? How many certificates? What SANs should be included in the certificate?
    And how to publish it?
    Thanks
    Regards

    Hi Anas, OK, to start with, the way I do this is mentioned in the points below. Please check.
    1. Configure the second domain in my AD (Domains and Trusts) so users log in with their respective domain instead of all logging in to OWA or Outlook Anywhere from the parent domain.
    2. Configure internal DNS.
    3. Configure accepted domains.
    4. External DNS: public MX and A records.
    5. SSL would need autodiscover for sure, and if you want to protect the other domain (domain2) then I would do it in the manner below:
    autodiscover.domain1.com
    mail.domain1.com
    mail.domain2.com   (for both domains to have their own OWA or ECP)
    Let me know if this helps. Where do you want to publish, firewall or CAS? CAS would be easy; for a firewall, let me know which firewall.
    ****EDITED as per ED and MAS comments.. :)  thanks guys
    Mark as useful or answered if my replies helped you solving your query.
    Thanks, Happiness Always
    Jatin
    Skype: jatider2jatin, Email: [email protected]

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this TechNet article, but I couldn't understand the required values of SubjectAltName.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build following servers, what SAN needs ?
    It is happy to also tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please be assumed that above all servers join this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
    http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what a SAN needs from the part “Some SAN Basics” in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best Regard
    Vincent Han
    TechNet Community Support

  • Standard or UCC/SAN certificate for RDS

    I successfully deployed RemoteApp using a self-signed certificate.
    Now it is time to replace it with a trusted one.
    From what I found, a UCC/SAN certificate will allow me to secure subdomains, unique domains and websites.
    My RDS deployment is limited to one domain only.
    Does a wildcard certificate mean that during certificate creation on the trusted site (e.g. GoDaddy) I will have the option to enter:
    *.my_domain.com for a subject and then use it for any RDS server?
    So it will be just a standard certificate with a wildcard.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

    Hi,
    If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the
    same server you can purchase a single-name certificate, which is much cheaper than a wildcard. 
    If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
    For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request.  Fill out the information, select 2048 bits, etc., save as a file.  Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authority's web site.
    The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response.  You can usually follow those if you are unsure.
    Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to the Personal store, right-click on the certificate and export it and its private key as a .pfx file.  This is what you will use to apply the certificate in Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab.  You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
    -TP
