Federation with wildcard cert

Hi,
We have multiple SIP domains, and I am trying to reduce the number of certificates needed.
I use a wildcard cert for one of the domains for the Edge and reverse proxy.
It works fine to connect from outside etc. But federation is not working.
In the DNS SRV record _sipfederationtls._tcp.domain2.com I have put sip.domain2.com as the hostname, but it actually points to an address that has the wildcard cert for *.mydomain1.com.
Is there some way to make this work without buying many certs?

Hi,
It is not supported to use a wildcard certificate for the Edge Server external interface. You need a public SAN certificate to support federation. You can use a wildcard certificate for the Reverse Proxy.
For the other Server Roles on which a wildcard certificate can be used in a Lync Server environment, you can refer to the link below:
https://technet.microsoft.com/en-us/library/hh202161.aspx
Best Regards,
Eason Huang
TechNet Community Support

Similar Messages

  • Exchange 2010 - Virtual Directory Internal & External URLs with Wildcard Cert

    Hi Guys
    I am trying to determine if my Exchange 2010 server Virtual Directory URLs are set up according to best practice. I'm sure anyone with good Exchange experience will instantly be able to tell me if my Virtual Directory DNS is correct or could cause issues.
    Scenario:
    Hosted Exchange 2010 SP1. Multiple client mail domains hosted
    2x CA, 2x HT, 2x MB, 2x DC
    Wildcard *.example.co.za certificate being used on CA servers
    AD domain is he.example.za.net
    CA Server naming example: ca1.he.example.za.net, ca2.he.example.za.net
    he.example.net DNS is done by DC servers
    External name used by clients: outlook.example.co.za (For Outlook setup and OWA access)
    outlook.example.co.za has two A records pointing to the CA IPs
    PROBLEM/CONCERN:
    We have a random OWA log out issue that we believe might be due to ambiguous DNS names being used.
    If I change the Virtual Directories External URL to be the FQDN of the server, we get a Certificate Error in clients (due to the .co.za Wildcard). The external URL clients use must be on .co.za.
    So are the Virtual Directory URLs causing the CA servers to lose track of who is authenticated where (leading to OWA disconnection)? Is it fine to load balance the CA servers with the DNS the way we are doing currently? Any other issues you see?
    Current Virtual Directory settings:
    Note that they are identical on CA1 and CA2
    [PS] C:>Get-OabVirtualDirectory -server ca2 |fl *url
    InternalUrl : https://outlook.example.co.za/OAB
    ExternalUrl : https://outlook.example.co.za/OAB
    [PS] C:>Get-WebServicesVirtualDirectory -Server ca2 |fl *url
    InternalNLBBypassUrl : https://ca2.he.example.za.net/ews/exchange.asmx
    InternalUrl          : https://outlook.example.co.za/ews/Exchange.asmx
    ExternalUrl          : https://outlook.example.co.za/ews/Exchange.asmx
    [PS] C:>Get-ActiveSyncVirtualDirectory -Server ca2 |fl  *url
    MobileClientCertificateAuthorityURL :
    InternalUrl                         : https://outlook.example.co.za/Microsoft-Server-ActiveSync
    ExternalUrl                         : https://outlook.example.co.za/Microsoft-Server-ActiveSync
    [PS] C:>Get-EcpVirtualDirectory -Server ca2 |fl  *url
    InternalUrl : https://ca2.he.example.za.net/ecp
    ExternalUrl : https://outlook.example.co.za/ecp
    [PS] C:>Get-OwaVirtualDirectory -Server ca2 |fl  *url
    Url             : {}
    Exchange2003Url :
    FailbackUrl     :
    InternalUrl     : https://ca2.he.example.za.net/owa
    ExternalUrl     : https://outlook.example.co.za/owa
    [PS] C:>Get-AutodiscoverVirtualDirectory |fl *url, server
    InternalUrl :
    ExternalUrl :
    Server      : CA1
    InternalUrl : https://outlook.example.co.za/
    ExternalUrl : https://outlook.example.co.za/
    Server      : CA2
    REALLY APPRECIATE SOME EXPERT ADVICE. Thanks.

    Hi Kane,
    Why did you not use a CAS array to load balance client connectivity?
    If you create a CAS array, you can assign a virtual IP (VIP) to the CAS array FQDN (e.g. CASarray.example.za.net), and then point all the Virtual Directories' internal URLs to the CAS array FQDN.
    For external, you can point outlook.example.co.za to the VIP which has been assigned to the CAS array.
    I recommend you refer to the following article to understand CAS array:
    http://technet.microsoft.com/en-us/library/ee332317(v=exchg.141).aspx#CASarray
    http://blogs.technet.com/b/ucedsg/archive/2009/12/06/how-to-setup-an-exchange-2010-cas-array-to-load-balance-mapi.aspx
    http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
    Best regards,
    Niko Cheng
    TechNet Community Support

  • Help with wildcard cert

    I have been using a self signed cert with 100% success but we are going to start supporting outside devices. I am looking for a guide or something to help me. I have the PEM format keys from the Certificate Authority but not sure what to do now. RDS appears to be looking for pfx keys.
    Can someone point me in the right direction?

    So what I did was complete the certificate request. Then I exported that key, which provided me with the pfx file. I imported that into my RDS under RD Web Access. It says trusted and I get a little green lock.
    We do not have a gateway or plan on using it... All goes through the VPN so this setup should work.

  • Front End Services won't start with new cert, SChannel error about hostname

    We have an existing Lync 2013 Enterprise system set up, and many of the servers are using certs issued by our local CA. I want to move several of the certs to third-party certificates so that non-domain machines can connect. The first change I'm making is on our Edge pool. However, I'm having an issue. Here are the details:
    Our internal domain space is int.domain.com. Our external domain space is domain.com. Our Lync FE server is LS01.int.pool.com and our FE pool is pool01.int.domain.com. I have generated a CSR and requested a certificate from Globalsign with the following characteristics:
    SN: pool01.int.domain.com
    SAN: pool01.int.domain.com
    SAN: domain.com (wildcard)
    SAN: int.domain.com (wildcard)
    After applying the new cert using the topology builder, I've rebooted and the Lync Front-End Server service will no longer start. The following SChannel error is in the event logs:
    The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is ls01.int.domain.com. The SSL connection request has failed. The attached data contains the server certificate.
    After reverting back to the original local CA cert, the services start. The local cert has a ton of individual SANs set up but I was under the impression that the wildcard SANs were supported and would be ok for the hostnames.
    Why is it looking for my FE server name and not the pool? Is this an issue with my deployment, or is it with the cert? I'm not sure where to go from here.

    Hey Matt,
    As mentioned above, wildcards are only supported for Lync web services such as lyncdiscover, dialin and meeting URLs. It is OK to have wildcards in the certificate's SAN, but you must also specifically include the following:
    SN: pool01.int.domain.com (SN must be pool)
    SAN: pool01.int.domain.com (pool must also be included in SAN)
    SAN: lync-fe-001.int.domain.com (the machine name of your front end server)
    This should solve the issue for you.
    Andrew Morpeth
    Lync Server Specialist - Auckland, NZ
    Check out my blog

  • ISE 1.2 and WildCard Cert

    hello,
    I've found a great post from Aaron Woland about how to make/install/use a Wildcard certificate.
    http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise
    but there is something that was not answered by his post.
    Can I use a WildCard cert to register a node to an ISE deployment? Aka adding a Monitor only node to an admin only node:
    create CSR, receive Cert from CA, add CA root, bind cert to CA root, then export key, then import on Mon node, then try to register Mon node? My first test didn't go well.
    Any input would be appreciated

    Basant,
    I agree with what you are saying but it seems that your statement contradicts the write up on the Cisco user guide for 1.2, there are no limitations and one of the benefits stated by the doc is that you can use wildcard certs as a cost saving measure which will allow you to install the cert on all ISE nodes.
    I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
    Also the true benefit of a wildcard cert is where the CN is *.domain.com, you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com, I do not think that is a cost effective wildcard cert since the CN has the fqdn of the ISE node.
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
    Tarik Admani
    *Please rate helpful posts*

  • Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

    I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
    The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
    When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
    I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
    If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate. Which is odd as it just accepted it.
    If I untick the validate the client passes, if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
    Anyone got any ideas?

    I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to a client issue but not 100% sure sometimes.

  • Does Convergence + messaging server 6.3 support wildcard cert ?

    Hi all,
    We plan to purchase a wildcard cert to support our convergence & messaging server SSL connection.
    From the messaging guide provided, it stated we need to generate an individual private key & send it to the vendor to verify.
    What if we are using a wildcard cert, does it work in this case?
    Cheer
    ubd

    ubd wrote:
    > So means I generate 1 wildcard cert, then apply it to all other server SSL connections, or I need to generate individually?
    To use the same CA signed certificate (wildcard or otherwise) with multiple applications (Application Server and Messaging Server in this case) requires that the same private key be used across the applications. To this end you will need to export/import the certificate/keys between the applications using a utility such as pk12util.
    http://docs.sun.com/app/docs/doc/819-3671/ablrh?a=view
    http://docs.sun.com/app/docs/doc/819-4428/bgbbf?a=view
    Regards,
    Shane.

  • ISE 1.3 public wildcard cert

    Is it a good idea and common practice to just use a public CA for the wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices?
    Is it OK then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
    Or should we have a separate internal wildcard cert just for EAP-TLS? In this case, will ISE 1.3 allow me to have two wildcard certs with the same SAN (*.domain.com), one public, the other internal? The public one would apply to Web portals, and the internal one would apply to EAP-TLS.

    Hi Trevor-
    The use of Wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error. 
    However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
    I hope this helps!
    Thank you for rating helpful posts! 

  • RDS 2012 R2 best design possible with wildcard certificate

    Hi!
    I am looking for some guidance for my RDS 2012 R2 design flaw. 
    What I would like to achieve?
    *I would like my users either internal or external to be able to connect to RDWeb via one single webaddress ( remote.mydomain.com)
    What I have in place?
    1x Broker
    1x WebAccess
    1x Gateway (also license server)
    1x SessionHost
    1x Wildcard Certificate
    my internal domain is mydomain.local and external is mydomain.com
    I have tried ( http://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) without success.
    Any guidance here will be very helpful.
    cheers
    Elton

    Hi Elton
    I have a similar configuration working with 2012 R2. However, my config is slightly different, namely:
    2 x RDSH servers
    1 x all other roles (web, gateway etc).
    However, I am using a valid single URL cert on the gateway/web server, which is accessible using remote.domain.com. I did NOT replace the cert on the RDSH servers (using WMI), because you end up with 0x607 authentication errors if the certificate is not fully valid - correct name, trusted, and revocation information available. If you have purchased a commercial wildcard cert, this should work.
    I did some testing and concluded the following, may be of interest:
    If you are just using the farm for internal connections, you can use an internal CA, and create self signed certs for the gateway, and the RDSH servers. You could use individual certificates for the servers, wildcard or SAN certificates. Then you will have no errors when connecting from internal clients. This will not work from external clients however, even if you trust your root or issuing CA manually on the external client, because the revocation information will not be available to clients outside the domain or network, and you will get 0x607 authentication errors.
    If you are connecting from outside your network, you have 3 options:
    1. Use self signed certs created during the role installation, don't change any RDP certs on RDSH servers. Then manually place the gateway certificate in trusted root authorities on the external client.
    2. Purchase commercial certificates for the gateway, and optionally all of the RDSH servers. This will avoid any warnings. You could either use separate certs, wildcard or SAN. If you replace the certificates on the RDSH servers, they must be valid and match the names.
    3. Purchase just one certificate for the external URL for accessing the gateway, leaving the default self-signed certificates on the RDSH servers. This will mean that there is no warning when connecting to RDWeb, but there may be warnings when the connection establishes. I use this option with one free StartSSL certificate.
    To summarise, you can use either commercial or self signed for the RDWeb page. However, if you replace the certificate on the RDSH servers, this MUST be a valid commercial cert for external clients to be able to connect. Otherwise just leave it as self signed.
    In my case, I can use remote.domain.com from either outside or inside the network. So, I configure the deployment to use the external URL, and that URL works from inside too. This is because it resolves to the external address, so requests go out to the firewall and then back in again. This way you do not have to worry about the internal connections not using a matching URL as on the certs. Or, create an internal DNS record, so that remote.domain.com points to your internal address of the RDweb server. This should work as well.

  • Ironport email appliance : can i use a wildcard cert for TLS ?

    Hi all,
    We have 2 ironport C170 email appliances. I would like to use a wildcard SSL Cert from Digicert for TLS communication. I have 2 questions about it:
    1/ Is it possible to use a wildcard certificate on ironport?
    2/ Is there any known problem with wildcard certificates for TLS use?
    I found 2 (old) posts about that:
    https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
    http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
    Does anyone have experience with it?
    Thanks.

    My experience is that it works fine.
    If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
    eg. something like this:
    mx domain1.com  smtp.domain2.com
    mx domain2.com  smtp.domain2.com
    a smtp.domain2.com  x.x.x.x

  • Help! GoDaddy Wildcard Cert

    My organization has finally purchased a wildcard cert from GoDaddy to use on our servers across the board due to how newer browsers are being more vocal about using self signed certs.
    In going through the process of getting the cert issued I keep getting my CSR rejected by GoDaddy by following the instructions from what GoDaddy wants and how to create the CSR. Since I've only really used self signed certs to this point I'm not 100% sure if I am doing things correctly especially given that I'm kind of making some assumptions as my CSR export instructions are a little dated. Are there updated instructions for creating the CSR to a format that GoDaddy will like?
    Thanks!

    For creation these are helpful:
    http://www.digicert.com/csr-creation...consoleone.htm
    http://nl.globalsign.com/en/support/.../generate+csr/
    Example of a "subject name": .CN=*.domain.com.OU=IT.O=Name of your Organization.L=City.S=State.C=US
    You did NOT follow the proper steps to import the certificate (I know it from experience).
    Your only option now is to restore the certificate object that was used for the CSR from a good backup into eDirectory (I hope you have it...) and then do the following (exactly):
    http://www.digicert.com/ssl-certific...consoleone.htm
    Once done you can create a new certificate for each NW server & replace the public & private key with the Godaddy & your wildcard & point each instance of Apache to such certificate.
    The setup works beautifully (I have been using it for over 5 years now).
    As you can export .pfx from the certificate object with use of openssl you can use it just about anywhere else (but not in APC UPS devices!)
    Seb
    "marklar23" <[email protected]> wrote in message
    news:[email protected]...
    >
    > I made the CSR from NetWare. It looks like the last time that I tried
    > yesterday did take, I had to change the order of the CN and O in the
    > cert string. Now after I imported the certificate and try to validate
    > it, I get Invalid with Certificate Revocation List Invalid. Any
    > suggestions?
    >
    > AndersG;2014252 Wrote:
    >> Marklar23,
    >> > In going through the process of getting the cert issued I keep
    >> getting
    >> > my CSR rejected by GoDaddy by following the instructions from what
    >> > GoDaddy wants and how to create the CSR.
    >> >
    >> And do they say what is wrong with it? Also: Is this NetWare or Linux?
    >>
    >> - Anders Gustafsson (Sysop)
    >> The Aaland Islands (N60 E20)
    >>
    >>
    >> Novell has a new enhancement request system,
    >> or what is now known as the requirement portal.
    >> If customers would like to give input in the upcoming
    >> releases of Novell products then they should go to
    >> http://www.novell.com/rms
    >
    >
    > --
    > marklar23
    > ------------------------------------------------------------------------
    > marklar23's Profile: http://forums.novell.com/member.php?userid=5123
    > View this thread: http://forums.novell.com/showthread.php?t=419035
    >

  • Wildcard cert on WLC 4404 running 5.2

    Hi all
    I have a WLC with a cert on at the moment, it runs out in a few weeks.
    I want to replace the current cert with a wildcard cert.
    Will this be OK ?
    is it a cas     

    Hi,
    As per my experience: yes, it is supported.
    However, it seems there is still a problem with wildcard certificates if they are chained.
    Check these links:
    http://netboyers.wordpress.com/2012/03/06/wildcard-certs-for-wlc/
    Third party cert:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
    Regards
    Don't forget to rate helpful posts

  • CSS11506 - Wildcard cert ??

    We have a need to terminate multiple SSL websites on our CSS. So name1.test.com, name2.test.com, name3.test.com etc. The problem I have found is that I need to burn 1 public VIP per SSL connection b/c they all need to use tcp 443 inbound and point to their respective cert on the CSS. Is there any way to possibly generate a wildcard cert that matches only the last part of our domain name (events.test.com = *.test.com) and then get away with using only 1 VIP for the multiple sub domains??
    Thanks for your help.
    Cheers
    Dave

    CSS can use wildcard certificate just as it uses typical server certificates.
    If you are using the CSS to create the CSR, you would use a wildcard common name
    - A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would
    match a.example.com, foo.example.com, etc. but would not match
    example.com.
    Syed
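Several posts in this thread come down to the same check: does the name in the certificate actually cover the hostname the service presents? The opening question (an Edge with a *.mydomain1.com wildcard while domain2's _sipfederationtls SRV record points at sip.domain2.com), the Front End post (a cert with the pool name plus wildcards, while the service still expected ls01.int.domain.com explicitly), the IronPort answer (MX records for several domains all pointing at the one host the cert names), and Syed's rule directly above (a "*" only as the left-most component, so *.example.com matches a.example.com but not example.com) are all instances of it. The following is an added example, not code from any poster or from Lync, ISE or the CSS: it implements the matching rule and runs it over inputs constructed from the thread's hostnames. The "allow_wildcard=False" mode is an assumption that models roles which, as the Front End answer describes, need the server's own name listed explicitly.

```python
# Added example: check whether a certificate's names cover the hostnames a
# service presents, using the left-most-label wildcard rule. All hostnames
# and certificate name lists below are constructed from the thread's posts.

def hostname_matches(cert_name: str, hostname: str, allow_wildcard: bool = True) -> bool:
    """Return True if cert_name (a CN or SAN dNSName) covers hostname.

    A '*' is honoured only as the whole left-most label and matches exactly
    one label: *.example.com covers a.example.com, but not example.com and
    not a.b.example.com. With allow_wildcard=False only exact names count.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    if not allow_wildcard:
        return False
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire first label, no other label may contain
    # '*', and at least two fixed labels must follow (so *.com is refused).
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]) or len(cert_labels) < 3:
        return False
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def cert_covers(cert_names, hostname, allow_wildcard=True):
    """True if any CN/SAN entry in cert_names covers hostname."""
    return any(hostname_matches(n, hostname, allow_wildcard) for n in cert_names)


def missing_names(cert_names, required_hosts, allow_wildcard=True):
    """Hostnames from required_hosts that no name in the certificate covers."""
    return [h for h in required_hosts if not cert_covers(cert_names, h, allow_wildcard)]


def targets_covered(cert_names, targets):
    """Map each domain to whether the host its DNS record points at is covered.

    'targets' is {domain: hostname}, e.g. taken from _sipfederationtls SRV
    targets or MX targets.
    """
    return {domain: cert_covers(cert_names, host) for domain, host in targets.items()}


# --- constructed inputs modelled on the thread ---

# Opening question: Edge cert is only *.mydomain1.com, while domain2's
# _sipfederationtls._tcp SRV record points at sip.domain2.com.
EDGE_CERT = ["*.mydomain1.com"]
FEDERATION_SRV_TARGETS = {"mydomain1.com": "sip.mydomain1.com",
                          "domain2.com": "sip.domain2.com"}

# Front End post: pool name plus two wildcards, but the service expected the
# FE machine name ls01.int.domain.com as well (hostnames from that post).
FE_CERT = ["pool01.int.domain.com", "*.domain.com", "*.int.domain.com"]
FE_REQUIRED = ["pool01.int.domain.com", "ls01.int.domain.com"]

# IronPort answer: MX for both domains pointing at the one host the cert names.
MAIL_CERT = ["*.domain2.com"]
MX_TARGETS = {"domain1.com": "smtp.domain2.com", "domain2.com": "smtp.domain2.com"}

if __name__ == "__main__":
    print("federation:", targets_covered(EDGE_CERT, FEDERATION_SRV_TARGETS))
    print("FE, wildcard honoured, missing:", missing_names(FE_CERT, FE_REQUIRED))
    print("FE, explicit SAN required, missing:",
          missing_names(FE_CERT, FE_REQUIRED, allow_wildcard=False))
    print("mail:", targets_covered(MAIL_CERT, MX_TARGETS))
```

Run as-is it reports domain2.com as not covered for federation (sip.domain2.com is not under mydomain1.com, so no wildcard can help; the fix is to put the SRV target name in the cert, not to buy another wildcard), reports nothing missing for the Front End cert under browser-style matching but ls01.int.domain.com missing once an explicit SAN is required, and reports both mail domains covered because their MX records point at one host under the wildcard's domain.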

  • Importing Wildcard Cert into Web Server???

    Hi all, does anyone know how I can import a wildcard certificate, private key, & CA cert into the Sun Java Web Server?
    We have a wildcard certificate from DigiCert that I want to import into the web server. There are 3 files in total:
    The files are:
    1) The wildcard cert
    2) The DigiCert CA cert
    3) The private key
    I've been playing around with tools like certutil, pk12util, and the web server admin GUI but so far no success.
    Thanks in advance,
    Stewart

    The private key and cert files are in PEM format. The two certs were supplied to us by DigiCert. We are currently using these files with Apache without any problems.
    Now we want to use them with the Sun Java web server.
    I think I've successfully imported them as shown below:
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -L
    DigiCert Global CA - Entrust.net CT,,
    my-wildcard u,u,u
    # /opt/SUNWwbsvr7/bin/certutil -d /var/opt/SUNWwbsvr7/<instance-name>/config -K
    <0> my-wildcard
    In the web server admin gui, however, no certs are displayed.
    Stewart

  • Installing wildcard cert on ISE for HTTP/EAP

    I need to install a wildcard cert on ISE, but have no experience with wildcards. I have the *.domain certificate, but I am not sure of the process, and the Cisco docs add to the confusion. Am I supposed to generate a new CSR to give to the CA, or do I simply install the *.domain cert? I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, I don't know...
    Any assistance would be greatly appreciated

    If you are already in possession of the wildcard cert and the private key, then you don't need a CSR. You can simply import the certificate in ISE:
    1. Go to Administration > Certificates > Local Certificates >  Add > Import Server Certificate
    2. Use the "browse" buttons to point to the certificate file and private key
    3. Check "Allow Wildcard Certificates"
    4. Select the protocol that you want to use it for (EAP or HTTPS or both)
    5. Hit submit
    6. Go to Certificates Store
    7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
    Thank you for rating helpful posts!
