Exchange Hybrid Question...

  • Last Post 08 January 2016
kebabfest posted this 07 January 2016

Hi Guys,
I know this is a bit off topic, but I would put good money on a few people knowing whether I am on the correct path here. Turned up at a client site yesterday with a Hybrid Setup in which no Outlook clients were working. All users have been migrated to Office 365 with ADFS being used for SSO, so I was going to keep one Exchange Server for Administration Purposes. On closer inspection it looks like the original 3rd Exchange Certificate was expired. There had been another wildcard setup, but it obviously hadn't kicked in or something was wrong with it as the certificate chain could not be validated. In order to get them back up and running via their Outlook clients (all currently using OWA) I was going to do the following.

  • Setup new SSL Exchange Certificate with 3rd Party Certificate Provider
  • Refresh Hybrid Configuration with new Exchange Certificate
  • Refresh ADFS Setup
  • Add new Certificate to Federated Service and Proxy Server
  • Verify Auto discover
If there are any problems at this stage I will probably update the existing call with Microsoft.
Does anybody think I am missing anything and/or know any good easy to understand reference guides for Certificates, as I don't know much about certs?
Kind Regards,

SamErde posted this 07 January 2016

It sounds like you're on the right track, Eoin.
A good first step might be to find out why a new certificate was created instead of renewing the original cert. What differences are there between the two (different subject names, possibly?) and also importantly, why is the new one not validating?
For troubleshooting the new cert, you might want to try a free tool that is available on DigiCert's web site. It will troubleshoot and can sometimes automatically fix certificate installation issues for you. It actually helped me solve a problem when I had to do my own first Exchange certificate change.
It can't hurt to renew the old one, but you will still have to tell Exchange Server which cert to use for each service, which brings us back to the first question.


kebabfest posted this 07 January 2016

Thanks for your input Sam. I'll definitely use that tool.


kebabfest posted this 08 January 2016

Eventually found the problem which was an expired wildcard which had been used for the proxy.
I could have got away with redoing the federated service and proxy with a third party cert.
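The root cause in this thread (an expired wildcard on the Web Application Proxy that the Exchange-side renewal plan in the first post would not have touched) is the kind of thing that is quickest to find by asking each published endpoint which certificate it actually serves, rather than by reading certificate stores server by server. The script below is an added example, not code from the thread or from Microsoft: it opens a TLS connection to each hostname, keeps the handshake alive even when the certificate is bad so the certificate can be inspected, and reports expiry and chain status. The hostnames in `$Endpoints` are placeholders for the client's real Autodiscover, EWS/OWA and ADFS names; the `$WarnDays` threshold and the `NoCheck` revocation setting (so the check works from a workstation with no CRL access) are assumptions.

```powershell
# Added example: report the TLS certificate presented by each hybrid endpoint.
# Hostnames are placeholders; replace with the client's real published names.
$Endpoints = @(
    'autodiscover.contoso.example',   # Autodiscover (Exchange / hybrid)
    'mail.contoso.example',           # OWA / EWS / Outlook Anywhere
    'sts.contoso.example'             # ADFS federation service, reached via the WAP
)

function Test-EndpointCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30          # assumed threshold for "renew soon"
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so an expired or untrusted
        # cert is returned for inspection instead of aborting the connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # SNI uses $HostName, as Outlook/ADFS clients would

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk  = $chain.Build($cert)      # $false for expired, untrusted root, missing intermediate, etc.
        $now      = Get-Date
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays

        [pscustomobject]@{
            HostName    = $HostName
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft
            Expired     = ($cert.NotAfter -lt $now)
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            NeedsAction = ((-not $chainOk) -or ($daysLeft -lt $WarnDays))
        }
        $ssl.Dispose()
    }
    finally {
        $client.Close()
    }
}

# Run the check against every endpoint and surface the ones needing attention first.
$Endpoints |
    ForEach-Object { Test-EndpointCertificate -HostName $_ } |
    Sort-Object NeedsAction -Descending |
    Format-Table HostName, Subject, NotAfter, DaysLeft, Expired, ChainValid, ChainStatus -AutoSize
```

An endpoint whose row shows `Expired = True` or a `ChainStatus` such as `NotTimeValid` or `PartialChain` is the one to fix first, and because the thumbprint is reported per hostname, a proxy serving a different certificate from the Exchange server (as happened here) stands out immediately. To map each reported thumbprint back to where it is bound, compare it with `Get-ExchangeCertificate` on the Exchange server, `Get-AdfsSslCertificate` on the federation server, and `Get-WebApplicationProxySslCertificate` on the proxy.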