How many SANs do I need in the SSL certificate for multiple smtp domains in hybrid configuration scenario?

Answered (Verified)

Hello,

Let's assume the following scenario: we currently have three SMTP domains on premises:

  • domainA.com
  • domainB.com
  • domainC.com

These domains should be used in a hybrid configuration scenario. How many Subject Alternative Names (SANs) do I have to put into the SSL certificate for the hybrid configuration wizard? Is one enough for all domains, or do I need one SAN for each domain? This is very important for our configuration because we actually have more than 50 SMTP domains in use!

This question only refers to the hybrid configuration wizard, not to AD FS. AD FS is working fine with one normal SSL certificate.

Thanks for your help!

Denis

All Replies
  • Hi Denis,

    Thanks for your post. As far as I know, if the users have to use domain1.com or domain2.com as the primary address and also want to use these domains for federation, you need to use a SAN certificate and put autodiscover.domain1.com and autodiscover.domain2.com in. If you just want to use domain1.com and domain2.com to send/receive email, it's not necessary.

    As for this case, I'd like to double-check the information on this case and get back to you in 1-2 days.

    Thanks, Neo Zhu

  • Hi Neo Zhu,

    Thanks for your answer! In our scenario all domains are used as primary SMTP addresses by (different) on-premises and federated users, so the number of necessary SANs is very important for us. I suppose handling an SSL certificate with so many SANs is organizationally nearly impossible and could be a show stopper for us.

    I really appreciate your feedback!

    Thanks

    Denis

  • Hi Denis,

    I got the confirmation: the autodiscover certificate needs to include all the domain names (in this case, domainA.com, domainB.com and domainC.com) as SANs of the certificate.

    Thanks, Neo Zhu

  • Hello Neo Zhu,

    Thanks again for your answer! I understand that it is a requirement to include all domain names (which are used as primary SMTP addresses) in the SAN certificate.

    Could you give me some background information on why this is a requirement? Is it for the mail routing (SMTP TLS), for autodiscover of the Outlook client, or for autodiscover of the hybrid configuration wizard? Which component of Exchange / Office 365 needs the SANs in order to work correctly?

    I'm asking because a friend of mine got the multiple-domain scenario running without using a SAN certificate. He is using a normal SSL certificate without any SANs for three domains. Another friend failed with this scenario and needed to buy a SAN certificate in order to finish the hybrid configuration wizard.

    Thanks

    Denis

  • Hi Denis,

    The autodiscover certificate is used for the federation coexistence feature. For users who use a different domain in the cloud and need to query the f/b information on-premises, the autodiscover service helps do that. It's not related to mail flow.

    Thanks, Neo Zhu

    • Verified answer
  • Hi Denis,

    How are you? I'm writing just to make sure all the information was useful for you. If you have any questions, please feel free to post them here.

    Thanks, Neo Zhu

  • Hi Neo Zhu,

    Thanks for your answer again. I think I now understand the reason for the requirement. As far as I know there are three different Autodiscover types with Office 365:

    1. Autodiscover for the Hybrid Configuration Wizard
    2. Autodiscover from the client to detect its own e-mail settings
    3. Autodiscover of the client to detect f/b information of the recipients

    1 &amp; 2 work well with Autodiscover DNS CNAMEs or SRV records pointing to a commonly used SSL certificate, but number 3 needs an SSL certificate (CN or SAN) for the on-premises recipients' domain(s).

    Thanks for your help!

    Denis

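The practical follow-up to the thread is checking, before the Hybrid Configuration Wizard is run, whether the certificate you already have covers autodiscover.<domain> for every accepted SMTP domain (the names Neo Zhu's first reply asks for), so that a 50-domain organisation finds out up front which names are missing. The script below is an added example and not code from the original thread or from Microsoft. It assumes you have extracted the certificate's SAN list with `openssl x509 -in cert.pem -noout -ext subjectAltName` (the `-ext` switch needs OpenSSL 1.1.1 or later); the SAN text and the accepted-domain list embedded here are constructed sample data, not a real certificate. Matching follows the RFC 6125 wildcard rule (a `*` stands for exactly one leftmost label), which is why `*.domainB.com` covers `autodiscover.domainB.com` but not `autodiscover.eu.domainB.com`.

```python
"""Check an Exchange hybrid / Autodiscover certificate against accepted SMTP domains.

Added example: parses the DNS entries from openssl's subjectAltName dump and
reports which domains lack a SAN covering autodiscover.<domain>.
"""
import re

# Constructed sample of what
#   openssl x509 -in cert.pem -noout -ext subjectAltName
# prints for a hypothetical certificate (not a real certificate).
SAMPLE_OPENSSL_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:mail.domainA.com, DNS:autodiscover.domainA.com, DNS:*.domainB.com, IP Address:192.0.2.10
"""

# Constructed accepted-domain list: the three domains from the thread plus a
# sub-domain, to show that a wildcard covers only one label.
ACCEPTED_DOMAINS = ["domainA.com", "domainB.com", "domainC.com", "eu.domainB.com"]


def parse_san_dns_names(openssl_text):
    """Return the DNS: entries of an openssl subjectAltName dump, lower-cased.

    IP Address:, email: and other SAN types are ignored; only dNSName entries
    can satisfy a hostname check.
    """
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def san_matches(pattern, hostname):
    """RFC 6125 style comparison of one SAN entry against a hostname.

    Exact (case-insensitive) match, or a pattern whose leftmost label is a bare
    '*' that stands for exactly one label of the hostname. '*.com' is rejected
    because a wildcard must leave at least two labels to its right, and a '*'
    anywhere else in the pattern is rejected too.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # Same label count (the '*' consumes exactly one label) and identical suffix.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def autodiscover_coverage(san_names, domains):
    """Map each accepted domain to the SAN entry covering autodiscover.<domain>,
    or None when nothing in the certificate covers it."""
    coverage = {}
    for domain in domains:
        host = "autodiscover." + domain
        coverage[domain] = next((s for s in san_names if san_matches(s, host)), None)
    return coverage


def missing_autodiscover_sans(san_names, domains):
    """Sorted list of accepted domains whose autodiscover name is not on the certificate."""
    return sorted(d for d, san in autodiscover_coverage(san_names, domains).items() if san is None)


if __name__ == "__main__":
    sans = parse_san_dns_names(SAMPLE_OPENSSL_SAN_OUTPUT)
    for domain, san in autodiscover_coverage(sans, ACCEPTED_DOMAINS).items():
        print("autodiscover.%s: %s" % (domain, san or "NOT COVERED"))
    print("Domains to add to the SAN request:", missing_autodiscover_sans(sans, ACCEPTED_DOMAINS))
```

On the sample data the report shows `domainA.com` covered by its explicit SAN, `domainB.com` covered by the wildcard, and `domainC.com` and `eu.domainB.com` flagged as missing. Feeding it the real openssl output and the output of `Get-AcceptedDomain` from the on-premises Exchange shell gives the list of names to put into the next certificate request; the Common Name is only consulted when a certificate has no SAN extension at all, so a certificate that carries SANs must list every required name there.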