Let's assume the following scenario: we currently have three SMTP domains on premise
These domains should be used in a hybrid configuration scenario. How many Subject Alternate Names (SAN) do I have to put into the SSL certificate for the hybrid configuration wizard? Is one enough for all domains or do I need one SAN for each domain? This is very important for our configuration because we actually have more than 50 SMTP domains in use!
This question only refers to the hybrid configuration wizard, not to AD FS. AD FS is working fine with one normal SSL certificate.
Thanks for your help!
Thanks for the feedback.
The autodiscover certificate is working for the federation co-existence feature. For users who use a different domain in the cloud and need to query the f/b information on local, the autodiscover service will help to do that. It's not related to the mail flow.
Thanks, Neo Zhu
Thanks for your post. As far as I know, if the users have to use domain1.com or domain2.com as the primary address and also want to use these domains for federation, you need to use a SAN certificate and put autodiscover.domain1.com and autodiscover.domain2.com in. If you just want to use domain1.com and domain2.com to send/receive emails, it's not necessary.
As for this case, I'd like to double confirm the information of this case again and get back to you 1-2 days later.
Hi Neo Zhu,
Thanks for your answer! In our scenario all domains are used as primary SMTP addresses by (different) on premise and federated users. So the impact on the number of necessary SANs is very important for us. I suppose the handling of an SSL certificate with so many SANs is organizationally nearly impossible and could be a show stopper for us.
I really appreciate your feedback!
I got the confirmation information: the autodiscover certificate needs to include all the domain names (in this case, domaina.com, domainb.com and domainc.com) as the SANs for the certificate.
Hello Neo Zhu,
Thanks again for your answer! I understand that it is a requirement to include all domain names (which are used as primary SMTP addresses) in the SAN certificate.
Could you give me some background information on why this is a requirement? Is it for the mail routing (SMTP TLS), for autodiscover of the Outlook client or for autodiscover of the hybrid configuration wizard? Which component of Exchange / Office 365 needs the SANs in order to work correctly?
I'm asking because a friend of mine got the multiple domains scenario running without using a SAN certificate. He is using a normal SSL certificate without any SANs for three domains. Another friend failed with this scenario and needed to buy a SAN certificate in order to finish the hybrid configuration wizard.
How are you? I'm just writing in to ensure that all the information is useful for you. If you have any questions, please feel free to post them here.
Thanks for your answer again. I think I now understand the reason for the requirement. As far as I know there are three different Autodiscover types with Office 365:
1 & 2 are working well with Autodiscover DNS CNAMEs or SRV records pointing to a commonly used SSL certificate, but number 3 needs an SSL certificate (CN or SAN) for the on-premise recipients' domain(s).
Thanks for your help!
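
An added example, not part of the thread: a coverage check for the requirement discussed above, assuming each primary SMTP domain needs `autodiscover.<domain>` in the certificate's CN or SANs (the naming used in the earlier reply). It takes a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are constructed for illustration, and the wildcard handling goes beyond what the thread covers.

```python
# Added example: function names and sample data are constructed for illustration.

def cert_dns_names(cert):
    """Collect DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    return names


def name_matches(pattern, host):
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def missing_autodiscover_names(cert, smtp_domains):
    """Return the autodiscover.<domain> names the certificate does not cover."""
    names = cert_dns_names(cert)
    missing = []
    for domain in smtp_domains:
        host = "autodiscover." + domain.strip().lower().rstrip(".")
        if not any(name_matches(n, host) for n in names):
            missing.append(host)
    return missing


# Constructed sample: a CN plus SANs, one of them a wildcard.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domaina.com"),),),
    "subjectAltName": (
        ("DNS", "mail.domaina.com"),
        ("DNS", "autodiscover.domaina.com"),
        ("DNS", "*.domainb.com"),
    ),
}
SMTP_DOMAINS = ["domaina.com", "DomainB.com", "domainc.com", "sub.domainb.com"]

if __name__ == "__main__":
    for host in missing_autodiscover_names(SAMPLE_CERT, SMTP_DOMAINS):
        print("not covered:", host)
```

Run against the full list of primary SMTP domains before ordering or renewing the certificate; a wildcard covers only one label, so subdomains used as SMTP domains still need their own entry.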