Showing posts with label Skype for Business. Show all posts

Announcing Microsoft Exchange Server vNext!

Tuesday, September 22, 2020

Some really exciting Exchange Server news was announced for on-premises customers at the Microsoft Ignite virtual conference today!

Microsoft will be releasing the next versions of Exchange Server, SharePoint Server, and Skype for Business Server in the second half of 2021. These new on-premises server versions will only be available with the purchase of a subscription license, using a similar subscription model to Microsoft 365.

The name for these new on-premises server products has yet to be announced, but it is likely that Microsoft will drop the year from the version name since the new subscription server will be evergreen. Pricing and availability will be announced closer to the release date.

It's important for on-premises customers to know and stay on top of the Exchange Server product lifecycle policies for support and planning.

| Product | End of Mainstream Support | End of Extended Support |
|---|---|---|
| Exchange Server 2010 | 01/13/2015 | 10/03/2020 |
| Exchange Server 2013 | 04/10/2018 | 04/11/2023 |
| Exchange Server 2016 | 10/13/2020 | 10/14/2025 |
| Exchange Server 2019 | 01/09/2024 | 10/14/2025 |

As mentioned in the article, Exchange Server 2016 and the End of Mainstream Support, CU19 is the last planned update for Exchange Server 2016 and is due in December 2020. After December 15, 2020, only CU19 or its successors will receive critical updates.

Exchange Server Upgrade Planning

In the near-term, customers who plan to stay on-premises should upgrade to Exchange Server 2019 ASAP to maintain both critical security and non-critical feature updates. This will also put your organization in the best position for when Exchange Server vNext is released in the second half of 2021.

You'll be able to install Exchange Server vNext into an org with Exchange Server 2013, 2016 or 2019. That's one more version than they used to support. And for the first time ever, you'll be able to perform an in-place upgrade from Exchange Server 2019 to Exchange Server vNext. Even in the same DAG. This will make it the easiest Exchange upgrade ever!

The bottom line is, if you're going to be staying on-premises long term - start planning and installing Exchange Server 2019 today!

New hybrid customers or customers who plan to keep some mailboxes on-premises should definitely upgrade to Exchange 2019 and, later, to Exchange Server vNext when it's released.

Hybrid customers who have completed migrating all their mailboxes to Exchange Online can continue to use their existing Exchange 2016 server for hybrid management. Microsoft hopes to deliver a serverless management solution soon, but it will be later than the CU19 release.

Other Exchange and Exchange Online News

Another important bit of news on hybrid is that the new HCW will support establishing a one-to-many on-premises to cloud tenant configuration. This is helpful for divestments and customers with multiple tenants. Just be aware it only works for Exchange 2016/2019 and Hybrid Modern Auth only works with one tenant.

Microsoft is also opening the distribution of the Exchange Server 2019 Capacity Calculator. It previously was available only to Volume License customers. You can get it from https://aka.ms/ExCalc

"Plus Addressing" is now GA in Exchange Online. This lets users create "disposable" email addresses based on their primary email address. This lets users know where their email addresses are being leaked and create Inbox rules to handle them.

View the on-demand session, Exchange, Here, There and Everywhere, delivered by the ever-so-suave Greg Taylor.


EXPTA Consulting provides professional upgrade, migration, and hybrid services for on-premises customers of all sizes. We specialize in Exchange, Microsoft 365, Active Directory, and identity solutions and pride ourselves on customer satisfaction.

Examples where we provide turn-key solutions or can work with your IT staff include:

  • Exchange and Active Directory Health Checks
  • Exchange on-premises upgrades and configuration
  • Exchange hybrid configuration and migrations to Exchange Online
  • Hybrid Modern Authentication (MFA) for Exchange on-premises
  • Public Key Infrastructure (PKI) design and deployment
Contact us today for a free consultation.


HCW Organization Configuration Transfer breaks Outlook connectivity to Office 365

Thursday, May 2, 2019

5/16/2019 Update -- The latest version of the HCW (version 16.0.3054.9) no longer syncs the OAuth2ClientProfileEnabled property, which caused the issue. Thanks to the Exchange product group for fixing this so quickly.

Recent versions of the Office 365 Hybrid Configuration Wizard (HCW) offer a feature called Organization Configuration Transfer, which is documented here. Organization Configuration Transfer (OCT) copies the organization policy objects from on-premises to Exchange Online (EXO), and updates values in EXO with the values from on-premises.

OCT is an option when running the HCW, not a requirement. It is designed to reduce the number of policies and objects that need to be configured in EXO by copying them from on-prem. Admins can also occasionally re-transfer settings using OCT in order to update EXO with new or updated on-prem policies and configurations.

OCT was updated to OCT-V2 in November 2018 to include several additional objects that were not previously synced, including the Organization Config object. This poses a problem if your on-prem environment is not configured for hybrid modern authentication because it will turn off access to EXO from Outlook and Skype for Business. This happens when the OCT overwrites the OAuth2ClientProfileEnabled property in EXO using Set-OrganizationConfig. On-prem environments without hybrid modern auth have this property set to false, whereas in Exchange Online it is always true (unless you want to deny modern auth).

Review the objects that OCT will transfer

The OCT will update the OAuth2ClientProfileEnabled property to FALSE

Turning the OAuth2ClientProfileEnabled property to false disables modern authentication for clients like Outlook and Skype for Business, and users will be continuously prompted for authentication and will be unable to connect to Exchange Online. Hilarity does not ensue.

This happened in my own environment. I discovered using Admin Audit Logging that the OAuth2ClientProfileEnabled property in the Organization Config was set to false the Friday before the problem started on Sunday morning. That date/time corresponded to the HCW logs. I had re-run the HCW and the Org Transfer Friday afternoon, which set the property to false.

Fiddler showed the same error described in the Auth_URI Failures section of the HMA article (https://blogs.technet.microsoft.com/exchange/2017/12/06/announcing-hybrid-modern-authentication-for-exchange-on-premises/):

HTTP/1.1 401 Unauthorized
Cache-Control: private
Server: Microsoft-IIS/10.0
request-id: 3e5472dd-320e-4378-85e1-e22f00b53d38
X-CalculatedBETarget: dm6pr04mb6185.namprd04.prod.outlook.com
X-RUM-Validated: 1
X-UserType: Business
x-ms-diagnostics: 4000000;reason="Flighting is not enabled for domain 'cloud@expta.com'.";error_category="oauth_not_available"
X-DiagInfo: DM6PR04MB6185
X-BEServer: DM6PR04MB6185
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-FEServer: BYAPR02CA0010
WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0000-0000-c000-000000000000@*", token_types="app_asserted_user_v1 service_asserted_app_v1", authorization_uri="https://login.windows.net/common/oauth2/authorize", error="invalid_token",Basic Realm=""
Date: Mon, 29 Apr 2019 22:57:42 GMT
Content-Length: 0

Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this enabled.

To easily check if this is affecting your Exchange Online environment run the following cmdlet in EXO PowerShell:
(Get-OrganizationConfig).OAuth2ClientProfileEnabled
Tenants who have modern authentication enabled in EXO or any tenant created after August 2018 would normally have this value set to True. If it isn't, run the following cmdlet:
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Note that it takes up to 30 minutes before the change becomes effective.

I've been working with the product team to remove this property transfer from OCT, since no one can think of a good reason for this property to sync in the first place. In the meantime, if you use OCT in the HCW you should remove the checkbox for Organization Config on the right-hand side.
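
The check and fix above, combined with the Admin Audit Log lookup that pins down when and by whom the property was changed, as an added example that is not part of the original post. It assumes an already connected Exchange Online PowerShell session with rights to run Search-AdminAuditLog; the 14-day window and the $Remediate switch are choices made for this example.

```powershell
# Added example, not from the original post.
# Assumes a connected Exchange Online PowerShell session.
$LookBackDays = 14        # assumption: how far back to search the audit log
$Remediate    = $false    # set to $true to re-enable modern auth from this script

# 1. Current tenant-wide setting. $false means Outlook and Skype for Business
#    cannot use modern authentication against Exchange Online.
$current = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Write-Host "OAuth2ClientProfileEnabled = $current"

# 2. Every recorded change to that property: when, by whom, and to what value.
#    Compare RunDate with the timestamps in the HCW logs to confirm whether an
#    Organization Configuration Transfer run made the change.
$changes = Search-AdminAuditLog -Cmdlets Set-OrganizationConfig `
               -Parameters OAuth2ClientProfileEnabled `
               -StartDate (Get-Date).AddDays(-$LookBackDays) `
               -EndDate (Get-Date) |
    Sort-Object RunDate |
    ForEach-Object {
        $param = $_.CmdletParameters |
                 Where-Object { $_.Name -eq 'OAuth2ClientProfileEnabled' }
        [pscustomobject]@{
            RunDate   = $_.RunDate
            Caller    = $_.Caller
            NewValue  = $param.Value
            Succeeded = $_.Succeeded
        }
    }
$changes | Format-Table -AutoSize

# 3. Restore the setting only when asked to, since some tenants disable
#    modern auth on purpose.
if (-not $current) {
    if ($Remediate) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
        Write-Host 'Re-enabled. Allow up to 30 minutes for the change to take effect.'
    }
    else {
        Write-Warning 'Modern authentication is disabled tenant-wide. Set $Remediate = $true to re-enable it.'
    }
}
```

If the audit log shows the value flipping back to False after each HCW run, the Organization Config checkbox is still selected in OCT.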


Don't miss Comms vNext 2019!

Friday, April 26, 2019
For those of you who were fortunate enough to attend the MEC conferences, you understand what it's like to be a part of a wonderful blend of community and awesome technical content.

If you work with Teams or Skype for Business that experience is happening again with the Comms vNext conference in Denver, CO June 5-6th 2019.


This two-day conference promises to be a spectacular event with 36 sessions devoted to Teams and Skype for Business. Sessions will cover voice and voicemail, end-user adoption, development and much more. And all sessions will be led by the superheroes of the industry including 9 Microsoft product group members, 18 MVPs and MCMs from around the world. The keynote will be held on Wednesday, June 5th, by Heidi Gloudemans.

In my view, the most valuable part of a conference like this is the opportunity to develop business relationships with the speakers and attendees. Folks who work with these technologies every day, just like you. With a limit of only 300 attendees, this conference promises to bring everyone together in a way that can't be matched in other huge conferences.

The cost of this two-day event is only $299 for both days and access to all sessions. Even better, you can get a hotel-included package for $525, which includes a two-night stay at the Denver Renaissance Stapleton where the conference will be held. Register today before this conference sells out!

Clearing up confusion about Office 365 Equivalency Use Rights

Friday, February 22, 2019
You may have heard about "Office 365 equivalency rights" or "dual use rights". These rights allow users to access on premises servers, such as Windows Server, Exchange Server, SharePoint Server, and Skype for Business Server using their Office 365 E3 or E5 licenses.

Office 365 equivalency licenses only provide user use rights, not server rights. In other words, O365 licenses are equivalent to Exchange Server Client Access Licenses (both Standard and Enterprise) and Windows Server CALs, but you still need server licenses to run Exchange Server on Windows Server on premises.

One exception to this rule is that your Office 365 subscription lets you use the free hybrid key to run an Exchange hybrid management server. An important caveat here is that the hybrid server cannot be used to host user mailboxes or Public Folders, and you may still need a server license for Windows Server. The free hybrid key is available to all Enterprise Office 365 customers, even if they get their license from the CSP channel which says it's "Not On Premises Capable -- Cloud only rights".


Microsoft used to have an authoritative website called, "Licensing How To: Using Office 365 user licenses to meet CAL requirements" that described how these equivalency rights work, but it became a casualty when Microsoft moved most documentation to docs.microsoft.com. Fortunately, you can still read a cached copy of that website from the web archive (for now, at least -- who knows how long that will last).

A suitable replacement for the now-gone licensing website is the Licensing Office 365 document. I include a copy of that PDF document here on my blog, just in case it falls to the same fate. ;)

Notable extracts from this document include the following about equivalent use rights:
  • “Office 365 E3 provides your users with the latest full Office across most devices, plus a wide range of integrated collaboration services coupled with advanced compliance features and full IT power. Office 365 Enterprise includes Office 365 ProPlus for up to five PCs or Macs, five tablets, and five smartphones. It also includes Exchange Online, SharePoint Online, Lync Online, and Yammer Enterprise—along with access rights to equivalent on-premises server workloads.” (Page 3)
  • “Note that all Microsoft 365 E3 and E5 USL license a user for access to Windows Server, but does not include a license for the Windows Server product itself.” (Page 2)

Note that the title of the section is "On-premises server rights", but it should really be "On-premises user rights" since it only applies to the User Subscription License (USL).

Hopefully, this will help you answer some of your user CAL questions when you have an Office 365 subscription. I've seen some licensing providers say that you still need to buy user CALs, even when you have an Office 365 subscription that includes these equivalency rights.


Announcing the 11th Annual UC Roundtable at Microsoft Ignite!

Saturday, August 25, 2018

I'm pleased to announce the 11th Annual UC Roundtable at Microsoft Ignite 2018 in Orlando!

A one-of-a-kind conference deserves a one-of-a-kind opportunity to network with your peers.

The purpose of the UC Roundtable is to gather Exchange, Office 365, and Skype for Business/Teams admins, MCMs, MVPs, Exchange product group members, architects, and experts for a free-flowing discussion about issues, questions, and experiences related to collaboration. If you work with these technologies you need to be here!

Monday, September 24th from 7:00PM to 8:30PM EDT
We'll be meeting in the outdoor area of Marlow's Tavern at 9101 International Dr, Lower Level -- just a short 10 minute walk from the Ignite convention center.

The UC Roundtable is going old school again this year! This will be a no-host event. Order your own beer or a bite to eat before you leave for the evening's parties. Please RSVP to jguillet@expta.com so I can tell them how many people to expect.

Help spread the word on Twitter and I hope to see you there!



Say Bye-Bye to Exchange Unified Messaging in Exchange Server 2019

Wednesday, July 25, 2018

Exchange Unified Messaging was first introduced in Exchange Server 2007 and has been in every version of Exchange server since - until now. In the Exchange Server 2019 Public Preview announcement it was revealed that UM is being dropped in Exchange Server 2019.

Exchange UM provides the following features and functionality:
  • Access a full set of voicemail features from Internet-capable mobile phones, Microsoft Office Outlook (2007 and later), and Outlook on the web (OWA).
  • Auto Attendants allow you to create sophisticated calling trees using both speech and keypad controls.
  • Play on Phone lets you play voice messages on a telephone.
  • The Outlook and OWA voicemail form includes the controls for actions such as playing, stopping, or pausing voice messages, playing voice messages on a telephone, and adding and editing notes.
  • Call Answering Rules allow users to decide how incoming calls are answered.
  • Voice Mail Preview provides (sometimes humorous) email transcriptions of voicemails which allow users to get a sense of the urgency of a recorded voicemail.
  • Outlook Voice Access (OVA) allows users to access and manage their voicemails using voice or keypad controls.
  • Protected Voice Mail enables users to send private voicemails protected by Active Directory Rights Management Services (AD RMS).
  • For a full set of Exchange UM features see the article, Introduction to Microsoft Exchange Unified Messaging.
Exchange Server 2019 no longer includes Exchange Unified messaging. If your organization wants to migrate to Exchange 2019 and uses Exchange UM for company voicemail, you'll need to implement a new voicemail solution. Read on for some options.

The simplest option, of course, is to migrate everyone from on-premises to Office 365. Not only will you get Cloud Voicemail (aka Azure Voicemail), but you'll get all the hotness that only comes from Office 365 -- Exchange Online, Teams, SharePoint Online, etc.

Organizations with no intention of using Office 365 will either need to implement a new voicemail system, or upgrade to or remain on Exchange 2016, the last Exchange Server version to support UM. In case it isn't obvious, this is because Cloud Voicemail runs in Office 365. Of course, upgrading to or staying on Exchange 2016 only buys you time. Mainstream support for Exchange 2016 is expected to end on October 13, 2020.

As announced on the EHLO Blog last year, Microsoft is discontinuing support for Session Border Controllers in Exchange Online in July 2018. Recently, they extended this deadline to April 30, 2019 due to customer feedback. This decision was surely a precursor of things to come (or not come, as it turns out) to Exchange Server 2019. Without SBC support, Cloud Voicemail will require Skype for Business Server as your on-prem PBX. You will not be able to connect any other on-prem PBX, such as Cisco Call Manager or Avaya, to Cloud Voicemail.

Microsoft has received a lot of feedback from enterprise organizations about the removal of UM from Exchange and Exchange Online, as seen in the forum feedback above. It appears they may have misjudged how much this change will cost organizations and its impact to their customers. In an effort to reduce some of the cost, they have created a path to use Cloud Voicemail almost for free.

Customers running Exchange 2019 with Skype for Business Server 2019 with Enterprise Voice will be able to use Cloud Voicemail natively, as long as they have a tenant with at least one license that includes Skype for Business Online. No other licensing, gateways, or SBCs are required, but it will require implementing Azure AD Connect to sync your AD to your Azure AD for your tenant.

Customers running Exchange 2019 with Skype for Business Server 2015 with Enterprise Voice, or customers who cannot/will not have an Office 365 tenant, will have no other option than to use a third-party voicemail system. All voicemail support must come from the third-party provider.

I put together the following table that shows the different voicemail scenarios for Skype for Business and Exchange, both on-prem and in Office 365.

| Enterprise Voice | Mailbox | Exchange UM | EXO UM | Cloud Voicemail |
|---|---|---|---|---|
| Skype for Business 2015 | Exchange 2016 | Yes | No | No |
| Skype for Business 2015 | Exchange 2019 | No | No | No |
| Skype for Business 2015 | Exchange Online | No | Yes | No |
| Skype for Business 2019 | Exchange 2016 | Yes | No | No |
| Skype for Business 2019 | Exchange 2019 | No | No | Yes |
| Skype for Business 2019 | Exchange Online | No | No | Yes |
| Skype for Business Online | Exchange 2016 | No | No | Yes |
| Skype for Business Online | Exchange 2019 | No | No | Yes |
| Skype for Business Online | Exchange Online | No | No | Yes |
| Skype for Business Online (No EV) | Exchange 2016 | No | No | No |
| Skype for Business Online (No EV) | Exchange 2019 | No | No | No |
| Skype for Business Online (No EV) | Exchange Online | No | No | No |

Cloud Voicemail requires that the tenant has at least one license that includes Skype for Business Online to provide Cloud Voicemail capabilities for everyone in the tenant. It should be noted that in the preview Cloud Voicemail won't work if the organization is configured with Exchange hybrid, but this is expected to be fixed before General Availability. As a reminder, this is a preview, folks. Only try this stuff out in a lab.

An important feature for most companies is Auto Attendants. Currently, Auto Attendants in Phone System are rudimentary, but investments are being made to bring them up to parity with the features previously available in Exchange UM. The biggest missing feature is the ability to invoke outbound calls from an Auto Attendant.

Cloud Voicemail features include simple voicemail, voicemail transcription with an MP3 attachment sent to the user's Inbox, ability to record personal greetings, message waiting indicator (MWI), and reply with call. It does not include Outlook integration like visual voicemail, Play on Phone, call answering rules, text notifications, or any Outlook Voice Access features. For further information on how to access Cloud Voicemail features, read Check Skype for Business voicemail and options.

So what do you think? Is this a big deal for your organization? Comments or questions? Leave a comment below.

Special thanks to fellow Office Servers & Apps MVP Adam Ball for help with the licensing aspects of this article.

EXPTA Consulting helps small, medium, and enterprise customers with their Exchange on-prem and Office 365 needs. We offer design, planning and migration services, identity and security solutions, and other IT services. Past customers include higher education, SAS providers, ITAR organizations, and insurance brokers. Contact us today to see how we can help you!

Updated Microsoft MVP Award Categories

Tuesday, July 10, 2018

From time-to-time Microsoft reorganizes the MVP Award Program to better align it with their business goals. This year is no different. Today, Microsoft announced that the Office Servers and Services MVP Group, my previous award category, is being renamed to Office Apps & Services. With this change they are moving OneDrive, Microsoft Stream, and Project into this category.

The Office Apps & Services category now contains over 582 MVPs awarded across 16 contribution areas.

With these enhancements to the MVP Award, MVPs and Microsoft are in an even better position to help people and companies around the world make the most of their technologies. If you think someone you know should be a Microsoft MVP you can nominate them to become an MVP member!


Congratulations 2018-2019 Microsoft MVP!

Sunday, July 1, 2018
I'm very pleased to announce that I have been given the Office Servers and Services Microsoft MVP Award again for 2018-2019. I have been awarded every year since 2009, so this will be my 10th consecutive year.


The MVP Award is an important recognition to me and I'm honored to receive it. It includes several benefits, but the most important one to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to test new software, and solicit our MVP feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This has been somewhat of a nerve-racking award cycle. As Microsoft truly morphs into a cloud services company, its priorities are changing faster than ever before. Longtime MVPs have been notified that they were not going to be awarded this year because their community events do not align with Microsoft's vision. Entire groups that focus on on-premises technologies have been cut from the MVP program. I understand why, but I am sorry to see them go.

Another program change is that the re-award cycle changed from quarterly to yearly. I used to be awarded on April 1 every year (I always worried that my award email was an April Fool's joke), but now all MVPs are awarded the same date, July 1. That means that the MVP leads have to review hundreds or thousands of MVPs at the same time. That takes a lot of work by them and I appreciate it.

If you think that you or someone you know deserves to be an MVP, you can learn what it takes to be one and nominate them from the Microsoft MVP Site. Microsoft reviews and awards new MVPs every month, with a renewal cycle on July 1.

The MVP Award adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my leadership in the community and real-world experience, which I bring to each and every engagement. Customers know that I provide the best results as their trusted advisor.

I feel great!




Announcing the 10th Annual UC Roundtable at Microsoft Ignite!

Monday, September 18, 2017

I'm pleased to announce the 10th Annual UC Roundtable at Microsoft Ignite 2017 in Orlando!

A one-of-a-kind conference deserves a one-of-a-kind opportunity to network with your peers.

The purpose of the UC Roundtable is to gather Exchange, Office 365, and Skype for Business admins, MCMs, MVPs, Exchange product group members, architects, and experts for a free-flowing discussion about issues, questions, and experiences related to Exchange, Office 365, and Skype for Business. If you work with these technologies you need to be here!

Wednesday, September 27th from 6:00PM to 7:30PM EDT

The UC Roundtable is going old school this year! This will be a no-host event. Order your own beer or a bite to eat before you leave for the evening's parties. Please RSVP to jguillet@expta.com so I can tell them how many people to expect.

We'll be meeting in the outdoor area of Marlow's Tavern at 9101 International Dr, Lower Level -- just a short 10 minute walk from the Ignite convention center.


Help spread the word on Twitter and I hope to see you there!



New article: What to Do When the Office 365 Portal Goes Down

Thursday, July 13, 2017
I published a new article to the ENow Exchange & Office 365 Solutions Engine Blog (ESE), "What to Do When the Office 365 Portal Goes Down".


This article talks about recent availability failures in the Office 365 portal and provides direct URL links to Office 365 features and admin portals. Bookmark this page for reference the next time the portal becomes unavailable for your tenant!


Congratulations 2017-2018 Microsoft MVP!

Saturday, July 1, 2017
I'm pleased to announce that I have been given the Office Servers and Services Microsoft MVP award again for 2017-2018. I have been awarded every year since 2009, so this will be my ninth consecutive year.



The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important one to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.

I feel great!



Fix for Certificate Error in Chrome - NET::ERR_CERT_COMMON_NAME_INVALID

Tuesday, June 6, 2017
It amuses me when Google dictates security policy.

Beginning with Chrome 58, the Chrome browser no longer uses the Common Name (CN) field to validate an SSL certificate. Instead, it only uses the Subject Alternative Name field.

This is in violation of RFC 2828 which states,
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
So someone in Google security said, "Hey! If RFC 2828 says the Common Name is deprecated, we should start making Chrome ONLY use the Subject Alternative Name! Existing practice, be damned." Never mind the fact that the RFC was written May 2000, and every other browser and app on the planet uses the Common Name field for single-name certificates.

Therein lies the problem. Most single name certificates and some wildcard certificates only have a Common Name and don't use Subject Alternative Names. This causes Chrome 58 and later to display the following (incorrect) error. It even goes so far as to blame it on a server misconfiguration.

NET::ERR_CERT_COMMON_NAME_INVALID [missing_subjectAltName]
This same website (in this case, OWA) displays properly in all other browsers. If we look at the certificate, we see this is a wildcard cert for *.contoso.com issued by an internal certification authority (CA). The Details tab shows there is no Subject Alternative Name field for this cert.

Wildcard certificate details with only a Common Name (CN) field

To fix the error for your Chrome users, you'll need to regenerate the certificate to include a Subject Alternative Name. Here's how to do that using the Certificates MMC when you have an internal Certification Authority (CA).

From the web server, open MMC and add the Certificates snap-in, managing the Computer account. Then expand Certificates (Local Computer) > Personal > Certificates.

Right-click Certificates > All Tasks > Request New Certificate.

Choose Active Directory Enrollment Policy to use your existing internal CA.

Select the Web Server certificate template and click the link below it to enter more information.

Add the Common Name for the Subject Name, and the DNS name for the Alternative Name. They can be the same value. Chrome 58 and later only uses the DNS alternative name.

Enter a Friendly Name on the General tab.

Optionally, make the private key exportable on the Private Key tab and click OK.

Click Enroll to generate the new cert from the CA and install it on the web server.

The certificate will be installed. Click Details to view the new certificate.

On the Details tab we see the Subject Alternative Name is on the new cert.

Now you'll either need to configure IIS to use the new certificate (Web Site - Bindings) or reconfigure Exchange web services using the Enable-ExchangeCertificate cmdlet.
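
A way to find, before users hit the error, which server certificates in the computer store carry only a Common Name and therefore need to be reissued with the steps above. This is an added example, not part of the original post; the function name Get-CertSanReport is made up for it, and it assumes Windows PowerShell run on the web or Exchange server with an English-language OS (Windows localizes the "DNS Name=" label).

```powershell
# Added example, not from the original post.
$SanOid        = '2.5.29.17'           # subjectAltName extension
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-CertSanReport {
    # Hypothetical helper: lists server-auth certificates and their SAN DNS names.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Keep certificates usable for TLS server authentication.
        # A certificate with no EKU extension is valid for all purposes.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($eku -and ($ekuOids -notcontains $ServerAuthOid)) { return }

        # Pull dNSName entries out of the SAN extension, if there is one.
        # A SAN that holds only other name types (e-mail, IP) yields none.
        $dnsNames = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if ($san) {
            # 'DNS Name=' is the English label used by Windows when formatting.
            $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                          ForEach-Object { $_.Groups[1].Value })
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            SanDnsNames   = $dnsNames -join ', '
            HasSanDnsName = ($dnsNames.Count -gt 0)
        }
    }
}

# Certificates Chrome 58 and later will reject with
# NET::ERR_CERT_COMMON_NAME_INVALID because no SAN DNS name is present.
Get-CertSanReport |
    Where-Object { -not $_.HasSanDnsName } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

Run it again after enrolling the replacement certificate to confirm the new thumbprint reports the expected SAN DNS names before rebinding IIS or running Enable-ExchangeCertificate.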
