Despite what SQL Books Online tell you about being able to use IP addresses to specify the failover partner and witness servers, this appears to be not quite true in practice.

I spent almost a day and a half configuring a HA mirroring rig using certificates for authentication (the servers are standalone and not in a domain) and was buggered if I could get the mirror and the witness to connect. Without this there'd be no automatic failover. Manual failover worked just fine, but our project requires Automatic Failover. It all seemed like an exercise in futility.

I even had the FQ domain names of all the machines participating in the Principal, Mirror and Witness rig in their respective HOSTS files, but still no dice.

Eventually I tried setting the PARTNER and WITNESS using the FQ machine names as they appear in the HOSTS files. Suddenly it all started working. Querying sys.database_mirroring on both principal and mirror at last showed the witness as connected.