Certificate error with Outlook 2007 clients to Exchange 2007 server

Hi,
I've got the following problem.

I'm currently migrating to an Exchange 2007 server. Whenever one of my Outlook 2007 clients connects to their mailbox on the Exchange 2007 server, they get the following message:

"Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".

I've done some searching and I found the following article:

http://www.sembee.co.uk/archive/2007/01/21/36.aspx

In this article they recommend creating a new website with new virtual directories and assigning it to a second IP address which you assign to your Exchange server. On this new website you can assign a certificate with the correct name and route your internal clients to it.

Now the following problem occurs: My Exchange 2007 server is also a domain controller. And you know what they say! Don't use a multihomed domain controller in your domain, because this means trouble!

So, does anybody have any idea how I can make my Outlook 2007 clients connect to their Exchange 2007 mailboxes without breaking down my Outlook web access and Mobile Access clients?

Kind regards,

Aico
AicoAsked:

SembeeCommented:
That is my article.

You are aware that it is not best practice to run Exchange on a domain controller? It should be run on a member server.

The method I have outlined is not dual homing. It is a second IP address on the server. Dual homing a DC is where there are two network cards connected to two different subnets. Running two IP addresses on the same domain controller when they are connected to the same LAN is not a problem, I have been doing it for years.

Simon.

BusbarSolutions ArchitectCommented:
Well,
I disagree with Sembee, because you can use the following cmdlet to change the internal SCP and external SCP:
Set-WebServicesVirtualDirectory -Identity "EWS*" -ExternalUrl "Https://Contoso.mail.com/EWS/Exchange.asmx" -InternalUrl "Https://Contoso.mail.com/EWS/Exchange.asmx"

We used commercial certificates, and internal O12 and external O12 and IE users were able to connect with no warning.
If you are worried about the autodiscovery service only, you can use the following cmdlet to set the internal URL to match the certificate:
Set-ClientAccessServer -Identity <ClientAccessServerIdParameter> [-AutoDiscoverServiceInternalUri <Uri>] [-AutoDiscoverSiteScope <MultiValuedProperty>] [-DomainController <Fqdn>]
SembeeCommented:
If you are using the same URL inside and outside then it is fine.
However the problem is that Outlook 2007 tries to connect to https://servername/ 
where servername is the real name of the server. You then get the error.

The blog posting was heavily researched and discussed with some of my other MVP peers. If your domain uses .local then the solution I have outlined is the only way I have found to get round all the issues with SSL, as I have not found anyone who will issue a certificate with a subject alternative name that contains a .local domain name.

Simon.

BusbarSolutions ArchitectCommented:
I know that this issue was raised and I discussed it also with some MS consultants and MVPs as well, and this drags us to the point: how does the O12 client locate the service point? It is from AD.
I will refer to the autodiscovery architecture in the following link:
http://msdn2.microsoft.com/en-us/library/bb204047.aspx
So if I updated the SCP in AD to the external name and used a properly managed split DNS infrastructure, then I would be able to solve the problem, because internal clients would be able to connect to the auto-discovery SCP using the external FQDN and would use the certificate bound to IIS (which contains the external FQDN which users connect to).
I used instructions and concepts explained in the following links:
·How to Configure the Availability Service for Network Load Balanced Computers
http://technet.microsoft.com/en-us/library/aa997237.aspx
·Deployment Considerations for the Autodiscover Service
http://technet.microsoft.com/en-us/library/aa997633.aspx
unless you want to use 2 certificates (1 for internal names and 1 for external names).
I used this configuration in my test and production environment and it works great under Microsoft supervision, unless there is something missing and I can't see it, so I will kindly ask you to explain it further to me.

Regards...
AicoAuthor Commented:
Thank you very much for all your input. Due to some time limitations I've chosen to follow Sembee's article (great article by the way!), despite the fact that Exchange is running on a DC.

I've configured a second IP address on the NIC and created the second website as described in your article, and everything seems to be working fine up till now. Even after a few reboots. Let's hope it stays that way.

Sembee, thank you for helping. The points will come your way!
AicoAuthor Commented:
Ok, guys. I did some more research and found that the following article solved all my problems, without having to assign a second IP address or create a second website:

http://technet.microsoft.com/en-us/library/04284d82-b1cf-4582-b784-f5aaed5b23c9.aspx

It discusses how to assign multiple Host Names to 1 certificate. It works like a charm!
BusbarSolutions ArchitectCommented:
Yes AICO,
but you can't use a commercial certificate with multiple names; I think that VeriSign doesn't allow that.
So this is why Sembee and I used our approaches.
pboustaniCommented:
We almost had it working this way, except we ran into the problem that the server would keep re-registering itself to our DNS. This server was a DC, not the PDC, but we have 4 DC in our org.

Anyways, it would keep registering the second IP address into dns. So we would have 2 entries in our DNS for the same IP address. And when Outlook 2007 would query the name of the server, it would randomly get one of the 2 IPs. If it got the wrong one, we got an SSL error as the second IP has a certificate with a different name than the host.

So now we're going the real way and getting a SAN certificate.
rimba_Commented:
You present some smart solutions here.
I got the same problem and I found this solution easier to apply:
First you create a new DNS zone in your DNS server using the address configured in your commercial certificate, let's say: mail.supermail.com
Then you create a Host (A) record to point to your mail server's IP: mail.supermail.com 192.168.0.5
Then you just change the following values through the Exchange shell console:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.supermail.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.supermail.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.supermail.com/oab

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.supermail.com/unifiedmessaging/service.asmx 

*Please note that you must change "CAS_Server_Name" to your Exchange server name and mail.supermail.com to the correct address.

I hope this helps.
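The URL changes from Busbar's and rimba's posts above, collected into one Exchange Management Shell script with the checks a practitioner would want before and after applying them. This is an added example, not code from the thread or from Microsoft; `CAS_Server_Name` and `mail.supermail.com` are placeholders, and it assumes Exchange 2007 cmdlets run on the CAS.

```powershell
# Assumptions: run in the Exchange Management Shell on the Exchange 2007 CAS.
# Replace both placeholders before running.
$CasServer  = "CAS_Server_Name"      # placeholder: your CAS / Exchange server name
$PublicName = "mail.supermail.com"   # placeholder: the name on the commercial certificate
$BaseUrl    = "https://$PublicName"

# 1. The name must be on an installed certificate that is enabled for IIS;
#    otherwise Outlook still reports a name mismatch after the URLs change.
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match "IIS") -and ($_.CertificateDomains -contains $PublicName)
}
if (-not $cert) {
    throw "No IIS-enabled certificate contains $PublicName; fix the certificate first."
}

# 2. Internal clients must resolve the name to this server (the split-DNS
#    zone from the post). A failure here is a DNS problem, not an Exchange one.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    Write-Host "$PublicName resolves to: $($ips -join ', ')"
} catch {
    throw "$PublicName does not resolve internally; create the DNS zone and A record first."
}

# 3. Point Autodiscover (the SCP in AD) and each virtual directory at the certificate name.
Set-ClientAccessServer -Identity $CasServer -AutoDiscoverServiceInternalUri "$BaseUrl/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" -InternalUrl "$BaseUrl/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$CasServer\oab (Default Web Site)" -InternalUrl "$BaseUrl/oab"
Set-UMVirtualDirectory -Identity "$CasServer\unifiedmessaging (Default Web Site)" -InternalUrl "$BaseUrl/unifiedmessaging/service.asmx"

# 4. Read the values back; every URL below should now start with $BaseUrl.
(Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $CasServer | Select-Object Identity, InternalUrl
Get-OabVirtualDirectory -Server $CasServer | Select-Object Identity, InternalUrl
Get-UMVirtualDirectory -Server $CasServer | Select-Object Identity, InternalUrl

# 5. Exchange 2007's built-in check exercises Autodiscover, EWS and OAB the way
#    Outlook 2007 does; run it as a mailbox user and look for the Success rows.
Test-OutlookWebServices
```

Outlook clients pick up the new URLs on their next Autodiscover refresh, so the old server name keeps resolving and nothing on the client needs to be touched.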
slypig61Commented:
Just wanted to add that the solution posted by rimaba worked like a charm.

Thanks!
rimba_Commented:
You're welcome!
scsiCommented:
This worked great for me also. I was getting two certificate errors though, and I still get an autodiscover.domainname.com certificate error, as I have multiple domains on my Exchange server.
vit-joeCommented:
rimba solution worked for me! thanks
rimba_Commented:
np ;)
BMRTCommented:
Hi rimba,
Thanks for your solution.
How do I create a new DNS zone in the DNS server using the address configured in the commercial certificate if:
my domain: location.supermail.com (mail server looks like: servername.location.supermail.com)
on certificate: mail.supermail.com

thanks.
rimba_Commented:
The new DNS zone has to use the certificate's DNS name, regarding order internals subdomains. If they don't match (certificate domain and new DNS zone) you will get a certificate mismatch error.
keithdarlCommented:
We're in the process of trying Rimba's solution, just wanted to clarify, should we delete the default Microsoft certificate once the Commercial certificate has been applied?

thanks
rimba_Commented:
I believe only one certificate can be used per domain, therefore it will be replaced in the Exchange configuration but it won't be deleted itself. I don't think it is necessary though.
ZulanCommented:
Thanks Rimba!
Brigh-GuyCommented:
Rimba's solution looks pretty straight forward and matches MS's KB on the matter.  My one big question, though, is how will these changes affect Outlook clients that are currently pointing to the netbios name?  Will they automatically adjust or will each Outlook client have to be touched?  While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.

Thanks,
Gabe
rimba_Commented:
The NetBIOS name shouldn't be affected by these changes since it is not IP related; the changes are for the HTTP connection of Outlook to the Exchange server, not for resolving the server's name itself.

I hope it helps

Rimba
Brigh-GuyCommented:
Rimba,

Maybe Netbios wasn't the best term for me to use.  What I'm getting at is:  All the Outlook 07 clients are pointing to hostname.domain.local.  If I make all the changes above to mail.domain.com, will this break all the currently set up Outlooks?

Thanks,
Gabe
rimba_Commented:
Actually both DNS names will point to the same IP anyway... :) so you can use the current or the new DNS name. (You are not deleting the old DNS entry, only adding a new zone.)
John LewisCommented:
I found this worked great.

http://support.microsoft.com/kb/940726
UAVCommCommented:
Thank you Rimba - It worked great!
rimba_Commented:
You are welcome :)
jasonhooksCommented:
rimba_'s solution, also outlined here, worked like a charm, thanks!
http://support.microsoft.com/kb/940726