• Status: Solved

Install new Equifax Secure Global eBusiness CA-1, internal clients Exchange problems

I have installed a new certificate on the server so that users are able to connect to OWA without a security certificate problem.
The certificate installed OK and runs right for external access to OWA.
In IIS7, I changed the certificate (from internalSERVER.dosimetria.es to externalSERVER.dosimetria.es) in the Default Web Site links.
The problem now is with Outlook access. When Outlook 2003 and 2007 connect to Exchange, a security window appears saying that internalSERVER.DOSIMETRIA.ES is not valid.
Do you know how to change only the link for OWA to the new externalSERVER.dosimetria.es? In IIS6 it is easy: select the properties of the OWA virtual directory. But in IIS7 I don't know how to achieve this.
Mestha Commented:
What sort of certificate did you purchase?
Was it a SAN/UC certificate, or a regular certificate?
If it was a regular certificate then you have to make lots of changes. Furthermore the certificate needs to be requested and installed through Exchange, not through OWA.

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

Simon.
imusa (Author) Commented:
OK.
I followed the steps in several articles and now the certificate is running right.
From external and internal, OWA runs right.
The clients with IMAP can also connect with IMAPSSL.

The problem now is the Outlook 2003/2007 internal clients. When Outlook opens, the Security Alert appears saying SERS.dosimetria.es is not the same as the certificate (correo.dosimetria.es). (I attach a JPG with the error.)

I attach the output of get-exchangecertificate and get-WebServicesVirtualDirectory.

Thanks for the help



[PS] C:\Windows\System32>get-exchangecertificate
 
Thumbprint                                Services   Subject
----------                                --------   -------
86A40FF554C08ED62AF2FDE40C4388A4639A57FE  IP.WS      CN=correo.dosimetria.es...
B8E3F7072FDCEC822C896F0FD9492E7C20068DE8  ....S      CN=SERS
6E7D2C0E2A046628549B94EFA2087890598ABA91  ....S      CN=SERS.DOSIMETRIA.ES
0CFF3929EAA24B2DFF0030C7FB4F232D9AC1BF9F  ...WS      CN=Sites
B5A7885647912734D64FB4B2F4DD8321E0D81D01  .....      CN=DOSIMETRIA-SERS-CA
BD7AE1D4DA2ACBA99215ADCFE337DE92073393E6  .....      CN=WMSvc-WIN-B7UQFQR8CLQ
 
 
[PS] C:\Windows\System32>get-WebServicesVirtualDirectory |format-list
 
 
InternalNLBBypassUrl          : https://correo.dosimetria.es/EWS/Exchange.asmx
Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SERS.DOSIMETRIA.ES/W3SVC/1/ROOT/EWS
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\exchweb\EWS
Server                        : SERS
InternalUrl                   : https://correo.dosimetria.es/EWS/Exchange.asmx
ExternalUrl                   : https://correo.dosimetria.es/EWS/Exchange.asmx
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,
                                CN=SERS,CN=Servers,CN=Exchange Administrative G
                                roup (FYDIBOHF23SPDLT),CN=Administrative Groups
                                ,CN=Primera organización,CN=Microsoft Exchange,
                                CN=Services,CN=Configuration,DC=DOSIMETRIA,DC=E
                                S
Identity                      : SERS\EWS (Default Web Site)
Guid                          : b1425dd2-4fa5-4616-a7d4-31c23842fe01
ObjectCategory                : DOSIMETRIA.ES/Configuration/Schema/ms-Exch-Web-
                                Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServices
                                VirtualDirectory}
WhenChanged                   : 15/04/2009 18:25:56
WhenCreated                   : 31/03/2009 11:56:36
OriginatingServer             : SERS.DOSIMETRIA.ES
IsValid                       : True
 
 
 
[PS] C:\Windows\System32>

Captura01.JPG
imusa (Author) Commented:

I attach the complete get-exchangecertificate output.


Is it possible that my third-party SSL certificate doesn't support SAN?

Thanks
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {correo.dosimetria.es}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure
                     Inc., C=US
NotAfter           : 14/04/2010 13:22:00
NotBefore          : 15/04/2009 13:22:00
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 0B50E2
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=correo.dosimetria.es, OU=Domain Control Validated - Rap
                     idSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=
                     GT61655898, O=correo.dosimetria.es, C=ES
Thumbprint         : 86A40FF554C08ED62AF2FDE40C4388A4639A57FE
 
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {SERS, SERS.DOSIMETRIA.ES}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERS
NotAfter           : 31/03/2010 11:53:18
NotBefore          : 31/03/2009 11:53:18
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 7DD7117B244428B742CECAAD1239EBAE
Services           : SMTP
Status             : Valid
Subject            : CN=SERS
Thumbprint         : B8E3F7072FDCEC822C896F0FD9492E7C20068DE8
 
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERS.DOSIMETRIA.ES}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOSIMETRIA-SERS-CA
NotAfter           : 24/03/2010 10:58:55
NotBefore          : 24/03/2009 10:58:55
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 61225C33000000000003
Services           : SMTP
Status             : Valid
Subject            : CN=SERS.DOSIMETRIA.ES
Thumbprint         : 6E7D2C0E2A046628549B94EFA2087890598ABA91
 
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERS.DOSIMETRIA.ES}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOSIMETRIA-SERS-CA
NotAfter           : 24/03/2011 10:56:07
NotBefore          : 24/03/2009 10:56:07
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 611FCAEC000000000002
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 0CFF3929EAA24B2DFF0030C7FB4F232D9AC1BF9F
 
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {DOSIMETRIA-SERS-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOSIMETRIA-SERS-CA
NotAfter           : 24/03/2014 11:05:15
NotBefore          : 24/03/2009 10:55:16
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 390E8497AD6263BE42F728409872D40F
Services           : None
Status             : Valid
Subject            : CN=DOSIMETRIA-SERS-CA
Thumbprint         : B5A7885647912734D64FB4B2F4DD8321E0D81D01
 
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-B7UQFQR8CLQ}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-B7UQFQR8CLQ
NotAfter           : 22/03/2019 9:27:16
NotBefore          : 24/03/2009 9:27:16
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : CD406247F302D58A4846BF016BED584D
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-B7UQFQR8CLQ
Thumbprint         : BD7AE1D4DA2ACBA99215ADCFE337DE92073393E6
 
 
 
[PS] C:\Windows\System32>

Mestha Commented:
If it is a RapidSSL certificate then it is not a SAN/UC certificate.
You can use a single name SSL certificate, but your external DNS provider must support SRV records.

Simon.
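
The name mismatch discussed in this thread can be read straight from the posted certificate listing. The following is an added example, not part of the original thread: it parses Get-ExchangeCertificate Format-List text and reports which host names the certificate enabled for a given service actually lists. The sample is constructed by abridging the listing above, and the function names are hypothetical.

```python
import re

# Constructed sample: two records abridged from the Get-ExchangeCertificate
# listing posted in the thread, keeping the console's hard line wrapping.
SAMPLE = """\
CertificateDomains : {correo.dosimetria.es}
Services           : IMAP, POP, IIS, SMTP
Subject            : CN=correo.dosimetria.es, OU=Domain Control Validated - Rap
                     idSSL(R), OU=See www.rapidssl.com/resources/cps (c)09, OU=
                     GT61655898, O=correo.dosimetria.es, C=ES
Thumbprint         : 86A40FF554C08ED62AF2FDE40C4388A4639A57FE

CertificateDomains : {SERS, SERS.DOSIMETRIA.ES}
Services           : SMTP
Subject            : CN=SERS
Thumbprint         : B8E3F7072FDCEC822C896F0FD9492E7C20068DE8
"""

def parse_records(text):
    """Split Format-List output into dicts, re-joining wrapped values."""
    records, cur, key = [], {}, None
    for line in text.splitlines() + [""]:
        m = re.match(r"(\w+)\s*:\s?(.*)", line)
        if m:                              # "Key : value" starts at column 0
            key = m.group(1)
            cur[key] = m.group(2).strip()
        elif line.strip() and key:
            cur[key] += line.strip()       # continuation of a wrapped value
        elif cur:                          # blank line ends the record
            records.append(cur)
            cur, key = {}, None
    return records

def check_hosts(text, service, hosts):
    """Map each host to thumbprints of `service` certificates that list it."""
    result = {h: [] for h in hosts}
    for rec in parse_records(text):
        if service not in [s.strip() for s in rec.get("Services", "").split(",")]:
            continue
        names = {n.strip().lower()
                 for n in rec.get("CertificateDomains", "").strip("{}").split(",")}
        for h in hosts:
            if h.lower() in names:         # exact match only, no wildcard logic
                result[h].append(rec["Thumbprint"])
    return result

if __name__ == "__main__":
    hosts = ["correo.dosimetria.es", "SERS.dosimetria.es"]
    for host, certs in check_hosts(SAMPLE, "IIS", hosts).items():
        print(host, "->", certs or "no IIS certificate lists this name")
```

An empty list for a host means any client that reaches the service under that name will get a certificate name warning, which is the situation with SERS.dosimetria.es here.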
imusa (Author) Commented:
Thanks Simon,
In case my DNS provider (Telefonica) supports SRV records, how do I configure it?

On the other hand, do you know any SSL provider with support for SAN?

iv
imusa (Author) Commented:
I read

http://www.amset.info/exchange/singlenamessl.asp

I think it is better to invest some euros in acquiring a UCC certificate.

I have seen this:
https://domainsforexchange.net/
Standard Multiple Domain (UCC) SSL Up to 5 Domains - 1 year - €67.62

Do you know if it is supported for Exchange 2007?

Thanks
Mestha Commented:
Those certificates are fine for Exchange 2007. They are from GoDaddy and I use them on all of my deployments including my home system.
The blog posting in my first post in this question will go through the full process involved.

Simon.