
Exchange 2007 UCC / Internal Domain Name Issue

Ran into an issue requesting a new UCC for a new Exchange 2007 box.  Tried to request the UCC according to directions posted here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_24324809.html

Getting the UCC approved for "server", "owa.externaldomain.com", and "autodiscover.externaldomain.com" were easy enough.  But I have been unable to get approval for "server.internaldomain.com" because we don't own "www.internaldomain.com".

This is problematic because when I enable the certificate for the IIS service, it becomes active for OWA (which I want) but then returns the following when configuring Outlook on an internal workstation:

***
server.internaldomain.com

Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's security certificate.

The security certificate is from a trusted certifying authority.

The security certificate date is valid.

The name on the security certificate is invalid or does not match the name of the site.
***

I called our certificate provider for advice, and the tech's suggestion was to change our entire internal domain name to something we could own.  This seems rather extreme to have to rename our entire domain.

Is there a way to get "server.internaldomain.com" onto our certificate?  Alternately, is there a way to trick Outlook to look for just "server" on the certificate rather than "server.internaldomain.com"?  Or lastly, is there a way for the Exchange server to use the self-signed certificate for Outlook connections and the 3rd party certificate for all external connections (OWA, Activesync)?

Thanks!
Asked by: pcamis
Mestha commented:
There are two ways around this.
1. Some certificate providers will issue a certificate for a domain that you do not own, as long as it is NOT the common name. It depends on the provider and your relationship with them. I had a client who had the same problem and they got their certificates issued fine. Entrust I think they were from, but I could be wrong.

2. If your EXTERNAL DNS provider supports SRV records then you can use that method.
http://support.microsoft.com/kb/940881

Simon.
pcamis (author) commented:
Thanks Simon.  I tried to get the certificate issued again, but couldn't because our internal domain ends with a .com and is owned by somebody else.

From another source, I received the suggestion to run the following command from the Exchange shell:

set-clientaccessserver -Identity server -AutoDiscoverServiceInternalUri "https://autodiscover.externaldomain.com/Autodiscover/Autodiscover.xml"

It looks as though it's very similar to your second suggestion and seems to be doing the trick.  Instead of having autodiscover.externaldomain.com as a SRV record (which I could do), it's in there as an A record which seems to be working.
pcamis (author) commented:
Accepted solution (from author) does not fully resolve issue and could use further assistance
pcamis (author) commented:
Simon - I've since discovered that the solution I came up with is somewhat flawed.  Setting the client access server did allow Outlook to initially accept the security certificate.  But after setting up Outlook and after seemingly random intervals, Outlook would again prompt the user about the invalid name on the security certificate.  I'm trying to figure out how to induce the error to help troubleshooting, but have yet to figure out how to do so.

I'm going to try changing the autodiscover.externaldomain.com record from an A record to a SRV record with our DNS provider as you suggested, but do you think that will affect things within our domain?

Thank you VERY kindly for your assistance!
pcamis (author) commented:
I think I may have the answer... the solution I posted earlier seems to be only part of the full resolution.  See:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

In addition to changing the internal URL for the client access server, I also needed to change a few others (Web Services Virtual Directory, OAB Virtual Directory, & Active Sync Virtual Directory).

Going on 4 hours now, and no cert errors.  Here's hoping!
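The fix the author arrives at in the last two comments (repoint the Autodiscover internal URI plus the Web Services, OAB and ActiveSync virtual directories at a name that is on the UCC) is collected below as an added Exchange Management Shell example; it is not code from the thread or from the linked articles. It assumes a Client Access Server named "server", a UCC bound to the IIS service that lists autodiscover.externaldomain.com, and internal DNS that resolves that name to the server (the internal A record the author mentions). The final function is the check that was missing when the errors came back: it reads every internal URL Outlook will be handed through Autodiscover and confirms each host name is actually on the certificate.

```powershell
# Added example, not from the original thread. Run on the CAS in the Exchange Management Shell.
# Assumptions: CAS is "server"; the UCC bound to IIS contains autodiscover.externaldomain.com;
# internal DNS resolves that name to this server.

$server  = "server"
$extHost = "autodiscover.externaldomain.com"   # a name that IS on the certificate

# 1. Autodiscover internal URI (the command from the thread, with the closing quote)
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$extHost/Autodiscover/Autodiscover.xml"

# 2. The other internal URLs Autodiscover hands to Outlook; if any still carries
#    server.internaldomain.com, Outlook will raise the name-mismatch prompt again.
foreach ($vd in Get-WebServicesVirtualDirectory -Server $server) {
    Set-WebServicesVirtualDirectory -Identity $vd.Identity -InternalUrl "https://$extHost/EWS/Exchange.asmx"
}
foreach ($vd in Get-OABVirtualDirectory -Server $server) {
    Set-OABVirtualDirectory -Identity $vd.Identity -InternalUrl "https://$extHost/OAB"
}
foreach ($vd in Get-ActiveSyncVirtualDirectory -Server $server) {
    Set-ActiveSyncVirtualDirectory -Identity $vd.Identity -InternalUrl "https://$extHost/Microsoft-Server-ActiveSync"
}

# 3. Verify: every host name in an internal URL must appear in the IIS certificate's SAN list.
function Test-InternalUrlsOnCertificate($server) {
    # The certificate currently enabled for the IIS service on this CAS
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" }
    if ($cert -eq $null) { Write-Host "No certificate is enabled for IIS"; return $false }

    $sans = @()
    foreach ($d in $cert.CertificateDomains) { $sans += $d.ToString().ToLower() }

    # Collect the URLs Outlook learns through Autodiscover
    $urls = @()
    $urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    foreach ($vd in Get-WebServicesVirtualDirectory -Server $server) { $urls += $vd.InternalUrl }
    foreach ($vd in Get-OABVirtualDirectory -Server $server)         { $urls += $vd.InternalUrl }
    foreach ($vd in Get-ActiveSyncVirtualDirectory -Server $server)  { $urls += $vd.InternalUrl }

    $ok = $true
    foreach ($u in $urls) {
        if ($u -eq $null) { continue }
        $hostName = ([System.Uri]$u.ToString()).Host.ToLower()
        # Exact match only; a wildcard SAN (*.externaldomain.com) would need its own check
        if ($sans -contains $hostName) {
            Write-Host "OK        $hostName  ($u)"
        } else {
            Write-Host "MISMATCH  $hostName is not on the certificate  ($u)"
            $ok = $false
        }
    }
    return $ok
}

Test-InternalUrlsOnCertificate $server
```

Run the check again after any future certificate renewal: a replacement UCC that drops a SAN reproduces the same intermittent Outlook prompt. Mestha's second option (the SRV record from KB 940881 at the external DNS provider) only changes how clients locate the Autodiscover endpoint; the internal URLs above must still point at names the certificate covers.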