Solved

Certificate error on Outlook 2007 with new Exchange 2007 server

Posted on 2009-05-04
Last Modified: 2012-08-13
I just deployed a new Exchange 2007 server on a Windows 2008 platform. I have installed my SSL certificate from Verisign. When Outlook 2007 clients attach to the new server, they receive the following warning: "The name on the security certificate is invalid or does not match the name of the site."

Users can click through the warning and attach fine with Outlook 2007. Outlook users coming in with OWA or Outlook 2003 do not get this error.

I've researched and know my issue has something to do with not using a "SAN certificate", but I am under the impression I can get this fixed using my standard SSL certificate.

I currently have the SSL certificate issued to "mail.mydomain.org." My internal server name is MAIL01. If I reissue my SSL certificate and use a simple name of mail01.mydomain.org and change my external DNS to point mail01.mydomain.org correctly, do you think I can solve this error with Outlook 2007?

In the end the SSL certificate would be registered to mail01.mydomain.org, which is the internal name of my mail server. Outlook 2007 should no longer complain and give the warning would it? I then could just tell users who want to use OWA to go to https://mail01.mydomain.org.

Please let me know if my thinking is logical to fix this problem, or if there is something else I should do. I would like your feedback before I go and get a reissue from Verisign. Thanks.
Question by:EvilPeppard
6 Comments
 

Accepted Solution

by:
Debug-Exchange earned 2000 total points
ID: 24296881
I believe this might resolve your issue
http://support.microsoft.com/kb/940726
0
 

Expert Comment

by:JOWEN_NCRC
ID: 24297215
First post so I'm not sure about the formatting.
Just bear with me.

I read all the articles and just could not get it right.  I threw in the towel and I spent the money for a support incident with M$ for this same issue.  

This is what I did with help from the Exchange Tech.  Keep in mind I want to eventually convert my Laptop users from VPN sync to Outlook via the web.

Added a SRV record for "AutoDiscover" to my External DNS.  http://support.microsoft.com/kb/940881

Then I followed the KB referenced in the post above. http://support.microsoft.com/kb/940726

The KB was a bit confusing for me so here is an example of the Exchange Management Shell commands.  



Set-ClientAccessServer -Identity internal-exchange-server-name -AutodiscoverServiceInternalUri https://owa.your-external-domain.com/autodiscover/autodiscover.xml 
 
Set-WebServicesVirtualDirectory -Identity "internal-exchange-server-name\EWS (Default Web Site)" -InternalUrl 
 
Set-OABVirtualDirectory -Identity "internal-exchange-server-name\oab (Default Web Site)" -InternalUrl https://owa.external-domain.com/oab
 
iisreset


0
 

Author Closing Comment

by:EvilPeppard
ID: 31577628
This solution worked for me.

I was a little sketchy on where to add spaces in the commands, specifically around the (Default Web Site) sections, but once I did, the commands completed fine.

My error is now gone on internal Outlook 2007 clients and my external OWA all work with no warnings. I did not have to have my certificate reissued.

Thank you for the help.
0
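Added example, not part of any post in this thread: a PowerShell check that every URL handed to Outlook 2007 uses a host name present on the certificate, which is the condition the KB 940726 change restores. The function names and sample URLs are constructed for illustration (PowerShell 2.0 or later assumed), and the wildcard handling goes beyond the single-name case discussed here; on a live server the URLs would be read with the Get- counterparts of the Set- cmdlets shown above.

```powershell
# Added example. True when $HostName is covered by one of the certificate names.
function Test-HostAgainstCertName {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label.
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
        elseif ($HostName -ieq $name) { return $true }
    }
    return $false
}

# One result row per configured URL: setting name, host in the URL, match or not.
function Get-UrlCertNameCheck {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($key in ($Urls.Keys | Sort-Object)) {
        $urlHost = ([System.Uri]$Urls[$key]).Host
        New-Object PSObject -Property @{
            Setting = $key
            UrlHost = $urlHost
            Match   = (Test-HostAgainstCertName -HostName $urlHost -CertNames $CertNames)
        }
    }
}

$certNames = @('mail.mydomain.org')   # single-name certificate from the question

# Constructed sample: internal URLs still built on the server's internal name.
$before = @{
    AutodiscoverServiceInternalUri = 'https://mail01/autodiscover/autodiscover.xml'
    EwsInternalUrl                 = 'https://mail01/ews/exchange.asmx'
    OabInternalUrl                 = 'https://mail01/oab'
}
# Constructed sample: the same settings after pointing them at the certificate name.
$after = @{
    AutodiscoverServiceInternalUri = 'https://mail.mydomain.org/autodiscover/autodiscover.xml'
    EwsInternalUrl                 = 'https://mail.mydomain.org/ews/exchange.asmx'
    OabInternalUrl                 = 'https://mail.mydomain.org/oab'
}

Get-UrlCertNameCheck -Urls $before -CertNames $certNames | Format-Table Setting, UrlHost, Match
Get-UrlCertNameCheck -Urls $after  -CertNames $certNames | Format-Table Setting, UrlHost, Match
```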

Expert Comment

by:aletjolly
ID: 24297583
Hello,

The link: "http://technet.microsoft.com/en-us/library/bb332063.aspx" explains all about the Exchange 2007 Autodiscover.
You kinda have a single name Certificate and to resolve your issue there are like 4 scenarios which you can read through and implement the best which suits you.

Hope I have addressed your concerns
0
 

Expert Comment

by:mariaworld
ID: 26096893
I have the exact same scenario. I followed the instructions in: http://support.microsoft.com/kb/940726. Basically, I changed all internal URLs to my externally certified site: https://webmail.mypublicdomain.com. Once I completed those steps and restarted the AppPool, I closed and re-launched Outlook on my machine and at startup it asked me for my username and password, and any combination thereof (i.e. domain/username, just username, etc.) would not log me into Outlook.

Am I just impatient? Should I have waited longer for settings to take effect, or should I have restarted some other services?

For the time being, I'd rather my users have the certificate error than not be able to log on at all.

M

0
 

Expert Comment

by:mariaworld
ID: 26097232
Sorry. Never mind. I reissued the commands per 940726, and now it works like a champ. I had cut and pasted them, so I know I didn't have a typo, but after re-entering them at the cmd shell, the certificate errors went away and I had no problems logging into Outlook.
0
