ashjuv

asked on

Outlook 2007 clients cannot connect to exchange 2007 after changing the internal urls on the certificates

Hello Experts

After deploying Exchange 2007, we were having issues where Outlook 2007 clients were getting a certificate mismatch error when connecting to the Exchange server. So, following the Microsoft article http://support.microsoft.com/kb/940726, I changed the internal URL for the Exchange components to the external URL and created an appropriate entry in DNS.

Now the issue is Outlook 2007 clients cannot connect to Exchange 2007; the client seems to not be able to authenticate to the server. They get a login prompt to connect to "mail.contoso.com" (as an example), and in the top portion of the window it says connect to "server.domain.local".

Has anyone come across this issue? I have tried researching this issue on the internet but didn't find anything that makes much sense.

Please and thanks
Mestha

What exactly did you deploy?
Was it a commercial certificate, a self signed certificate?
Multiple names or a single name?

Exchange is designed to be used with UC/SAN certificates, which will contain all of the required names. I have instructions on my blog here:
http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

Otherwise it isn't clear what exactly you have done, so further advice isn't possible.

Simon.
ashjuv (ASKER)

Hello

What exactly did you deploy?
>> Exchange 2007 Standard (if that's what you are asking: a single server with everything on it for a handful of clients)
Was it a commercial certificate, a self signed certificate?
>> The default self signed Exchange 2007 certificate
Multiple names or a single name?
>> Not sure if it is multiple names or single name, how do I check??

I was getting an error message originally that "The name of the security certificate is invalid or does not match the name of the site". On the first hit on Google I found the article I have mentioned above, which basically talks about changing the internal URLs to the FQDN of the replacement certificate (the only difference was, I didn't have any replacement certificates or anything, so I am not sure why I was getting that error message in the first place):
    * The Service Connection Point object for the Autodiscover service
    * The InternalUrl attribute of Exchange 2007 Web Service (EWS)
    * The InternalUrl attribute of the Offline Address Book Web service
    * The InternalUrl attribute of the Exchange unified messaging (UM) Web service

Anyhow, I decided to give it a whirl and changed the internal URL on the certificate to the external name of the server, and also created a corresponding DNS entry. Sure enough, now the Outlook clients (internal) seem to not even be able to connect to the Exchange server. They are prompted to authenticate to the external name (that I changed on the certificates).

I guess things have gone pretty messed up, but nothing that experts can't untangle :)
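The asker's questions above ("how do I check" whether the certificate has multiple names, and why changing the four InternalUrl values left Outlook pointed at a name the certificate does not carry) can be answered from the Exchange Management Shell. The script below is an added example, not code from this thread, from Microsoft, or from the KB article it references: it reads the four locations the article changes (Autodiscover SCP, EWS, OAB and UM InternalUrl), finds the certificate that IIS presents to Outlook, and reports each URL whose host name is not on that certificate. It also prints whether that certificate is self-signed and when it expires, the two limitations quoted later in the thread. The `Get-*` cmdlets are the standard Exchange 2007 ones; `$Server` and the `Test-NameOnCertificate` helper are this example's own.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007 Client Access
# server. Reports which Autodiscover/EWS/OAB/UM URLs point Outlook at a host name that
# the IIS certificate does not carry. $Server defaults to the local machine (placeholder).
param(
    [string]$Server = $env:COMPUTERNAME
)

# The certificate with the IIS service enabled is the one Outlook sees over HTTPS.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate has the IIS service enabled on $Server"; return }

# Names on the certificate as plain strings (a multi-name/SAN cert lists several).
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

Write-Host ("Certificate {0}: self-signed={1}, expires={2}" -f $cert.Thumbprint, $cert.IsSelfSigned, $cert.NotAfter)
Write-Host ("Names on certificate: {0}" -f [string]::Join(", ", $certNames))

# $true when $HostName matches one of the certificate names exactly, or matches a
# wildcard entry such as *.contoso.com (wildcard covers exactly one DNS label).
function Test-NameOnCertificate([string]$HostName, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith("*.") -and ($HostName -ilike $d) -and
            ($HostName.Split('.').Length -eq $d.Split('.').Length)) { return $true }
    }
    return $false
}

# The four values KB 940726 has you change; each is a System.Uri, or $null if unset.
$checks = @(
    @{ Name = "Autodiscover SCP"; Uri = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri }
    @{ Name = "EWS InternalUrl";  Uri = (Get-WebServicesVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
    @{ Name = "OAB InternalUrl";  Uri = (Get-OABVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
    @{ Name = "UM InternalUrl";   Uri = (Get-UMVirtualDirectory -Server $Server | Select-Object -First 1).InternalUrl }
)

$problems = 0
foreach ($c in $checks) {
    if (-not $c.Uri) { Write-Host ("{0,-18} not set" -f $c.Name); continue }
    if (Test-NameOnCertificate -HostName $c.Uri.Host -Domains $certNames) {
        $state = "OK"
    } else {
        $state = "NOT ON CERTIFICATE"
        $problems++
    }
    Write-Host ("{0,-18} {1,-50} {2}" -f $c.Name, $c.Uri, $state)
}

if ($problems -gt 0) {
    Write-Warning ("{0} URL(s) send Outlook to a name the IIS certificate does not carry; " -f $problems +
                   "expect the 'name of the security certificate is invalid' error until the URLs and certificate names agree.")
}
```

Run it before and after changing any InternalUrl: every host name Outlook is told to use (including the internal server FQDN, if any URL still carries it) has to appear in the certificate's name list, which is why the thread keeps steering toward a single certificate that lists all the names rather than moving URLs around.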

If it was a self signed certificate that is your problem.
The default self signed certificate is designed as a placeholder only. You should switch to a commercial SAN/UC certificate which contains the various name combinations.

You can then change the URLs to match the internal and external URLs for the server as appropriate.

Simon.
ashjuv (ASKER)

Don't want to spend any more dollars on a cert purchase. Any other workarounds?
Using a self signed certificate is a false economy.

I don't know how much you are paid, but it doesn't take long before a $60 certificate becomes more cost effective than working out how to get a self signed certificate to work. And that is before you take into account getting that certificate to be accepted by all clients, and then repeating it when the certificate expires.

If you insist on using a self signed certificate, then I will drop off the question. I don't use self signed certificates in production for any reason whatsoever.

You spent the money on Exchange 2007, and you don't want to spend $60 on finishing the job off properly?

Simon.
ashjuv (ASKER)

Unfortunately not my call; it's the IT management, I'm a mere tech support. Anyways, you can move on. I am wondering if this is a technical support forum or a 'best practices' / 'I like IT environments this way only' forum.

Anyone else out there who knows if it is technically possible or not?
Alan Hardisty
I would have to agree with Mestha - and so do others in the following question, but read the accepted solution:
https://www.experts-exchange.com/questions/23824495/Self-Signed-SAN-Certificate-for-Exchange-2007.html
To be honest, the hassle that self-signed certs create is not really worth the time spent trying to fix them.
I bought a SAN / UCC cert for my Exchange 2010 rollout and it went without a hitch.
Can't find a useful link on how to go about creating a self-signed SAN / UCC certificate I am afraid.
Additionally, clients that are not members of your domain will not trust your certs, so users accessing OWA from personal PCs, public machines, etc. will not connect properly. You will also need to install the certificate chain on all mobile devices; no mobile devices will be able to connect at all because they will not trust your certificate.

Microsoft is very specific about using certs from a public CA (http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx):
"However, for external client access from the Internet into the network where Exchange is hosted, traditional certificate trust validation is required. It is a best practice to use a certificate issued by a public CA for trust validation. In fact, when certificate authentication is required, using a self-signed certificate is not a best practice and is strongly discouraged. We recommend that you use a certificate from a public CA for the following:
POP3 and IMAP4 client access to Exchange
Outlook Web Access
Outlook Anywhere
Exchange ActiveSync
Autodiscover
Domain Security
The best practice for all these is to use a public CA that is trusted by all clients by default."
There is no way to create a self signed certificate that covers all of the relevant names.
You could use a Windows CA, but that doesn't get you any further because it will not be trusted by the clients.

So, while it could be done, there is little point. If you look to the right you will see that I have amassed in excess of 8 million points in less than 12 months. I am a deployment specialist, an Exchange architect. I do deployments all the time. My experience tells me that trying to do anything with self signed certificates for the sake of saving $60 is a false economy.

If you choose to ignore my advice which is based on real life experience then there is nothing more that I can say or do.

Exchange 2007 is designed to be deployed with a commercial SSL certificate.
Outlook Anywhere and Exchange ActiveSync are not supported when used with a self signed certificate.

Simon.
Can't really argue with that!

Well put Simon.
Please read the section about the limitations of self-signed certificates from Microsoft if you are still convinced that you don't need a 3rd party SSL certificate:
http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
Extract (in case of link failure):
The following list describes some limitations of the self-signed certificate.
  • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
ashjuv (ASKER)

Sorry, can't use a third-party cert even if it cost 0 dollars. How do I fix the self-signed cert?
ashjuv (ASKER)

And oh, no one uses Exchange ActiveSync or Outlook Anywhere.
ASKER CERTIFIED SOLUTION
Hansaf
ashjuv (ASKER)

bravo!!! :)

As I said, "nothing that experts can't resolve" .........