Certificate on Exchange 2007 OWA causes Security Alert in Outlook 2007

We installed a Network Solutions SSL security certificate to our Exchange Server in order to get rid of the security alert on our OWA connections, and achieved what we set out to do. As a result of the process, however, our Outlook clients now receive a Security Alert when opening Outlook 2007: "The name on the security certificate is invalid or does not match the name of the site." After clicking "Yes" a couple of times in order to proceed, we work fine in Outlook, but it is an extreme annoyance. How do we fix it?
VillaVerdeAgua Asked:
 
Glen Knight Commented:
You need a SAN/UCC Certificate (http://www.godaddy.com) with the following names in:

autodiscover.domainname.com
owa.domainname.com (or whatever your OWA URL is)
servername.domainname.local (internal FQDN of your server)
SERVERNAME (NETBIOS name of your server)

You will also need to configure an A record for autodiscover to point to the same IP address as your webmail address in the DNS that controls your external domain name.
0
 
lastlostlast Commented:
Check MS KB http://support.microsoft.com/kb/940726

It is a known issue if you install a single name certificate on Exchange 2007. You will need to modify the Internal URLs for Autodiscover, EWS, OAB, UM...

Also make sure that the external URL that you have is resolvable in the Internal DNS.

Let us know how it goes.
0
 
Satya Pathak (Lead Technical Consultant) Commented:
Unlike Outlook 2003, Outlook 2007 connects not only to your Client Access Server "external.company.com" but also connects to webservices running on your CAS for "Offline Addressbook, Availability Service and Unified Messaging"

Please go through.
http://www.pro-exchange.eu/modules.php?name=News&file=article&sid=345
http://www.folin.se/index.php/2008/09/04/outlook-2007-security-alert-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site/michaelfolin
0
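The name check behind the alert discussed in the answers above, as an added example (not code from any poster, from Microsoft, or from Exchange itself): it lists which service hosts a certificate's names fail to cover, for the single-name certificate, the SAN/UCC certificate, and the changed internal URLs. The hostnames are the thread's placeholders; the URL paths, the sample data and the helper names `name_matches` and `uncovered` are assumptions made for illustration, and the wildcard handling goes beyond the cases in the thread.

```python
from urllib.parse import urlsplit

def name_matches(cert_name, host):
    """Case-insensitive compare; '*' may replace only the whole left-most label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        # *.a.com covers x.a.com, but not a.com and not x.y.a.com
        head, _, tail = host.partition(".")
        return bool(head) and tail == cert_name[2:]
    return False

def uncovered(cert_names, service_urls):
    """Return {service: host} for each URL whose host no certificate name covers."""
    missing = {}
    for service, url in service_urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(name, host) for name in cert_names):
            missing[service] = host
    return missing

# Constructed sample data built from the thread's placeholder names.
INTERNAL = "servername.domainname.local"
DEFAULT_URLS = {
    "Autodiscover": f"https://{INTERNAL}/Autodiscover/Autodiscover.xml",
    "EWS": f"https://{INTERNAL}/EWS/Exchange.asmx",
    "OAB": f"https://{INTERNAL}/OAB",
    "UM": f"https://{INTERNAL}/UnifiedMessaging/Service.asmx",
}
# Same services after the internal URLs are changed to the certificate's name.
REPOINTED_URLS = {s: u.replace(INTERNAL, "owa.domainname.com")
                  for s, u in DEFAULT_URLS.items()}
SINGLE_NAME_CERT = ["owa.domainname.com"]
SAN_CERT = ["autodiscover.domainname.com", "owa.domainname.com",
            "servername.domainname.local", "SERVERNAME"]

if __name__ == "__main__":
    cases = [("single-name cert, default URLs", SINGLE_NAME_CERT, DEFAULT_URLS),
             ("SAN/UCC cert, default URLs", SAN_CERT, DEFAULT_URLS),
             ("single-name cert, repointed URLs", SINGLE_NAME_CERT, REPOINTED_URLS)]
    for label, names, urls in cases:
        print(label, "->", uncovered(names, urls) or "every host covered")
```

Any host the function reports is one where a client would see the "name does not match" alert; an empty result means every URL in the set is covered by the certificate.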
 
Glen Knight Commented:
Please don't modify the internal URL, the correct way to do this is to get a SAN/UCC certificate.

They are about $60 per year and it's not worth not doing it, it will cost you more than that in lost time trying to resolve all the issues.
0
 
lastlostlast Commented:
It is not necessary to have a SAN/UCC certificate... If he has already made a purchase of the single name certificate why waste more $$ on SAN/UCC Certs??

I agree that with a single name certificate there is a little more administrative task but then it is a one-time configuration... We can always configure autodiscover using an SRV record in the Public DNS...
apart from that I don't think there are any other modifications to do...

Following 2 simple articles would be better than to waste extra $$$ on a SAN/UCC certificate.
0
 
Glen Knight Commented:
There are very few public DNS that will allow you to or support the creation of SRV records.

For $60 a year it really is a no brainer. If you start changing settings that shouldn't be changed you are then moving away from the "standard" and why would you want to?
0
 
VillaVerdeAgua (Author) Commented:
These answers conflict with each other, but one (or both) is, or will be, the correct answer. Points mostly awarded for pointing us in the right direction. Detailed directions would have merited an A.
0
 
Glen Knight Commented:
Perhaps if you had come back and advised what you were not sure about we could have helped you more?
0
 
VillaVerdeAgua (Author) Commented:
No complaints on this end, demazter. It's just that we haven't uncovered a real solution yet, in light of larger priorities to try your solutions out, and also in light of EE's typical impatience to slam shut these highly technical Q&As in all haste. My comments were directed toward a "fuzziness" of the answers in relation to our circumstances (for example, telling us to purchase a certificate from one place when it was noted we already had one; or proposing we change our DNS provider, etc.), besides it appearing to be unclear that there isn't some angle to correct this problem within Exchange itself. The solutions are good and sound, and are much appreciated.
0
 
Glen Knight Commented:
Apologies that the comments from some of the other experts made things fuzzy, the first comment I provided was correct.

I merely stated your certificate needed to be a SAN/UCC certificate and gave an example of where to get this from because you didn't make it clear if you had one that was a SAN/UCC.

It's all moot now anyway.
0
Question has a verified solution.
