Outlook Certificate Issues w/SBS 2008

Hey All-

I'm at my wits' end on this one - with every SBS 2008 install we've done we have purchased a custom SSL cert and installed according to the best practice method we've seen over at Sean Daniel's blog.

The problem is - we always end up with those pop-ups stating the cert doesn't match the site name every time someone opens Outlook. We've scoured everywhere and came across this article that seems to be perfect: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

The problem is not everything in this article is possible on SBS 2008. We were able to redirect the autodiscover records but other items like the OAB etc don't work. We keep getting errors saying the site doesn't exist.

Is there someone out there who has resolved this problem? We'd love to get this fix documented and applied once and for all. It's such a minor thing but it's annoying to know there must be a solution.


Did you get a SAN SSL Cert on single-domain?
Did you get an intermediate cert with this, like from GoDaddy?
Did you download the cert for IIS7?
Here is the process I go through:
Even though in SBS 2008 a Self-Signed Certificate is supported for use with domain-joined Microsoft Office Outlook 2007 clients and Outlook Web Access, I do not recommend long term use of the self-signed certificate for any purpose other than encrypting communications between Exchange 2007 servers within your organization. I recommend that to support many, if not all, of the Client Access server features such as Exchange ActiveSync, Outlook Web Access, and Outlook Anywhere, you obtain a certificate from either a Windows PKI or a trusted third-party CA and make sure that this certificate is imported using the SBS Console SSL Certificate wizard.
When you run the Internet Address Wizard you need to just tell it you already have a domain and you will manage it yourself. This should let the wizard complete and configure Exchange with the proper SMTP addresses. I also never let the wizard configure my router. I'm usually a wizard guy but this is one area I feel more comfortable in setting up the router myself, and it usually fails if the router isn't UPnP.
When it asks for your external address I would use the default "externaldomain.com" or "remote.externaldomain.com".
Then create a multi-domain certificate from GoDaddy or someone like that. The configuration of the Subject Alternative Names (SAN) would be something like this:
There are others you could use but these are the basics.
You will need to modify your existing external DNS with these records that are externaldomain.com. I prefer to use a wildcard * to redirect everything that is not specified. The wizards will configure the rest for internaldomain.local.
This normally takes care of internal issues and external issues.
Hope this helps.
Your certificate needs to be issued for the subdomain your mail server is on and be installed on your Exchange server. The certificate should not be made for you .yourdomain.com; it needs to be mail.exchangeserver.com. Substitute mail for the actual subdomain and substitute exchangeserver for your domain name.
Pachoey71Author Commented:

We purchased the certificate from GoDaddy.  It is a single domain cert for remote.customername.com.

It sounds like the issue is that we need the multi-domain certificate - is this correct?

So we should go back to GoDaddy - purchase a multi-domain certificate - and then install this in the same manner we installed the single domain cert.  This new multi-domain would replace our old cert and would respond to the problem sites like sites.internaldomain and autodiscover.internaldomain so we would no longer have the pop-ups.

Is this accurate?  if so - we'll give this a go and come back to flag the solution.

@Krzyview, I would tend to agree with you but you don't know how I've been chastised for doing that :-). So I now offer both; I personally have never used the domain.com but always the remote.domain.com. But I put it out there because of different points of view :-). Hope this helps.
I know but I don't know if you get a multi domain certificate it will work because of it actually being on a different server unless you run the web interface with a PHP Include by importing it into a web host side function in a way. Did I say that right?
Pachoey71Author Commented:
Guys,  All sites are on the same server since it is SBS 2008.  So autodiscover, remote, sites, netbiosname.internaldomain.local - are ALL on the same box.

Can you guys respond to my comment above?

Yes, go with the SAN it will make your life better.
Yes then go with the multi domain cert and yes install it the same way as you would any other cert.
Pachoey71Author Commented:
Actually found a video on netometer.com that walks you through the process.

The UCC is recommended - BUT - there is a way to do this with one cert.

Testing then I'll come back and assign credit.
Pachoey71Author Commented:
OK - I'll give credit here as the UCC would clearly be a good way to go - BUT - it's hardly required for SBS 2008.  I just made all the adjustments using a single domain cert on SBS 2008/Exchange 2007.

You simply need to configure your internal and external URLs under Get-WebServicesVirtualDirectory so they both respond to the certificate you purchased - remote.customername.com

Then you need Enable-ExchangeCertificate to respond to IMAP,POP,IIS,SMTP

Once this is done you finalize your configuration in the Make changes to Server Configuration, Client Access
Set Hub Transport to Use external URL for OWA
Under OWA, Exchange ActiveSync, OAB - configure internal and external URLs - again to use the single domain

Finally verify IMAP and POP Settings which you actually set in the Enable-ExchangeCertificate above.

This resolved the pop-up issues and will most likely address the other common problem of Out Of Office functionality not responding.
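Written out as Exchange Management Shell commands, the single-certificate approach above looks like this; this is an added example, not the poster's own commands. It assumes the certificate name remote.customername.com from the thread, the Exchange 2007 SP1 cmdlet parameters, and that internal DNS resolves that name to the server's LAN address.

```powershell
# Added example: make every Client Access URL use the one name on the
# purchased certificate, then bind that certificate to the services.
# Assumed: remote.customername.com is the certificate's common name and
# an internal DNS record for it points at the SBS box (split DNS).
$ExternalHost = "remote.customername.com"
$Base         = "https://$ExternalHost"

# 1. Internal and external URLs for EWS, OAB and ActiveSync. Outlook only
#    warns when it connects to a name the certificate does not cover, so
#    the internal URLs must use the certificate name as well.
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory `
    -InternalUrl "$Base/EWS/Exchange.asmx" `
    -ExternalUrl "$Base/EWS/Exchange.asmx"

Get-OabVirtualDirectory | Set-OabVirtualDirectory `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
    -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# SBS 2008 also carries legacy OWA directories; only touch the "owa" one.
Get-OwaVirtualDirectory | Where-Object { $_.Name -like "owa*" } |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"

# Domain-joined Outlook finds Autodiscover through the SCP in Active
# Directory, so that URI has to carry the certificate name too.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutodiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 2. Bind the purchased (non-self-signed) certificate to IIS, SMTP, POP, IMAP.
$Cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*CN=$ExternalHost*" -and -not $_.IsSelfSigned } |
    Select-Object -First 1
if ($Cert -eq $null) { throw "No third-party certificate for $ExternalHost found" }
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 3. Check: every URL and the SCP should now show the certificate host,
#    and the certificate should list the four services.
Get-WebServicesVirtualDirectory | Format-List Name, InternalUrl, ExternalUrl
Get-OabVirtualDirectory        | Format-List Name, InternalUrl, ExternalUrl
Get-ClientAccessServer         | Format-List Name, AutodiscoverServiceInternalUri
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint | Format-List Subject, Services
```

After the change, run "Test E-mail AutoConfiguration" from the Outlook tray icon on a client: every returned URL should start with https://remote.customername.com, or the pop-up will return.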

Yep, seen most of the other concepts before, some say they have made it work I've never been able to do so. Being in the business for my clients I normally do what makes practical sense and recommended best practices. It reminds me of when techs would overclock their cpu's to make 'em go faster, of course until they burned up, the lesson is, just 'cause you can should you?
Hmm, this doesn't seem like a proper solution but hey, if you want to spend days figuring that out then go ahead. It's more practical and a lot simpler to pay for the multi-domain certificate which will work for all your subdomains rather than bypassing practical real world techniques.
@krzyview, my sentiments exactly. In fact I think I'll go to my favorite warez site and d/l the latest version of sbs 2008 :-). I could say more but I'll hold my tongue ;-).
Well to each his own. He may be trying to spam the world for all we know.
The solution to this question that the original poster has made for the problem is not a solution. It's a fix that shouldn't be done to follow proper techniques of setting up Exchange servers. Please use the suggestions from me and @conchcrawl to resolve your problems.