Solved

How to fix SSL error in Outlook 2007?

Posted on 2010-08-18
696 Views
Last Modified: 2012-05-10
We are running Exchange 2007 and Outlook 2007.  Every time someone opens Outlook 2007 they are getting an SSL certificate error.  See attached document for the exact error.  How do I fix this?
ssl-error.docx
Question by:amoos
38 Comments
 
Expert Comment by:endital1097
ID: 33466771
it looks like the certificate you installed is something like
mail.yourdomain.com
which is used for external connections

internally your users are connecting to
exchangeserver2.yourdomain.local
which doesn't match the name on the certificate

there are a couple of options
1. update the certificate to include the url shown in the error
2. update internal url values to use the same fqdn as the external urls (requires split brain DNS, where domain.com DNS zones exist internally and externally)

Expert Comment by:Gavincr001
ID: 33466786
Have you tried adding the url to trusted or local sites on IE?

if that works you could add the site for everyone using Group Policy.

Expert Comment by:sunnyc7
ID: 33466817
Going along endital's lines, you can use this tool to install / reinstall certs.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

Run this on exch shell and output the results here

get-exchangecertificate | fl

Expert Comment by:endital1097
ID: 33466822
adding the url to trusted or local will help with windows integrated authentication
this is a certificate name issue where the url does not exist within the certificate

Author Comment by:amoos
ID: 33466827
ok there are forward lookup zones in DNS for the internal and external.  now if i change the internal url to the external url will that cause any damage?  what is split brain DNS?

Expert Comment by:sunnyc7
ID: 33466845
is your local domain name same as external domain name ?

Expert Comment by:endital1097
ID: 33466887
split brain is when you have an external dns zone for the domain contoso.com that contains all DNS records for external access to contoso.com
you also have an internal dns zone for the domain contoso.com (contents depend on design)

in your instance you would want to have an internal dns zone for contoso.com that includes records with external ip address for systems that are not accessed internally
other records like exchange resources, you would put the internal ip addresses
so here you would create a record for mail.contoso.com (your external url value on virtual directories) and use the internal ip address of your cas server
then update your virtual directories with internal url values that match the external

Author Comment by:amoos
ID: 33466966
our local domain is a .local domain and the external is .org

from your explanation of split brain DNS then i have that already running.  great explanation.

here is the result for the get-exchangecertificate | fl  (i took out our servername)

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 11/21/2012 10:55:58 PM
NotBefore          : 11/21/2009 10:55:58 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 03F33083A41C69
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.dominicancampus.org, OU=Domain Control Validated,
                     O=mail.dominicancampus.org
Thumbprint         : B09DCA1FF3E7C0B0A9901A6FEEE47980D914EAB0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {exchangeserver, exchangeserver.ourdomain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchangeserver
NotAfter           : 11/20/2010 9:35:18 AM
NotBefore          : 11/20/2009 9:35:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 521603D03370D99149D232512351E605
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=exchangeserver
Thumbprint         : 1A2E91367BC29ACB40554BA4FF2D1371BF22A2B1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-EXCHANGESERVER}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-EXCHANGESERVER
NotAfter           : 11/11/2019 5:31:37 PM
NotBefore          : 11/13/2009 5:31:37 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 71E6123F472A26B141381C1325AB1086
Services           : None
Status             : Valid
Subject            : CN=WMSvc-EXCHANGESERVER
Thumbprint         : 4BD89A54F4C54598739E3F931C4E816068A41460

Expert Comment by:endital1097
ID: 33466991
you'll want to update your internal url values to match your external
here's an article that goes over it
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

Expert Comment by:sunnyc7
ID: 33467060
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}

>>
You have to issue it to

mail.dominicancampus.org (external FQDN - it's already there)
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)
mailserver.dominicancampus.local (internal server FQDN)
mailserver (exchange server name)

Here's how you can do it
http://help.godaddy.com/article/4976

comments on your existing
www.mail.dominicancampus.org,
>> Not required

mail.stcecilia.edu,
mail.aquinascollege.edu
mail.overbrook.edu
>> Are you hosting multiple domains in Exchange? If not, those are not required.

Expert Comment by:sunnyc7
ID: 33467086
@endital
What do you think about re-keying the cert, instead of split-braining it ?

Expert Comment by:endital1097
ID: 33467134
@sunnyc7
if you can update the certificate it is the easiest path, and i agree with you on doing it
i've had too many instances where that isn't an option and i have to work around

Author Comment by:amoos
ID: 33467372
mail.dominicancampus.org (external FQDN - it's already there)

autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert) Add this to the internal dns?

mailserver.dominicancampus.local (internal server FQDN) already in dns

mailserver (exchange server name)  already in dns


if i do this "you'll want to update your internal url values to match your external" will i be hurting or breaking anything?

Expert Comment by:endital1097
ID: 33467554
mail.dominicancampus.org is already configured within internal DNS, and does it point to the internal ip address of your cas server?

it will not break anything as long as name resolution is working

Author Comment by:amoos
ID: 33467570
mail.dominicancampus.org is already configured within internal DNS, and does it point to the internal ip address of your cas server?

yes it points to the internal IP

Author Comment by:amoos
ID: 33467577
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)

Add this to the internal dns?

so autodiscover.dominicancampus.org needs to point to the exchangeserver internal ip?

Expert Comment by:endital1097
ID: 33467608
you can get around not having that record
let's get past this part first

Expert Comment by:endital1097
ID: 33467625
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites

Author Comment by:amoos
ID: 33467794
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites

this all works great with no errors.

but outlook 2007 clients still have the certificate error.  our exchange server is running on server 2008 if that helps

Expert Comment by:endital1097
ID: 33467833
you need to update the url settings for your vdirs

set-webservicesvirtualdirectory yourserver\ews* -internalurl https://mail.dominicancampus.org/ews/exchange.asmx

and the other urls used by autodiscover

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

Author Comment by:amoos
ID: 33468144
this is the error i get in powershell when i run the command Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml

Set-ClientAccessServer : A parameter cannot be found that matches parameter nam
e 'AutoDiscoverServiceInternalUrl'.
At line:1 char:82
+ Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml

Expert Comment by:endital1097
ID: 33468175
it is AutoDiscoverServiceUri
not Url - common mistake

Author Comment by:amoos
ID: 33468322
when i change the l to an i and rerun it i still get an error.  below is everything i typed

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-WebServicesVirtualDirect
ory | Select Name, *url* | fl


Name                 : EWS (Default Web Site)
InternalNLBBypassUrl : https://exchangeserver2.dominicancampus.local/ews/exchan
                       ge.asmx
InternalUrl          : https://exchangeserver2.dominicancampus.local/EWS/Exchan
                       ge.asmx
ExternalUrl          :



[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/EWS/Exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/EWS/Exchange.asmx
[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/ews/exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/ews/exchange.asmx

Expert Comment by:endital1097
ID: 33468375
Set-WebServicesVirtualDirectory -Identity Exchangeserver2\EWS* -InternalUrl https://mail.dominicancampus.org/ews/exchange.asmx

only the set clientaccessserver is uri

Expert Comment by:sunnyc7
ID: 33468440
It will work like this also

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"

Author Comment by:amoos
ID: 33468448
this is what i get with the next virtual directory

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-UMVirtualDirectory -Iden
tity: "UnifiedMessaging <Default Web Site>" -InternalUrl:https://mail.dominicanc
ampus.org/UnifiedMessaging/Service.asmx
Set-UMVirtualDirectory : The operation could not be performed because object 'U
nifiedMessaging <Default Web Site>' could not be found on domain controller 'ca
mpusdomaincon.dominicancampus.local'.
At line:1 char:23
+ Set-UMVirtualDirectory  <<<< -Identity: "UnifiedMessaging <Default Web Site>"
 -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx

Expert Comment by:endital1097
ID: 33468461
you always need to put the server name in front

-Identity Exchangeserver2\Unified*

Expert Comment by:sunnyc7
ID: 33468469
Why are you setting Set-UMVirtualDirectory ?

I thought we were dealing with set-webservicesvirtualdirectory?

Expert Comment by:sunnyc7
ID: 33468487
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"

Author Comment by:amoos
ID: 33468494
so then it needs to be?

Set-UMVirtualDirectory -Identity: Exchangeserver2\UnifiedMessaging -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx

Author Comment by:amoos
ID: 33468515
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"

i did this one and it worked very nicely.  i was trying to update the unified messaging virtual directory now

Expert Comment by:endital1097
ID: 33468526
you can use that same format for all
get-umvirtualdirectory | set-umvirtualdirectory
get-oabvirtualdirectory |set-oabvirtualdirectory
0
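As an added check that is not from this thread or from Microsoft: once the virtual directory URLs have been changed with the Get-/Set- pipelines above, this script lists every URL the Client Access server hands to Outlook through Autodiscover and flags any whose host name is not on the IIS certificate, which is exactly the condition behind the Outlook 2007 warning. It assumes the Exchange Management Shell on the CAS, a placeholder server name in $Server, and a helper Test-NameCovered written here (it also handles wildcard names, which the thread's certificate does not use).

```powershell
# Added example (not from this thread): audit the Client Access URLs Outlook uses against
# the names on the certificate bound to IIS. Outlook's SSL warning means a URL whose host
# name is not on that certificate. Run in the Exchange Management Shell on the CAS;
# $Server is a placeholder for your own server name.
$Server = 'EXCHANGESERVER2'

# Does a certificate name cover a host? Exact match, or a one-label wildcard
# (*.contoso.com covers mail.contoso.com but not contoso.com or a.b.contoso.com).
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }          # -eq is case-insensitive
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                    # ".contoso.com"
            if ($HostName.Length -gt $suffix.Length -and $HostName.EndsWith($suffix)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# The certificate Outlook actually sees: the valid one with the IIS service enabled.
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Status -eq 'Valid' -and ($_.Services -match 'IIS') } |
    Select-Object -First 1
if (-not $iisCert) { throw 'No valid certificate is enabled for IIS on this server.' }
$certNames = [string[]]$iisCert.CertificateDomains
Write-Host ('IIS certificate names: ' + ($certNames -join ', '))

# Every URL handed to Outlook via Autodiscover. InternalNLBBypassUrl is left out on
# purpose: it is used server-to-server and normally keeps the server's own FQDN.
$urls = @()
$urls += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-UMVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri

# Report each distinct host name once, flagging those the certificate does not cover.
$urls | Where-Object { $_ } | ForEach-Object { $_.Host } | Sort-Object -Unique |
    Select-Object @{Name = 'HostName'; Expression = { $_ }},
                  @{Name = 'CoveredByCert'; Expression = { Test-NameCovered -HostName $_ -CertNames $certNames }} |
    Format-Table -AutoSize
```

Any row showing CoveredByCert = False is a URL that still needs to be changed to a name on the certificate (or the certificate re-keyed to include it).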
 
Expert Comment by:sunnyc7
ID: 33468527
Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx"

Author Comment by:amoos
ID: 33468621
when i run the below it just sits there

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-UMVirtualDirectory | Set
-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessag
ing/Service.asmx
>> Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.do
minicancampus.org/UnifiedMessaging/Service.asmx"

Accepted Solution by:endital1097 (earned 500 total points)
ID: 33468646
you can either press the Enter key to see if it stops or Ctrl+C

Author Comment by:amoos
ID: 33468656
Success!!!!!!!!!!!  you are the best.  i wish i could give you 10000 points.  thank you so much

Expert Comment by:endital1097
ID: 33471393
I wrote an article today on this subject. Please review and mark as helpful if you find it so. Thanks.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html

Expert Comment by:sunnyc7
ID: 33471430
Dude..
I have been trying to write an article on autodiscover OAB and OOF for about 3/4 weeks now, but never sat down to do that.

will review and send my comments.

thanks
Question has a verified solution.