  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 716

How to fix SSL error in outlook 2007??

we are running exchange 2007 and outlook 2007.  every time someone opens outlook 2007 they are getting an SSL certificate error.  see attached document for exact error.  how do i fix this?
ssl-error.docx
0
amoos
Asked:
1 Solution
 
endital1097Commented:
it looks like the certificate you installed is something like
mail.yourdomain.com
which is used for external connections

internally your users are connecting to
exchangeserver2.yourdomain.local
which doesn't match the name on the certificate

there are a couple of options
1. update the certificate to include the url shown in the error
2. update internal url values to use the same fqdn as the external urls (requires split brain dns, where domain.com DNS zones exist internally and externally)
0
 
Gavincr001Commented:
Have you tried adding the url to trusted or local sites on IE?

if that works you could add the site for everyone using Group Policy.
0
 
sunnyc7Commented:
Going along endital's lines you can use this tool to install / reinstall certs.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

Run this on exch shell and output the results here

get-exchangecertificate | fl
0
 
endital1097Commented:
adding the url to trusted or local will help with windows integrated authentication
this is a certificate name issue where the url does not exist within the certificate
0
 
amoosAuthor Commented:
ok there are forward lookup zones in DNS for the internal and external.  now if i change the internal url to the external url will that cause any damage?  what is split brain DNS?
0
 
sunnyc7Commented:
is your local domain name same as external domain name ?

0
 
endital1097Commented:
split brain is when you have an external dns zone for the domain contoso.com that contains all DNS records for external access to contoso.com
you also have an internal dns zone for the domain contoso.com (contents depend on design)

in your instance you would want to have an internal dns zone for contoso.com that includes records with external ip address for systems that are not accessed internally
other records like exchange resources, you would put the internal ip addresses
so here you would create a record for mail.contoso.com (your external url value on virtual directories) and use the internal ip address of your cas server
then update your virtual directories with internal url values that match the external
0
 
amoosAuthor Commented:
our local domain is a .local domain and the external is .org

from your explanation of split brain DNS then i have that already running.  great explanation.

here is the result for the get-exchangecertificate | fl  (i took out our servername)

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 11/21/2012 10:55:58 PM
NotBefore          : 11/21/2009 10:55:58 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 03F33083A41C69
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.dominicancampus.org, OU=Domain Control Validated,
                     O=mail.dominicancampus.org
Thumbprint         : B09DCA1FF3E7C0B0A9901A6FEEE47980D914EAB0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {exchangeserver, exchangeserver.ourdomain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchangeserver
NotAfter           : 11/20/2010 9:35:18 AM
NotBefore          : 11/20/2009 9:35:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 521603D03370D99149D232512351E605
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=exchangeserver
Thumbprint         : 1A2E91367BC29ACB40554BA4FF2D1371BF22A2B1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-EXCHANGESERVER}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-EXCHANGESERVER
NotAfter           : 11/11/2019 5:31:37 PM
NotBefore          : 11/13/2009 5:31:37 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 71E6123F472A26B141381C1325AB1086
Services           : None
Status             : Valid
Subject            : CN=WMSvc-EXCHANGESERVER
Thumbprint         : 4BD89A54F4C54598739E3F931C4E816068A41460
0
 
endital1097Commented:
you'll want to update your internal url values to match your external
here's an article that goes over it
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
0
 
sunnyc7Commented:
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}

>>
You have to issue it to

mail.dominicancampus.org (external FQDN - it's already there)
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)
mailserver.dominicancampus.local (internal server FQDN)
mailserver (exchange server name)

Here's how you can do it
http://help.godaddy.com/article/4976

comments on your existing
www.mail.dominicancampus.org,
>> Not required

mail.stcecilia.edu,
mail.aquinascollege.edu
mail.overbrook.edu
>> Are you hosting multiple domains in exchange. If not - those are not required.
0
 
sunnyc7Commented:
@endital
What do you think about re-keying the cert, instead of split-braining it ?
0
 
endital1097Commented:
@sunnyc7
if you can update the certificate it is the easiest path, and i agree with you on doing it
i've had too many instances where that isn't an option and i have to work around
0
 
amoosAuthor Commented:
mail.dominicancampus.org (external FQDN - it's already there)

autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert) Add this to the internal dns?

mailserver.dominicancampus.local (internal server FQDN) already in dns

mailserver (exchange server name)  already in dns


if i do this "you'll want to update your internal url values to match your external" will i be hurting or breaking anything?
0
 
endital1097Commented:
mail.dominicancampus.org is already configured within internal DNS and does it point to the internal ip address of your cas server

it will not break anything as long as name resolution is working
0
 
amoosAuthor Commented:
mail.dominicancampus.org is already configured within internal DNS and does it point to the internal ip address of your cas server

yes it points to the internal IP
0
 
amoosAuthor Commented:
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)

Add this to the internal dns?

so autodiscover.dominicancampus.org needs to point to the exchangeserver internal ip?
0
 
endital1097Commented:
you can get around not having that record
let's get past this part first
0
 
endital1097Commented:
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites
0
 
amoosAuthor Commented:
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites

this all works great with no errors.

but outlook 2007 clients still have the certificate error.  our exchange server is running on server 2008 if that helps
0
 
endital1097Commented:
you need to update the url settings for your vdirs

set-webservicesvirtualdirectory yourserver\ews* -internalurl https://mail.dominicancampus.org/ews/exchange.asmx

and the other urls used by autodiscover

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
0
 
amoosAuthor Commented:
this is the error i get in powershell when i run the command Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml

Set-ClientAccessServer : A parameter cannot be found that matches parameter nam
e 'AutoDiscoverServiceInternalUrl'.
At line:1 char:82
+ Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml
0
 
endital1097Commented:
it is AutoDiscoverServiceUri
not Url - common mistake
0
 
amoosAuthor Commented:
when i change the l to an i and rerun it i still get an error.  below is everything i typed

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-WebServicesVirtualDirect
ory | Select Name, *url* | fl


Name                 : EWS (Default Web Site)
InternalNLBBypassUrl : https://exchangeserver2.dominicancampus.local/ews/exchan
                       ge.asmx
InternalUrl          : https://exchangeserver2.dominicancampus.local/EWS/Exchan
                       ge.asmx
ExternalUrl          :



[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/EWS/Exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/EWS/Exchange.asmx
[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/ews/exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/ews/exchange.asmx
0
 
endital1097Commented:
Set-WebServicesVirtualDirectory -Identity Exchangeserver2\EWS* -InternalUrl https://mail.dominicancampus.org/ews/exchange.asmx

only the set clientaccessserver is uri
0
 
sunnyc7Commented:
It will work like this also

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"
0
 
amoosAuthor Commented:
this is what i get with the next virtual directory

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-UMVirtualDirectory -Iden
tity: "UnifiedMessaging <Default Web Site>" -InternalUrl:https://mail.dominicanc
ampus.org/UnifiedMessaging/Service.asmx
Set-UMVirtualDirectory : The operation could not be performed because object 'U
nifiedMessaging <Default Web Site>' could not be found on domain controller 'ca
mpusdomaincon.dominicancampus.local'.
At line:1 char:23
+ Set-UMVirtualDirectory  <<<< -Identity: "UnifiedMessaging <Default Web Site>"
 -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx
0
 
endital1097Commented:
you always need to put the server name in front

-Identity Exchangeserver2\Unified*
0
 
sunnyc7Commented:
Why are you setting Set-UMVirtualDirectory ?

I thought we were dealing
set-webservicesvirtualdirectory ?
0
 
sunnyc7Commented:
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"
0
 
amoosAuthor Commented:
so then it needs to be?

Set-UMVirtualDirectory -Identity: Exchangeserver2\UnifiedMessaging -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx
0
 
amoosAuthor Commented:
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"

i did this one and it worked very nicely.  i was trying to update the unified messaging virtual directory now
0
 
endital1097Commented:
you can use that same format for all
get-umvirtualdirectory | set-umvirtualdirectory
get-oabvirtualdirectory |set-oabvirtualdirectory
0
 
sunnyc7Commented:
Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx"

0
 
amoosAuthor Commented:
when i run the below it just sits there

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-UMVirtualDirectory | Set
-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessag
ing/Service.asmx
>> Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.do
minicancampus.org/UnifiedMessaging/Service.asmx"
0
 
endital1097Commented:
you can either press the Enter key to see if it stops or Ctrl+C
0
 
amoosAuthor Commented:
Success!!!!!!!!!!!  you are the best.  i wish i could give you 10000 points.  thank you so much
0
 
endital1097Commented:
I wrote an article today on this subject. Please review and mark as helpful if you find it so. Thanks.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
0
 
sunnyc7Commented:
Dude..
I have been trying to write an article on autodiscover OAB and OOF for about 3/4 weeks now, but never sat down to do that.

will review and send my comments.

thanks
0
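
Added example (not posted by anyone in this thread): a read-only check, run in the Exchange Management Shell, that lists every internal URL Autodiscover hands to Outlook and whether its host name appears on a valid certificate enabled for IIS. Test-NameOnCert and the variable names are made up for this example; the property that holds the Autodiscover SCP address is AutoDiscoverServiceInternalUri.

```powershell
# Added example: run in the Exchange Management Shell on a CAS server.
# Test-NameOnCert and all variable names are made up for this example.

function Test-NameOnCert([string]$hostName, [string[]]$names) {
    $h = $hostName.ToLower()
    foreach ($n in $names) {
        if ($n -eq $h) { return $true }
        # A wildcard entry (*.example.org) covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Names on every valid certificate enabled for IIS (what Outlook sees over HTTPS).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Status)" -eq 'Valid' -and "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Column definitions: virtual directories expose InternalUrl, the CAS object
# exposes the Autodiscover service connection point (SCP) address.
$vdir = @{Name='Source'; Expression={ "$($_.Identity)" }},
        @{Name='Url';    Expression={ "$($_.InternalUrl)" }}
$scp  = @{Name='Source'; Expression={ "Autodiscover SCP on $($_.Name)" }},
        @{Name='Url';    Expression={ "$($_.AutoDiscoverServiceInternalUri)" }}

$rows  = @(Get-ClientAccessServer          | Select-Object $scp)
$rows += @(Get-WebServicesVirtualDirectory | Select-Object $vdir)
$rows += @(Get-OabVirtualDirectory         | Select-Object $vdir)
$rows += @(Get-UMVirtualDirectory          | Select-Object $vdir)

# Report the host of each configured URL and whether the certificate covers it.
$cols = 'Source',
        @{Name='Host';   Expression={ ([System.Uri]$_.Url).Host }},
        @{Name='OnCert'; Expression={ $h = ([System.Uri]$_.Url).Host
                                      Test-NameOnCert $h $certNames }}

$rows | Where-Object { $_.Url } | Select-Object $cols | Format-Table -AutoSize
```

Any row showing OnCert False is a URL whose host name the certificate does not cover, which is the condition that produces the Outlook certificate prompt discussed above.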
