Solved

How to fix SSL error in outlook 2007??

Posted on 2010-08-18
Last Modified: 2012-05-10
we are running exchange 2007 and outlook 2007.  every time someone opens outlook 2007 they are getting an SSL certificate error.  see attached document for exact error.  how do i fix this?
ssl-error.docx
0
Comment
Question by:amoos
38 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33466771
it looks like the certificate you installed is something like
mail.yourdomain.com
which is used for external connections

internally your users are connecting to
exchangeserver2.yourdomain.local
which doesn't match the name on the certificate

there are a couple of options
1. update the certificate to include the url shown in the error
2. update internal url values to use the same fqdn as the external urls (requires split brain dns, where domain.com DNS zones exists internally and externally)
0
 
LVL 4

Expert Comment

by:Gavincr001
ID: 33466786
Have you tried adding the url to trusted or local sites on IE?

if that works you could add the site for everyone using Group Policy.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33466817
Going along endital's lines you can use this tool to install / reinstall certs.
http://www.u-btech.com/products/certificate-manager-for-exchange-2007.html

Run this on exch shell and output the results here

get-exchangecertificate | fl
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33466822
adding the url to trusted or local will help with windows integrated authentication
this is a certificate name issue where the url does not exist within the certificate
0
 

Author Comment

by:amoos
ID: 33466827
ok there are forward lookup zones in DNS for the internal and external.  now if i change the internal url to the external url will that cause any damage?  what is split brain DNS?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33466845
is your local domain name same as external domain name ?

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33466887
split brain is when you have an external dns zone for the domain contoso.com that contains all DNS records for external access to contoso.com
you also have an internal dns zone for the domain contoso.com (contents depend on design)

in your instance you would want to have an internal dns zone for contoso.com that includes records with external ip address for systems that are not accessed internally
other records like exchange resources, you would put the internally ip addresses
so here you would create a record for mail.contoso.com (your external url value on virtual directories) and use the internal ip address of your cas server
then update your virtual directories with internal url values that match the external
0
 

Author Comment

by:amoos
ID: 33466966
our local domain is a .local domain and the external is .org

from your explanation of split brain DNS then i have that already running.  great explanation.

here is the result for the get-exchangecertificate | fl  (i took out our servername)

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Au
                     thority, OU=http://certificates.godaddy.com/repository, O=
                     "GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter           : 11/21/2012 10:55:58 PM
NotBefore          : 11/21/2009 10:55:58 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 03F33083A41C69
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail.dominicancampus.org, OU=Domain Control Validated,
                     O=mail.dominicancampus.org
Thumbprint         : B09DCA1FF3E7C0B0A9901A6FEEE47980D914EAB0

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule, System.Security.Acce
                     ssControl.CryptoKeyAccessRule}
CertificateDomains : {exchangeserver, exchangeserver.ourdomain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=exchangeserver
NotAfter           : 11/20/2010 9:35:18 AM
NotBefore          : 11/20/2009 9:35:18 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 521603D03370D99149D232512351E605
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=exchangeserver
Thumbprint         : 1A2E91367BC29ACB40554BA4FF2D1371BF22A2B1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-EXCHANGESERVER}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-EXCHANGESERVER
NotAfter           : 11/11/2019 5:31:37 PM
NotBefore          : 11/13/2009 5:31:37 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 71E6123F472A26B141381C1325AB1086
Services           : None
Status             : Valid
Subject            : CN=WMSvc-EXCHANGESERVER
Thumbprint         : 4BD89A54F4C54598739E3F931C4E816068A41460
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33466991
you'll want to update your internal url values to match your external
here's an article that goes over it
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33467060
CertificateDomains : {mail.dominicancampus.org, www.mail.dominicancampus.org, m
                     ail.stcecilia.edu, mail.aquinascollege.edu, mail.overbrook
                     .edu}

>>
You have to issue it to

mail.dominicancampus.org (external FQDN - it's already there)
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)
mailserver.dominicancampus.local (internal server FQDN)
mailserver (exchange server name)

Here's how you can do it
http://help.godaddy.com/article/4976

comments on your existing
www.mail.dominicancampus.org,
>> Not required

mail.stcecilia.edu,
mail.aquinascollege.edu
mail.overbrook.edu
>> Are you hosting multiple domains in exchange. If not - those are not required.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33467086
@endital
What do you think about re-keying the cert, instead of split-braining it ?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33467134
@sunnyc7
if you can update the certificate it is the easiest path, and i agree with you on doing it
i've had too many instances where that isn't an option and i have to work around
0
 

Author Comment

by:amoos
ID: 33467372
mail.dominicancampus.org (external FQDN - it's already there)

autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert) Add this to the internal dns?

mailserver.dominicancampus.local (internal server FQDN) already in dns

mailserver (exchange server name)  already in dns


if i do this "you'll want to update your internal url values to match your external" will i be hurting or breaking anything?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33467554
mail.dominicancampus.org is already configured within internal DNS and does it point to the internal ip address of your cas server

it will not break anything as long as name resolution is working
0
 

Author Comment

by:amoos
ID: 33467570
mail.dominicancampus.org is already configured within internal DNS and does it point to the internal ip address of your cas server

yes it points to the internal IP
0
 

Author Comment

by:amoos
ID: 33467577
autodiscover.dominicancampus.org (You need to create a DNS entry and then add this to cert)

Add this to the internal dns?

so autodiscover.dominicancampus.org needs to point to the exchangeserver internal ip?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33467608
you can get around not having that record
let's get past this part first
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33467625
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites
0
 

Author Comment

by:amoos
ID: 33467794
test the urls by browsing to them

https://mail.dominicancampus.org/owa
https://mail.dominicancampus.org/ews/exchange.asmx
https://mail.dominicancampus.org/autodiscover/autodiscover.xml

you shouldn't get any certificate warnings/errors going to these sites

this all works great with no errors.

but outlook 2007 clients still have the certificate error.  our exchange server is running on server 2008 if that helps
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33467833
you need to update the url settings for your vdirs

set-webservicesvirtualdirectory yourserver\ews* -internalurl https://mail.dominicancampus.org/ews/exchange.asmx

and the other urls used by autodiscover

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
0
 

Author Comment

by:amoos
ID: 33468144
this is the error i get in powershell when i run the command Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml

Set-ClientAccessServer : A parameter cannot be found that matches parameter nam
e 'AutoDiscoverServiceInternalUrl'.
At line:1 char:82
+ Set-ClientAccessServer -Identity EXCHANGESERVER2 -AutoDiscoverServiceInternal
Url:  <<<< https://mail.dominicancampus.org/Autodiscover/Autodiscover.xml
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33468175
it is AutoDiscoverServiceUri
not Url - common mistake
0
 

Author Comment

by:amoos
ID: 33468322
when i change the l to an i and rerun it i still get an error.  below is everything i typed

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-WebServicesVirtualDirect
ory | Select Name, *url* | fl


Name                 : EWS (Default Web Site)
InternalNLBBypassUrl : https://exchangeserver2.dominicancampus.local/ews/exchan
                       ge.asmx
InternalUrl          : https://exchangeserver2.dominicancampus.local/EWS/Exchan
                       ge.asmx
ExternalUrl          :



[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/EWS/Exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/EWS/Exchange.asmx
[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-WebServicesVirtualDirect
ory -Identity "EWS <Default Web Site>" -InternalUri:https://mail.dominicancampus
.org/ews/exchange.asmx
Set-WebServicesVirtualDirectory : A parameter cannot be found that matches para
meter name 'InternalUri'.
At line:1 char:81
+ Set-WebServicesVirtualDirectory -Identity "EWS <Default Web Site>" -InternalU
ri:h <<<< ttps://mail.dominicancampus.org/ews/exchange.asmx
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33468375
Set-WebServicesVirtualDirectory -Identity Exchangeserver2\EWS* -InternalUrl https://mail.dominicancampus.org/ews/exchange.asmx

only the set clientaccessserver is uri
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33468440
It will work like this also

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"
0
 

Author Comment

by:amoos
ID: 33468448
this is what i get with the next virtual directory

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Set-UMVirtualDirectory -Iden
tity: "UnifiedMessaging <Default Web Site>" -InternalUrl:https://mail.dominicanc
ampus.org/UnifiedMessaging/Service.asmx
Set-UMVirtualDirectory : The operation could not be performed because object 'U
nifiedMessaging <Default Web Site>' could not be found on domain controller 'ca
mpusdomaincon.dominicancampus.local'.
At line:1 char:23
+ Set-UMVirtualDirectory  <<<< -Identity: "UnifiedMessaging <Default Web Site>"
 -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33468461
you always need to put the server name in front

-Identity Exchangeserver2\Unified*
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33468469
Why are you setting Set-UMVirtualDirectory ?

I thought we were dealing
set-webservicesvirtualdirectory ?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33468487
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"
0
 

Author Comment

by:amoos
ID: 33468494
so then it needs to be?

Set-UMVirtualDirectory -Identity: Exchangeserver2\UnifiedMessaging -InternalUrl:https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx
0
 

Author Comment

by:amoos
ID: 33468515
try this one

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/ews/exchange.asmx"

i did this one and it worked very nicely.  i was trying to update the unified messaging virtual directory now
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33468526
you can use that same format for all
get-umvirtualdirectory | set-umvirtualdirectory
get-oabvirtualdirectory |set-oabvirtualdirectory
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33468527
Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx"

0
 

Author Comment

by:amoos
ID: 33468621
when i run the below it just sits there

[PS] C:\Users\administrator.DOMINICANCAMPUS\Desktop>Get-UMVirtualDirectory | Set
-UMVirtualDirectory -InternalUrl:"https://mail.dominicancampus.org/UnifiedMessag
ing/Service.asmx
>> Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl:"https://mail.do
minicancampus.org/UnifiedMessaging/Service.asmx"
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33468646
you can either press the Enter key to see if it stops or Ctrl+C
0
 

Author Comment

by:amoos
ID: 33468656
Success!!!!!!!!!!!  you are the best.  i wish i could give you 10000 points.  thank you so much
0
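The fix in this thread works because each internal URL now uses a host name that appears on the third-party certificate. As an added example (not code from any participant in this thread), the PowerShell below checks that condition for a set of URLs; the function names are hypothetical, and the sample values are copied from the outputs posted above.

```powershell
# Added example: flag service URLs whose host name is not covered by the
# certificate's CertificateDomains list. Function names are hypothetical.

function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($d.StartsWith('*.')) {
            # A wildcard entry covers exactly one left-most label.
            $suffix = $d.Substring(1)            # "*.example.org" -> ".example.org"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param([string[]]$CertDomains, [hashtable]$Urls)
    foreach ($name in $Urls.Keys) {
        $uri = [System.Uri]($Urls[$name])
        New-Object PSObject -Property @{
            Setting = $name
            UrlHost = $uri.Host
            Covered = (Test-CertCoversHost -HostName $uri.Host -CertDomains $CertDomains)
        }
    }
}

# Sample input copied from the outputs posted in this thread.
$certDomains = 'mail.dominicancampus.org', 'www.mail.dominicancampus.org',
               'mail.stcecilia.edu', 'mail.aquinascollege.edu', 'mail.overbrook.edu'
$urls = @{
    'EWS InternalUrl (before)' = 'https://exchangeserver2.dominicancampus.local/EWS/Exchange.asmx'
    'EWS InternalUrl (after)'  = 'https://mail.dominicancampus.org/ews/exchange.asmx'
    'UM InternalUrl (after)'   = 'https://mail.dominicancampus.org/UnifiedMessaging/Service.asmx'
}

Get-UrlCertCoverage -CertDomains $certDomains -Urls $urls |
    Sort-Object Setting |
    Format-Table Setting, UrlHost, Covered -AutoSize
```

On a live server the two inputs are the CertificateDomains value shown by get-exchangecertificate and the InternalUrl values shown by the Get-*VirtualDirectory cmdlets used in this thread.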
 
LVL 32

Expert Comment

by:endital1097
ID: 33471393
I wrote an article today on this subject. Please review and mark as helpful if you find it so. Thanks.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33471430
Dude..
I have been trying to write an article on autodiscover OAB and OOF for about 3/4 weeks now, but never sat down to do that.

will review and send my comments.

thanks
0
