Solved

We don't own our internal domain

Posted on 2010-09-03
Last Modified: 2012-05-10
Our internal domain is owned by someone else and they aren't selling. I've purchased a UNC cert for the external domain, but the issue I'm facing is, when we open up Outlook we get an alert: "The name on the security certificate is invalid or does not match the name of the site."


I need this to go away; does anyone have a fix?
Question by:Puke Foo
17 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 250 total points
ID: 33597263
It does not really matter what your internal domain is called; what matters is that the URL the user types matches the certificate on the Exchange server. It is no different really from how most setups go: for example, most domains will be called company.local but the email domain will be company.com. However, if your email domain is owned by someone else, that's another story.
 
LVL 5

Expert Comment

by:pbeirne
ID: 33597339
Configure your certificate to use multiple client access server hostnames:

http://technet.microsoft.com/en-us/library/aa995942.aspx
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 250 total points
ID: 33597345
Do you use split DNS? Have an external DNS zone for yourdomain.com and an internal zone for yourdomain.com. (This is for your external presence, so the domain users use to access OWA.)

If you do, you can configure Autodiscover and the web services to use a certificate that only uses your external domain presence.
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33597349
As MojoTech stated, your internal domain is just that, internal, so it doesn't matter what it is called.

The same goes for certificates, in that it appears you went out and bought a public certificate for your external domain and are trying to use it for the internal domain, which will not work.

I suggest the following to resolve this:

Reference this technet article: http://technet.microsoft.com/en-us/library/bb457160.aspx

Get a version of Enterprise Edition of Windows Server 2003 or 2008 and set up a Stand Alone Root Certificate Authority for your internal domain. Also set up an Enterprise Subordinate Certificate Authority. Once you've set up the Stand Alone Root and issued a certificate to the Enterprise Subordinate, the Root can and should be taken offline. You can then use the Enterprise Subordinate to issue certificates for your internal domain and to users via Active Directory.
 
LVL 32

Expert Comment

by:endital1097
ID: 33597381
Example:
Users access OWA by going to https://owa.contoso.com/owa
Your internal domain is microsoft.com (obviously you don't own that one :)

If you have an internal DNS zone for contoso.com, you can configure your URLs to use contoso.com, and your certificate does not need the other domain name:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://owa.contoso.com/ews/exchange.asmx -ExternalURL https://owa.contoso.com/ews/exchange.asmx
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalURL https://owa.contoso.com/oab -ExternalURL https://owa.contoso.com/oab
Set-ClientAccessServer CASName -AutoDiscoverServiceInternalURI https://owa.contoso.com/autodiscover/autodiscover.xml
Set-OutlookAnywhere -Server CASName -ExternalHostName owa.contoso.com
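As an added check to go with the URL changes above (example code, not from the thread or from Microsoft): a small Python script that takes the names on the certificate and the configured Exchange URL values and lists every hostname the certificate does not cover. Those are exactly the hosts for which Outlook raises the name-mismatch alert. The certificate names and URL values are constructed sample data modelled on the thread's contoso.com / windows.com case.

```python
"""List Exchange URL hostnames that the server certificate does not cover.

Added example, not from the original thread. CERT_NAMES and CONFIGURED_URLS
are constructed sample data: a public SAN cert for contoso.com and URL values
an admin might see before fixing them, with the internal URLs still pointing
at the unowned windows.com domain.
"""
from urllib.parse import urlsplit

# Constructed: subject alternative names on the purchased public certificate.
CERT_NAMES = ["owa.contoso.com", "autodiscover.contoso.com"]

# Constructed: URL values as Get-*VirtualDirectory / Get-ClientAccessServer
# might report them before the Set-* commands in the thread are run.
CONFIGURED_URLS = {
    "EWS InternalUrl": "https://cas01.windows.com/ews/exchange.asmx",
    "EWS ExternalUrl": "https://owa.contoso.com/ews/exchange.asmx",
    "OAB InternalUrl": "https://cas01.windows.com/oab",
    "OAB ExternalUrl": "https://owa.contoso.com/oab",
    "AutoDiscoverServiceInternalUri":
        "https://autodiscover.contoso.com/autodiscover/autodiscover.xml",
}


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]  # "*.contoso.com" -> ".contoso.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    # The wildcard stands for exactly one non-empty label, never the bare domain.
    return left != "" and "." not in left


def uncovered_hosts(cert_names, urls):
    """Return {setting: hostname} for each URL whose host no certificate name covers."""
    missing = {}
    for setting, url in urls.items():
        host = urlsplit(url).hostname
        if host is None or not any(name_matches(n, host) for n in cert_names):
            missing[setting] = host
    return missing


if __name__ == "__main__":
    for setting, host in uncovered_hosts(CERT_NAMES, CONFIGURED_URLS).items():
        print(f"{setting}: {host} is not on the certificate")
```

Every setting the script reports needs either a URL change to a name that is on the certificate, as in the commands above, or a certificate from an internal CA that can issue for the unowned name.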
 

Author Comment

by:Puke Foo
ID: 33598307
Nuttycomputer,

To be clear, you're saying I should create A records in my external DNS zone (on the internal DNS server) for my CAS array name/mail server names, and then change the Autodiscover to point to the external zone, as well as OAB, free/busy, etc.?
 
LVL 32

Expert Comment

by:endital1097
ID: 33598480
You need to know what DNS zones you have internally.
Your configuration will depend on DNS and the zones you have internally.
 

Author Comment

by:Puke Foo
ID: 33598486
I have an internal DNS zone for my external DNS; does that make sense?
 
LVL 32

Expert Comment

by:endital1097
ID: 33598547
Yes, what that means is you can configure all of your URL values with the external name used by clients.

Here is an article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
 

Author Comment

by:Puke Foo
ID: 33598558
Thanks, real quick: will I need to reconfigure my CAS array as well?
 

Author Comment

by:Puke Foo
ID: 33598649
We do not have a split-brain domain.
 
LVL 32

Expert Comment

by:endital1097
ID: 33598720
You said you had an internal DNS zone for external DNS.

You don't need to reconfigure your CAS array; that is independent of these web services.
 

Author Comment

by:Puke Foo
ID: 33598739
We do have an internal DNS zone for the external DNS, but the internal domain name is not ours; we do not own it. So I can't get a cert for our internal DNS domain name. But I have created an internal zone for the external DNS so we can resolve those external addresses internally.
 

Author Comment

by:Puke Foo
ID: 33598795
To be clear, we have an external DNS domain, contoso.com. We have an internal domain for both AD and (say it's) windows.com. We don't own windows.com, but I do have an internal zone for it. But I can't get a cert for it because I don't own it.
 

Author Comment

by:Puke Foo
ID: 33598806
I meant to say we have an internal domain for both AD and DNS, called windows.com.
 
LVL 32

Expert Comment

by:endital1097
ID: 33598822
Your external domain is contoso.com.
Do you have an internal DNS zone for contoso.com?
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33599688
batstrading,

While you can't get a certificate for "windows.com" from a public issuing authority because the domain is strictly used internally, you don't need it to be issued by one.

You can install Certificate Services as I mentioned in my previous post and create the certificate yourself for the server. You can then distribute it to all internal clients.