Solved

We don't own our internal domain

Posted on 2010-09-03
Last Modified: 2012-05-10
Our internal domain is owned by someone else and they aren't selling. I've purchased a UNC cert for the external domain but the issue I'm facing is, when we open up Outlook we get an alert, "The name on the security certificate is invalid or does not match the name of the site."


I need this to go away, does anyone have a fix?
Question by:Puke Foo
17 Comments
 
LVL 24

Accepted Solution

by:
Mike Thomas earned 1000 total points
ID: 33597263
It does not really matter what your internal domain is called; what matters is that the URL the user types matches the certificate on the Exchange server. It is no different really from how most setups go: for example, most domains will be called company.local but the email domain will be company.com. However, if your email domain is owned by someone else, that's another story.
0
 
LVL 5

Expert Comment

by:pbeirne
ID: 33597339
Configure your certificate to use multiple client access server hostnames:

http://technet.microsoft.com/en-us/library/aa995942.aspx
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 1000 total points
ID: 33597345
Do you use split DNS? Have an external DNS zone for yourdomain.com and an internal zone for yourdomain.com. (This is for your external presence, so the domain users use to access OWA.)

If you do, you can configure Autodiscover and the web services to use a certificate that only uses your external domain presence.
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33597349
As MojoTech stated, your internal domain is just that, internal, so it doesn't matter what it is called.

The same goes for certificates: it appears you went out and bought a public certificate for your external domain and are trying to use it for the internal domain, which will not work.

I suggest the following to resolve this:

Reference this TechNet article: http://technet.microsoft.com/en-us/library/bb457160.aspx

Get a version of Enterprise Edition of Windows Server 2003 or 2008 and set up a Stand Alone Root Certificate Authority for your internal domain. Also set up an Enterprise Subordinate Certificate Authority. Once you've set up the Stand Alone root and issued a certificate to the Enterprise Subordinate, the Root can and should be taken offline. You can then use the Enterprise Subordinate to issue certificates for your internal domain and to users via Active Directory.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33597381
Example:
Users access OWA by going to https://owa.contoso.com/owa
Your internal domain is microsoft.com (obviously you don't own that one :)

If you have an internal DNS zone for contoso.com, you can configure your URLs to use contoso.com and your certificate does not need the other domain name:
# Point EWS at the external name for both internal and external clients
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://owa.contoso.com/ews/exchange.asmx -ExternalURL https://owa.contoso.com/ews/exchange.asmx
# Same for the Offline Address Book
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalURL https://owa.contoso.com/oab -ExternalURL https://owa.contoso.com/oab
# Autodiscover URI published in AD (the SCP) for domain-joined Outlook clients
Set-ClientAccessServer CASName -AutoDiscoverServiceInternalURI https://owa.contoso.com/autodiscover/autodiscover.xml
# Outlook Anywhere external host name; Set-OutlookAnywhere takes -Identity, so pipe from Get-OutlookAnywhere -Server
Get-OutlookAnywhere -Server CASName | Set-OutlookAnywhere -ExternalHostName owa.contoso.com
0
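An added example, not from the thread, of the check that goes with the commands above: it takes the host names out of the configured URLs and reports which ones are not covered by the certificate's names (exact or one-label wildcard match). The certificate names and URLs below are constructed sample values; cas01.windows.com is a hypothetical host on the unowned internal domain, and on a live server you would feed in CertificateDomains from Get-ExchangeCertificate and the URL values from Get-WebServicesVirtualDirectory, Get-OabVirtualDirectory and Get-ClientAccessServer.

```powershell
# Added example (not from the thread). Reports, per Exchange URL setting, whether
# the URL's host name appears on the certificate, honouring wildcard SANs.
# Sample data below is constructed; replace it with live values as noted above.

function Test-HostnameOnCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertificateDomains
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $CertificateDomains) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one label: *.contoso.com matches
        # owa.contoso.com but not contoso.com or a.b.contoso.com.
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1))) {
            $prefix = $h.Substring(0, $h.Length - $n.Length + 1)
            if ($prefix -ne '' -and $prefix -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Test-ExchangeUrlCoverage {
    param(
        [Parameter(Mandatory=$true)][hashtable]$Urls,   # setting name -> URL
        [Parameter(Mandatory=$true)][string[]]$CertificateDomains
    )
    foreach ($entry in $Urls.GetEnumerator()) {
        $urlHost = ([System.Uri]$entry.Value).Host
        New-Object PSObject -Property @{
            Setting       = $entry.Key
            Host          = $urlHost
            OnCertificate = (Test-HostnameOnCertificate -HostName $urlHost -CertificateDomains $CertificateDomains)
        }
    }
}

# Constructed sample: a certificate bought for the external domain only, and the
# Autodiscover URI still pointing at a host on the internal, unowned domain.
$certDomains = @('owa.contoso.com', 'autodiscover.contoso.com')
$urls = @{
    'EWS InternalUrl'                = 'https://owa.contoso.com/ews/exchange.asmx'
    'OAB InternalUrl'                = 'https://owa.contoso.com/oab'
    'AutoDiscoverServiceInternalUri' = 'https://cas01.windows.com/autodiscover/autodiscover.xml'
}
Test-ExchangeUrlCoverage -Urls $urls -CertificateDomains $certDomains | Format-Table Setting, Host, OnCertificate -AutoSize
```

Any row with OnCertificate False is a name Outlook will raise the "name on the security certificate" warning for.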
 

Author Comment

by:Puke Foo
ID: 33598307
Nuttycomputer,

To be clear, you're saying I should create A records in my external DNS zone (on the internal DNS server) for my CAS array name / mail server names and then change Autodiscover to point to the external zone, as well as OAB, free/busy, etc.?

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598480
You need to know what DNS zones you have internally.
Your configuration will depend on DNS and the zones you have internally.
0
 

Author Comment

by:Puke Foo
ID: 33598486
I have an internal DNS zone for my external DNS; does that make sense?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598547
Yes, what that means is you can configure all of your URL values with the external name used by clients.

Here is an article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
0
 

Author Comment

by:Puke Foo
ID: 33598558
Thanks. Real quick, will I need to reconfigure my CAS array as well?
0
 

Author Comment

by:Puke Foo
ID: 33598649
We do not have a split-brain domain.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598720
You said you had an internal DNS zone for external DNS.

You don't need to reconfigure your CAS array; that is independent of these web services.
0
 

Author Comment

by:Puke Foo
ID: 33598739
We do have an internal DNS zone for the external DNS, but the internal domain name is not ours; we do not own it. So I can't get a cert for our internal DNS domain name. But I have created an internal zone for the external DNS so we can resolve those external addresses internally.
0
 

Author Comment

by:Puke Foo
ID: 33598795
To be clear, we have an external DNS domain, contoso.com, and we have an internal domain for both AD and, say, windows.com. We don't own windows.com, but I do have an internal zone for it. But I can't get a cert for it because I don't own it.
0
 

Author Comment

by:Puke Foo
ID: 33598806
I meant to say we have an internal domain for both AD and DNS, called windows.com.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33598822
Your external domain is contoso.com.
Do you have an internal DNS zone for contoso.com?
0
 
LVL 6

Expert Comment

by:Nuttycomputer
ID: 33599688
batstrading,

While you can't get a certificate for "windows.com" from a public issuing authority, because the domain is strictly used internally you don't need it to be issued by one.

You can install Certificate Services as I mentioned in my previous post and create the certificate yourself for the server. You can then distribute it to all internal clients.
0