Solved

We don't own our internal domain

Posted on 2010-09-03
341 Views
Last Modified: 2012-05-10
Our internal domain is owned by someone else and they aren't selling. I've purchased a UNC cert for the external domain, but the issue I'm facing is, when we open up Outlook we get an alert: "The name on the security certificate is invalid or does not match the name of the site."


I need this to go away, does anyone have a fix?
Question by: Puke Foo
17 Comments
 
Accepted Solution

by: MojoTech (earned 250 total points)
It does not really matter what your internal domain is called; what matters is that the URL the user types matches the certificate on the Exchange server. It is no different really from how most setups go: for example, most domains will be called company.local but the email domain will be company.com. However, if your email domain is owned by someone else, that's another story.
 
Expert Comment

by: pbeirne
Configure your certificate to use multiple client access server hostnames:

http://technet.microsoft.com/en-us/library/aa995942.aspx
 
Assisted Solution

by: endital1097 (earned 250 total points)
do you use split dns? i.e. an external dns zone for yourdomain.com and an internal zone for yourdomain.com (this is for your external presence, the domain users use to access owa)

if you do, you can configure autodiscover and the web services to use a certificate that only uses your external domain presence
 
Expert Comment

by: Nuttycomputer
As MojoTech stated, your internal domain is just that, internal, so it doesn't matter what it is called.

The same goes for certificates: it appears you went out and bought a public certificate for your external domain and are trying to use it for the internal domain, which will not work.

I suggest the following to resolve this:

Reference this technet article: http://technet.microsoft.com/en-us/library/bb457160.aspx

Get a version of Enterprise Edition of Windows Server 2003 or 2008 and set up a Stand Alone Root Certificate Authority for your internal domain. Also set up an Enterprise Subordinate Certificate Authority. Once you've set up the Stand Alone Root and issued a certificate to the Enterprise Subordinate, the Root can and should be taken offline. You can then use the Enterprise Subordinate to issue certificates for your internal domain and to users via Active Directory.
 
Expert Comment

by: endital1097
example:
users access owa by going to https://owa.contoso.com/owa
your internal domain is microsoft.com (obviously you don't own that one :)

if you have an internal dns zone for contoso.com, you can configure your urls to use contoso.com and your certificate does not need the other domain name
# EWS (free/busy, OOF) internal and external URLs
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://owa.contoso.com/ews/exchange.asmx -ExternalURL https://owa.contoso.com/ews/exchange.asmx
# Offline Address Book URLs
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalURL https://owa.contoso.com/oab -ExternalURL https://owa.contoso.com/oab
# Autodiscover SCP URI that domain-joined Outlook clients look up in AD (CASName = your CAS server)
Set-ClientAccessServer CASName -AutoDiscoverServiceInternalURI https://owa.contoso.com/autodiscover/autodiscover.xml
# Outlook Anywhere hostname handed to clients
Get-OutlookAnywhere -Server CASName | Set-OutlookAnywhere -ExternalHostName owa.contoso.com
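An added audit script (not from this thread and not Microsoft's own tooling) that lists every hostname the Exchange 2010 client access URLs hand to Outlook and flags the ones the chosen certificate does not cover, which is exactly what produces the name-mismatch alert. It assumes an Exchange Management Shell on a CAS server; the thumbprint is a placeholder you fill in from Get-ExchangeCertificate, and the cmdlets and property names are the standard Exchange 2010 ones.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management
# Shell. The thumbprint is a placeholder: pick it from Get-ExchangeCertificate.
$thumbprint = "<THUMBPRINT-OF-YOUR-CERTIFICATE>"
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# True when the certificate's subject/SAN list covers the hostname. A wildcard
# covers exactly one label: *.contoso.com covers owa.contoso.com but not
# owa.corp.contoso.com, which is also how Outlook evaluates it.
function Test-CertCoversHost([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith("*.") -and $h.Contains(".") -and
            $h.Substring($h.IndexOf(".") + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Gather every URL Autodiscover hands to Outlook, tagged with where it is set,
# so a MISMATCH line tells you which Set-* cmdlet to run.
$endpoints = @()
foreach ($cas in @(Get-ClientAccessServer)) {
    $endpoints += @{ Source = "AutoDiscoverServiceInternalUri on $($cas.Name)"
                     Url    = $cas.AutoDiscoverServiceInternalUri }
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory)
foreach ($vd in $vdirs) {
    $endpoints += @{ Source = "$($vd.Identity) InternalUrl"; Url = $vd.InternalUrl }
    $endpoints += @{ Source = "$($vd.Identity) ExternalUrl"; Url = $vd.ExternalUrl }
}
foreach ($oa in @(Get-OutlookAnywhere)) {
    if ($oa.ExternalHostname) {
        $endpoints += @{ Source = "OutlookAnywhere ExternalHostname on $($oa.Server)"
                         Url    = "https://$($oa.ExternalHostname)/rpc" }
    }
}

# Report. Unset URLs are skipped; every MISMATCH is a name Outlook will be sent
# to that the certificate cannot vouch for.
foreach ($e in $endpoints) {
    if (-not $e.Url) { continue }
    $h = ([Uri]"$($e.Url)").Host
    $state = if (Test-CertCoversHost $h $certNames) { "OK" } else { "MISMATCH" }
    "{0,-8} {1,-30} {2}" -f $state, $h, $e.Source
}
```

Run it before and after the Set-* commands above: the run before shows the internal-domain names (the ones you cannot get a public certificate for) as MISMATCH, and the run after should show only OK lines.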
 

Author Comment

by: Puke Foo
Nuttycomputer,

To be clear you're saying, I should create A records in my external dns zone (on the internal dns server) for my CAS array name / mail server names and then change the autodiscover to point to the external zone, as well as oab, free busy, etc...?

 
Expert Comment

by: endital1097
you need to know what dns zones you have internally
your configuration will depend on dns and the zones you have internally
 

Author Comment

by: Puke Foo
I have an internal dns zone for my external dns, does that make sense?

 
Expert Comment

by: endital1097
yes, what that means is you can configure all of your url values with the external name used by clients

here is an article
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3585-Exchange-Autodiscover-Service-OOF-and-OAB.html
 

Author Comment

by: Puke Foo
thanks, real quick, will I need to reconfigure my CAS array as well?
 

Author Comment

by: Puke Foo
we do not have a split brain domain
 
Expert Comment

by: endital1097
you said you had an internal dns zone for external dns

you don't need to reconfigure your CAS array, that is independent of these web services
 

Author Comment

by: Puke Foo
we do have an internal dns zone for the external dns, but the internal domain name is not ours, we do not own it. So I can't get a cert for our internal dns domain name. But I have created an internal zone for the external dns so we can resolve those external addresses internally.
 

Author Comment

by: Puke Foo
to be clear, we have an external dns domain, contoso.com; we have an internal domain for both AD and, say it's windows.com. We don't own windows.com, but I do have an internal zone for it. But I can't get a cert for it because I don't own it.
 

Author Comment

by: Puke Foo
I meant to say we have an internal domain for both AD and DNS, called windows.com
 
Expert Comment

by: endital1097
your external domain is contoso.com
do you have an internal dns zone for contoso.com?
 
Expert Comment

by: Nuttycomputer
batstrading,

While you can't get a certificate for "windows.com" from a public issuing authority because the domain is strictly used internally, you don't need it to be issued by one.

You can install Certificate Services as I mentioned in my previous post and create the certificate yourself for the server. You can then distribute it to all internal clients.