Solved

New Exchange 2010 setup trying to use OWA cert for the server when you connect with outlook

Posted on 2010-09-18
28
558 Views
Last Modified: 2012-05-10
I'm partway through installing Exchange 2010 into my 2003 organization; all good so far, except when I connect to my Exchange 2010 server with an Outlook 2010 client I get a cert error saying the cert name does not match. When I view the cert, it is using my OWA IIS cert, not the self-signed cert that matches the Exchange server. In the management console it shows the self-signed cert as being assigned SMTP; the OWA cert has SMTP, IIS, IMAP and POP assigned to it. Any way to get Outlook clients to use the correct cert?

Thanks,
0
Question by:nocalerts
28 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 33708326
Have you purchased a commercial certificate?

If so, you need to ensure you have the following names in it:

Owa.domainname.com (your OWA URL)
Autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
Servername.internaldomain.local (the fully qualified internal domain name of your server)
0
 

Author Comment

by:nocalerts
ID: 33708349
No, I did not purchase a commercial cert... but I'm not sure that is the problem; the fact that it is looking at the wrong one is the issue, unless it looks at commercial ones first?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708404
Outlook will use RPC so it will be the certificate that has been assigned to client services that it uses.

It will also be looking for a certificate that contains autodiscover.domainname.com so if you don't have that in your certificate that is why you are receiving the prompts.
0
 

Author Comment

by:nocalerts
ID: 33708456
What would the steps be to get an autodiscover Cert?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708470
You need to generate a certificate request using the new certificate wizard, then purchase a commercial certificate that is a SAN/UCC certificate.

The wizard will generate the correct names as long as you give it the correct information.
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33708505
The cheaper option is:
1. Install a Microsoft Certificate Server
2. using the command
new-exchangecertificate .....-domainnames "Owa.domainname.com,Autodiscover.domainname.com,servername,server-FQDN"
3. Install and Assign this local SAN cert. on the E2010 server(s)

- You need to move and install the Root Certificate once on every machine showing the cert warning/error to avoid further prompts
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708535
Define cheaper?
A SAN/UCC certificate can be purchased for as little as $90; how many hours will it take to set up all this, install certs on clients and get it working properly?

In my experience it never works 100% properly and you end up buying a SAN/UCC certificate anyway.
0
 

Author Comment

by:nocalerts
ID: 33708552
Thanks for the replies. I was just going to post what demazter said. We have too many users to install for everyone. We are just going to buy one.

Another question for you Demazter. How will Outlook know which cert to use? Right now it is just picking the OWA cert. Does it know because of the autodiscover prefix?
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33708553
Yes, I would love to get the 3rd party SAN certs for a hassle-free life.

As a discussion point this should be *possible* before exhausting all the inhouse methods.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708582
Correct, autodiscover is a web service and will therefore use the IIS certificate which is why you are seeing this on your clients.
0
 

Author Comment

by:nocalerts
ID: 33708596
We are having some trouble generating the cert request; we are new to Server 2008. Do you know how to do it in the new UI?
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33708609
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708612
0
 

Author Comment

by:nocalerts
ID: 33708638
We have an SSL cert for OWA already. Can we generate a new request for just an autodiscover cert? Also, should this be just autodiscover intranet instead of internet, because we only need it for internal installs of Outlook?
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33708652
OWA, Autodiscover, EWS are the virtual directories below the IIS_web-site called "Default Web Site"
So you can either have
a) Single named certificate...good only till E2k3 servers
b) Wild card certificate (*.domain.com...not best for Outlook-Anywhere and mobile devices)
c) SAN Certificate...which is the current recommendation

Note: This will have all the additional names/values in the same single .cer file
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708666
The certificate needs to contain all the names.
Autodiscover.domainname.com must be present in the certificate (whilst there are ways around this it deviates away from the default installation and I wouldn't recommend them)

The virtual directory names have absolutely nothing to do with the requirements here.  Outlook specifically looks for autodiscover.domainname.com
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33708678
I missed adding a point:
- Web site(s) can have the certificate
- A Virtual Directory has no option to associate with a certificate... so this drives the need for the SAN certificate.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708688
HMC for Exchange 2010 as far as I am aware is not available yet and segregated address lists is also not supported.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708692
Sorry ignore that post wrong thread.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708696
The virtual directories are not relevant for the SAN/UCC certificate; the virtual directories can be called anything. The names required in the certificate are quite specific!
0
 

Author Comment

by:nocalerts
ID: 33708947
We are still waiting on the cert, but all of our phones just went into error. Could this be because of the ActiveSync part of the cert request? They are saying user authorization failed.
0
 

Author Comment

by:nocalerts
ID: 33708973
We now have the cert and we are still getting the same error. Where are we supposed to assign it to client services?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33708984
You just need to assign the exchange services to it.

You will then need to restart the IIS & exchange services.
0
 

Author Comment

by:nocalerts
ID: 33709166
We are still getting the same thing. When we look at the cert in Outlook it only has one domain in it, even though we got a 20 domain SAN/UCC.
0
 

Author Comment

by:nocalerts
ID: 33709218
Never mind, they are all there; we just couldn't see them from the standard view. But it is still not working.
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33709856
Did you place the SAN cert at the "Default Web Site" level?
Can you confirm the correct binding of the cert from "Default Web Site" > Edit Bindings in IIS7?

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33710280
The certificate should be managed with exchange not IIS!
0
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 33715418
Indeed,

If you have gotten your certificate do the following in order in Exchange Management Shell:

1. Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "Path of your exchange certificate" -Encoding Byte -ReadCount 0)) -PrivateKeyExportable $True

2. Get-ExchangeCertificate

3. Enable-ExchangeCertificate "Thumbprint of your new exchange certificate" -Services "SMTP,IIS,POP,IMAP"

4. Remove-ExchangeCertificate "thumbprint of the self-signed Exchange 2010 certificate which comes by default (if you still had that one)"

Hope this helps
0
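The import/enable steps in the answer above, combined with the name check implied by the accepted answer (the certificate Exchange binds to IIS must carry the OWA, autodiscover and internal server names), as an added Exchange Management Shell script that is not from this thread. The host names, the PFX path and the assumption that the purchased SAN/UCC certificate was exported as a password-protected PFX are placeholders for your own environment.

```powershell
# Added example, not from this thread. Placeholders: the three names and the PFX path.
$requiredNames = @('owa.domainname.com', 'autodiscover.domainname.com', 'exch01.internaldomain.local')
$pfxPath       = 'C:\certs\exchange-san.pfx'   # placeholder path to the purchased SAN/UCC cert
$pfxPassword   = Read-Host -AsSecureString 'PFX password'

# Step 1: import the PFX into the local computer store so Exchange can manage it.
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword -PrivateKeyExportable $true

# Step 2: show every certificate Exchange knows about and which services each one serves.
# The entry with IIS in its Services column is what OWA, Autodiscover and EWS present to Outlook,
# which is why the original poster saw the OWA certificate instead of the self-signed one.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, Subject -AutoSize

# Step 3: confirm the new certificate's SAN list covers every required name before binding it.
$cert      = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing   = $requiredNames | Where-Object { $certNames -notcontains $_.ToLower() }
if ($missing) {
    Write-Warning ("Certificate {0} is missing required names: {1}" -f $cert.Thumbprint, ($missing -join ', '))
    return   # do not bind a certificate that will still produce name-mismatch prompts
}

# Step 4: bind the verified certificate to the client-facing services, then restart IIS
# so the new binding is picked up (Outlook/Autodiscover use the IIS certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'
iisreset /noforce

# Step 5: remove the old self-signed certificate only after re-running Get-ExchangeCertificate
# and confirming nothing is still bound to it.
```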
