
New Exchange 2010 setup trying to use OWA cert for the server when you connect with outlook

I'm part way through installing Exchange 2010 into my 2003 organization, all good so far except when I connect to my Exchange 2010 server with an Outlook 2010 client I get a cert error saying the cert name does not match. When I view the cert it is using my OWA IIS cert, not the self-signed cert that matches the Exchange server. In the management console it shows the self-signed cert as being assigned SMTP; the OWA cert has SMTP, IIS, IMAP and POP assigned to it. Any way to get Outlook clients to use the correct cert?

Thanks,
0
nocalerts
1 Solution
 
Glen KnightCommented:
Have you purchased a commercial certificate?

If so, you need to ensure you have the following names in it:

Owa.domainname.com (your OWA URL)
Autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
Servername.internaldomain.local (the fully qualified internal domain name of your server)
0
 
nocalertsAuthor Commented:
No, I did not purchase a commercial cert... but not sure that is the problem; the fact that it is looking at the wrong one is the issue, unless it looks at commercial ones first?
0
 
Glen KnightCommented:
Outlook will use RPC, so it will be the certificate that has been assigned to client services that it uses.

It will also be looking for a certificate that contains autodiscover.domainname.com, so if you don't have that in your certificate, that is why you are receiving the prompts.
0
 
nocalertsAuthor Commented:
What would the steps be to get an autodiscover cert?
0
 
Glen KnightCommented:
You need to generate a certificate request using the new certificate wizard, then purchase a commercial certificate that is a SAN/UCC certificate.

The wizard will generate the correct names as long as you give it the correct information.
0
 
e_aravindCommented:
The cheaper option is:
1. Install a Microsoft Certificate Server
2. Use the command
New-ExchangeCertificate ..... -DomainName "Owa.domainname.com,Autodiscover.domainname.com,servername,server-FQDN"
3. Install and assign this local SAN cert on the E2010 server(s)

- You need to move and install the root certificate on all the cert-warning/erroring machines once to avoid further prompts
0
 
Glen KnightCommented:
Define cheaper?
A SAN/UCC certificate can be purchased for as little as $90; how many hours will it take to set up all this and install certs on clients and get it working properly?

In my experience it never works 100% properly and you end up buying a SAN/UCC certificate anyway.
0
 
nocalertsAuthor Commented:
Thanks for the replies. I was just going to post what demazter said. We have too many users to install for everyone. We are just going to buy one.

Another question for you, Demazter. How will Outlook know which cert to use? Right now it is just picking the OWA cert. Does it know because of the autodiscover prefix?
0
 
e_aravindCommented:
Yes, I would love to get the 3rd party SAN certs for a hassle-free life.

As a discussion point, this should be *possible* before exhausting all the in-house methods.
0
 
Glen KnightCommented:
Correct, autodiscover is a web service and will therefore use the IIS certificate, which is why you are seeing this on your clients.
0
 
nocalertsAuthor Commented:
We are having some trouble generating the cert request; we are new to Server 2008. Do you know how to do it in the new UI?
0
 
e_aravindCommented:
0
 
nocalertsAuthor Commented:
We have an SSL cert for OWA already. Can we generate a new request for just an autodiscover cert? Also, should this be just autodiscover intranet instead of internet, because we only need it for internal installs of Outlook?
0
 
e_aravindCommented:
OWA, Autodiscover and EWS are the virtual directories below the IIS web site called "Default Web Site".
So you can either have
a) Single-named certificate... good only up to E2k3 servers
b) Wildcard certificate (*.domain.com... not best for Outlook Anywhere and mobile devices)
c) SAN certificate... which is the current recommendation

Note: This will have all the additional names/values in the same single .cer file
0
 
Glen KnightCommented:
The certificate needs to contain all the names.
Autodiscover.domainname.com must be present in the certificate (whilst there are ways around this, it deviates from the default installation and I wouldn't recommend them).

The virtual directory names have absolutely nothing to do with the requirements here. Outlook specifically looks for autodiscover.domainname.com.
0
 
e_aravindCommented:
I forgot to add a point:
- Web site(s) can have the certificate
- A virtual directory has no option to associate with a certificate... so this drives the need for the SAN certificate.
0
 
Glen KnightCommented:
HMC for Exchange 2010, as far as I am aware, is not available yet, and segregated address lists are also not supported.
0
 
Glen KnightCommented:
Sorry, ignore that post, wrong thread.
0
 
Glen KnightCommented:
The virtual directories are not relevant for the SAN/UCC certificate; the virtual directories can be called anything, but the names required in the certificate are quite specific!
0
 
nocalertsAuthor Commented:
We are still waiting on the cert, but all of our phones just went into error. Could this be because of the ActiveSync part of the cert request? They are saying user authorization failed.
0
 
nocalertsAuthor Commented:
We now have the cert and we are still getting the same error. Where are we supposed to assign it to client services?
0
 
Glen KnightCommented:
You just need to assign the Exchange services to it.

You will then need to restart the IIS and Exchange services.
0
 
nocalertsAuthor Commented:
We are still getting the same thing. When we look at the cert in Outlook it only has one domain in it, even though we got a 20-domain SAN/UCC.
0
 
nocalertsAuthor Commented:
Never mind, they are all there, we just couldn't see them from the standard view. But it is still not working.
0
 
e_aravindCommented:
Did you place the SAN cert at the "Default Web Site" level?
Can you confirm the correct binding of the cert from "Default Web Site" > Edit Bindings in IIS7?

0
 
Glen KnightCommented:
The certificate should be managed with Exchange, not IIS!
0
 
JuusoConnectaCommented:
Indeed,

If you have gotten your certificate, do the following in order in the Exchange Management Shell:

1. Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "Path of your exchange certificate" -Encoding Byte -ReadCount 0)) -PrivateKeyExportable $True

2. Get-ExchangeCertificate

3. Enable-ExchangeCertificate -Thumbprint "Thumbprint of your new exchange certificate" -Services "SMTP,IIS,POP,IMAP"

4. Remove-ExchangeCertificate -Thumbprint "Thumbprint of the self-signed Exchange 2010 certificate which comes by default (if you still had that one)"

Hope this helps
0
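The whole procedure the thread walks through (request a SAN/UCC cert with the names Outlook expects, import it, bind it to the client services, and confirm the IIS-bound cert actually carries the Autodiscover name), as an added Exchange Management Shell example that is not from any poster; the hostnames, organisation and C:\certs\ paths are placeholders, not values from the thread:

```powershell
# Added example (not from the thread). Assumed placeholder names, replace with your own:
#   mail.domainname.com         - the OWA / Outlook Anywhere URL
#   autodiscover.domainname.com - the name Outlook looks up for the SMTP domain domainname.com
#   ex01.internaldomain.local   - the CAS server's internal FQDN
#   C:\certs\                   - working folder for the request and the returned .cer file
$domains = "mail.domainname.com", "autodiscover.domainname.com", "ex01.internaldomain.local"

# 1. Generate the certificate request (CSR) to hand to the commercial CA.
#    Every name in $domains becomes a Subject Alternative Name in the request.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.domainname.com" `
    -DomainName $domains `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\exchange.req" -Value $req

# 2. After the CA returns the signed certificate, import it on the CAS server.
#    Import-ExchangeCertificate returns the certificate object, so its thumbprint
#    can be used directly instead of copying it by hand from Get-ExchangeCertificate.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path "C:\certs\exchange.cer" -Encoding Byte -ReadCount 0))

# 3. Bind it to the client-facing services. IIS is the one Outlook, Autodiscover and EWS use,
#    which is why the OWA/IIS certificate was the one Outlook complained about.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Verify: the certificate that is now bound to IIS must list every expected name,
#    otherwise clients keep getting the name-mismatch prompt.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
foreach ($name in $domains) {
    if ($iisCert.CertificateDomains -notcontains $name) {
        Write-Warning "Certificate bound to IIS is missing SAN name: $name"
    }
}
$iisCert | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 5. For internal Outlook clients the Autodiscover SCP URL in AD is what gets contacted;
#    its hostname must also be one of the names in the certificate.
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri

# 6. Restart IIS so the new binding takes effect, then re-test from a client.
iisreset /noforce
```

If step 5 shows an SCP URL whose hostname is not in CertificateDomains, either add that name to the next certificate request or point the SCP at a name that is.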