  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 812

OWA / Outlook Anywhere (http over rpc) Certificate

Hi,
I recently purchased a UCC certificate from GoDaddy to service autodiscover.domain.com and mail.domain.com. (primarily for http over rpc from external).

I installed the certificate through certificate management, and installed/enabled it through the Exchange PowerShell (Enable-ExchangeCertificate -Services IIS,SMTP -Thumbprint D75305BEF8175570EB6E03BA6FF4372D05ACE39F4).

All went on fine. I am now having issues with my setup (primarily the services to which the certificates apply). When I apply to SMTP and IIS, Outlook Anywhere then works perfectly from remote devices but fails on OWA in the local domain (certificate error - names do not match - http://sites/owa is being serviced by mail.domain.com).

I have applied various internal/UCC certificates to services, but something always fails. Any advice on how I should configure this so everything is serviced correctly? Maybe I should be looking at hosts files on my internal network??

Many Thanks
Steven

I am running exchange 2007 SP2. Half of my internal network is using OWA as the main
0
Asked by noooodlez
2 Solutions
 
thetime commented:
Just a thought. You only have two names on there, and none of them specify the internal names for your server. You should name all variables of the server (local and external domain names) on the one cert.

We also made the mistake on the first godaddy cert and had similar if not the same problems.

Ours now list all internal and external possibilities and since then we have not had any problems.

eg:

mail.domain.com
autodiscover.domain.com
mail.domain.local
autodiscover.domain.local

Might have neglected an entry or two, but you get the picture.
0
 
Alan Hardisty (Co-Owner) commented:
The names you need in a SAN / UCC certificate are:
mail.domain.com (or whatever you want to use that resolves in DNS to the server)
autodiscover.domain.com
internalservername.internaldomain.local
internalservername
With those added and all services assigned to the certificate (SMTP / POP3 / IIS / IMAP) you should have everything working.
You should be able to generate a new Certificate Signing Request by visiting:
https://www.digicert.com/easy-csr/exchange2007.htm
Then copy the output to your server, run the command from the Exchange Management Shell, then copy the CSR request file contents to GoDaddy and re-key the certificate.
Once re-keyed, download the new certificate, import it, then repair the certificate (it won't have the private key) at a command prompt:
certutil -repairstore my "Certificate Thumbprint"
Then enable the certificate:
Enable-ExchangeCertificate -Thumbprint Certificate_Thumbprint -Services "POP, IMAP,IIS,SMTP"
All should then be well.
0
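The procedure above (request, import, repair, enable) can be scripted end to end from the Exchange Management Shell, and it is worth finishing with a check that the issued certificate actually carries every name clients will use before trusting it. The following is an added example, not code from the thread or from any of the posters; the hostnames, file paths and the "servername" entries are placeholders you replace with your own, and it assumes Exchange 2007 (Import-ExchangeCertificate takes -Path there; later versions use -FileData).

```powershell
# Added example (not from the thread): request, import, repair and enable a
# SAN/UCC certificate on Exchange 2007, then verify it covers the names clients use.
# All hostnames and paths below are placeholders.

$names = @(
    "mail.domain.com",            # external OWA / Outlook Anywhere name
    "autodiscover.domain.com",    # external Autodiscover name
    "servername.domain.local",    # internal FQDN of the Exchange server
    "servername"                  # internal short name used by local clients
)

# 1. Generate the CSR. The private key is created and kept on this server;
#    marking it exportable lets the certificate move to a replacement server later.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=mail.domain.com" `
    -DomainName $names -PrivateKeyExportable $true -KeySize 2048 `
    -Path "C:\certreq\mail.domain.com.req"

# ... submit the .req file to the CA and download the issued certificate ...

# 2. Import the issued certificate; the returned object carries its thumbprint.
$imported = Import-ExchangeCertificate -Path "C:\certreq\mail.domain.com.cer"
$thumb = $imported.Thumbprint

# 3. If the certificate was downloaded on another machine the private key is not
#    attached to it; certutil re-associates it with the key created in step 1.
if (-not (Get-ExchangeCertificate -Thumbprint $thumb).HasPrivateKey) {
    certutil -repairstore my $thumb
}

# 4. Bind it to every service clients reach over TLS.
Enable-ExchangeCertificate -Thumbprint $thumb -Services "IIS,SMTP,POP,IMAP"

# 5. Verify: each expected name must appear in the certificate and the private
#    key must be present, otherwise IIS silently keeps serving the old certificate.
$issued  = Get-ExchangeCertificate -Thumbprint $thumb
$covered = @($issued.CertificateDomains | ForEach-Object { "$_".ToLower() })
$missing = @($names | Where-Object { $covered -notcontains $_.ToLower() })

if (-not $issued.HasPrivateKey) {
    Write-Warning "Certificate $thumb still has no private key; repair it before enabling."
}
if ($missing.Count -gt 0) {
    Write-Warning ("Names not covered by certificate {0}: {1}" -f $thumb, ($missing -join ", "))
} else {
    Write-Host ("Certificate {0} covers all {1} names; services: {2}" -f $thumb, $names.Count, $issued.Services)
}
```

The name check in step 5 is what catches the situation described in the question: a certificate that is valid for the external names but not for whatever hostname internal clients are actually given, which shows up as a "names do not match" error rather than as an installation failure.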
 
noooodlez (Author) commented:
Thanks for the responses.

I have the option of changing the alt names on my existing cert by managing it through the GoDaddy website, so I don't think that re-keying will be necessary. I have added servername.domain.local and servername to my existing cert and am now awaiting it being issued (understandably, they have a manual checking process).

I'm not sure that they will be happy to issue to just servername though as this could resolve to anywhere. I might just be being paranoid!!!?
I will report back when I know more.
Assuming that all is well with the certificate, what address would my internal clients use to connect to my SBS sites? I assume that the default http://sites/owa and http://servername/owa would be in?
Cheers
0
 
Alan Hardisty (Co-Owner) commented:
That's fine - they will send the Administrator of the domain an email for approval - then you just click on the link in the email to approve and then they will re-issue the certificate.
Clients will access via whatever FQDN you have added to the certificate and that resolves in DNS to the IP Address of your server, as long as the configuration of the server is correct.
0
 
thetime commented:
Thx alanhardisty for giving him the right names.
0
 
thetime commented:
> Assuming that all is well with the certificate, what address would my internal clients use to connect to my SBS sites? I assume that the default http://sites/owa and http://servername/owa would be in?

The http://servername/owa would be correct, not so sure about the other one.
0
 
noooodlez (Author) commented:
Right, got my certificate, installed/repaired/enabled my certificate through the Exchange PowerShell.

Http over RPC works fine (without cert error)
OWA works fine (I had to change the URL we use to match the cert)

Outlook is now giving a certificate error (name mismatch), although SERVERNAME and SERVERNAME.domainname.com are valid alt names on my cert.

I'm further on than I was, only now the situation is worse as the warning message is now appearing on my MDs PC!!

Any more suggestions?

Many Thanks
Steven
0
 
Alan Hardisty (Co-Owner) commented:
Is this with locally configured Outlook clients?

If so, how are the clients configured?
0
 
noooodlez (Author) commented:
Yes, this is locally connecting clients. One more thing I have noted.

The certificate is failing because Outlook is attempting to connect to "sites", which is the CNAME that SBS 2008 sets up for accessing its IIS apps. This is not included in my certificate alt names.

The message comes up twice. HTTP over RPC is not configured on my connection and I have deleted my SharePoint lists.
0
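The "sites" name in the warning comes from the URLs Exchange itself advertises to clients (the OWA, EWS, OAB, ActiveSync and Autodiscover virtual directories, the Outlook Anywhere external hostname and the Outlook provider's certificate principal name), so the quickest way to find every such mismatch is to compare the host in each advertised URL with the names on the certificate bound to IIS. The script below is an added example, not code from the thread or from SBS; it uses only standard Exchange 2007 cmdlets and is meant to be run from the Exchange Management Shell on the server.

```powershell
# Added example (not from the thread): list the hostnames Exchange 2007 hands to
# clients and flag any that are absent from the certificate IIS is serving.

# The certificate currently enabled for IIS (newest first if several match).
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-Covered([string]$hostname) {
    $h = $hostname.ToLower()
    if ($covered -contains $h) { return $true }
    # Honour a wildcard entry such as *.domain.com for hosts one label deeper.
    $dot = $h.IndexOf('.')
    if ($dot -lt 0) { return $false }
    return ($covered -contains ("*" + $h.Substring($dot)))
}

# Collect every advertised endpoint as a (source, host) pair. Unset URLs are
# skipped because clients never receive them.
$endpoints = @()
function Add-Endpoint([string]$source, $value) {
    if (-not $value) { return }
    $text = "$value"
    if ($text -match '^https?://') { $h = ([Uri]$text).Host } else { $h = $text }
    $script:endpoints += @{ Source = $source; Host = $h }
}

Get-OwaVirtualDirectory         | ForEach-Object { Add-Endpoint "OWA internal $($_.Identity)" $_.InternalUrl; Add-Endpoint "OWA external $($_.Identity)" $_.ExternalUrl }
Get-WebServicesVirtualDirectory | ForEach-Object { Add-Endpoint "EWS internal $($_.Identity)" $_.InternalUrl; Add-Endpoint "EWS external $($_.Identity)" $_.ExternalUrl }
Get-OabVirtualDirectory         | ForEach-Object { Add-Endpoint "OAB internal $($_.Identity)" $_.InternalUrl; Add-Endpoint "OAB external $($_.Identity)" $_.ExternalUrl }
Get-ActiveSyncVirtualDirectory  | ForEach-Object { Add-Endpoint "EAS internal $($_.Identity)" $_.InternalUrl; Add-Endpoint "EAS external $($_.Identity)" $_.ExternalUrl }
Get-ClientAccessServer          | ForEach-Object { Add-Endpoint "Autodiscover SCP $($_.Name)" $_.AutoDiscoverServiceInternalUri }
Get-OutlookAnywhere             | ForEach-Object { Add-Endpoint "Outlook Anywhere $($_.Identity)" $_.ExternalHostname }
# The Outlook provider's principal name is what the "msstd:" setting in Outlook
# is compared against; strip the prefix and check the bare name like the rest.
Get-OutlookProvider | Where-Object { $_.CertPrincipalName } | ForEach-Object {
    Add-Endpoint "OutlookProvider $($_.Name) CertPrincipalName" ("$($_.CertPrincipalName)" -replace '^msstd:', '')
}

# Report: one line per endpoint, MISMATCH where the host is not on the certificate.
"Certificate bound to IIS: $($cert.Thumbprint) ($($covered -join ', '))"
foreach ($e in $endpoints) {
    if (Test-Covered $e.Host) { $status = "OK      " } else { $status = "MISMATCH" }
    "{0}  {1,-45}  {2}" -f $status, $e.Source, $e.Host
}
```

Each MISMATCH line names the setting that sends clients to an uncovered host. The fix is one of the two already discussed in the thread: add that host to the certificate's alternative names, or change the offending URL (Set-OwaVirtualDirectory, Set-WebServicesVirtualDirectory and so on, with -InternalUrl or -ExternalUrl) to a name the certificate already covers.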
 
thetime commented:
Your MD's PC. Does it ever leave the office? (If he leaves it at the office, don't use the HTTP/RPC methods; just use your standard network.)

Go to email accounts, then edit the Exchange accounts
go to more settings
go to enable proxy settings

URL to connect to proxy for exchange.

Is that one pointing to your "Sites" mentioned above or to "mail.domain.com"?
Is "Only connect to proxy servers that have this principal name in their certificate" ticked?
The principal name that you supply should look like this: "msstd:mail.domain.com"
0
 
noooodlez (Author) commented:
Hi, I may have sent you on a bit of a wild goose chase here. Every PC in the office is the same, connecting directly to our Exchange server (including my MD's).

Http over rpc is not checked on any.

I suspect that exchange is delivering data linked over http somewhere (eg. http://sites/owa).

For the idiot over here (I do not profess to be an expert on certification), what is the relevance of msstd.xzxxxx.xxxxxx.com???

0
 
thetime commented:
ok ... (just checking if I can post or not - seems to be a problem with submitting here))
0
 
thetime commented:
It's "msstd:xxxx.xxxxxx.com" - see the colon.


saku99 commented (16/05/10 08:00 PM) - Accepted Solution:

MSSTD stands for Microsoft Standard form, don't know why it works both ways but I've also noticed that, although I had some instances where outlook did not work without the prefix.

As a side note, I had trouble remembering this stupid prefix, so now I remember it as:

MicroSoft Sexually Transmitted Disease :)

More information here about MSSTD
0
 
noooodlez (Author) commented:
OK, I'm going to create a new post on here as I think my original question was answered, the problems I am experiencing now are knock on problems.

You guys feel free to jump in on my new post if you think you can help me further.

Thanks for your time guys, I will distribute points between you accordingly.
0
