• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1011
  • Last Modified:

Exchange 2010 Certificate Security Error

I have a similar problem with different complications:

The error presented on starting Outlook internally is:

 SSL Error
Externally my domain is known as redwoodskills.com and my GoDaddy SSL certificate references

redwoodskills.com and
autodiscover.redwoodskills.com

For the external DNS redwoodskills.com is hosted by a 3rd party and autodiscover.redwoodskills.com points to the company's external/internet facing IP Address.

The internal domain name (unfortunately) is redwood.co.uk which actually belongs to another 3rd party company, but as the systems are installed and in production this isn't something I want to change.

The company uses Citrix with a Secure Gateway Server that uses SSL port 443 for securing connections from remote users and the Firewall passes any traffic on 443 to the Secure Gateway Server.

I have configured OWA to use a different port for SSL and that works fine.

My problem started appearing after I had added the 'A' record for autodiscover.redwoodskills.com to my DNS records held externally.

If I view the certificate it is referencing what I believe is the self cert certificate installed when I installed Exchange 2010.

Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?

Do I install the GoDaddy SSL certificate on my Citrix CSG Server?

Can I use the split DNS option and if so can you please give more specific instructions?

Regards

Brian
0
3D2K
Asked:
3D2K
1 Solution
 
Antonio VargasMicrosoft Senior Cloud ConsultantCommented:
You need that your exchange mail server (the client access server) use the certificate that has as subject name or subject alternative name the autodiscover.domain.com.
tha problem here is that outlook uses the internal CAS url, the autodiscover.domain.com and the domain.com urls to work.
so the client access server needs that names on the certificate he uses.
another sympthom you can be experiencing is out of office not working from outlook. correct?

try testing the outlook connection to check all url outlook uses for autodiscover. test by pressing crtl-right click on outlook system tray icon. and choose test.
0
 
JuusoConnectaCommented:
You need to have mail/owa/webmail .yourdomain.com name included in your certificate


Exchange 2010 can withhold several exchange certificates, however exchange 2010 may ONLY have one of those certificates enabled on it.

If you are uncertain do the following:

-Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\MyNewExchangeCertificate.cer -Encoding byte -ReadCount 0)) –PrivateKeyExportable $True

-Get-ExchangeCertificate   (remember the thumbprint)

- Enable-ExchangeCertificate Thumbprint -Services "SMTP,IIS,POP,IMAP"
0
 
3D2KAuthor Commented:
GreatVargas

Correct, Out-of-Office not working either.

The autodiscover test returned plenty of errors:

Autoconfiguration was unable to determine your settings!

 Test log page 1 Test log page 2 Test log page 3 Test log page 4 Test log page 5 Test log page 6
I'm very wary of changing too much as I don't want to break what's already working.

I thought this autodiscover was easy. Bill Gates is wrong again.  Is this progress?

Thanks

Brian
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Antonio VargasMicrosoft Senior Cloud ConsultantCommented:
remove the use guesssmart and the secure guesssmart checks and test without entering the credentials.

also please remove the proxy on the IE of the machine you are using for testing and test again outlook restarting it.

proxy sometimes make https inspections and is better to remove it (if you have it) for testing
0
 
AnwarSCommented:
Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?
autodiscover.redwoodskills.com
0
 
3D2KAuthor Commented:
AnwarS

My GoDaddy SSL certificate already has autodiscover.redwoodskills.com as well as redwoodskills.com.

The autodiscovery works perfectly well externally now, but since I created a DNS 'A' record for autodiscover.redwoodskills.com it has broken the 'internal' Outlook clients.

When I say broken it's not completely broken it just posts the annoying error on each invocation of Outlook.

Brian
0
 
3D2KAuthor Commented:
GreatVargas

Here is the log with guesssmart turned off:

 Autodiscover Outlook Log
I can't easily turn off the IE proxy from here as I'm running this through a Citrix Secure Gateway session.

My best guess is that I need RES-EXS.redwood.co.uk adding to my SSL certificate.

Brian
0
 
3D2KAuthor Commented:
I'm still requiring some help with this problem.

I'm thinking of adding the internal Exchange Server 2010 RES-EXS.redwood.co.uk as a SAN (SubjectAltName) in my GoDaddy SSL certificate.

However, I'm a bit concerned that GoDaddy may try to validate that name and approach the actual owner of the external domain redwood.co.uk which is a 3rd party who has nothing to do with the company I am working for.

The other issue I have that I'm using the default SSL port 443 for Citrix Secure Gateway traffic and I'm using SSL port 448 for secure traffic into my Exchange environment.  It looks as if the Outlook test may be failing because it is not allowing me to use SSL port 448.
0
 
3D2KAuthor Commented:
Help....

Of course GoDaddy wouldn't allow me to add a SAN that referenced redwood.co.uk as expected.

What I think is going on here is that I am using 443 for my Citrix Secure Gateway implementation and that is causing Exchange to have problems.  I have configured some of Exchange to use port 448 as I can get OWA to work by appending :448 to the URL.

I suspect I may need to configure the whole of Exchange to use a different SSL port for a complete solution.

I am therefore closing this question and opening a new one.

Brian
0
 
3D2KAuthor Commented:
I'm closing this question and opening a new one.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now