Solved

Exchange 2010 Certificate Security Error

Posted on 2010-11-12
Last Modified: 2012-05-10
I have a similar problem with different complications:

The error presented on starting Outlook internally is:

[Screenshot: SSL Error]
Externally my domain is known as redwoodskills.com and my GoDaddy SSL certificate references

redwoodskills.com and
autodiscover.redwoodskills.com

For external DNS, redwoodskills.com is hosted by a 3rd party and autodiscover.redwoodskills.com points to the company's external/internet-facing IP address.

The internal domain name (unfortunately) is redwood.co.uk which actually belongs to another 3rd party company, but as the systems are installed and in production this isn't something I want to change.

The company uses Citrix with a Secure Gateway Server that uses SSL port 443 for securing connections from remote users and the Firewall passes any traffic on 443 to the Secure Gateway Server.

I have configured OWA to use a different port for SSL and that works fine.

My problem started appearing after I had added the 'A' record for autodiscover.redwoodskills.com to my DNS records held externally.

If I view the certificate it is referencing what I believe is the self-signed certificate installed when I installed Exchange 2010.

Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?

Do I install the GoDaddy SSL certificate on my Citrix CSG Server?

Can I use the split DNS option and if so can you please give more specific instructions?

Regards

Brian
Question by:3D2K
10 Comments
 
LVL 15

Expert Comment

by:GreatVargas
ID: 34119818
Your Exchange mail server (the Client Access Server) needs to use a certificate that has autodiscover.domain.com as its subject name or as a subject alternative name.
The problem here is that Outlook uses the internal CAS URL, the autodiscover.domain.com URL and the domain.com URL to work,
so the Client Access Server needs those names on the certificate it uses.
Another symptom you may be experiencing is Out of Office not working from Outlook. Correct?

Try testing the Outlook connection to check all the URLs Outlook uses for Autodiscover. Test by pressing Ctrl + right-click on the Outlook system tray icon and choosing Test.
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 34119994
You need to have the mail/owa/webmail.yourdomain.com name included in your certificate.

Exchange 2010 can hold several Exchange certificates; however, Exchange 2010 may ONLY have one of those certificates enabled on it.

If you are uncertain do the following:

- Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\MyNewExchangeCertificate.cer -Encoding byte -ReadCount 0)) -PrivateKeyExportable $True

- Get-ExchangeCertificate   (remember the thumbprint of the new certificate)

- Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "SMTP,IIS,POP,IMAP"
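As an added example (not posted by anyone in this thread), the following Exchange Management Shell script ties GreatVargas's point about the names Outlook uses to JuusoConnecta's certificate steps: it collects the host names from the CAS Autodiscover SCP URI and the EWS/OAB virtual-directory URLs and reports any that are not in the SAN list of the certificate currently enabled for IIS. It uses only standard Exchange 2010 cmdlets and properties; every host name it prints comes from your own configuration.

```powershell
# Added example: compare the host names Outlook learns via Autodiscover with the
# SANs of the certificate enabled for IIS on this Exchange 2010 CAS.
# Run in the Exchange Management Shell; no names are hard-coded here.

$hostnames = @()

# Autodiscover SCP URI that domain-joined Outlook clients find in Active Directory
Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) { $hostnames += ([Uri]$_.AutoDiscoverServiceInternalUri).Host }
}

# URLs handed out by Autodiscover: EWS (Out of Office, free/busy) and OAB
foreach ($vd in @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory)) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
        if ($u) { $hostnames += ([Uri]$u).Host }
    }
}

# Certificate currently bound to the IIS (HTTPS) service
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { Write-Warning 'No certificate is enabled for the IIS service'; return }

$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-NameCovered {
    param([string]$Name, [string[]]$SanList)
    $n = $Name.ToLower()
    foreach ($san in $SanList) {
        if ($san -eq $n) { return $true }
        # A wildcard SAN covers exactly one label: *.example.com matches a.example.com only
        if ($san.StartsWith('*.') -and ($n -like $san) -and
            ($n.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

"Certificate {0} (thumbprint {1}) covers: {2}" -f $iisCert.Subject, $iisCert.Thumbprint, ($certNames -join ', ')
$hostnames | Sort-Object -Unique | ForEach-Object {
    $status = if (Test-NameCovered -Name $_ -SanList $certNames) { 'OK      ' } else { 'MISMATCH' }
    "{0} {1}" -f $status, $_
}
```

Any line marked MISMATCH is a name Outlook will be told to connect to over HTTPS that the bound certificate cannot vouch for, which is exactly the condition that produces the certificate warning described in the question.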
 

Author Comment

by:3D2K
ID: 34120704
GreatVargas

Correct, Out-of-Office not working either.

The autodiscover test returned plenty of errors:

Autoconfiguration was unable to determine your settings!

[Attachments: Test log pages 1 to 6]
I'm very wary of changing too much as I don't want to break what's already working.

I thought this autodiscover was easy. Bill Gates is wrong again.  Is this progress?

Thanks

Brian
 
LVL 15

Expert Comment

by:GreatVargas
ID: 34122786
Remove the Use Guessmart and Secure Guessmart checks and test without entering the credentials.

Also, please remove the proxy in IE on the machine you are using for testing, restart Outlook and test again.

Proxies sometimes perform HTTPS inspection, so it is better to remove it (if you have one) for testing.
 
LVL 3

Expert Comment

by:AnwarS
ID: 34126901
Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?
autodiscover.redwoodskills.com
 

Author Comment

by:3D2K
ID: 34127337
AnwarS

My GoDaddy SSL certificate already has autodiscover.redwoodskills.com as well as redwoodskills.com.

The autodiscovery works perfectly well externally now, but since I created a DNS 'A' record for autodiscover.redwoodskills.com it has broken the 'internal' Outlook clients.

When I say broken it's not completely broken it just posts the annoying error on each invocation of Outlook.

Brian
 

Author Comment

by:3D2K
ID: 34128171
GreatVargas

Here is the log with Guessmart turned off:

[Attachment: Autodiscover Outlook Log]
I can't easily turn off the IE proxy from here as I'm running this through a Citrix Secure Gateway session.

My best guess is that I need RES-EXS.redwood.co.uk added to my SSL certificate.

Brian
 

Author Comment

by:3D2K
ID: 34150668
I'm still requiring some help with this problem.

I'm thinking of adding the internal Exchange Server 2010 RES-EXS.redwood.co.uk as a SAN (SubjectAltName) in my GoDaddy SSL certificate.

However, I'm a bit concerned that GoDaddy may try to validate that name and approach the actual owner of the external domain redwood.co.uk which is a 3rd party who has nothing to do with the company I am working for.

The other issue I have is that I'm using the default SSL port 443 for Citrix Secure Gateway traffic and I'm using SSL port 448 for secure traffic into my Exchange environment. It looks as if the Outlook test may be failing because it is not allowing me to use SSL port 448.
 

Accepted Solution

by:3D2K (earned 0 total points)
ID: 34170998
Help....

Of course GoDaddy wouldn't allow me to add a SAN that referenced redwood.co.uk as expected.

What I think is going on here is that I am using 443 for my Citrix Secure Gateway implementation and that is causing Exchange to have problems.  I have configured some of Exchange to use port 448 as I can get OWA to work by appending :448 to the URL.

I suspect I may need to configure the whole of Exchange to use a different SSL port for a complete solution.

I am therefore closing this question and opening a new one.

Brian
 

Author Closing Comment

by:3D2K
ID: 34195191
I'm closing this question and opening a new one.