Solved

Exchange 2010 Certificate Security Error

Posted on 2010-11-12
10
1,000 Views
Last Modified: 2012-05-10
I have a similar problem with different complications:

The error presented on starting Outlook internally is:

 SSL Error
Externally my domain is known as redwoodskills.com and my GoDaddy SSL certificate references

redwoodskills.com and
autodiscover.redwoodskills.com

For the external DNS redwoodskills.com is hosted by a 3rd party and autodiscover.redwoodskills.com points to the company's external/internet facing IP Address.

The internal domain name (unfortunately) is redwood.co.uk which actually belongs to another 3rd party company, but as the systems are installed and in production this isn't something I want to change.

The company uses Citrix with a Secure Gateway Server that uses SSL port 443 for securing connections from remote users and the Firewall passes any traffic on 443 to the Secure Gateway Server.

I have configured OWA to use a different port for SSL and that works fine.

My problem started appearing after I had added the 'A' record for autodiscover.redwoodskills.com to my DNS records held externally.

If I view the certificate it is referencing what I believe is the self cert certificate installed when I installed Exchange 2010.

Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?

Do I install the GoDaddy SSL certificate on my Citrix CSG Server?

Can I use the split DNS option and if so can you please give more specific instructions?

Regards

Brian
0
Comment
Question by:3D2K
10 Comments
 
LVL 15

Expert Comment

by:GreatVargas
ID: 34119818
You need that your exchange mail server (the client access server) use the certificate that has as subject name or subject alternative name the autodiscover.domain.com.
tha problem here is that outlook uses the internal CAS url, the autodiscover.domain.com and the domain.com urls to work.
so the client access server needs that names on the certificate he uses.
another sympthom you can be experiencing is out of office not working from outlook. correct?

try testing the outlook connection to check all url outlook uses for autodiscover. test by pressing crtl-right click on outlook system tray icon. and choose test.
0
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 34119994
You need to have mail/owa/webmail .yourdomain.com name included in your certificate


Exchange 2010 can withhold several exchange certificates, however exchange 2010 may ONLY have one of those certificates enabled on it.

If you are uncertain do the following:

-Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\MyNewExchangeCertificate.cer -Encoding byte -ReadCount 0)) –PrivateKeyExportable $True

-Get-ExchangeCertificate   (remember the thumbprint)

- Enable-ExchangeCertificate Thumbprint -Services "SMTP,IIS,POP,IMAP"
0
 

Author Comment

by:3D2K
ID: 34120704
GreatVargas

Correct, Out-of-Office not working either.

The autodiscover test returned plenty of errors:

Autoconfiguration was unable to determine your settings!

 Test log page 1 Test log page 2 Test log page 3 Test log page 4 Test log page 5 Test log page 6
I'm very wary of changing too much as I don't want to break what's already working.

I thought this autodiscover was easy. Bill Gates is wrong again.  Is this progress?

Thanks

Brian
0
 
LVL 15

Expert Comment

by:GreatVargas
ID: 34122786
remove the use guesssmart and the secure guesssmart checks and test without entering the credentials.

also please remove the proxy on the IE of the machine you are using for testing and test again outlook restarting it.

proxy sometimes make https inspections and is better to remove it (if you have it) for testing
0
 
LVL 3

Expert Comment

by:AnwarS
ID: 34126901
Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?
autodiscover.redwoodskills.com
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:3D2K
ID: 34127337
AnwarS

My GoDaddy SSL certificate already has autodiscover.redwoodskills.com as well as redwoodskills.com.

The autodiscovery works perfectly well externally now, but since I created a DNS 'A' record for autodiscover.redwoodskills.com it has broken the 'internal' Outlook clients.

When I say broken it's not completely broken it just posts the annoying error on each invocation of Outlook.

Brian
0
 

Author Comment

by:3D2K
ID: 34128171
GreatVargas

Here is the log with guesssmart turned off:

 Autodiscover Outlook Log
I can't easily turn off the IE proxy from here as I'm running this through a Citrix Secure Gateway session.

My best guess is that I need RES-EXS.redwood.co.uk adding to my SSL certificate.

Brian
0
 

Author Comment

by:3D2K
ID: 34150668
I'm still requiring some help with this problem.

I'm thinking of adding the internal Exchange Server 2010 RES-EXS.redwood.co.uk as a SAN (SubjectAltName) in my GoDaddy SSL certificate.

However, I'm a bit concerned that GoDaddy may try to validate that name and approach the actual owner of the external domain redwood.co.uk which is a 3rd party who has nothing to do with the company I am working for.

The other issue I have that I'm using the default SSL port 443 for Citrix Secure Gateway traffic and I'm using SSL port 448 for secure traffic into my Exchange environment.  It looks as if the Outlook test may be failing because it is not allowing me to use SSL port 448.
0
 

Accepted Solution

by:
3D2K earned 0 total points
ID: 34170998
Help....

Of course GoDaddy wouldn't allow me to add a SAN that referenced redwood.co.uk as expected.

What I think is going on here is that I am using 443 for my Citrix Secure Gateway implementation and that is causing Exchange to have problems.  I have configured some of Exchange to use port 448 as I can get OWA to work by appending :448 to the URL.

I suspect I may need to configure the whole of Exchange to use a different SSL port for a complete solution.

I am therefore closing this question and opening a new one.

Brian
0
 

Author Closing Comment

by:3D2K
ID: 34195191
I'm closing this question and opening a new one.
0

Featured Post

Free book by J.Peter Bruzzese, Microsoft MVP

Are you using Office 365? Trying to set up email signatures but you’re struggling with transport rules and connectors? Let renowned Microsoft MVP J.Peter Bruzzese show you how in this exclusive e-book on Office 365 email signatures. Better yet, it’s free!

Join & Write a Comment

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now