3D2K
asked on
Exchange 2010 Certificate Security Error
I have a similar problem with different complications:
The error presented on starting Outlook internally is:
Externally my domain is known as redwoodskills.com and my GoDaddy SSL certificate references
redwoodskills.com and
autodiscover.redwoodskills.com
For the external DNS, redwoodskills.com is hosted by a 3rd party and autodiscover.redwoodskills.com points to the company's external/internet-facing IP address.
The internal domain name (unfortunately) is redwood.co.uk which actually belongs to another 3rd party company, but as the systems are installed and in production this isn't something I want to change.
The company uses Citrix with a Secure Gateway Server that uses SSL port 443 for securing connections from remote users and the Firewall passes any traffic on 443 to the Secure Gateway Server.
I have configured OWA to use a different port for SSL and that works fine.
My problem started appearing after I had added the 'A' record for autodiscover.redwoodskills.com to my DNS records held externally.
If I view the certificate it is referencing what I believe is the self cert certificate installed when I installed Exchange 2010.
Do I add an extra URL to my GoDaddy SSL certificate? If so which one?
Do I install the GoDaddy SSL certificate on my Citrix CSG Server?
Can I use the split DNS option and if so can you please give more specific instructions?
Regards
Brian
You need to have the mail/owa/webmail.yourdomain.com name included in your certificate.
Exchange 2010 can hold several Exchange certificates; however, Exchange 2010 may ONLY have one of those certificates enabled on it.
If you are uncertain, do the following:
- Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\MyNewExchangeCertificate.cer -Encoding byte -ReadCount 0)) -PrivateKeyExportable $True
- Get-ExchangeCertificate (remember the thumbprint)
- Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "SMTP,IIS,POP,IMAP"
ASKER
GreatVargas
Correct, Out-of-Office not working either.
The autodiscover test returned plenty of errors:
Autoconfiguration was unable to determine your settings!
I'm very wary of changing too much as I don't want to break what's already working.
I thought this autodiscover was easy. Bill Gates is wrong again. Is this progress?
Thanks
Brian
Remove the 'Use Guessmart' and 'Secure Guessmart' checks and test without entering the credentials.
Also, please remove the proxy in IE on the machine you are using for testing, restart Outlook and test again.
A proxy sometimes performs HTTPS inspection, so it's better to remove it (if you have one) for testing.
Do I add an extra URL to my GoDaddy SSL certificate? If so which one?
autodiscover.redwoodskills.com
ASKER
AnwarS
My GoDaddy SSL certificate already has autodiscover.redwoodskills.com as well as redwoodskills.com.
The autodiscovery works perfectly well externally now, but since I created a DNS 'A' record for autodiscover.redwoodskills.com it has broken the 'internal' Outlook clients.
When I say broken it's not completely broken it just posts the annoying error on each invocation of Outlook.
Brian
ASKER
I'm still requiring some help with this problem.
I'm thinking of adding the internal Exchange Server 2010 RES-EXS.redwood.co.uk as a SAN (SubjectAltName) in my GoDaddy SSL certificate.
However, I'm a bit concerned that GoDaddy may try to validate that name and approach the actual owner of the external domain redwood.co.uk which is a 3rd party who has nothing to do with the company I am working for.
The other issue I have is that I'm using the default SSL port 443 for Citrix Secure Gateway traffic and I'm using SSL port 448 for secure traffic into my Exchange environment. It looks as if the Outlook test may be failing because it is not allowing me to use SSL port 448.
ASKER CERTIFIED SOLUTION
ASKER
I'm closing this question and opening a new one.
The problem here is that Outlook uses the internal CAS URL, the autodiscover.domain.com URL and the domain.com URL to work.
So the Client Access Server needs those names on the certificate it uses.
Another symptom you may be experiencing is Out of Office not working from Outlook. Correct?
Try testing the Outlook connection to check all the URLs Outlook uses for autodiscover. Test by holding Ctrl and right-clicking the Outlook system tray icon, then choose Test.
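As an added example (not part of this thread and not any participant's code), the following Exchange Management Shell script ties together the two expert points above: that Exchange 2010 binds one certificate to IIS, and that the CAS certificate must carry every name Outlook uses (the internal CAS URL, autodiscover.<domain> and <domain>). It collects the hostnames from the URLs Exchange 2010 publishes (Autodiscover SCP, EWS, OAB, ECP, OWA, ActiveSync, Outlook Anywhere), adds the two conventional autodiscover names, and reports which of them the IIS-enabled certificate does not cover. The server name RES-EXS and the SMTP domain redwoodskills.com are taken from the thread and are assumed to be correct for your environment; the Test-NameCovered helper and the report layout are my own.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2010 Client Access Server. Lists every hostname Exchange hands to Outlook
# and flags the ones the IIS-bound certificate does not cover.

$cas        = "RES-EXS"            # assumed: the CAS name mentioned in the thread
$smtpDomain = "redwoodskills.com"  # from the thread: the external SMTP domain

# 1. URLs Outlook will contact over HTTPS, taken from what Exchange itself publishes.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri   # SCP used by domain-joined Outlook
$urls += Get-WebServicesVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# 2. Reduce the URLs to hostnames (the part the certificate has to match).
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() })

# Names Outlook tries by convention when no SCP answer is usable.
$hosts += $smtpDomain.ToLower()
$hosts += "autodiscover.$smtpDomain".ToLower()

# Outlook Anywhere (RPC over HTTPS) publishes a hostname rather than a URL.
$oa = Get-OutlookAnywhere -Server $cas
if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }

$hosts = @($hosts | Sort-Object -Unique)

# 3. The single certificate enabled for IIS is the one every HTTPS client is shown.
$cert = Get-ExchangeCertificate -Server $cas | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for the IIS service on $cas" }
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Helper (my own): does the SAN list cover a hostname, including one-label wildcards?
function Test-NameCovered {
    param([string]$Name, [string[]]$Sans)
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        # A wildcard SAN (*.example.com) covers exactly one extra label on the left.
        if ($san.StartsWith("*.")) {
            $suffix = $san.Substring(1)                       # ".example.com"
            if ($Name.EndsWith($suffix)) {
                $left = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($left -ne "" -and $left -notlike "*.*") { return $true }
            }
        }
    }
    return $false
}

# 4. Report: one line per hostname, MISSING where the certificate will trigger a warning.
"Certificate bound to IIS: {0} (self-signed: {1}, expires {2})" -f $cert.Subject, $cert.IsSelfSigned, $cert.NotAfter
"SANs: " + ($sans -join ", ")
""
foreach ($h in $hosts) {
    $status = "MISSING"
    if (Test-NameCovered -Name $h -Sans $sans) { $status = "ok" }
    "{0,-8} {1}" -f $status, $h
}
```

Every MISSING line is a name that internal or external Outlook will be handed and that the bound certificate cannot vouch for. For each one there are two ways out: add the name to the certificate as a SAN (the approach Brian is considering for RES-EXS.redwood.co.uk), or repoint the publishing URL to a name already on the certificate (Set-ClientAccessServer -AutoDiscoverServiceInternalUri, Set-WebServicesVirtualDirectory -InternalUrl, and the matching Set-* cmdlets for the other virtual directories) and make that name resolve internally, which is the split-DNS option raised in the question. A self-signed: True in the header line confirms the situation described in the question, where the GoDaddy certificate is installed but not the one enabled for IIS.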