Solved

Exchange 2010 Certificate Security Error

Posted on 2010-11-12
10
1,002 Views
Last Modified: 2012-05-10
I have a similar problem with different complications:

The error presented on starting Outlook internally is:

 SSL Error
Externally my domain is known as redwoodskills.com and my GoDaddy SSL certificate references

redwoodskills.com and
autodiscover.redwoodskills.com

For the external DNS redwoodskills.com is hosted by a 3rd party and autodiscover.redwoodskills.com points to the company's external/internet facing IP Address.

The internal domain name (unfortunately) is redwood.co.uk which actually belongs to another 3rd party company, but as the systems are installed and in production this isn't something I want to change.

The company uses Citrix with a Secure Gateway Server that uses SSL port 443 for securing connections from remote users and the Firewall passes any traffic on 443 to the Secure Gateway Server.

I have configured OWA to use a different port for SSL and that works fine.

My problem started appearing after I had added the 'A' record for autodiscover.redwoodskills.com to my DNS records held externally.

If I view the certificate it is referencing what I believe is the self cert certificate installed when I installed Exchange 2010.

Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?

Do I install the GoDaddy SSL certificate on my Citrix CSG Server?

Can I use the split DNS option and if so can you please give more specific instructions?

Regards

Brian
0
Comment
Question by:3D2K
10 Comments
 
LVL 15

Expert Comment

by:GreatVargas
ID: 34119818
You need that your exchange mail server (the client access server) use the certificate that has as subject name or subject alternative name the autodiscover.domain.com.
tha problem here is that outlook uses the internal CAS url, the autodiscover.domain.com and the domain.com urls to work.
so the client access server needs that names on the certificate he uses.
another sympthom you can be experiencing is out of office not working from outlook. correct?

try testing the outlook connection to check all url outlook uses for autodiscover. test by pressing crtl-right click on outlook system tray icon. and choose test.
0
 
LVL 11

Expert Comment

by:JuusoConnecta
ID: 34119994
You need to have mail/owa/webmail .yourdomain.com name included in your certificate


Exchange 2010 can withhold several exchange certificates, however exchange 2010 may ONLY have one of those certificates enabled on it.

If you are uncertain do the following:

-Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\MyNewExchangeCertificate.cer -Encoding byte -ReadCount 0)) –PrivateKeyExportable $True

-Get-ExchangeCertificate   (remember the thumbprint)

- Enable-ExchangeCertificate Thumbprint -Services "SMTP,IIS,POP,IMAP"
0
 

Author Comment

by:3D2K
ID: 34120704
GreatVargas

Correct, Out-of-Office not working either.

The autodiscover test returned plenty of errors:

Autoconfiguration was unable to determine your settings!

 Test log page 1 Test log page 2 Test log page 3 Test log page 4 Test log page 5 Test log page 6
I'm very wary of changing too much as I don't want to break what's already working.

I thought this autodiscover was easy. Bill Gates is wrong again.  Is this progress?

Thanks

Brian
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 15

Expert Comment

by:GreatVargas
ID: 34122786
remove the use guesssmart and the secure guesssmart checks and test without entering the credentials.

also please remove the proxy on the IE of the machine you are using for testing and test again outlook restarting it.

proxy sometimes make https inspections and is better to remove it (if you have it) for testing
0
 
LVL 3

Expert Comment

by:AnwarS
ID: 34126901
Do I add an extra URL to my GoDaddy SSL certificate?  If so which one?
autodiscover.redwoodskills.com
0
 

Author Comment

by:3D2K
ID: 34127337
AnwarS

My GoDaddy SSL certificate already has autodiscover.redwoodskills.com as well as redwoodskills.com.

The autodiscovery works perfectly well externally now, but since I created a DNS 'A' record for autodiscover.redwoodskills.com it has broken the 'internal' Outlook clients.

When I say broken it's not completely broken it just posts the annoying error on each invocation of Outlook.

Brian
0
 

Author Comment

by:3D2K
ID: 34128171
GreatVargas

Here is the log with guesssmart turned off:

 Autodiscover Outlook Log
I can't easily turn off the IE proxy from here as I'm running this through a Citrix Secure Gateway session.

My best guess is that I need RES-EXS.redwood.co.uk adding to my SSL certificate.

Brian
0
 

Author Comment

by:3D2K
ID: 34150668
I'm still requiring some help with this problem.

I'm thinking of adding the internal Exchange Server 2010 RES-EXS.redwood.co.uk as a SAN (SubjectAltName) in my GoDaddy SSL certificate.

However, I'm a bit concerned that GoDaddy may try to validate that name and approach the actual owner of the external domain redwood.co.uk which is a 3rd party who has nothing to do with the company I am working for.

The other issue I have that I'm using the default SSL port 443 for Citrix Secure Gateway traffic and I'm using SSL port 448 for secure traffic into my Exchange environment.  It looks as if the Outlook test may be failing because it is not allowing me to use SSL port 448.
0
 

Accepted Solution

by:
3D2K earned 0 total points
ID: 34170998
Help....

Of course GoDaddy wouldn't allow me to add a SAN that referenced redwood.co.uk as expected.

What I think is going on here is that I am using 443 for my Citrix Secure Gateway implementation and that is causing Exchange to have problems.  I have configured some of Exchange to use port 448 as I can get OWA to work by appending :448 to the URL.

I suspect I may need to configure the whole of Exchange to use a different SSL port for a complete solution.

I am therefore closing this question and opening a new one.

Brian
0
 

Author Closing Comment

by:3D2K
ID: 34195191
I'm closing this question and opening a new one.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question