Outlook users getting SSL cert warning
We recently installed a brand new Exchange 2010 server in an environment that was (well, is until cutover) using POP3. The clients are a mix of Outlook 2007 and 2010. When opening Outlook for the first time, we get an SSL warning for the FQDN of the server's internal domain name (ex. mail1.internaldomain.org).
We have a valid UCC SSL cert for a few domains, including just the server name itself (ex. mail1, plus mail.externaldomain.org, mail.domainsecond.org, etc). However, we could not add the Subject Alt Name for mail1.internaldomain.org, the INTERNAL Active Directory domain, as "internaldomain.org" was already in use on the Internet and we have no control over accepting the SSL authorization/acceptance requests. This is one reason I don't like using A.D. domains that don't end with .local.
On the Exchange 2010 server, there are 3 certs. Two are default self-signed certs and then there's the 3rd party UCC cert. One of the defaults is for mail1.internaldomain.org.
Anyway, is there any possible way to prevent this SSL warning? We are about to cut this office over to using the internal on-premise Exchange server but this "error" will annoy the end users in a huge way.
Thanks!
Push the cert for the new box to all end users.
Use a GPO if you want.
ASKER
That blog post seems to be for users getting prompted for username/password using Outlook Anywhere, not an SSL cert issue.
The SSL warning is for the servername.internaldomain.org. Since we do not have control or access to the Internet DNS config for "internaldomain.org", which just happens to match our Active Directory domain name exactly, we'll never be able to get a new UCC SSL cert with servername.internaldomain.org as one of the Subject Alt Names.
I'm looking for a way around this issue. I tried importing the cert manually on a workstation and placing it in the Trusted Root Authority container but that did not resolve.
Sorry, yes, I think you are right, that was for the username/password thing....
If your domain has been created incorrectly from the start as an invalid .org address then a self-signed cert should work if you add it to the users repository...
If not, what is the exact message you are getting back?
Wayne
I solved this before by turning off the IIS7 kernel mode Windows authentication to resolve the prompting on my server.
Here's the command that needs to be run on the CAS boxes ->
%Windows%\inetsrv\appcmd.e
er/security/authentication
I found the solution here
http://msexchangeteam.com/comments/449053.aspx
Cheers
Wayne