Solved

Outlook users getting SSL cert warning

Posted on 2011-02-10
5
Medium Priority
878 Views
Last Modified: 2012-05-11
We recently installed a brand new Exchange 2010 server in an environment that was (well, is until cutover) using POP3. The clients are a mix of Outlook 2007 and 2010. When opening Outlook for the first time, we get an SSL warning for the FQDN of the server's internal domain name (ex. mail1.internaldomain.org).

We have a valid UCC SSL cert for a few domains, including just the server name itself (ex. mail1, plus mail.externaldomain.org, mail.domainsecond.org, etc). However, we could not add the Subject Alt Name for mail1.internaldomain.org, the INTERNAL Active Directory domain, as "internaldomain.org" was already in use on the Internet and we have no control over accepting the SSL authorization/acceptance requests. This is one reason I don't like using A.D. domains that don't end with .local.

On the Exchange 2010 server, there are 3 certs. Two are default self-signed certs and then there's the 3rd party UCC cert. One of the defaults is for mail1.internaldomain.org.

Anyway, is there any possible way to prevent this SSL warning? We are about to cut this office over to using the internal on-premise Exchange server but this "error" will annoy the end users in a huge way.

Thanks!
Question by:redeyeinc
5 Comments
 
LVL 10

Expert Comment

by:WayneATaylor
ID: 34864898
Hi

I solved this before by turning off the IIS7 kernel mode windows authentication to resolve the prompting on my server.

Here's the command that needs to be run on the CAS boxes ->
%windir%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false

I found the solution here
http://msexchangeteam.com/comments/449053.aspx

Cheers
Wayne
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 34864908
push the cert for the new box to all end users
use a GPO if you want
0
 

Author Comment

by:redeyeinc
ID: 34865267
That blog post seems to be for users getting prompted for username/password using Outlook Anywhere, not an SSL cert issue.

The SSL warning is for the servername.internaldomain.org. Since we do not have control or access to the Internet DNS config for "internaldomain.org", which just happens to match our Active Directory domain name exactly, we'll never be able to get a new UCC SSL cert with servername.internaldomain.org as one of the Subject Alt Names.

I'm looking for a way around this issue. I tried importing the cert manually on a workstation and placing it in the Trusted Root Authority container but that did not resolve.
0
 
LVL 10

Expert Comment

by:WayneATaylor
ID: 34867073
Sorry yes I think you are right that was for the username/password thing....

If your domain has been created incorrectly from the start as an invalid .org address then a self signed cert should work if you add it to the users repository...

If not, what is the exact message you are getting back?

Wayne
 
0
 
LVL 7

Accepted Solution

by:OctInv (earned 2000 total points)
ID: 34867100
Unfortunately by default exchange will always select a 3rd party certificate over a self signed one, so I do not think you will have any luck there. What you need to do is ensure that the Autodiscovery site on the CAS (in IIS) matches your external domain name (mail.externaldomain.org), not your internal domain name. Try this article, it is for Exchange 2007, but I am sure it will be the same for 2010 (maybe??):

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
0
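As an added example (not code from this thread or from the linked article), this is what the accepted answer's fix looks like in the Exchange 2010 Management Shell: confirm the UCC certificate bound to IIS carries the public name, then point Autodiscover and the web-services virtual directories at that name instead of mail1.internaldomain.org. Assumed: the CAS is named MAIL1, the public name is mail.externaldomain.org (both from the question), a test mailbox called testuser exists, and internal DNS resolves mail.externaldomain.org to the CAS's internal address.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 CAS. Assumed names: CAS "MAIL1", UCC SAN entry
# "mail.externaldomain.org" (from the question), test mailbox "testuser".
$Cas        = "MAIL1"
$PublicName = "mail.externaldomain.org"
$Base       = "https://$PublicName"

# 1. Confirm the certificate Exchange bound to IIS actually lists the public
#    name. Outlook checks name match and chain trust separately, so a name
#    missing from the SAN list still warns even when the cert is trusted.
$iisCert = Get-ExchangeCertificate -Server $Cas |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$names = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $PublicName) {
    throw "Certificate $($iisCert.Thumbprint) bound to IIS lacks $PublicName"
}

# 2. Autodiscover is the first URL Outlook asks for; hand out the public name.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 3. Align the internal URLs of each web-services virtual directory with the
#    same name so the Autodiscover response never references the AD FQDN.
Get-WebServicesVirtualDirectory -Server $Cas |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
                                    -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Cas |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-ActiveSyncVirtualDirectory -Server $Cas |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OwaVirtualDirectory -Server $Cas |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Cas |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"

# 4. Check what Autodiscover now returns for the assumed test mailbox; every
#    URL in the output should use $PublicName, none the internal FQDN.
Test-OutlookWebServices -Identity testuser | Format-List
```

Run iisreset on the CAS afterwards and restart Outlook; the warning disappears once Outlook receives the updated Autodiscover response. Outlook Anywhere's external hostname should already match the same public name.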
