Solved

Exchange 2010 Security Alert

Posted on 2011-02-10
12
664 Views
Last Modified: 2012-05-11
This morning a couple users out of our ~150 use rbase, opened outlook and got a security alert warning them that the new 2010 server's certificate was from an untrusted source.  Because it was self-signed.

I found guides here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26706037.html and here: http://support.microsoft.com/kb/940726/en-us

However I cannot follow because we are not ready to transition fully over to the new server.  Other than each client that gets this manually accepting.. is there anything I can do on the back end?  Somehow adding the server name in as an enterprise trusted source or something?

Thanks!
0
Comment
Question by:Ben Hart
  • 6
  • 3
  • 2
12 Comments
 
LVL 11

Accepted Solution

by:
Old User earned 250 total points
ID: 34869053
You can create a GPO and add the trusted root authority i.e. the server that issued the self cert
see this link

http://msdn.microsoft.com/en-us/library/cc738131(v=ws.10).aspx
0
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 250 total points
ID: 34869785
Better you buy a SAN certificate from GoDaddy or any other certificate provider and implement that certificate in your exchange and assign all services to the new certificate.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887624
Christ this stuff gets moved to inactive way too damned fast.


dpreston68/abhijitmdp: Would this issue be resolved once the existing externally verified certificate is moved from the existing Exchange server to this one?  
0
 
LVL 11

Expert Comment

by:Old User
ID: 34887717
Yes if you install non self cert ssl the issue will be resolved as long as the hostnames match.
normally for Exchange 07/10 i would recomend a UCC/SAN ssl with the below subject names

mail.domain.com  (your MX record)
webmail.domain.com  (your OWA url)
autodiscover.domain.com
serverhostname
serverhostname.internaldomain.local

if you are going to buy an externall ssl it will be advisable to go for the suggested UCC/SAN
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887771
Your comment is well received,  but my boss-imposed goal is to keep the same external OWA url that we currently use with 2003.  I think I'll need to go with your GPO idea for now dpreston, until we are ready to shut down the old server.. unless there's something else I missed since we are transitioning from 03 to 10, we will be using both servers for at least a short while simultaneously.  Which I still need to determine if OWA will pass through the 2003 to users on 2010.
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34926811
Any update...
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 34944124
Well no change really.  We're still getting that error even after both creating a domain signed cert for the 2010's FQDN, a self-signed for the same, and even trying to set the autodiscover internal URL to the autodiscover URL (matching the external URL) just so the urls in the cert would match.  I've been without time to test over the weekend but a co-worker on Friday did complain about a cert warning I can only assume was the same as I've been trying to fix.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34963257
You need to use a UCC5 certificate as you'll use multiple cert names.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35018320
We went with a trio of normal SSL certs, one for the new OWA url, one for autodiscover and the last for legacy.mail.  We are also not publishing the autodiscover externally.. the internal Outlook clients are receiving the error and it complains that the cert it's given when requesting autodiscover is the OWA cert.

I just now re-ran the command to set the clientaccessserver autodiscover service internal uri to my autodiscover url, which doesn't seem to have helped since now most of the Outlook client internally error out on attempting to autodiscover.

Clients that are connected internally but not joined to the domain are unable to negotiate an encrypted connection.  Which if you tell Outlook to continue searching (unencrypted) it still bombs out saying how it couldn't find the server settings.

Now a client that is joined to the domain and plugged in internally, Outlook did work.  However in both instances teh mailbox was housed on the 2003 server.  I tried on the internal client with a mailbox housed on the 2010 server and it failed encrypted and unencrypted.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232290
This issue is still an issue, but because of my companies fault and not anyone else's.  I'll award points to those who have provided insight and advice thus far.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232312
This issue is still an issue, but because of my companies fault and not anyone else's.  I'll award points to those who have provided insight and advice thus far.  dematzer I'd like to request the question not be auto closed but let me award points to abhijitmdp and dpreston68 for the help they've provided thus far.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
how to add IIS SMTP to handle application/Scanner relays into office 365.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now