Exchange 2010 Security Alert

This morning a couple of users out of our ~150 userbase opened Outlook and got a security alert warning them that the new 2010 server's certificate was from an untrusted source, because it was self-signed.

I found guides here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26706037.html and here: http://support.microsoft.com/kb/940726/en-us

However, I cannot follow them because we are not ready to transition fully over to the new server. Other than each client that gets this manually accepting it, is there anything I can do on the back end? Somehow adding the server name in as an enterprise trusted source or something?

Thanks!
Old User Commented:
You can create a GPO and add the trusted root authority, i.e. the server that issued the self-signed cert. See this link:

http://msdn.microsoft.com/en-us/library/cc738131(v=ws.10).aspx
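As an added example (not part of the original thread or of any Microsoft documentation), this is the export step that has to precede the GPO route described above, written for the Exchange 2010 Management Shell. The output path and the client-side thumbprint value are placeholders; only the public certificate is exported, never the private key.

```powershell
# --- On the new Exchange 2010 server, in the Exchange Management Shell ---

# Pick the self-signed certificate that IIS (OWA/Autodiscover/EWS) is serving.
# Self-signed means Issuer and Subject are the same distinguished name.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Issuer -eq $_.Subject } |
    Select-Object -First 1
if (-not $cert) { throw 'No self-signed certificate bound to IIS was found.' }

# Export the public certificate only, DER-encoded .cer; this is what the
# GPO "Trusted Root Certification Authorities" import expects.
$cerPath = 'C:\Temp\Exchange2010-SelfSigned.cer'   # assumed path
[System.IO.File]::WriteAllBytes(
    $cerPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# Record the thumbprint and the names the certificate actually covers.
# Trusting the issuer removes only the "untrusted source" warning; if the
# host name Outlook connects to is not in CertificateDomains, a name-mismatch
# warning remains, so compare this list with your Autodiscover/OWA URLs.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# --- On a domain-joined client, after the GPO has applied (gpupdate /force) ---
$thumb = 'PLACEHOLDER_THUMBPRINT'   # paste the Thumbprint printed above
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb }
if ($trusted) { 'Exchange self-signed certificate is trusted on this client.' }
else          { 'Not trusted yet: check GPO scope/filtering and re-run gpupdate.' }
```

The .cer file is imported in the Group Policy editor under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities. Because this trusts the server's own key as a root for every machine in scope, it is a stopgap for the coexistence period; the certificate should be removed from the policy once the CA-issued certificate is in place.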
 
abhijitmdp Commented:
Better to buy a SAN certificate from GoDaddy or any other certificate provider, implement that certificate in your Exchange, and assign all services to the new certificate.
 
Ben Hart (Author) Commented:
Christ, this stuff gets moved to inactive way too damned fast.

dpreston68/abhijitmdp: Would this issue be resolved once the existing externally verified certificate is moved from the existing Exchange server to this one?
 
Old User Commented:
Yes, if you install a non-self-signed SSL cert the issue will be resolved as long as the hostnames match.
Normally for Exchange 07/10 I would recommend a UCC/SAN SSL cert with the below subject names:

mail.domain.com  (your MX record)
webmail.domain.com  (your OWA url)
autodiscover.domain.com
serverhostname
serverhostname.internaldomain.local

If you are going to buy an external SSL cert it would be advisable to go for the suggested UCC/SAN.
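The request, import and enable steps for a UCC/SAN certificate covering exactly the names listed above, as an added Exchange Management Shell example (not code from the thread or from Microsoft). The domain names, organisation in the subject, and file paths are assumptions to be replaced with your own.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 Client Access server.
$hostName = $env:COMPUTERNAME
$fqdn     = [System.Net.Dns]::GetHostEntry($hostName).HostName   # serverhostname.internaldomain.local

# Subject Alternative Names, mirroring the recommended list (assumed domain.com).
$sanNames = @(
    'mail.domain.com',          # MX record / SMTP
    'webmail.domain.com',       # OWA URL
    'autodiscover.domain.com',  # Autodiscover for clients outside the domain
    $hostName,                  # internal Outlook connections by short name
    $fqdn                       # internal Outlook connections by FQDN
)

# 1. Generate the request. The CN is the name clients use most (the OWA URL);
#    every other name goes into the SAN extension. The private key is created
#    on this server and must stay here until the signed certificate is imported.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail.domain.com,O=Example Org,C=US' `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\Temp\exchange2010.req' -Value $request   # submit this file to the CA

# 2. When the CA returns the signed certificate, import it on the same server so
#    it pairs with the private key from step 1.
$bytes = [Byte[]](Get-Content -Path 'C:\Temp\exchange2010.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes

# 3. Bind it to the client-facing services. Until this runs, Exchange keeps
#    presenting the old (self-signed) certificate and the warnings continue.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Confirm which certificate each service now uses and which names it covers.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, CertificateDomains -AutoSize
```

If the internal names (serverhostname, serverhostname.internaldomain.local) cannot be included because the public CA no longer issues certificates for non-public names, the internal URLs (Autodiscover internal URI, OWA/EWS InternalUrl) have to be changed to a public name that is in the certificate and resolvable internally; otherwise domain-joined Outlook clients keep seeing a name mismatch even with a trusted certificate.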
 
Ben Hart (Author) Commented:
Your comment is well received, but my boss-imposed goal is to keep the same external OWA URL that we currently use with 2003. I think I'll need to go with your GPO idea for now, dpreston, until we are ready to shut down the old server, unless there's something else I missed. Since we are transitioning from 03 to 10, we will be using both servers for at least a short while simultaneously, and I still need to determine whether OWA will pass through from the 2003 server to users on 2010.
 
abhijitmdp Commented:
Any update...
 
Ben Hart (Author) Commented:
Well, no change really. We're still getting that error even after creating both a domain-signed cert for the 2010 server's FQDN and a self-signed one for the same, and even after trying to set the autodiscover internal URL to the autodiscover URL (matching the external URL) just so the URLs in the cert would match. I've been without time to test over the weekend, but a co-worker on Friday did complain about a cert warning that I can only assume was the same one I've been trying to fix.
 
abhijitmdp Commented:
You need to use a UCC5 certificate, as you'll use multiple cert names.
 
Ben Hart (Author) Commented:
We went with a trio of normal SSL certs: one for the new OWA URL, one for autodiscover and the last for legacy.mail. We are also not publishing autodiscover externally; the internal Outlook clients are receiving the error, and it complains that the cert it's given when requesting autodiscover is the OWA cert.

I just now re-ran the command to set the ClientAccessServer autodiscover service internal URI to my autodiscover URL, which doesn't seem to have helped, since now most of the Outlook clients internally error out when attempting to autodiscover.

Clients that are connected internally but not joined to the domain are unable to negotiate an encrypted connection, and if you tell Outlook to continue searching (unencrypted) it still bombs out saying it couldn't find the server settings.

Now, for a client that is joined to the domain and plugged in internally, Outlook did work. However, in both instances the mailbox was housed on the 2003 server. I tried on the internal client with a mailbox housed on the 2010 server and it failed both encrypted and unencrypted.
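The symptom described in the post above (Outlook asks for autodiscover and is handed the OWA certificate) is a name mismatch: domain-joined Outlook reads AutoDiscoverServiceInternalUri from Active Directory and the certificate bound to IIS has to contain that host name. As an added diagnostic example, not from the thread or from Microsoft, this Exchange Management Shell function lists every host name Exchange hands to Outlook and reports whether the IIS certificate covers it. It assumes a single Client Access server and that the 2010 IIS binding is what Outlook reaches.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 Client Access server.
function Test-ClientAccessNameCoverage {
    param(
        # Thumbprint to check; defaults to whichever certificate IIS is bound to.
        [string]$Thumbprint
    )
    $cert = if ($Thumbprint) { Get-ExchangeCertificate -Thumbprint $Thumbprint }
            else { Get-ExchangeCertificate |
                   Where-Object { $_.Services -match 'IIS' } |
                   Select-Object -First 1 }
    if (-not $cert) { throw 'No certificate is bound to IIS.' }

    # Names the certificate covers (CN plus SAN), lower-cased; "*.x" entries are wildcards.
    $covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    # Every URL Outlook is told to use: Autodiscover SCP value, OWA and EWS URLs.
    $urls = @()
    $urls += Get-ClientAccessServer        | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    $urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $hosts = $urls | Where-Object { $_ } |
        ForEach-Object { ([Uri]$_).Host.ToLower() } |
        Sort-Object -Unique

    foreach ($h in $hosts) {
        # A wildcard "*.domain.com" covers one label below it, e.g. autodiscover.domain.com.
        $wildcard = if ($h.Contains('.')) { '*' + $h.Substring($h.IndexOf('.')) } else { $null }
        $ok = ($covered -contains $h) -or ($wildcard -and ($covered -contains $wildcard))
        New-Object PSObject -Property @{
            HostName    = $h
            Covered     = $ok
            Certificate = $cert.Thumbprint
        }
    }
}

# Usage: any row with Covered = False is a host name Outlook will warn about.
Test-ClientAccessNameCoverage | Format-Table HostName, Covered, Certificate -AutoSize
```

With three separate single-name certificates only one of them can be bound to IIS on a given IP and port, which is why the autodiscover request receives the OWA certificate; a host name that is not in the bound certificate will show as Covered = False regardless of which CA issued it. Non-domain clients add a second failure mode: they never see the SCP value and try autodiscover.domain.com, so that name has to resolve internally and be covered as well.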
 
Ben Hart (Author) Commented:
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far. dematzer, I'd like to request the question not be auto-closed but let me award points to abhijitmdp and dpreston68 for the help they've provided thus far.