Exchange 2010 Security Alert

Asked by Ben Hart:

This morning a couple of users out of our ~150 userbase opened Outlook and got a security alert warning them that the new 2010 server's certificate was from an untrusted source, because it was self-signed.

I found guides here: https://www.experts-exchange.com/questions/26706037/Exchange-Security-Alert-from-SSL-after-2003-to-2010-Move.html and here: http://support.microsoft.com/kb/940726/en-us

However, I cannot follow them because we are not ready to transition fully over to the new server. Other than each client that gets this manually accepting it, is there anything I can do on the back end? Somehow adding the server name as an enterprise trusted source or something?

Thanks!
Ben Hart (asker):
Christ this stuff gets moved to inactive way too damned fast.


dpreston68/abhijitmdp: Would this issue be resolved once the existing externally verified certificate is moved from the existing Exchange server to this one?  
Yes, if you install a non-self-signed SSL cert the issue will be resolved as long as the hostnames match.
Normally for Exchange 07/10 I would recommend a UCC/SAN SSL cert with the below subject names:

mail.domain.com  (your MX record)
webmail.domain.com  (your OWA url)
autodiscover.domain.com
serverhostname
serverhostname.internaldomain.local

If you are going to buy an external SSL cert it will be advisable to go for the suggested UCC/SAN.
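As an added example (not code from the thread or from Microsoft's documentation), this is how the UCC/SAN certificate with the names listed above would be requested, imported and bound in the Exchange 2010 Management Shell, with a final check that every intended name actually landed in the certificate. The organization name, file paths, and the domain.com / internaldomain.local hostnames are placeholders taken from the list above.

```powershell
# Added example: request, import and enable a UCC/SAN certificate in the
# Exchange 2010 Management Shell. All names and paths below are placeholders.
$names = @(
    'mail.domain.com',                    # MX record / SMTP name
    'webmail.domain.com',                 # OWA URL
    'autodiscover.domain.com',            # what Outlook queries for settings
    'serverhostname',                     # NetBIOS name used by internal clients
    'serverhostname.internaldomain.local' # internal FQDN
)

# 1. Generate the CSR. The first entry is used as the CN; the whole list goes
#    into the subjectAltName extension so every hostname Outlook may use matches.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$($names[0])" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path 'C:\certs\exchange-ucc.req' -Value $csr   # hand this file to the CA

# 2. After the CA returns the signed certificate, import it on the same server
#    (the private key generated in step 1 lives in that server's store).
$fileBytes = [Byte[]](Get-Content -Path 'C:\certs\exchange-ucc.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $fileBytes

# 3. Bind it to the services clients touch: IIS carries OWA, EWS, OAB and
#    Autodiscover; SMTP covers TLS on the transport side.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Verify the installed certificate covers every name before pointing clients at it.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $names | Where-Object { $installed.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning "Names absent from certificate: $($missing -join ', ')"
} else {
    Write-Output "Certificate covers all $($names.Count) names; bound services: $($installed.Services)"
}
```

The check in step 4 is the part worth keeping: a certificate warning in Outlook almost always means one of the names the client was told to use (MX, OWA, Autodiscover, or the internal hostname) is missing from the SAN list, so comparing the configured names against CertificateDomains catches the mismatch before the users do.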
Your comment is well received, but my boss-imposed goal is to keep the same external OWA URL that we currently use with 2003. I think I'll need to go with your GPO idea for now, dpreston, until we are ready to shut down the old server, unless there's something else I missed. Since we are transitioning from 03 to 10, we will be using both servers for at least a short while simultaneously, and I still need to determine if OWA will pass through the 2003 server to users on 2010.
Any update...
Well no change really.  We're still getting that error even after both creating a domain signed cert for the 2010's FQDN, a self-signed for the same, and even trying to set the autodiscover internal URL to the autodiscover URL (matching the external URL) just so the urls in the cert would match.  I've been without time to test over the weekend but a co-worker on Friday did complain about a cert warning I can only assume was the same as I've been trying to fix.
You need to use a UCC5 certificate as you'll use multiple cert names.
We went with a trio of normal SSL certs, one for the new OWA URL, one for autodiscover and the last for legacy.mail. We are also not publishing autodiscover externally; the internal Outlook clients are receiving the error, and it complains that the cert it's given when requesting autodiscover is the OWA cert.

I just now re-ran the command to set the client access server's autodiscover service internal URI to my autodiscover URL, which doesn't seem to have helped, since now most of the Outlook clients internally error out on attempting to autodiscover.

Clients that are connected internally but not joined to the domain are unable to negotiate an encrypted connection. If you tell Outlook to continue searching (unencrypted), it still bombs out, saying it couldn't find the server settings.

Now, for a client that is joined to the domain and plugged in internally, Outlook did work. However, in both instances the mailbox was housed on the 2003 server. I tried on the internal client with a mailbox housed on the 2010 server and it failed both encrypted and unencrypted.
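The symptom above (Autodiscover answering with the OWA certificate, then clients failing the encrypted connection) is a name-to-certificate mismatch between the URLs the Client Access server hands out and the certificate bound to IIS on the host each URL points at. As an added diagnostic, not part of the thread, the following script reads the internal URLs Exchange 2010 returns to Outlook, connects to each host, and reports which certificate is actually presented and whether the hostname is covered by its CN or SAN list. It assumes it is run in the Exchange Management Shell on the CAS and that the client can reach those hosts on port 443.

```powershell
# Added example: check which certificate each Autodiscover-advertised URL presents.
$server = $env:COMPUTERNAME   # assumption: run on the Exchange 2010 CAS itself

# Collect the internal URLs Outlook receives from Autodiscover on this server.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-OABVirtualDirectory -Server $server         | ForEach-Object { $_.InternalUrl }
$urls += Get-OwaVirtualDirectory -Server $server         | ForEach-Object { $_.InternalUrl }
$urls = $urls | Where-Object { $_ } | ForEach-Object { $_.ToString() } | Select-Object -Unique

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is offered: we only want to inspect the cert, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))            # the CN
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {                                                    # subjectAltName DNS entries
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard only covers one label: *.domain.com matches a.domain.com, not a.b.domain.com
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

foreach ($url in $urls) {
    $h = ([Uri]$url).Host.ToLower()
    try {
        $cert  = Get-PresentedCertificate -HostName $h
        $names = Get-CertificateNames -Cert $cert
        $status = if (Test-NameCovered -HostName $h -CertNames $names) { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1,-50} {2} [{3}]' -f $status, $url, $cert.Thumbprint, ($names -join ', ')
    } catch {
        '{0,-8} {1,-50} {2}' -f 'ERROR', $url, $_.Exception.Message
    }
}
```

A MISMATCH line tells you exactly which URL is being answered by the wrong certificate (in the thread's case, the Autodiscover URL returning the OWA cert), and the thumbprint in that line can be compared against Get-ExchangeCertificate to see which binding needs changing; an ERROR line for an internal host usually means the name does not resolve or port 443 is not reachable, which is the "unable to negotiate an encrypted connection" case for non-domain clients.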
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far. dematzer, I'd like to request that the question not be auto-closed but let me award points to abhijitmdp and dpreston68 for the help they've provided thus far.