Solved

Exchange 2010 Security Alert

Posted on 2011-02-10
12
694 Views
Last Modified: 2012-05-11
This morning a couple of users out of our ~150 userbase opened Outlook and got a security alert warning them that the new 2010 server's certificate was from an untrusted source, because it was self-signed.

I found guides here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26706037.html and here: http://support.microsoft.com/kb/940726/en-us

However, I cannot follow them because we are not ready to transition fully over to the new server. Other than each client that gets this manually accepting... is there anything I can do on the back end? Somehow adding the server name in as an enterprise trusted source or something?

Thanks!
Question by:Ben Hart
12 Comments
 
LVL 11

Accepted Solution

by:
Old User earned 250 total points
ID: 34869053
You can create a GPO and add the trusted root authority (i.e. the server that issued the self-signed cert).
See this link:

http://msdn.microsoft.com/en-us/library/cc738131(v=ws.10).aspx
0
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 250 total points
ID: 34869785
You would be better off buying a SAN certificate from GoDaddy or any other certificate provider, implementing that certificate in your Exchange and assigning all services to the new certificate.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887624
Christ this stuff gets moved to inactive way too damned fast.


dpreston68/abhijitmdp: Would this issue be resolved once the existing externally verified certificate is moved from the existing Exchange server to this one?  
0
 
LVL 11

Expert Comment

by:Old User
ID: 34887717
Yes, if you install a non-self-signed SSL cert the issue will be resolved as long as the hostnames match.
Normally for Exchange 07/10 I would recommend a UCC/SAN SSL cert with the below subject names:

mail.domain.com  (your MX record)
webmail.domain.com  (your OWA url)
autodiscover.domain.com
serverhostname
serverhostname.internaldomain.local

If you are going to buy an external SSL cert, it is advisable to go for the suggested UCC/SAN.
0
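As an added example (not from this thread or either expert), the Exchange 2010 Management Shell steps that put the UCC/SAN names listed above onto one certificate and bind it in place of the self-signed one; the organisation, file paths and placeholder hostnames are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell on the CAS.
# Placeholder names (domain.com, internaldomain.local, serverhostname, C=US/O=Example Org) and
# the C:\certs paths are assumptions; substitute your own.

# 1. See what the server presents today: a self-signed cert bound to IIS is what triggers the
#    Outlook "untrusted source" warning.
Get-ExchangeCertificate | Format-List Thumbprint, IsSelfSigned, CertificateDomains, Services, NotAfter

# 2. Build one request carrying every name a client may use, mirroring the list in the comment.
$sanNames = @(
    "mail.domain.com",                      # MX record / SMTP
    "webmail.domain.com",                   # OWA URL
    "autodiscover.domain.com",              # Autodiscover
    "serverhostname",                       # short internal hostname
    "serverhostname.internaldomain.local"   # internal FQDN
)
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=webmail.domain.com" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\exchange2010.req" -Value $request
# Submit C:\certs\exchange2010.req to the CA (public UCC/SAN vendor or an internal enterprise CA
# that clients already trust) and save the issued certificate as C:\certs\exchange2010.cer.

# 3. Import the issued certificate and bind it to the services that were using the self-signed one.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certs\exchange2010.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Verify: the new thumbprint should own IIS and its CertificateDomains should cover every
#    name in $sanNames, otherwise some clients will still see a name-mismatch warning.
$live    = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$domains = $live.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $sanNames | Where-Object { $domains -notcontains $_ }
if ($missing) {
    Write-Warning "Names not covered by the certificate: $($missing -join ', ')"
} else {
    Write-Output "Certificate $($cert.Thumbprint) covers all expected names; services: $($live.Services)"
}
```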
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887771
Your comment is well received, but my boss-imposed goal is to keep the same external OWA URL that we currently use with 2003. I think I'll need to go with your GPO idea for now, dpreston, until we are ready to shut down the old server... unless there's something else I missed. Since we are transitioning from 03 to 10, we will be using both servers for at least a short while simultaneously, and I still need to determine whether OWA will pass through the 2003 server to users on 2010.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34926811
Any update...
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 34944124
Well, no change really. We're still getting that error even after creating both a domain-signed cert for the 2010 server's FQDN and a self-signed one for the same, and even trying to set the autodiscover internal URL to the autodiscover URL (matching the external URL) just so the URLs in the cert would match. I've been without time to test over the weekend, but a co-worker on Friday did complain about a cert warning I can only assume was the same one I've been trying to fix.
0
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34963257
You need to use a UCC5 certificate as you'll use multiple cert names.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35018320
We went with a trio of normal SSL certs, one for the new OWA URL, one for autodiscover and the last for legacy.mail. We are also not publishing autodiscover externally... the internal Outlook clients are receiving the error, and it complains that the cert it's given when requesting autodiscover is the OWA cert.

I just now re-ran the command to set the Client Access server autodiscover service internal URI to my autodiscover URL, which doesn't seem to have helped, since now most of the Outlook clients internally error out on attempting to autodiscover.

Clients that are connected internally but not joined to the domain are unable to negotiate an encrypted connection. If you tell Outlook to continue searching (unencrypted) it still bombs out, saying it couldn't find the server settings.

Now for a client that is joined to the domain and plugged in internally, Outlook did work. However, in both instances the mailbox was housed on the 2003 server. I tried on the internal client with a mailbox housed on the 2010 server and it failed both encrypted and unencrypted.
0
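The symptom in the comment above (Autodiscover answering with the OWA certificate, and internal clients failing to negotiate TLS) is the classic case of the internal service URLs naming a host that is not on the certificate IIS serves. Added example, not part of the thread, showing how to list and realign those URLs in the Exchange 2010 Management Shell; the server name EX2010 and the hostnames webmail.domain.com / autodiscover.domain.com are assumptions.

```powershell
# Added example, not from the thread. Exchange 2010 Management Shell; names below are assumptions.
$cas     = "EX2010"                    # Client Access server (assumed)
$owaHost = "webmail.domain.com"        # name on the certificate used for OWA/EWS/OAB
$adHost  = "autodiscover.domain.com"   # name clients use for Autodiscover

# 1. Show the URLs Outlook is handed today. Domain-joined clients read the SCP
#    (AutoDiscoverServiceInternalUri); non-joined internal clients fall back to DNS for
#    autodiscover.<smtp domain>. Any host here that is not on the served cert gives a mismatch.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Name, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List Name, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory -Server $cas | Format-List Name, InternalUrl, ExternalUrl

# 2. Point every internal URL at a name that exists on the certificate bound to IIS.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$adHost/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $cas | Set-WebServicesVirtualDirectory -InternalUrl "https://$owaHost/EWS/Exchange.asmx"
Get-OABVirtualDirectory -Server $cas | Set-OABVirtualDirectory -InternalUrl "https://$owaHost/OAB"
Get-OwaVirtualDirectory -Server $cas | Set-OwaVirtualDirectory -InternalUrl "https://$owaHost/owa"
Get-EcpVirtualDirectory -Server $cas | Set-EcpVirtualDirectory -InternalUrl "https://$owaHost/ecp"
Get-ActiveSyncVirtualDirectory -Server $cas | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$owaHost/Microsoft-Server-ActiveSync"

# 3. Check the two names resolve internally to the CAS and are both on the IIS-bound certificate.
#    One IIS site binding serves exactly one certificate, so separate OWA and Autodiscover certs
#    only work if they live on separate IIS sites/IP addresses; otherwise both names must be on
#    the single certificate that IIS presents.
$bound = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$names = $bound.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($h in @($owaHost, $adHost)) {
    $ip = ([System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1).IPAddressToString
    Write-Output ("{0} -> {1}; on IIS certificate: {2}" -f $h, $ip, ($names -contains $h))
}
```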
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232290
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far.
0
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232312
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far. dematzer, I'd like to request that the question not be auto-closed but let me award points to abhijitmdp and dpreston68 for the help they've provided thus far.
0
