Exchange 2010 Security Alert

Posted on 2011-02-10
Last Modified: 2012-05-11
This morning a couple of users out of our ~150 user base opened Outlook and got a security alert warning them that the new 2010 server's certificate was from an untrusted source, because it was self-signed.

I found guides here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26706037.html and here: http://support.microsoft.com/kb/940726/en-us

However, I cannot follow them because we are not ready to transition fully over to the new server. Other than each client that gets this manually accepting it, is there anything I can do on the back end? Somehow adding the server name in as an enterprise trusted source or something?

Thanks!
Question by:Ben Hart
12 Comments
 
LVL 11

Accepted Solution

by:Old User
Old User earned 1000 total points
ID: 34869053
You can create a GPO and add the trusted root authority, i.e. the server that issued the self-signed cert. See this link:

http://msdn.microsoft.com/en-us/library/cc738131(v=ws.10).aspx
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 1000 total points
ID: 34869785
Better to buy a SAN certificate from GoDaddy or any other certificate provider, implement that certificate in your Exchange and assign all services to the new certificate.
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887624
Christ this stuff gets moved to inactive way too damned fast.


dpreston68/abhijitmdp: Would this issue be resolved once the existing externally verified certificate is moved from the existing Exchange server to this one?
 
LVL 11

Expert Comment

by:Old User
ID: 34887717
Yes, if you install a non-self-signed SSL cert the issue will be resolved as long as the hostnames match.
Normally for Exchange 07/10 I would recommend a UCC/SAN SSL cert with the below subject names:

mail.domain.com  (your MX record)
webmail.domain.com  (your OWA URL)
autodiscover.domain.com
serverhostname
serverhostname.internaldomain.local

If you are going to buy an external SSL cert it is advisable to go for the suggested UCC/SAN.
 
LVL 14

Author Comment

by:Ben Hart
ID: 34887771
Your comment is well received, but my boss-imposed goal is to keep the same external OWA URL that we currently use with 2003. I think I'll need to go with your GPO idea for now, dpreston, until we are ready to shut down the old server, unless there's something else I missed. Since we are transitioning from 03 to 10, we will be using both servers for at least a short while simultaneously, and I still need to determine whether OWA will pass through from the 2003 server to users on 2010.
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34926811
Any update...
 
LVL 14

Author Comment

by:Ben Hart
ID: 34944124
Well, no change really. We're still getting that error even after creating both a domain-signed cert for the 2010 server's FQDN and a self-signed one for the same, and even trying to set the autodiscover internal URL to the autodiscover URL (matching the external URL) just so the URLs in the cert would match. I've been without time to test over the weekend, but a co-worker on Friday did complain about a cert warning I can only assume was the same one I've been trying to fix.
 
LVL 10

Expert Comment

by:abhijitmdp
ID: 34963257
You need to use a UCC5 certificate, as you'll use multiple cert names.
 
LVL 14

Author Comment

by:Ben Hart
ID: 35018320
We went with a trio of normal SSL certs: one for the new OWA URL, one for autodiscover and the last for legacy.mail. We are also not publishing autodiscover externally. The internal Outlook clients are receiving the error, and it complains that the cert it's given when requesting autodiscover is the OWA cert.

I just now re-ran the command to set the Client Access server autodiscover service internal URI to my autodiscover URL, which doesn't seem to have helped, since now most of the Outlook clients internally error out on attempting to autodiscover.

Clients that are connected internally but not joined to the domain are unable to negotiate an encrypted connection. If you tell Outlook to continue searching (unencrypted) it still bombs out, saying it couldn't find the server settings.

Now, on a client that is joined to the domain and plugged in internally, Outlook did work. However, in both instances the mailbox was housed on the 2003 server. I tried on the internal client with a mailbox housed on the 2010 server and it failed both encrypted and unencrypted.
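An added example, not posted by anyone in this thread: a small Python check of which client-facing hostnames (the UCC/SAN list recommended earlier) a certificate's subject names actually cover, run against two constructed certificates, the single-name OWA cert that the last comment describes being returned for autodiscover and a UCC/SAN cert carrying every recommended name. The hostnames are the thread's placeholders, not real hosts.

```python
"""Check which Exchange client hostnames a certificate's subject names cover.

Added example; the certificate name lists below are constructed from the
placeholder names used in the thread, not taken from a real server.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard stands in for exactly one label, so it never covers the bare
    # parent domain, a deeper name, or a single-label NetBIOS-style hostname.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(cert_names, required_names):
    """Return the required names that no subject name (or wildcard) in the cert covers."""
    return [h for h in required_names
            if not any(hostname_matches(p, h) for p in cert_names)]


# Names Outlook and OWA clients connect to, per the UCC/SAN recommendation above.
REQUIRED = ["mail.domain.com", "webmail.domain.com", "autodiscover.domain.com",
            "serverhostname", "serverhostname.internaldomain.local"]

# Constructed: single-name OWA certificate, as presented on the autodiscover URL.
OWA_ONLY_CERT = ["webmail.domain.com"]
# Constructed: UCC/SAN certificate carrying every recommended name.
UCC_CERT = list(REQUIRED)

if __name__ == "__main__":
    for label, cert in [("OWA-only cert", OWA_ONLY_CERT), ("UCC/SAN cert", UCC_CERT)]:
        gaps = uncovered_names(cert, REQUIRED)
        print(f"{label}: " + ("covers all names" if not gaps else "missing " + ", ".join(gaps)))
```

Any name listed as missing is a URL for which Outlook will raise exactly the mismatch warning the thread describes, so this is a quick way to confirm a purchased or reissued cert before binding it to services.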
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232290
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far.
 
LVL 14

Author Comment

by:Ben Hart
ID: 35232312
This issue is still an issue, but because of my company's fault and not anyone else's. I'll award points to those who have provided insight and advice thus far. dematzer, I'd like to request that the question not be auto-closed, but let me award points to abhijitmdp and dpreston68 for the help they've provided thus far.