Solved

Exchange 2010/Outlook 2007 Certificate warning

Posted on 2011-02-11
Last Modified: 2012-05-11
Exchange 2010 is very new to me so forgive me if I sound naive in some of my questioning.  

We have 2 Exchange Servers in our organization, a 2003 and a 2010 Exchange Server.  All the Roles for  2010 are on 1 server.

In order to get Active Sync working we purchased a Certificate from GoDaddy.  Active Sync is working on the new server.......it was issued to the name we use for our external URL.  The internal URL is the same name as the Exchange 2010 server.

While active sync works fine, whenever Outlook 2007 opens a mailbox that resides on the Exchange 2010 Server it gets the warning certificate message that is well known where the last option "The name on the security certificate is invalid or does not match the name of the site". The internal URL was not included when we created this certificate.

This morning I created a new cert for the internal url...without thinking I assigned it IIS services...well this made the cert warning message go away but also broke active sync.  Removed the IIS services from the new cert and active sync worked fine.


So basically all to say how do I make the certificate warning message stop when my internal users open Outlook 2007 without breaking active sync?

Thanks and sorry to sound naive...trying to understand as I go


Question by:BlueGoose
8 Comments
 
LVL 5

Expert Comment

by:LLMorrisson
ID: 34872750
If you don't have a SAN cert, you'll need to change the internal service URL that is used for communication between Exchange and Outlook so it matches the name in the cert to make it stop complaining. You obviously need to make sure this address is resolvable internally too before you do it, otherwise that will break it too.
0
 
LVL 26

Expert Comment

by:jar3817
ID: 34872940
How about you set internal Outlook clients to connect via MAPI rather than HTTPS? Or are they laptops that are internal sometimes and external other times?

Really the best thing to do would be to use the same domain name internally and externally. That might require you run split dns, it all depends on your setup.
0
 

Author Comment

by:BlueGoose
ID: 34873026
Internal clients are connecting by MAPI (verified by right clicking icon in tray and choosing Connection Status)

Short of having the internal and external URLs being the same, are there other options?  Right now the only 3rd party cert we have is the GoDaddy one that is used for Active Sync.   Could I just purchase another cert for the internal URL or will I pretty much end up with the same issue as the self signed one?
0
 
LVL 5

Accepted Solution

by:
LLMorrisson earned 2000 total points
ID: 34873307
Ideally you should be using a SAN certificate (aka a UCC). This is a cert that lets you list multiple names in the same cert. You can get these from GoDaddy too, although they are a little more expensive than the regular certs unfortunately.
0
 

Author Comment

by:BlueGoose
ID: 34873623
I think we will go the UCC route.......any ideas on what I should choose during the creating of the cert on the Exchange 2010 server...we will be using it for active sync, owa, internal email...so many choices, not sure which ones to choose
0
 
LVL 5

Expert Comment

by:LLMorrisson
ID: 34874001
You can use the tool built into Exchange 2010 to tell you what SANs you need in your cert. Go to the Server Configuration node in the EMC and click on New Exchange Certificate. During the wizard there is an opportunity to tell it what services you want to protect with the cert and it will fetch all your current service URLs as part of that process. You can then use that info for your SAN cert order.
0
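
The comparison discussed in this thread (service URLs versus the names in the certificate bound to IIS) can also be checked from the Exchange Management Shell. The script below is an added example, not part of any poster's comment; it assumes it is run on the Exchange 2010 server with the standard Exchange cmdlets available, and the helper `Test-NameCovered` is a hypothetical name introduced here.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# 1) Collect every URL that Exchange hands to clients for HTTPS services.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
         @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory)
foreach ($v in $vdirs) { $urls += $v.InternalUrl; $urls += $v.ExternalUrl }

# 2) Reduce the URLs to a unique list of host names (unset URLs are skipped).
$hostNames = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host } | Where-Object { $_ } | Sort-Object -Unique

# 3) Name check: exact match, or a wildcard covering exactly one left-most label
#    (*.example.com matches mail.example.com, not a.b.example.com or example.com).
#    Hypothetical helper, not an Exchange cmdlet.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq is case-insensitive for strings
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)            # ".example.com"
            $i = $HostName.IndexOf('.')
            if ($i -gt 0 -and $HostName.Substring($i) -eq $suffix) { return $true }
        }
    }
    return $false
}

# 4) Compare each host name with the names in every certificate enabled for IIS.
$iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
$report = foreach ($c in $iisCerts) {
    $names = @($c.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $hostNames) {
        New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint
            HostName   = $h
            Covered    = (Test-NameCovered $h $names)
        }
    }
}
$report | Sort-Object Covered, HostName |
    Format-Table HostName, Covered, Thumbprint -AutoSize
```

Rows with `Covered` set to `False` are the host names that trigger the name-mismatch warning: either include them in the SAN/UCC certificate order or change the corresponding service URL to a name the certificate already lists.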
 

Author Closing Comment

by:BlueGoose
ID: 34874331
Thanks!
0
