Solved

Exchange 2010/Outlook 2007 Certificate warning

Posted on 2011-02-11
8
698 Views
Last Modified: 2012-05-11
Exchange 2010 is very new to me so forgive me if I sound naive in some of my questioning.  

We have 2 Exchange Servers in our organization, a 2003 and a 2010 Exchange Server.  All the Roles for  2010 are on 1 server.

In order to get Active Sync working we purchased a Certificate from GoDaddy.  Active Sync is working on the new server.......it was issued to the name we use for our external URL.  The internal URL is the same name as the Exchange 2010 server.

While active sync work fine, whenever Outlook 2007 opens a mailbox that resides on the Exchange 2010 Server it gets the warning certificate message that is well known where the last option "The name on the security certificate is invalid or does not match the name of the site"   The internal URL was not included when we created this certificate.

This morning I created a new cert for the internal url...without thinking I assigned it IIS services...well this made the cert warning message go away but also broke active sync.  Removed the IIS services from the new cert and active sync worked fine.


So basically all to say how do I make the certificate warning message stop when my internal users open Outlook 2007 without breaking active sync?

Thanks and sorry to sound naive...trying to understand as I go


0
Comment
Question by:BlueGoose
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 5

Expert Comment

by:LLMorrisson
ID: 34872750
If you don't have a SAN cert, you'll need to change the internal service URL that is used for communication between Exchange and Outlook so it matches the name in the cert to make it stop complaining. You obviously need to make sure this address is resolvable internally too before you do it, otherwise that will break it too.
0
 
LVL 5

Expert Comment

by:LLMorrisson
ID: 34872782
0
 
LVL 26

Expert Comment

by:jar3817
ID: 34872940
How about you set internal outlook clients to connect vi MAPI rather than HTTPS? Or are they laptops that are internal sometimes and external other times?

Really the best thing to do would be to use the same domain name internally and externally. That might require you run split dns, it all depends on your setup.
0
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

 

Author Comment

by:BlueGoose
ID: 34873026
Internal clients are connecting by MAPI (verified by right clicking icon in tray and choosing Connection Status)

Short of having the internal and external urls's being the same is there other options?  Right now the only 3rd party cert we have is the GoDaddy on that is used for Active Sync.   Could I just purchase another cert for the internal url or will I pretty much end up with the same issue as the self signed one?
0
 
LVL 5

Accepted Solution

by:
LLMorrisson earned 500 total points
ID: 34873307
Ideally you should be using a SAN certificate (aka a UCC). This is a cert that lets you list multiple names in the same cert. You cna get these from godaddy too, although they are a little more expensive than the regular certs unfortunately.
0
 

Author Comment

by:BlueGoose
ID: 34873623
I think we will go the UCC route.......any ideas on what I should choose during the creating of the cert on the Exchange 2010 server...we will be using it for active sync, owa, internal email...so many choices, not sure which ones to choose
0
 
LVL 5

Expert Comment

by:LLMorrisson
ID: 34874001
You can use the tool built into exchange 2010 to tell you want SANs you need in your cert. Goto the Server Configuration node in the EMC and click on New Exchange Certificate. During the wizard there is an opportunity to tell it what services you want to protect with the cert and it will fetch all your current service URLs as part of that process. You can then use that info for your SAN cert order.
0
 

Author Closing Comment

by:BlueGoose
ID: 34874331
Thanks!
0

Featured Post

SuperAntiSpyware Licenses Discounted by 25% !

Exclusive offer to Experts Exchange Members!
Buy SuperAntiSpyware License(s) from us and save 25% on the regular purchase price.
- Includes Full SuperAntiSpyware Vendor Support Entitlements
- Your Subscription does not begin until you activate your license
- Buy for your friends

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What does UTC stand for?  “Coordinated Universal Time” – Think of this as the true time on Planet Earth that never changes with the exception of minor leap seconds here and there to account for the changes in the planet's rotation.   What does th…
How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

736 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question