StarfishTech asked:

Security Alert on Outlook 2007 Clients

Hello, we just got through setting up a brand new domain with new servers for a client. The Exchange server is running Exchange 2007 on Windows 2008. We have a public cert that we installed in IIS. However, whenever a user attempts to launch Outlook, they get a security alert complaining that the "name of the security certificate is invalid or does not match the name of the site". I guess this is true because the certificate is "webmail.domain.com" while the security alert displays "server.domain.local." What do we have to do to get rid of this error?
StarfishTech (ASKER):

I am also seeing this error in the application log of the server. I'm not sure if this is related.

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/11/2011 11:37:01 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local

Description:
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

ASKER CERTIFIED SOLUTION (davorin)

So I can use the public cert for OWA and a self-signed cert for Exchange? I DO have to roll out the cert to the users if I use self-signed? All that Outlook complains about is the name on the cert, so I'm wondering if I even have to install it?
The more I think about it, I want to make sure we continue to use the public cert. Would it be best to just get a new multi-domain cert that contains all of the names like mail.domain.com, mail.server.local, etc.?
As you said, you have three options:
- You can use a self-signed cert, but you will have to make this cert trusted by clients. With domain computers this is not a problem, because if the domain controller trusts a certificate, the clients will too.
You will have to install certificates manually on non-domain computers and mobile devices. (Not possible on all mobile devices.)
- You can buy a new SAN certificate (or additional certificates, but I would prefer the first option).
http://technet.microsoft.com/en-us/library/aa995942(EXCHG.80).aspx
- Or you can try to change all the FQDNs so they reflect the name used in the certificate.
This article could help you:
http://forums.msexchange.org/m_1800444783/mpage_1/key_/tm.htm#1800444783

Anyway, the "cleanest" procedure should be buying a new cert.
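To see which advertised names actually trip the Outlook alert (and the Event 12014 STARTTLS complaint), here is an added example for the Exchange 2007 Management Shell; it is not from the thread or from Microsoft, and the server name, the webmail.domain.com placeholders and the virtual directory identities in the commented fix-up lines are assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell on the
# CAS/Hub server: it lists every hostname Exchange advertises to Outlook (Autodiscover,
# EWS, OAB, OWA) and to SMTP peers (connector FQDN) and checks each against the names on
# the certificate enabled for IIS, so the cause of the "name ... is invalid" alert is visible.
$server = $env:COMPUTERNAME

$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No certificate is enabled for IIS (Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS).' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"IIS certificate $($iisCert.Thumbprint) carries: $($certNames -join ', ')"

# Hostnames Exchange hands out; each must be covered by the certificate
$urls = @{}
$urls['AutoDiscoverServiceInternalUri'] = (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
foreach ($v in Get-WebServicesVirtualDirectory -Server $server) { $urls["EWS InternalUrl ($($v.Name))"] = $v.InternalUrl }
foreach ($v in Get-OABVirtualDirectory -Server $server)         { $urls["OAB InternalUrl ($($v.Name))"] = $v.InternalUrl }
foreach ($v in Get-OwaVirtualDirectory -Server $server)         { $urls["OWA InternalUrl ($($v.Name))"] = $v.InternalUrl }
# Transport offers STARTTLS under the connector FQDN (machine FQDN if unset): no matching cert -> Event 12014
foreach ($rc in Get-ReceiveConnector -Server $server) {
    $fqdn = $(if ($rc.Fqdn) { $rc.Fqdn.ToString() } else { [Net.Dns]::GetHostEntry($server).HostName })
    $urls["ReceiveConnector ($($rc.Name)) Fqdn"] = "smtp://$fqdn/"
}

function Test-NameCovered([string]$hostname, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostname) { return $true }
        # a wildcard entry such as *.domain.com covers exactly one extra label
        if ($n.StartsWith('*.') -and ($hostname -like $n) -and
            ($hostname.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($k in $urls.Keys) {
    if (-not $urls[$k]) { continue }
    $h = ([Uri]$urls[$k].ToString()).Host.ToLower()
    $status = $(if (Test-NameCovered $h $certNames) { 'OK' } else { 'NOT ON CERT -> clients will warn' })
    '{0,-44} {1,-26} {2}' -f $k, $h, $status
}

# Thread option 3, renaming the internal URLs to the public cert name (placeholders; the public
# name must also resolve to this server on the internal DNS):
#   Set-ClientAccessServer $server -AutoDiscoverServiceInternalUri https://webmail.domain.com/Autodiscover/Autodiscover.xml
#   Set-WebServicesVirtualDirectory "$server\EWS (Default Web Site)" -InternalUrl https://webmail.domain.com/EWS/Exchange.asmx
#   Set-OABVirtualDirectory "$server\OAB (Default Web Site)" -InternalUrl https://webmail.domain.com/OAB
# Thread option 2, one SAN cert covering both names (then Enable-ExchangeCertificate -Services "IIS,SMTP"):
#   New-ExchangeCertificate -GenerateRequest -SubjectName 'CN=webmail.domain.com' -PrivateKeyExportable $true `
#       -DomainName webmail.domain.com,autodiscover.domain.com,server.domain.local -Path C:\webmail.req
```

Every line reported as NOT ON CERT is a name that either has to be added to the certificate (option 2) or changed to a name the certificate already carries (option 3).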