Security Alert on Outlook 2007 Clients

Posted on 2011-02-11
Last Modified: 2012-05-11
Hello, we just got through setting up a brand new domain with new servers for a client. The Exchange server is running Exchange 2007 on Windows 2008. We have a public cert that we installed in IIS. However, whenever a user attempts to launch Outlook, they get a security alert complaining that "the name of the security certificate is invalid or does not match the name of the site". I guess this is true because the certificate is "webmail.domain.com" while the security alert displays "server.domain.local". What do we have to do to get rid of this error?
Question by:StarfishTech
6 Comments
 

Author Comment

by:StarfishTech
ID: 34876989
I am also seeing this error in the application log of the server. I'm not sure if this is related.

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/11/2011 11:37:01 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local

Description:
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


Accepted Solution

by:davorin (earned 1000 total points)
ID: 34879177
You have to install a certificate on Exchange with multiple subject alternate names,
like servername, servername.domain.local, and the external names like mail.domain.com and autodiscover.domain.com.
It depends what you need.
For more details look at Sambee's post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23048364.html
You can also use a self-signed cert, if you have no problems with deploying certificates to users.
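The SAN-certificate route described in the accepted answer, as an added example (not code from the page or from the people answering). It assumes the Exchange 2007 Management Shell, placeholder names SERVER, server.domain.local, webmail.domain.com and autodiscover.domain.com, a placeholder request path, and that the objects returned by Get-ExchangeCertificate expose the CertificateDomains and Services properties shown in its Format-List output:

```powershell
# Added example: request, import and enable one SAN certificate that covers the
# public name Outlook/OWA connect to and the internal FQDN the server presents.
# All names and paths below are placeholders for this example.
$server       = "SERVER"                    # NetBIOS name of the CAS/HT server (assumed)
$internalFqdn = "server.domain.local"       # name shown in the Outlook security alert
$publicName   = "webmail.domain.com"        # name on the current public cert
$autodiscover = "autodiscover.domain.com"   # name Outlook tries for Autodiscover
$requestPath  = "C:\certreq\exchange-san.req"

# 1. Generate a CSR whose SAN list holds every name a client may connect to.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publicName, O=Example Org, C=US" `
    -DomainName $publicName, $autodiscover, $internalFqdn, $server `
    -KeySize 2048 -PrivateKeyExportable $true `
    -Path $requestPath

# 2. Submit the .req file to the public CA, save the issued certificate as a
#    .cer file next to it, then import it (the cmdlet returns the new cert).
$cert = Import-ExchangeCertificate -Path "C:\certreq\exchange-san.cer"

# 3. Bind it to the services that present TLS: IIS (OWA, EWS, Autodiscover, OAB)
#    and SMTP. With the connector FQDN in the SAN list this also stops the
#    MSExchangeTransport 12014 STARTTLS error quoted in the question.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 4. Verify: every FQDN a receive connector advertises must appear in the
#    CertificateDomains of a certificate that has SMTP enabled.
$connectorFqdns = Get-ReceiveConnector -Server $server | ForEach-Object { $_.Fqdn.ToString() }
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" }
foreach ($fqdn in $connectorFqdns) {
    $covered = @($smtpCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn
    })
    if ($covered.Count -gt 0) { "OK      $fqdn is covered by $($covered[0].Thumbprint)" }
    else { "MISSING $fqdn - event 12014 will recur until a cert with this name has SMTP enabled" }
}
```

Step 4 is the check worth keeping around: it reports, per connector, whether the name the transport service will present is actually on a certificate bound to SMTP, which is exactly the condition the 12014 event text describes.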

Author Comment

by:StarfishTech
ID: 34880775
So I can use the public cert for OWA and a self-signed cert for Exchange? Do I have to roll out the cert to the users if I use self-signed? All that Outlook complains about is the name on the cert, so I'm wondering if I even have to install it?
Author Comment

by:StarfishTech
ID: 34880777
The more I think about it, I want to make sure we continue to use the public cert. Would it be best to just get a new multi-domain cert that contains all of the names like mail.domain.com, mail.server.local, etc.?
Expert Comment

by:davorin
ID: 34882300
As you said, you have three options:
- You can use a self-signed cert, but you will have to make this cert trusted by clients. With domain computers this is not a problem, because if the domain controller trusts a certificate, the client will also.
You will have to install certificates manually on non-domain computers and mobile devices (not possible on all mobile devices).
- You can buy a new SAN certificate (or additional certificates, but I would prefer the first option).
http://technet.microsoft.com/en-us/library/aa995942(EXCHG.80).aspx
- Or you can try to change all FQDNs so they reflect the name used in the certificate.
This article could help you:
http://forums.msexchange.org/m_1800444783/mpage_1/key_/tm.htm#1800444783

Anyway, the "cleanest" procedure should be buying a new cert.
Assisted Solution

by:e_aravind
e_aravind earned 1000 total points
ID: 34883316
When the issue is happening,
can you check the "Test E-mail AutoConfiguration" from the affected client?
The log tab should say "https://server.domain.local...." found as SCP,
correct?

>> This means that when the SCP URL is identified and collected by Outlook, you are facing the issue.

You could try the following too:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Reference:
http://support.microsoft.com/kb/940726

>> Regarding the event ID in the application logs:
you need to assign the SMTP service the default "self-signed" cert.
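The two fixes in this answer (moving the Autodiscover SCP and the other internal URLs onto a name that is on the certificate, per KB940726, and binding a certificate that carries the connector FQDN to SMTP for the 12014 event), as an added example that is not code from the page or from the people answering. It assumes the Exchange 2007 Management Shell, placeholder names SERVER, webmail.domain.com and server.domain.local, the default virtual-directory identities "SERVER\EWS (Default Web Site)" and "SERVER\OAB (Default Web Site)", and that Get-ExchangeCertificate objects expose CertificateDomains as shown in their Format-List output:

```powershell
# Added example: make every URL Outlook learns from Autodiscover use a name that
# is actually on the certificate, then bind a cert containing the connector
# FQDN to SMTP. Names below are placeholders for this example.
$casServer    = "SERVER"                 # Client Access server (assumed)
$certName     = "webmail.domain.com"     # a name present on the bound public cert
$internalFqdn = "server.domain.local"    # FQDN quoted in the event 12014 text

# 1. Show what Outlook currently receives. The SCP URI and the EWS/OAB internal
#    URLs are the values Outlook 2007 validates against the certificate, so a
#    .local name here reproduces the "name on the certificate" alert.
Get-ClientAccessServer -Identity $casServer | Format-List Identity, AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $casServer | Format-List Identity, InternalUrl
Get-OabVirtualDirectory -Server $casServer | Format-List Identity, InternalUrl

# 2. Point them at the certificate name (the KB940726 fix). That name has to
#    resolve on the LAN, so an internal DNS A record for it is a prerequisite.
Set-ClientAccessServer -Identity $casServer `
    -AutodiscoverServiceInternalUri "https://$certName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$casServer\EWS (Default Web Site)" `
    -InternalUrl "https://$certName/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$casServer\OAB (Default Web Site)" `
    -InternalUrl "https://$certName/OAB"

# 3. Event 12014: the transport service wants a certificate whose SAN list
#    contains the connector FQDN. The Exchange self-signed cert normally carries
#    the server's own FQDN, so find such a cert and enable it for SMTP only,
#    leaving IIS on the public cert.
$smtpCert = Get-ExchangeCertificate | Where-Object {
    ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $internalFqdn
} | Select-Object -First 1

if ($smtpCert) {
    Enable-ExchangeCertificate -Thumbprint $smtpCert.Thumbprint -Services SMTP
    "SMTP now uses $($smtpCert.Thumbprint) ($($smtpCert.Subject))"
} else {
    "No certificate contains $internalFqdn; create a self-signed one for SMTP with:"
    "  New-ExchangeCertificate -DomainName $internalFqdn, $casServer -Services SMTP"
}
```

After step 2, re-run Outlook's "Test E-mail AutoConfiguration" from a client: the SCP and EWS/OAB URLs in the log tab should now show the certificate name, and the alert disappears without installing anything on the clients. Step 3 only affects the server-to-server STARTTLS binding, so the public certificate keeps serving OWA and Outlook.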