Solved

Security Alert on Outlook 2007 Clients

Posted on 2011-02-11
6
946 Views
Last Modified: 2012-05-11
Hello, we just got through setting up a brand new domain with new servers for a client. The Exchange server is running Exchange 2007 on Windows 2008. We have a public cert that we installed in IIS. However, whenever a user attempts to launch Outlook, they get a security alert complaining that the "name of the security certificate is invalid or does not match the name of the site". I guess this is true because the certificate is "webmail.domain.com" while the security alert displays "server.domain.local." What do we have to do to get rid of this error?
0
Comment
Question by:StarfishTech
6 Comments
 

Author Comment

by:StarfishTech
ID: 34876989
I am also seeing this error in the application log of the server. I'm not sure if this is related.

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/11/2011 11:37:01 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local

Description:
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

0
 
LVL 27

Accepted Solution

by:
davorin earned 250 total points
ID: 34879177
You have to install a certificate on Exchange with multiple subject alternate names,
like servername, servername.domain.local, external names like mail.domain.com, autodiscover.domain.com.
It depends on what you need.
For more details look at Sambee's post.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23048364.html
You can also use a self-signed cert, if you have no problems with deploying certificates to users.
0
 

Author Comment

by:StarfishTech
ID: 34880775
So I can use the public cert for OWA and a self-signed cert for Exchange? I DO have to roll out the cert to the users if I use self-signed? All that Outlook complains about is the name on the cert, so I'm wondering if I even have to install it?
0

Author Comment

by:StarfishTech
ID: 34880777
The more I think about it I want to make sure we continue to use the public cert? Would it be best to just get a new multi domain cert that contains all of the names like mail.domain.com, mail.server.local, etc??
0
 
LVL 27

Expert Comment

by:davorin
ID: 34882300
As you said you have three options:
- You can use a self-signed cert, but you will have to make this cert trusted by clients. With domain computers this is not a problem, because if the domain controller trusts a certificate, the client will too.
You will have to install certificates manually on non-domain computers and mobile devices. (Not possible on all mobile devices.)
- You can buy a new SAN certificate (or additional certificates, but I would prefer the first option).
http://technet.microsoft.com/en-us/library/aa995942(EXCHG.80).aspx
- Or you can try to change all FQDNs so they reflect the name used in the certificate.
This article could help you:
http://forums.msexchange.org/m_1800444783/mpage_1/key_/tm.htm#1800444783

Anyway, the "cleanest" procedure should be buying a new cert.
0
 
LVL 26

Assisted Solution

by:e_aravind
e_aravind earned 250 total points
ID: 34883316
When the issue is happening,
can you check the "Test email autoconfiguration" from the affected client?
The log tab should say "https://server.domain.local...." found as SCP,
correct?

>> This means that when the SCP URL is identified and collected by Outlook, you are facing the issue.

You could try the following too:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Reference:
http://support.microsoft.com/kb/940726

>> Regarding the event ID in the application logs:
you need to assign the SMTP service with the default "self-signed" cert.
0
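An added example (not from the thread or from Microsoft) of the check the answers above imply: list every internal name Exchange hands out to clients and test it against the names on the certificates enabled for IIS and SMTP. It assumes the Exchange Management Shell on the Exchange 2007 server; `Get-CertNames` and `Test-CertCoversName` are hypothetical helper names defined here.

```powershell
# Added example: run in the Exchange Management Shell. Read-only (Get-* cmdlets only).

# Names on the certificates enabled for a given service ('IIS' or 'SMTP').
function Get-CertNames([string]$service) {
    Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match $service } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_".ToLower() }   # assumes the string form is the DNS name
}

# True when $hostName equals a certificate name or matches a one-label wildcard.
function Test-CertCoversName([string]$hostName, [string[]]$names) {
    $h = $hostName.ToLower()
    $dot = $h.IndexOf('.')
    foreach ($n in $names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $h.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Every internal name that Outlook or SMTP clients are pointed at.
$endpoints = @()
Get-ClientAccessServer | ForEach-Object {
    $endpoints += ,@('IIS', 'Autodiscover SCP', $_.AutodiscoverServiceInternalUri.Host) }
Get-WebServicesVirtualDirectory | ForEach-Object {
    $endpoints += ,@('IIS', 'EWS InternalUrl', $_.InternalUrl.Host) }
Get-OabVirtualDirectory | ForEach-Object {
    $endpoints += ,@('IIS', 'OAB InternalUrl', $_.InternalUrl.Host) }
Get-ReceiveConnector | ForEach-Object {
    $endpoints += ,@('SMTP', "Connector '$($_.Name)'", "$($_.Fqdn)") }

$iisNames  = @(Get-CertNames 'IIS')
$smtpNames = @(Get-CertNames 'SMTP')

foreach ($e in $endpoints) {
    if (-not $e[2]) { continue }                      # URL or FQDN not configured
    if ($e[0] -eq 'IIS') { $names = $iisNames } else { $names = $smtpNames }
    if (Test-CertCoversName $e[2] $names) { $result = 'covered' }
    else { $result = 'NOT ON CERTIFICATE' }
    '{0,-5} {1,-32} {2,-32} {3}' -f $e[0], $e[1], $e[2], $result
}
```

Any row marked `NOT ON CERTIFICATE` is a name that needs either a SAN entry on the certificate or a changed URL/FQDN, which are the options discussed in the answers.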
