Solved

Security Alert on Outlook 2007 Clients

Posted on 2011-02-11
Last Modified: 2012-05-11
Hello, we just got through setting up a brand new domain with new servers for a client. The Exchange server is running Exchange 2007 on Windows 2008. We have a public cert that we installed in IIS. However, whenever a user attempts to launch Outlook, they get a security alert complaining that the "name of the security certificate is invalid or does not match the name of the site". I guess this is true because the certificate is "webmail.domain.com" while the security alert displays "server.domain.local." What do we have to do to get rid of this error?
Question by:StarfishTech
6 Comments
 

Author Comment

by:StarfishTech
ID: 34876989
I am also seeing this error in the application log of the server. I'm not sure if this is related.

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/11/2011 11:37:01 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local

Description:
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

 

Accepted Solution

by:
davorin earned 250 total points
ID: 34879177
You have to install a certificate on Exchange with multiple subject alternate names,
like servername, servername.domain.local, and external names like mail.domain.com, autodiscover.domain.com.
It depends what you need.
For more details look at Sambee's post.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23048364.html
You can also use a self-signed cert, if you have no problems with deploying certificates to users.
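The SAN-certificate route described in the accepted answer, written out as an added Exchange 2007 Management Shell example (this is not code from the thread or from Microsoft). The host names are the ones the question uses; the organization in the subject, the request and certificate file paths, and the short name "server" are placeholders.

```powershell
# Added example: request one certificate that carries every name Exchange presents,
# then bind it to IIS (Outlook Anywhere/OWA/Autodiscover/EWS) and SMTP (STARTTLS).
# Placeholders: "Example Org" and the C:\certreq paths. Host names follow the question.

# 1. Generate the request. Every name a client or the transport service may see
#    must be in -DomainName; a name that is missing here is exactly what produces
#    Outlook's "name on the certificate is invalid or does not match" alert.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=webmail.domain.com" `
    -DomainName webmail.domain.com, autodiscover.domain.com, server.domain.local, server `
    -PrivateKeyExportable $true `
    -Path C:\certreq\webmail_san.req

# 2. Submit C:\certreq\webmail_san.req to the CA, save the issued certificate as
#    C:\certreq\webmail_san.cer, then import it into the local computer's personal store.
Import-ExchangeCertificate -Path C:\certreq\webmail_san.cer

# 3. Locate the new certificate by one of its names (skip the self-signed one that
#    Exchange setup created) and bind it to both services in one step.
$thumb = (Get-ExchangeCertificate -DomainName webmail.domain.com |
          Where-Object { -not $_.IsSelfSigned } |
          Sort-Object NotAfter -Descending |
          Select-Object -First 1).Thumbprint

Enable-ExchangeCertificate -Thumbprint $thumb -Services "IIS,SMTP"

# 4. Verify: CertificateDomains must list all four names and Services must show IIS, SMTP.
Get-ExchangeCertificate -Thumbprint $thumb |
    Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned, NotAfter
```

Two things to check before ordering the certificate: the list in -DomainName has to match what Get-ClientAccessServer, the virtual directory InternalUrl values and the receive connector FQDN actually hand out, and a public CA will no longer issue a certificate containing a non-public name such as server.domain.local (issuance of internal names stopped under the CA/Browser Forum baseline requirements in 2015), so on a current deployment the internal names would have to be covered by repointing the URLs to the public name instead.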
 

Author Comment

by:StarfishTech
ID: 34880775
So I can use the public cert for OWA and a self-signed cert for Exchange? I DO have to roll out the cert to the users if I use self-signed? All that Outlook complains about is the name on the cert, so I'm wondering if I even have to install it?

Author Comment

by:StarfishTech
ID: 34880777
The more I think about it, I want to make sure we continue to use the public cert. Would it be best to just get a new multi-domain cert that contains all of the names like mail.domain.com, mail.server.local, etc.?

Expert Comment

by:davorin
ID: 34882300
As you said, you have three options:
- You can use a self-signed cert, but you will have to make this cert trusted by clients. With domain computers this is not a problem, because if the domain controller trusts a certificate, the client will too.
You will have to install certificates manually on non-domain computers and mobile devices (not possible on all mobile devices).
- You can buy a new SAN certificate (or additional certificates, but I would prefer the first option).
http://technet.microsoft.com/en-us/library/aa995942(EXCHG.80).aspx
- Or you can try to change all FQDNs so they will reflect the name used in the certificate.
This article could help you:
http://forums.msexchange.org/m_1800444783/mpage_1/key_/tm.htm#1800444783

Anyway, the "cleanest" procedure should be buying a new cert.
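The third option above (changing the FQDNs so clients only ever see the name on the public certificate), as an added Exchange 2007 Management Shell example that is not part of this thread. It assumes a single Client Access server named SERVER and that internal DNS already resolves webmail.domain.com to that server (split DNS); without that record, internal clients would be sent to an address they cannot reach.

```powershell
# Added example: point every client-facing internal URL at the public name so that
# Outlook never receives server.domain.local from Autodiscover.
# Assumptions: CAS server "SERVER", split DNS for webmail.domain.com.

$cas        = "SERVER"              # Client Access server NetBIOS name
$publicName = "webmail.domain.com"  # the name on the public certificate

# Autodiscover SCP: domain-joined Outlook reads this URL from Active Directory
# before anything else, which is why the thread's "Test E-mail AutoConfiguration"
# log shows the .local name.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$publicName/Autodiscover/Autodiscover.xml"

# URLs returned inside the Autodiscover response: EWS (free/busy, OOF) and OAB.
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$publicName/OAB"

# Verify what Autodiscover will now hand to clients; every value should use $publicName.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List Identity, InternalUrl
```

This only fixes the names Outlook checks over HTTPS. The transport side (event 12014, which is about the receive connector's FQDN and STARTTLS) is separate: the default receive connector's FQDN should stay the server's own FQDN, and that name is best covered by leaving the self-signed certificate bound to SMTP, as the next comment suggests.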

Assisted Solution

by:e_aravind
e_aravind earned 250 total points
ID: 34883316
When the issue is happening,
can you check the "Test E-mail AutoConfiguration" from the affected client?
The log tab should say "https://server.domain.local...." found as SCP,
correct?

>> This means that when the SCP URL is identified and collected by Outlook, you are facing the issue.

You could try the following too:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Reference:
http://support.microsoft.com/kb/940726

>> Regarding the event ID in the application logs:
you need to assign the SMTP service the default "self-signed" cert.
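Assigning the self-signed certificate to SMTP, as the assisted solution describes for event 12014, written out as an added Exchange 2007 Management Shell example (not code from the thread). It assumes the self-signed certificate that Exchange setup created for server.domain.local is still in the local computer's personal store; if it is gone, the block recreates one. The public certificate stays bound to IIS.

```powershell
# Added example: give the transport service a certificate whose name matches the
# receive connector FQDN (server.domain.local) so STARTTLS works and event 12014 stops,
# while the public certificate keeps serving IIS.
# Assumption: single Exchange 2007 server; the FQDN comes from the event text.

$serverFqdn = "server.domain.local"     # "FQDN parameter of ..." in event 12014
$shortName  = $serverFqdn.Split('.')[0] # "server"

# Show every certificate Exchange can see, with its names and current bindings.
Get-ExchangeCertificate |
    Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned, Status, NotAfter

# Pick a valid self-signed certificate that actually contains the server FQDN.
$selfSigned = Get-ExchangeCertificate -DomainName $serverFqdn |
    Where-Object { $_.IsSelfSigned -and $_.Status -eq "Valid" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($null -eq $selfSigned) {
    # Nothing usable in the store: create a new self-signed certificate for the
    # server's names. Binding is done explicitly below rather than relying on defaults.
    $selfSigned = New-ExchangeCertificate -DomainName $serverFqdn, $shortName
}

# Bind it to SMTP only. IIS is not listed, so the public certificate remains on the web site.
Enable-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint -Services SMTP

# Confirm the split: one certificate should show IIS, the self-signed one SMTP.
Get-ExchangeCertificate |
    Where-Object { $_.Services -ne "None" } |
    Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned

# Transport reads the certificate key at start-up; restart it and then check the
# Application log for a fresh 12014 (there should be none).
Restart-Service MSExchangeTransport
```

The self-signed certificate on SMTP is only presented to SMTP peers (other Exchange servers and opportunistic TLS from the internet), not to Outlook, so it does not need to be pushed to workstations for this purpose; the Outlook alert is resolved separately by the Autodiscover URL change or the SAN certificate discussed above.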