Solved

Security Alert on Outlook 2007 Clients

Posted on 2011-02-11
Last Modified: 2012-05-11
Hello, we just got through setting up a brand new domain with new servers for a client. The Exchange server is running Exchange 2007 on Windows 2008. We have a public cert that we installed in IIS. However, whenever a user attempts to launch Outlook, they get a security alert complaining that the "name of the security certificate is invalid or does not match the name of the site". I guess this is true because the certificate is "webmail.domain.com" while the security alert displays "server.domain.local." What do we have to do to get rid of this error?
Question by:StarfishTech
6 Comments

Author Comment

by:StarfishTech
ID: 34876989
I am also seeing this error in the application log of the server. I'm not sure if this is related.

Log Name:      Application
Source:        MSExchangeTransport
Date:          2/11/2011 11:37:01 PM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server.domain.local

Description:
Microsoft Exchange could not find a certificate that contains the domain name server.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default SERVER with a FQDN parameter of server.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


Accepted Solution

by:davorin (earned 250 total points)
ID: 34879177
You have to install a certificate on Exchange with multiple subject alternate names,
like servername, servername.domain.local, and external names like mail.domain.com, autodiscover.domain.com.
It depends what you need.
For more details look at Sambee's post.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23048364.html
You can also use a self-signed cert, if you have no problems with deploying certificates to users.

Author Comment

by:StarfishTech
ID: 34880775
So I can use the public cert for OWA and a self-signed cert for Exchange? I DO have to roll out the cert to the users if I use self-signed? All that Outlook complains about is the name on the cert, so I'm wondering if I even have to install it?

Author Comment

by:StarfishTech
ID: 34880777
The more I think about it, I want to make sure we continue to use the public cert? Would it be best to just get a new multi-domain cert that contains all of the names like mail.domain.com, mail.server.local, etc.?

Expert Comment

by:davorin
ID: 34882300
As you said, you have three options:
- You can use a self-signed cert, but you will have to make this cert trusted by clients. With domain computers this is not a problem, because if the domain controller trusts a certificate, the client will too.
You will have to install certificates manually on non-domain computers and mobile devices. (Not possible on all mobile devices.)
- You can buy a new SAN certificate (or additional certificates, but I would prefer the first option).
http://technet.microsoft.com/en-us/library/aa995942(EXCHG.80).aspx
- Or you can try to change all FQDNs so they will reflect the name used in the certificate.
This article could help you:
http://forums.msexchange.org/m_1800444783/mpage_1/key_/tm.htm#1800444783

Anyway, the "cleanest" procedure should be buying a new cert.

Assisted Solution

by:e_aravind (earned 250 total points)
ID: 34883316
When the issue is happening, can you check the "Test email autoconfiguration" from the affected client?
The log tab should say "https://server.domain.local...." found as SCP, correct?

>> This means that when the SCP URL is identified and collected by Outlook, you are facing the issue.

You could try the following too:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Reference:
http://support.microsoft.com/kb/940726

>> Regarding the event ID in the application logs:
You need to assign the SMTP service the default "self-signed" cert.
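Putting davorin's SAN-certificate advice and e_aravind's Autodiscover and SMTP steps together, here is an added Exchange 2007 Management Shell walkthrough; it is not code from either answer or from Microsoft, and the host names, organization, server name and file paths are placeholders taken from the thread.

```powershell
# Added example (not from the thread). Every name that Outlook or the transport
# service can present must be on the certificate, otherwise the name-mismatch
# alert and the MSExchangeTransport 12014 event keep coming back.
$names = @(
    'webmail.domain.com',       # public OWA / Outlook Anywhere name (the existing cert's CN)
    'autodiscover.domain.com',  # Autodiscover lookup used by non-domain and external clients
    'server.domain.local',      # internal FQDN handed out by the SCP and used by the SMTP connector
    'server'                    # short host name, in case clients or connectors use it
)

# 1. Generate a certificate request that lists all of them as subject alternative names.
#    Exchange 2007's New-ExchangeCertificate writes the PKCS#10 request to -Path.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=webmail.domain.com, O=Placeholder Org, C=US' `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange SAN certificate' `
    -Path 'C:\certreq\webmail.req'

# 2. Submit C:\certreq\webmail.req to the CA, save the issued certificate as webmail.cer,
#    then import it and bind it to IIS (OWA, Autodiscover, EWS) and SMTP (STARTTLS).
$cert = Import-ExchangeCertificate -Path 'C:\certreq\webmail.cer'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 3. Verify: CertificateDomains must contain server.domain.local (clears event 12014
#    because the Default SERVER connector's FQDN now matches a certificate with SMTP enabled).
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter

# 4. Optional, per the assisted answer: point domain-joined Outlook clients at a URL whose
#    host name is on the certificate instead of the server's internal FQDN.
Set-ClientAccessServer -Identity 'SERVER' `
    -AutodiscoverServiceInternalUri 'https://webmail.domain.com/autodiscover/autodiscover.xml'
Set-WebServicesVirtualDirectory -Identity 'SERVER\EWS (Default Web Site)' `
    -InternalUrl 'https://webmail.domain.com/EWS/Exchange.asmx'
Set-OABVirtualDirectory -Identity 'SERVER\OAB (Default Web Site)' `
    -InternalUrl 'https://webmail.domain.com/OAB'
```

Public CAs have not issued certificates containing private names such as server.domain.local since 2015, so today the internal names would come from an internal CA, or the connector FQDNs and virtual directory URLs would be changed to the public name as in davorin's third option.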