Solved

newly installed computers can't trust the certificate of exchange server

Posted on 2011-02-14
Last Modified: 2012-08-13
Dear All,

I have a public certificate from Entrust and it works perfectly from outside the company, but from the inside I configured OWA to be Windows Integrated and Basic authentication, and all the others like it, but I am receiving a certificate; this only happened with my local server names.

I opened MMC - Certificates - Computer

and I found it unable to trust the Entrust

I tried to trace the server and I didn't find any packet going to the internet

How can I know what to tell the network team to allow for the Entrust to work?
0
Question by:ALAA_ELMAHDY
17 Comments
 
LVL 6

Expert Comment

by:craig_j_Lawrence
ID: 34894242
Hi,

Did you add the local server names to the Subject Alternate Name (SAN) list when the certificate was created?

For a client computer to "accept" a certificate, the host name you are entering in the browser must match one of the names associated with the certificate.

0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34894571
As Craig says you either need to change the cert subject

OR

Add an internal DNS entry for whatever name is on your cert to resolve to the internal IP address of your web server.
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34894660
Both of them exist.

The names are very well in the certificate itself (the SAN one),

and it was working perfectly and is still working on the server zone, but I don't know what happened.

This message disappears when I trust the Entrust certificate chain, so I think it's a matter of the clients not being able to check the issuer of the certificate, but I don't know what to do then.

The certificate is working from the internet perfectly, and the servers that appear in the message are the Client Access servers.
0

 

Author Comment

by:ALAA_ELMAHDY
ID: 34894661
And there is a DNS record for whatever names are in the certificate.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34895923
Can you post the cert error message? Modify the domain name in MSPaint if you want.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34895932
Also, where are you receiving the cert warning? Outlook or OWA on these new machines?
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34904158
I am receiving this message on the new PCs.

I had called Microsoft support and they transferred the issue from the Exchange team to the Windows team. We reached the conclusion that Windows is able to download the Entrust certificate from the Windows Update site but is not able to inject it into the local PC's certificates.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34904438
So you are going to have to install the cert manually then? Surely Entrust will have something to say about this? Have you tried installing IE 9 or the latest Root Certificate update from Windows Update?
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34904614
How can I install the latest Root Certificate update from Windows Update?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34904825
IE --> tools --> safety --> windows update
It should be listed as one of the optional updates
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34905084
This is Windows 7 and it's fully updated.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34905218
Have you spoken to your cert provider to see if they have any solution? You may need a new intermediate cert from them to resolve this.
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34905228
I have downloaded the certificate from Windows Update and checked for the update, and discovered that the last update is from 2009, which means nothing new. Also, when I installed the certificate it works like a charm.
0
 

Author Comment

by:ALAA_ELMAHDY
ID: 34905232
But I want to get it working on all PCs.
0
 
LVL 6

Accepted Solution

by:
craig_j_Lawrence earned 2000 total points
ID: 34913270
You can use Group Policy to distribute the root certificate to all your workstations; look at this TechNet article for details.
0
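A way to check, on one of the affected workstations, whether the chain for the server certificate builds to a trusted root, before and after the root is distributed by Group Policy. This is an added example, not part of the thread; the host name `mail.example.com` is a placeholder for your Client Access server name.

```powershell
param(
    [string]$ServerName = 'mail.example.com',   # placeholder, not from the thread
    [int]$Port = 443
)

# Fetch the certificate the server presents. The callback accepts any
# certificate so it can be inspected on a machine that does not trust the
# issuer yet. Diagnostic use only: no data is sent over this connection.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Build the chain with this machine's certificate stores. Revocation checking
# is switched off so the result reflects root and intermediate trust only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

"Server certificate : $($cert.Subject)"
"Chain trusted here : $trusted"

# List every certificate in the chain and whether it is present in the
# machine-wide Trusted Root Certification Authorities store.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $inRoot = Test-Path ("Cert:\LocalMachine\Root\" + $c.Thumbprint)
    "  {0}" -f $c.Subject
    "    thumbprint={0} inLocalMachineRoot={1}" -f $c.Thumbprint, $inRoot
}

# UntrustedRoot or PartialChain here means the root (or an intermediate)
# is missing from this machine's stores.
foreach ($status in $chain.ChainStatus) {
    "Status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run it once on a new PC that shows the warning and once on a machine in the server zone; the chain element whose `inLocalMachineRoot` value differs between the two is the certificate to distribute.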
 

Author Comment

by:ALAA_ELMAHDY
ID: 35115517
Sorry for not closing the question, due to limited connectivity.

Finally, Microsoft announced that there was an error in the Windows Update package which Windows 7 uses to update the trusted CAs list.

This was fixed and republished by the Windows Update team.

thanks
Alaa Elahdy
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35145665
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
