Solved

Exchange 2007 - Security Certificate

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi Guys,

We had a local (self-signed) security certificate and recently upgraded to a public SSL certificate.
Some workstations keep giving us an SSL error message, but in the pop-up message the workstations still refer back to the self-signed certificate name and not the new SSL FQDN.

All the services in Exchange were bound to the new certificate.

Any help will be appreciated.
Regards, Rupert

Question by:Rupert Eghardt
23 Comments
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 400 total points
ID: 34942113
You need to manually delete the older certificate from the desktop and install the new certificate there as well.

Author Comment

by:Rupert Eghardt
ID: 34942260
On the workstation side, when opening Outlook, it gives a SECURITY WARNING and prompts with the incorrect SSL FQDN.

When clicking on VIEW CERTIFICATE on this window, it shows the correct certificate (FQDN).
However, on the "certificate path" tab, it shows a yellow exclamation mark.
Upon clicking INSTALL it installs successfully, but when closing and opening Outlook again, it still shows the old (self-signed) certificate name.

Should I first delete the old certificate in MMC, before installing the new certificate from Outlook?
I checked under TRUSTED ROOT CERTIFICATION AUTHORITIES, but couldn't spot the old certificate by FQDN. Not sure where to delete the self-signed certificate first?

Author Comment

by:Rupert Eghardt
ID: 34942295
Two new workstations were added to the domain (after the new SSL certificate was installed on the server) and they are also getting the Exchange SSL error with the wrong SSL name.  Hence, I believe the problem should be somewhere in the Exchange config?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942516
How many CAS do you have? Do you publish Exchange through ISA? If so, have you installed the certificate on the ISA server and modified the listener?

How many users face the problem (%)?

Author Comment

by:Rupert Eghardt
ID: 34942615
All the internal users are experiencing the problem.
The certificate was installed on the ISA server, but internal users access the Exchange server directly, so I assume we could exclude that scenario?

We had an SBS server, which was migrated to another Exchange 2007 box.  Mailboxes were moved to the Exchange 2007 box, away from the SBS box.

I am sure both servers are still running CAS.

As a point to start from, do you suggest that I remove CAS from the SBS server?

LVL 10

Expert Comment

by:abhijitmdp
ID: 34942641
Yes, you are right. The problem is somewhere in Exchange. You need to delete and reinstall the certificate on your servers. Be careful at the time of re-chaining the cert and insert the correct names there. Also, you will need a UCC5 cert so that you can enter multiple alternative names and configure Outlook Anywhere in a good manner.
LVL 10

Expert Comment

by:abhijitmdp
ID: 34942643
You do not need to remove CAS from SBS.
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942670
Client side: on the Outlook icon in the notification area, right-click (while pressing Control) and select Connection Status.

Where does this client connect?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942686
Another thing to check on the warning box fired up by Outlook: top right, which resource does this alert belong to? Autodiscover, mail, etc.?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942717
Sorry, I meant top left.

Author Comment

by:Rupert Eghardt
ID: 34942738
CONNECTION STATUS:  The client connects to the new server for MAIL, but for DIRECTORY and PUBLIC it still refers back to the SBS server.

I am sure this could cause connection problems, as it is currently connected to both servers?

In the TOP-LEFT corner of the message box, it gives the FQDN of the previous SSL certificate.
Is it not supposed to show autodiscover.domain.local?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942766
First of all, did you try to restart Outlook/the machines on the client side? If so, please try to delete the Outlook profile (OST file) and recreate it again...

Author Comment

by:Rupert Eghardt
ID: 34942827
I deleted the OST file, and the mailbox started downloading messages from the server.
HOWEVER, it still connects to both servers and gives the certificate error (previous certificate FQDN).
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942834
Where does your MX record point? To the old or to the new server?

Author Comment

by:Rupert Eghardt
ID: 34942848
We are using a smarthost to collect the mail from the ISP.
The MX for the internet domain points to the ISP's mail server.
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942949
Then your clients reach your Exchange server through the ISP smarthost? Client -- ISA -- ISP -- ISA -- Exchange? Please correct me if I am wrong...

Author Comment

by:Rupert Eghardt
ID: 34942998
Incoming mail comes via the ISP - smarthost - Exchange.
Outgoing mail goes through Exchange - smarthost - ISP.

Internal clients access the Exchange server directly.
External clients access the Exchange server via the ISA server from the internet.

I hope this explains...
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34943205
In your internal DNS, where does your MX point? To the old Exchange server?

Author Comment

by:Rupert Eghardt
ID: 34943288
I think you are right.
The internal domain is OurDomain.local and the external domain is OurDomain.com.

The external domain's MX records point to the ISP, but the remote services (such as owa.OurDomain.com) point to the external IP of the ISA server.

Internally all these point to the local IP of the Exchange server.

However, I can't spot the MX record in DNS. Where in the internal DNS should the MX record be listed?  Is there a way to test where the internal MX records point to internally?

LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34943355
Do you have Autodiscover enabled? Maybe Autodiscover distributes wrong settings..

Author Comment

by:Rupert Eghardt
ID: 34943557
OK, I checked in DNS, forward lookup zones:
no MX present. I will create a new MX record pointing to the new Exchange server.
I didn't specifically enable AutoDiscover, but I thought it was installed / enabled by default during Exchange installation?

I did set all the AutoDiscover settings to the correct location on the new server:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

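Since the asker has set the web service URLs by hand and the new workstations still receive the old name, the following check lists what Autodiscover actually hands out. It is an added example for this thread, not a command sequence posted by any participant; it runs in the Exchange 2007 Management Shell, and the host names `owa.OurDomain.com` and `sbs.OurDomain.local` are assumed placeholders. It treats every URL (internal and external) as expected to carry the public FQDN, matching the way the asker configured the URLs.

```powershell
# Added example, not from the thread. Run in the Exchange 2007 Management Shell on the
# new CAS. Part 1 shows which certificate each service is bound to; part 2 lists the URLs
# that Autodiscover hands to Outlook and flags any whose host is not the public
# certificate's FQDN. Host names are placeholders assumed for this example.
$ExpectedHost = 'owa.OurDomain.com'         # FQDN on the public certificate (assumed)
$OldHosts     = @('sbs.OurDomain.local')    # old SBS / self-signed name to flag (assumed)

# 1. Certificates in the Exchange store, with bound services (IIS, SMTP, POP, IMAP, UM).
Get-ExchangeCertificate |
    Select-Object Thumbprint, IsSelfSigned, Services, NotAfter,
        @{Name = 'Domains'; Expression = {
            [string]::Join(',', @($_.CertificateDomains | ForEach-Object { "$_" })) }} |
    Format-Table -AutoSize

# 2. Every URL a domain-joined Outlook can receive via the Autodiscover SCP record.
$urls = @()
$urls += Get-ClientAccessServer | Select-Object `
    @{Name = 'Source'; Expression = { "AutoDiscoverServiceInternalUri ($($_.Name))" }},
    @{Name = 'Url';    Expression = { $_.AutoDiscoverServiceInternalUri }}
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-ActiveSyncVirtualDirectory') {
    $dirs = & $cmd
    $urls += $dirs | Select-Object `
        @{Name = 'Source'; Expression = { "$cmd InternalUrl ($($_.Server))" }},
        @{Name = 'Url';    Expression = { $_.InternalUrl }}
    $urls += $dirs | Select-Object `
        @{Name = 'Source'; Expression = { "$cmd ExternalUrl ($($_.Server))" }},
        @{Name = 'Url';    Expression = { $_.ExternalUrl }}
}

# 3. Report. Outlook warns whenever the name it connected to is absent from the
#    certificate, so every URL below should use the new FQDN (or a SAN on the cert).
foreach ($u in $urls) {
    if (-not $u.Url) { continue }                  # unset URL: nothing handed to clients
    $uriHost = ([System.Uri]$u.Url).Host
    if ($uriHost -ne $ExpectedHost -or $OldHosts -contains $uriHost) {
        Write-Warning ("{0} -> {1}  (host '{2}' is not on the new certificate)" -f
            $u.Source, $u.Url, $uriHost)
    } else {
        Write-Host ("OK  {0} -> {1}" -f $u.Source, $u.Url)
    }
}
```

A URL still pointing at the SBS host explains the DIRECTORY and PUBLIC connections seen in Connection Status; if the old server also publishes an Autodiscover SCP record, Get-ClientAccessServer will list it as a second entry.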

Author Comment

by:Rupert Eghardt
ID: 34950725
Hi Suliman,

I think the problem is most likely DNS related.
When I try to create an MX record and browse for the "fully qualified domain name", it only brings up my domain controller, although I have created an A record for the Exchange server, which is a separate box altogether.

Under forward lookup zones, I have:
1.  _msdcs.domain.local
The SOA, NS and CNAME entries were auto-created in _msdcs.domain.local.

2.  domain.local
All the workstation and member server records were automatically created in domain.local.

3.  domain.com
I created domain.com for the AUTODISCOVER and FQDN (SSL) A records, pointing to the Exchange server.

Does the above DNS structure under Forward Lookup Zones appear to be correct?
When I add the MX record, is the Exchange server supposed to show up in the list when browsing for "fully qualified domain name"?
LVL 23

Accepted Solution

by:
Suliman Abu Kharroub earned 1600 total points
ID: 34951640
Please keep the DNS settings for now and run another test on Outlook:

Create a new Exchange Outlook profile (manually, not using Autodiscover) specifying the new CAS server.