Exchange 2007 - Security Certificate

Hi Guys,

We had a local (self-signed) security certificate and recently upgraded to a public SSL certificate.
Some workstations keep giving us an SSL error message, but in the pop-up message the workstations still refer back to the self-signed certificate name and not the new SSL FQDN.

All the services in Exchange were bound to the new certificate.

Any help will be appreciated.
Regards, Rupert

Rupert Eghardt (Programmer) Asked:
Suliman Abu Kharroub (IT Consultant) Commented:
Please keep the DNS settings for now and run another test on Outlook:

Create a new Exchange Outlook profile (manually, not using auto-discovery) specifying the new CAS server.
(attachment: a.PNG)
0
 
abhijitmdp Commented:
You need to manually delete the older certificate from the desktop and install the new certificate there as well.
0
 
Rupert Eghardt (Programmer, Author) Commented:
On the workstation side, when opening Outlook, it gives a SECURITY WARNING and prompts with the incorrect SSL FQDN.

When clicking on VIEW CERTIFICATE on this window, it shows the correct certificate (FQDN).
However, on the "certificate path" tab, it shows a yellow exclamation mark.
Upon clicking INSTALL it installs successfully, but when closing and reopening Outlook, it still shows the old (self-signed) certificate name.

Should I first delete the old certificate in MMC, before installing the new certificate from Outlook?
I checked under TRUSTED ROOT CERTIFICATION AUTHORITIES, but couldn't spot the old certificate by FQDN. Not sure where to delete the self-signed certificate first?
0
 
Rupert Eghardt (Programmer, Author) Commented:
Two new workstations were added to the domain (after the new SSL certificate was installed on the server) and they are also getting the Exchange SSL error with the wrong SSL name.  Hence, I believe the problem should be somewhere in the Exchange config?
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
How many CAS do you have? Do you publish Exchange through ISA? If so, have you installed the certificate on the ISA server and modified the listener?

How many users face the problem (%)?
0
 
Rupert Eghardt (Programmer, Author) Commented:
All the internal users are experiencing the problem.
The certificate was installed on the ISA server, but internal users access the Exchange server directly, so we could exclude that scenario?

We had an SBS server, which was migrated to another Exchange 2007 box.  Mailboxes were moved to the Exchange 2007 box, away from the SBS box.

I am sure both servers are still running CAS.

As a point to start from, do you suggest that I remove CAS from the SBS server?

0
 
abhijitmdp Commented:
Yes, you are right, the problem is somewhere in Exchange. You need to delete and reinstall the certificate on your servers. Be careful at the time of rechaining the cert; insert the correct names there. Also you will need a UCC5 cert so that you can enter multiple alternative names and configure Outlook Anywhere in a good manner.
0
 
abhijitmdp Commented:
You do not need to remove CAS from SBS.
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Client side: on the Outlook icon in the notification area, right click (while pressing Control) and select Connection Status.

Where does this client connect?
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Another thing to check on the warning box fired up by Outlook, top right: to which resource does this alert belong? Autodiscover, mail, etc.?
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Sorry, I meant top left.
0
 
Rupert Eghardt (Programmer, Author) Commented:
CONNECTION STATUS:  The client connects to the new server for MAIL, but for DIRECTORY and PUBLIC it still refers back to the SBS server.

I am sure this could cause connection problems, as it is currently connected to both servers?

In the TOP-LEFT corner of the message box, it gives the FQDN of the previous SSL certificate.
Is it not supposed to show autodiscover.domain.local?
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
First of all, did you try to restart Outlook/machines on the client side? If so, please try to delete the Outlook profile (OST file) and recreate it again...
0
 
Rupert Eghardt (Programmer, Author) Commented:
I deleted the OST file, and the mailbox started downloading messages from the server.
HOWEVER, it still connects to both servers and gives the certificate error (previous certificate FQDN).
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Where does your MX record point? To the old or to the new server?
0
 
Rupert Eghardt (Programmer, Author) Commented:
We are using a smarthost to collect the mail from the ISP.
The MX for the internet domain points to the ISP's mailserver.
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Then your clients reach your Exchange server through the ISP smarthost? client--isa--isp--isa--exchange? Please correct me if I am wrong...
0
 
Rupert Eghardt (Programmer, Author) Commented:
Incoming mail comes via ISP - smarthost - Exchange.
Outgoing mail goes through Exchange - smarthost - ISP.

Internal clients access the Exchange server directly.
External clients access the Exchange server via the ISA server from the internet.

I hope this explains ...
0
 
Suliman Abu Kharroub (IT Consultant) Commented:
In your internal DNS, where does your MX point? To the old Exchange server?
0
 
Rupert Eghardt (Programmer, Author) Commented:
I think you are right.
The internal domain is OurDomain.local and the external domain is OurDomain.com.

The external domain's MX records point to the ISP, but the remote services (such as owa.OurDomain.com) point to the external IP of the ISA server.

Internally all of these point to the local IP of the Exchange server.

However, I can't spot the MX record in DNS. Where in the internal DNS should the MX record be listed?  Is there a way to test where the internal MX record points internally?

0
 
Suliman Abu Kharroub (IT Consultant) Commented:
Do you have Autodiscover enabled? Maybe Autodiscover distributes wrong settings...
(attachment: a.PNG)
0
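The two suggestions above (reinstall the certificate with the correct names, and check whether Autodiscover is handing out the wrong settings) can be verified in one pass from the server side. The script below is an added example for this thread, not code from either poster or from Microsoft: it is assumed to run in the Exchange 2007 Management Shell on each Client Access Server in turn (Get-ExchangeCertificate only lists the local server's store), and all server names, domains and URLs come from whatever that environment returns. It collects the SCP Autodiscover URI each CAS registers, which is where domain-joined Outlook looks first, plus the internal/external URLs of the EWS, OAB and OWA virtual directories, then compares each URL's host name against the subject/SAN names of the certificates bound to IIS. A host name not covered by a bound certificate is exactly the name Outlook will show in its security warning.

```powershell
# Added example (not from the thread). Assumes Exchange 2007 Management Shell,
# run on each CAS. Written to be PowerShell 1.0-compatible (no -Property hashtables).

# Build a simple record object for one URL.
function New-UrlRecord($server, $source, $url) {
    $rec = "" | Select-Object Server, Source, Url, Host, Covered
    $rec.Server = $server
    $rec.Source = $source
    $rec.Url = $url
    $rec.Host = ([Uri]$url).Host.ToLower()
    $rec
}

# True when $hostname is matched by one of the certificate names, honouring a
# single-label wildcard ("*.example.com" covers "mail.example.com" only).
function Test-NameCovered($hostname, $names) {
    foreach ($n in $names) {
        if ($n -eq $hostname) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".example.com"
            if ($hostname.EndsWith($suffix)) {
                $label = $hostname.Substring(0, $hostname.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 1. Every URL a client can be handed: the SCP Autodiscover URI of each CAS
#    (this is what a domain-joined Outlook queries first) plus the
#    internal/external URLs of the EWS, OAB and OWA virtual directories.
$urls = @()
foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        $urls += New-UrlRecord $cas.Name 'SCP AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri.ToString()
    }
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory)
foreach ($vd in $vdirs) {
    $kind = $vd.GetType().Name
    if ($vd.InternalUrl) { $urls += New-UrlRecord $vd.Server "$kind InternalUrl" $vd.InternalUrl.ToString() }
    if ($vd.ExternalUrl) { $urls += New-UrlRecord $vd.Server "$kind ExternalUrl" $vd.ExternalUrl.ToString() }
}

# 2. Names on the certificates actually bound to IIS on this server, with a
#    warning if one of them is still a self-signed certificate.
$certNames = @()
foreach ($cert in Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' }) {
    if ($cert.IsSelfSigned) {
        Write-Warning ("Self-signed certificate still bound to IIS: " + $cert.Thumbprint)
    }
    foreach ($d in $cert.CertificateDomains) { $certNames += $d.ToString().ToLower() }
}

# 3. Mark every URL whose host name is not covered by a bound certificate.
foreach ($u in $urls) { $u.Covered = Test-NameCovered $u.Host $certNames }

$urls | Sort-Object Covered, Server | Format-Table Server, Source, Host, Covered -AutoSize
$urls | Where-Object { -not $_.Covered } | ForEach-Object {
    Write-Warning ("Name mismatch: " + $_.Server + " " + $_.Source + " -> " + $_.Host)
}
```

Any row with Covered = False is a URL that either points at a server that should no longer be advertising itself (for example a legacy CAS whose SCP entry still names its own self-signed certificate) or uses a name that is missing from the new certificate's SAN list. The former is corrected with Set-ClientAccessServer -AutoDiscoverServiceInternalUri and the Set-*VirtualDirectory cmdlets, the latter by reissuing the certificate with that name included; deleting certificates on workstations does not change either.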
 
Rupert Eghardt (Programmer, Author) Commented:
OK, I checked in DNS, forward lookup zones:
no MX present. I will create a new MX record pointing to the new Exchange server.
I didn't specifically enable Autodiscover, but I thought it was installed / enabled by default during the Exchange installation?

I did set all the Autodiscover settings to the correct location on the new server:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

0
 
Rupert Eghardt (Programmer, Author) Commented:
Hi Suliman,

I think the problem is most likely DNS related.
When I try to create an MX record and browse for the "fully qualified domain name", it only brings up my domain controller, although I have created an A record for the Exchange server, which is a separate box altogether.

Under forward lookup zones, I have:
1.  _msdcs.domain.local,
The SOA, NS and CNAME entries were auto-created in _msdcs.domain.local

2.  domain.local
All the workstations and member servers records were automatically created in domain.local

3.  domain.com
I created domain.com for the AUTODISCOVER and FQDN (SSL) A records, pointing to the Exchange server.

Does the above DNS structure under Forward Lookup Zones appear to be correct?
When I add the MX record, is the Exchange server supposed to show up in the list when browsing for "fully qualified domain name"?
0