Solved

Exchange 2007 - Security Certificate

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi Guys,

We had a local (self-signed) security certificate and recently upgraded to a public SSL certificate.
Some workstations keep giving us an SSL error message, but in the pop-up message the workstations still refer back to the self-signed certificate name and not the new SSL FQDN.

All the services in Exchange were bound to the new certificate.

Any help will be appreciated.
Regards, Rupert

Question by: Rupert Eghardt

23 Comments
 
Assisted Solution
by: abhijitmdp (LVL 10), earned 100 total points
ID: 34942113
You need to manually delete the older certificate from the desktop and install the new certificate there as well.

Author Comment
by: Rupert Eghardt
ID: 34942260
On the workstation side, when opening Outlook, it gives a SECURITY WARNING and prompts with the incorrect SSL FQDN.

When clicking on VIEW CERTIFICATE on this window, it shows the correct certificate (FQDN).
However, on the "certificate path" tab, it shows a yellow exclamation mark.
Upon clicking INSTALL it installs successfully, but when closing and opening Outlook again, it still shows the old (self-signed) certificate name.

Should I first delete the old certificate in MMC, before installing the new certificate from Outlook?
I checked under TRUSTED ROOT CERTIFICATION AUTHORITY, but couldn't spot the old certificate by FQDN; I'm not sure where to delete the self-signed certificate first?

Author Comment
by: Rupert Eghardt
ID: 34942295
Two new workstations were added to the domain (after the new SSL certificate was installed on the server) and they are also getting the Exchange SSL error with the wrong SSL name. Hence, I believe the problem should be somewhere in the Exchange config?
 
Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942516
How many CAS do you have? Do you publish Exchange through ISA? If so, have you installed the certificate on the ISA server and modified the listener?

How many users face the problem (%)?

Author Comment
by: Rupert Eghardt
ID: 34942615
All the internal users are experiencing the problem.
The certificate was installed on the ISA server, but internal users access the Exchange server directly, so I assume we could exclude that scenario?

We had an SBS server, which was migrated to another Exchange 2007 box. Mailboxes were moved to the Exchange 2007 box, away from the SBS box.

I am sure both servers are still running CAS.

As a point to start from, do you suggest that I remove CAS from the SBS server?

Expert Comment
by: abhijitmdp (LVL 10)
ID: 34942641
Yes, you are right, the problem is somewhere in Exchange. You need to delete and reinstall the certificate on your servers. Be careful at the time of rechaining the cert; insert the correct names there. Also, you will need a UCC5 cert so that you can enter multiple alternative names and configure Outlook Anywhere in a good manner.

Expert Comment
by: abhijitmdp (LVL 10)
ID: 34942643
You do not need to remove CAS from SBS

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942670
Client side: on the Outlook icon in the notification area, right-click (while pressing Control) and select Connection Status.

Where does this client connect?

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942686
Another thing to check on the warning box fired up by Outlook: at the top right, to which resource does this alert belong? Autodiscover, mail, etc.?

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942717
Sorry, I meant top left.

Author Comment
by: Rupert Eghardt
ID: 34942738
CONNECTION STATUS:  The client connects to the new server for the MAIL, but for DIRECTORY and PUBLIC it still refers back to the SBS server.

I am sure this could cause connection problems as it is currently connected to both servers?

In the TOP-LEFT corner of the message box, it gives the FQDN of the previous SSL certificate.
Is it not supposed to show autodiscover.domain.local?

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942766
First of all, did you try to restart Outlook/the machines on the client side? If so, please try to delete the Outlook profile (OST file) and recreate it again...

Author Comment
by: Rupert Eghardt
ID: 34942827
I deleted the OST file, and the mailbox started downloading messages from the server.
HOWEVER, it still connects to both servers and gives the certificate error (previous certificate FQDN).

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942834
Where does your MX record point? To the old or to the new server?

Author Comment
by: Rupert Eghardt
ID: 34942848
We are using a smarthost to collect the mail from the ISP.
The MX for the internet domain points to the ISP's mailserver.

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34942949
Then your clients reach your Exchange server through the ISP smarthost? client--isa--isp--isa--exchange? Please correct me if I am wrong...

Author Comment
by: Rupert Eghardt
ID: 34942998
The incoming-mail comes via the ISP - smarthost - Exchange
Outgoing mail goes through Exchange - smarthost - ISP

Internal clients access the Exchange server directly
External clients access the Exchange server via the ISA server from the internet

I hope this explains ...

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34943205
In your internal DNS, where does your MX point? To the old Exchange server?

Author Comment
by: Rupert Eghardt
ID: 34943288
I think you are right,
The internal domain is OurDomain.local and the external domain is OurDomain.com

The external domain's MX records point to the ISP, but the remote services (such as owa.OurDomain.com) point to the external IP of the ISA server.

Internally, all these point to the local IP of the Exchange server.

However, I can't spot the MX record in DNS. Where in the internal DNS should the MX record be listed? Is there a way to test where the internal MX record points internally?

Expert Comment
by: Suliman Abu Kharroub (LVL 23)
ID: 34943355
Did you enable auto-discover? Maybe autodiscover distributes wrong settings..
a.PNG

Author Comment
by: Rupert Eghardt
ID: 34943557
OK, I checked in DNS, forward lookup zones: no MX present. I will create a new MX record pointing to the new Exchange server.
I didn't specifically enable AutoDiscover, but I thought it was installed / enabled by default during Exchange installation?

I did set all the AutoDiscover settings to the correct location on the new server;
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

Author Comment
by: Rupert Eghardt
ID: 34950725
Hi Suliman,

I think the problem is most likely DNS related.
When I try to create an MX record and browse for the "fully qualified domain name", it only brings up my domain controller, although I have created an A record for the Exchange server, which is a separate box altogether.

Under forward lookup zones, I have:
1.  _msdcs.domain.local,
The SOA, NS and CNAME entries were auto-created in _msdcs.domain.local

2.  domain.local
All the workstations and member servers records were automatically created in domain.local

3.  domain.com
I created the domain.com zone for the AUTODISCOVER and FQDN (SSL) A records, pointing to the Exchange server.

Does the above DNS structure under Forward Lookup Zones appear to be correct?
When I add the MX record, is the Exchange server supposed to show up in the list when browsing for "fully qualified domain name"?

Accepted Solution
by: Suliman Abu Kharroub (LVL 23), earned 400 total points
ID: 34951640
Please keep the DNS settings for now and run another test on Outlook:

Create a new Exchange Outlook profile (manually, not using auto-discovery) specifying the new CAS server.
a.PNG
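To go with the Autodiscover and certificate-binding discussion in this thread, here is an added example for the Exchange Management Shell (not from the thread, not Microsoft's own code): it lists every host name Autodiscover on the CAS hands to Outlook and flags any that the certificate enabled for IIS does not cover, which is exactly the condition that produces the name-mismatch warning. The server name cas1 is a constructed placeholder; the script assumes it is run on the Client Access server itself and that Exchange 2007 SP1 or later is installed for Get-OutlookAnywhere.

```powershell
# Added example: compare the names Autodiscover publishes with the names on the IIS certificate.
# Run in the Exchange Management Shell on the Client Access server. "cas1" is a placeholder.
$casServer = "cas1"

# Outlook, Autodiscover, EWS and OAB present the certificate that has the IIS service enabled;
# if that one is still the self-signed certificate, its name is what users see in the warning.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for the IIS service on this server" }
Write-Host ("IIS certificate: {0}  self-signed={1}  expires={2:yyyy-MM-dd}" -f `
    $iisCert.Subject, $iisCert.IsSelfSigned, $iisCert.NotAfter)
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every URL / host name that Autodiscover can send a client to from this CAS.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $casServer).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $casServer) +
               @(Get-OabVirtualDirectory -Server $casServer) +
               @(Get-OwaVirtualDirectory -Server $casServer) +
               @(Get-ActiveSyncVirtualDirectory -Server $casServer)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl      # either may be unset; filtered below
}
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_.ToString()).Host.ToLower() })
$oa = Get-OutlookAnywhere -Server $casServer -ErrorAction SilentlyContinue   # SP1 or later
if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }

# A host is covered when it equals a certificate name, or matches a wildcard entry on exactly
# one label (*.example.com covers mail.example.com but not a.b.example.com).
function Test-CertCoversHost([string]$hostName) {
    foreach ($n in $certNames) {
        if ($hostName -like $n -and $hostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

foreach ($h in ($hosts | Sort-Object -Unique)) {
    if (Test-CertCoversHost $h) { Write-Host "OK           $h" }
    else { Write-Warning "NOT ON CERT: $h  (clients sent here get the name-mismatch prompt)" }
}
```

Any name reported as NOT ON CERT needs either a matching Subject Alternative Name on the certificate (the UCC/SAN certificate mentioned earlier in the thread) or a corrected InternalUrl/ExternalUrl/AutoDiscoverServiceInternalUri on the CAS.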