• Status: Solved
  • Priority: Medium
  • Security: Public

Exchange 2007 - Security Certificate

Hi Guys,

We had a local (self-signed) security certificate and recently upgraded to a public SSL certificate.
Some workstations keep giving us an SSL error message, but in the pop-up message the workstations still refer back to the self-signed certificate name and not the new SSL FQDN.

All the services in Exchange were bound to the new certificate.

Any help will be appreciated.
Regards, Rupert

Asked by: Rupert Eghardt
abhijitmdp commented:
You need to manually delete the older certificate from the desktop and install the new certificate there as well.
Rupert Eghardt (Author) commented:
On the workstation side, when opening Outlook, it gives a SECURITY WARNING and prompts the incorrect SSL FQDN.

When clicking on VIEW CERTIFICATE on this window, it shows the correct certificate (FQDN).
However, on the "certificate path" tab, it shows a yellow exclamation mark.
Upon clicking INSTALL it installs successfully, but when closing and opening Outlook again, it still shows the old (self-signed) certificate name.

Should I first delete the old certificate in MMC before installing the new certificate from Outlook?
I checked under TRUSTED ROOT CERTIFICATION AUTHORITIES, but couldn't spot the old certificate by FQDN. I am not sure where to delete the self-signed certificate first.
Rupert Eghardt (Author) commented:
Two new workstations were added to the domain (after the new SSL certificate was installed on the server) and they are also getting the Exchange SSL error with the wrong SSL name. Hence, I believe the problem should be somewhere in the Exchange config?
Suliman Abu Kharroub (IT Consultant) commented:
How many CAS do you have? Do you publish Exchange through ISA? If so, have you installed the certificate on the ISA server and modified the listener?

How many users face the problem (%)?
Rupert Eghardt (Author) commented:
All the internal users are experiencing the problem.
The certificate was installed on the ISA server, but internal users access the Exchange server directly, so I assume we could exclude that scenario?

We had an SBS server, which was migrated to another Exchange 2007 box. Mailboxes were moved to the Exchange 2007 box, away from the SBS box.

I am sure both servers are still running CAS.

As a point to start from, do you suggest that I remove CAS from the SBS server?

abhijitmdp commented:
Yes, you are right, the problem is somewhere in Exchange. You need to delete and reinstall the certificate on your servers. Be careful at the time of rechaining the cert: insert the correct names there. Also, you will need a UCC5 cert so that you can enter multiple alternative names and configure Outlook Anywhere in a good manner.
abhijitmdp commented:
You do not need to remove CAS from SBS.
Suliman Abu Kharroub (IT Consultant) commented:
Client side: on the Outlook icon in the notification area, right-click (while pressing Control) and select Connection Status.

Where does this client connect?
Suliman Abu Kharroub (IT Consultant) commented:
Another thing to check: on the warning box fired up by Outlook, top right, which resource does this alert belong to? Autodiscover, mail, etc.?
Suliman Abu Kharroub (IT Consultant) commented:
Sorry, I meant top left.
Rupert Eghardt (Author) commented:
CONNECTION STATUS:  The client connects to the new server for the MAIL, but for DIRECTORY and PUBLIC it still refers back to the SBS server.

I am sure this could cause connection problems as it is currently connected to both servers?

In the TOP-LEFT corner of the message box, it gives the FQDN of the previous SSL certificate.
Is it not supposed to show autodiscover.domain.local?
Suliman Abu Kharroub (IT Consultant) commented:
First of all, did you try to restart Outlook/the machines on the client side? If so, please try to delete the Outlook profile (OST file) and recreate it again...
Rupert Eghardt (Author) commented:
I deleted the OST file, and the mailbox started downloading messages from the server.
HOWEVER, it still connects to both servers and gives the certificate error (previous certificate FQDN).
Suliman Abu Kharroub (IT Consultant) commented:
Where does your MX record point? To the old or to the new server?
Rupert Eghardt (Author) commented:
We are using a smarthost to collect the mail from the ISP.
The MX for the internet domain points to the ISP's mailserver.
Suliman Abu Kharroub (IT Consultant) commented:
Then your clients reach your Exchange server through the ISP smarthost? client--ISA--ISP--ISA--Exchange? Please correct me if I am wrong...
Rupert Eghardt (Author) commented:
Incoming mail comes via ISP - smarthost - Exchange.
Outgoing mail goes through Exchange - smarthost - ISP.

Internal clients access the Exchange server directly.
External clients access the Exchange server via the ISA server from the internet.

I hope this explains  ...
Suliman Abu Kharroub (IT Consultant) commented:
In your internal DNS, where does your MX point? To the old Exchange server?
Rupert Eghardt (Author) commented:
I think you are right,
The internal domain is OurDomain.local and the external domain is OurDomain.com

The external domain's MX records point to the ISP, but the remote services (such as owa.OurDomain.com) point to the external IP of the ISA server.

Internally, all of these point to the local IP of the Exchange server.

However, I can't spot the MX record in DNS. Where in the internal DNS should the MX record be listed? Is there a way to test where the internal MX record points?

Suliman Abu Kharroub (IT Consultant) commented:
Do you have Autodiscover enabled? Maybe Autodiscover is distributing wrong settings...
Rupert Eghardt (Author) commented:
OK, I checked in DNS, forward lookup zones:
no MX present. I will create a new MX record pointing to the new Exchange server.
I didn't specifically enable AutoDiscover, but I thought it was installed/enabled by default during Exchange installation?

I did set all the AutoDiscover settings to the correct location on the new server;
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
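The URL settings from that article decide which host name Outlook expects on the certificate, so a mismatch between those URLs and the names on the IIS-bound certificate is what produces a warning that still names the old FQDN. The following Exchange Management Shell script is an added example (not from this thread or from Microsoft) that lists every URL handed out to clients and flags the ones whose host name is not on the certificate; `$casName` is a placeholder for the Client Access server, and it assumes it is run on that server because Get-ExchangeCertificate in Exchange 2007 only reads the local machine.

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# $casName is a placeholder; replace it with the real Client Access server name.
$casName = "EXCH01"

# Names (CN + subject alternative names) on the certificate bound to IIS.
$certNames = @()
Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "IIS" } | ForEach-Object {
    foreach ($d in $_.CertificateDomains) { $certNames += $d.ToString().ToLower() }
}

# Every URL Outlook learns through Autodiscover; empty values are skipped below.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $casName).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $casName) +
                @(Get-OABVirtualDirectory -Server $casName) +
                @(Get-OwaVirtualDirectory -Server $casName)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $casName
if ($oa) { $urls += "https://" + $oa.ExternalHostname + "/rpc" }

function Test-NameOnCert([string]$hostName) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        # Wildcard entry such as *.ourdomain.com covers one label only.
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# Print one line per URL: "ok" if its host name is on the certificate, else MISMATCH.
foreach ($u in $urls) {
    if (-not $u) { continue }
    $hostName = ([System.Uri]$u.ToString()).Host.ToLower()
    $state = if (Test-NameOnCert $hostName) { "ok      " } else { "MISMATCH" }
    "$state $u"
}
```

Any URL reported as MISMATCH is a name Outlook will be told to connect to but cannot validate against the certificate, so either that URL or the certificate's alternative names needs to change; an old Autodiscover SCP or virtual directory on the SBS box would show up here too if the script is run there.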

Rupert Eghardt (Author) commented:
Hi Suliman,

I think the problem is most likely DNS related.
When I try to create an MX record and browse for the "fully qualified domain name", it only brings up my domain controller, although I have created an A record for the Exchange server, which is a separate box altogether.

Under forward lookup zones, I have:
1.  _msdcs.domain.local,
The SOA, NS and CNAME entries were auto-created in _msdcs.domain.local

2.  domain.local
All the workstations and member servers records were automatically created in domain.local

3.  domain.com
I created domain.com for the AUTODISCOVER and FQDN (SSL) A records, pointing to the Exchange server.

Does the above DNS structure under Forward Lookup Zones appear to be correct?
When I add the MX record, is the Exchange server supposed to show up in the list when browsing for "fully qualified domain name"?
Suliman Abu Kharroub (IT Consultant) commented:
Please keep the DNS settings for now and run another test on Outlook:

Create a new Exchange Outlook profile (manually, not using Autodiscover), specifying the new CAS server.