Solved

Exchange 2007 - Security Certificate

Posted on 2011-02-21
455 Views
Last Modified: 2012-05-11
Hi Guys,

We had a local (self-signed) security certificate and recently upgraded to a public SSL certificate.
Some workstations keep giving us an SSL error message, but in the pop-up message the workstations still refer back to the self-signed certificate name and not the new SSL FQDN.

All the services in Exchange were bound to the new certificate.

Any help will be appreciated.
Regards, Rupert

Question by:Rupert Eghardt
23 Comments
 
LVL 10

Assisted Solution

by:abhijitmdp
abhijitmdp earned 100 total points
ID: 34942113
You need to manually delete the older certificate from the desktop and install the new certificate there as well.

Author Comment

by:Rupert Eghardt
ID: 34942260
On the workstation side, when opening Outlook, it gives a SECURITY WARNING and prompts with the incorrect SSL FQDN.

When clicking on VIEW CERTIFICATE on this window, it shows the correct certificate (FQDN).
However, on the "certificate path" tab, it shows a yellow exclamation mark.
Upon clicking INSTALL it installs successfully, but when closing and opening Outlook again, it still shows the old (self-signed) certificate name.

Should I first delete the old certificate in MMC, before installing the new certificate from Outlook?
I checked under TRUSTED ROOT CERTIFICATION AUTHORITIES, but couldn't spot the old certificate by FQDN. Not sure where to delete the self-signed certificate first?

Author Comment

by:Rupert Eghardt
ID: 34942295
Two new workstations were added to the domain (after the new SSL certificate was installed on the server) and they are also getting the Exchange SSL error with the wrong SSL name. Hence, I believe the problem should be somewhere in the Exchange config?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942516
How many CAS do you have? Do you publish Exchange through ISA? If so, have you installed the certificate on the ISA server and modified the listener?

How many users face the problem (%)?

Author Comment

by:Rupert Eghardt
ID: 34942615
All the internal users are experiencing the problem.
The certificate was installed on the ISA server, but internal users access the Exchange server directly, so I assume we could exclude that scenario?

We had an SBS server, which was migrated to another Exchange 2007 box. Mailboxes were moved to the Exchange 2007 box, away from the SBS box.

I am sure both servers are still running CAS.

As a point to start from, do you suggest that I remove CAS from the SBS server?

LVL 10

Expert Comment

by:abhijitmdp
ID: 34942641
Yes, you are right, the problem is somewhere in Exchange. You need to delete and reinstall the certificate on your servers. Be careful at the time of rechaining the cert; insert the correct names there. Also, you will need a UCC5 cert so that you can enter multiple alternative names and configure Outlook Anywhere in a good manner.
LVL 10

Expert Comment

by:abhijitmdp
ID: 34942643
You do not need to remove CAS from SBS
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942670
Client side: on the Outlook icon in the notification area, right-click (while pressing Control) and select Connection Status.

Where does this client connect?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942686
Another thing to check: on the warning box fired up by Outlook, top right, to which resource does this alert belong? Autodiscover, mail, etc.?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942717
sorry I meant top left.

Author Comment

by:Rupert Eghardt
ID: 34942738
CONNECTION STATUS:  The client connects to the new server for the MAIL, but for DIRECTORY and PUBLIC it still refers back to the SBS server.

I am sure this could cause connection problems as it is currently connected to both servers?

In the TOP-LEFT corner of the message box, it gives the FQDN of the previous SSL certificate.
Is it not supposed to show autodiscover.domain.local?
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942766
First of all, did you try to restart Outlook/the machines on the client side? If so, please try to delete the Outlook profile (OST file) and recreate it again...

Author Comment

by:Rupert Eghardt
ID: 34942827
I deleted the OST file, and the mailbox started downloading messages from the server.
HOWEVER, it still connects to both servers and gives the certificate error (previous certificate FQDN).
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942834
Where does your MX record point? To the old or to the new server?

Author Comment

by:Rupert Eghardt
ID: 34942848
We are using a smarthost to collect the mail from the ISP.
The MX for the internet domain points to the ISP's mailserver.
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34942949
Then your clients reach your Exchange server through the ISP smarthost? client--ISA--ISP--ISA--Exchange? Please correct me if I am wrong...

Author Comment

by:Rupert Eghardt
ID: 34942998
The incoming-mail comes via the ISP - smarthost - Exchange
Outgoing mail goes through Exchange - smarthost - ISP

Internal clients access the Exchange server directly
External clients access the Exchange server via the ISA server from the internet

I hope this explains ...
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34943205
In your internal DNS, where does your MX point? To the old Exchange server?

Author Comment

by:Rupert Eghardt
ID: 34943288
I think you are right,
The internal domain is OurDomain.local and the external domain is OurDomain.com

The external domain's MX records point to the ISP, but the remote services (such as owa.OurDomain.com) point to the external IP of the ISA server.

Internally all of these point to the local IP of the Exchange server.

However, I can't spot the MX record in DNS. Where in the internal DNS should the MX record be listed? Is there a way to test where the internal MX record points to internally?

LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34943355
Do you have Autodiscover enabled? Maybe Autodiscover distributes wrong settings..

Author Comment

by:Rupert Eghardt
ID: 34943557
OK, I checked in DNS, forward lookup zones:
no MX present. I will create a new MX record pointing to the new Exchange server.
I didn't specifically enable AutoDiscover, but I thought it was installed / enabled by default during Exchange installation?

I did set all the AutoDiscover settings to the correct location on the new server;
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html


Author Comment

by:Rupert Eghardt
ID: 34950725
Hi Suliman,

I think the problem is most likely DNS related.
When I try to create an MX record and browse for the "fully qualified domain name", it only brings up my domain controller, although I have created an A record for the Exchange server, which is a separate box altogether.

Under forward lookup zones, I have:
1.  _msdcs.domain.local,
The SOA, NS and CNAME entries were auto-created in _msdcs.domain.local

2.  domain.local
All the workstations and member servers records were automatically created in domain.local

3.  domain.com
I created the domain.com zone for the AUTODISCOVER and FQDN (SSL) A records, pointing to the Exchange server.

Does the above DNS structure under Forward Lookup Zones appear to be correct?
When I add the MX record, is the Exchange server supposed to show up in the list when browsing for "fully qualified domain name"?
LVL 23

Accepted Solution

by:
Suliman Abu Kharroub earned 400 total points
ID: 34951640
Please keep the DNS settings for now and run another test on Outlook:

 Create a new exchange outlook profile ( manually not using auto-discovery ) specifying the new CAS server.
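As an added example (not code from the thread, nor a Microsoft script), the following Exchange Management Shell script audits the server side of the problem discussed above: it collects every host name that Autodiscover and the web services virtual directories on each Client Access server (including a legacy SBS box) can hand to Outlook, and reports the ones not covered by the certificate bound to IIS. It assumes the standard Exchange 2007 cmdlets and property names shown; the row layout and the `Get-UrlHost` / `New-Row` helpers are this example's own.

```powershell
# Added example (not code from the thread). Run in the Exchange Management Shell.
# Lists every host name Outlook can be handed by Autodiscover and the web services
# on each Client Access server, then reports names the IIS-bound certificate lacks.

# Return the host part of a URL, or '' when the URL is not set.
function Get-UrlHost([string]$url) {
    if ([string]::IsNullOrEmpty($url)) { return '' }
    return ([System.Uri]$url).Host
}

# One report row: which server publishes which host name, and where.
function New-Row($server, $source, $hostName) {
    '' | Select-Object @{n='Server';e={$server}}, @{n='Source';e={$source}}, @{n='HostName';e={$hostName}}
}

$rows = @()
# Autodiscover service connection point that each CAS registers in Active Directory.
Get-ClientAccessServer | ForEach-Object {
    $rows += New-Row $_.Name 'AutoDiscoverServiceInternalUri' (Get-UrlHost $_.AutoDiscoverServiceInternalUri)
}
# Internal and external URLs of the EWS, OAB, OWA and ActiveSync virtual directories.
$vdirs = @()
$vdirs += Get-WebServicesVirtualDirectory
$vdirs += Get-OabVirtualDirectory
$vdirs += Get-OwaVirtualDirectory
$vdirs += Get-ActiveSyncVirtualDirectory
$vdirs | ForEach-Object {
    $kind = $_.GetType().Name
    $rows += New-Row $_.Server.Name "$kind InternalUrl" (Get-UrlHost $_.InternalUrl)
    $rows += New-Row $_.Server.Name "$kind ExternalUrl" (Get-UrlHost $_.ExternalUrl)
}
# Outlook Anywhere (RPC over HTTPS) external host name, where it is enabled.
Get-OutlookAnywhere | ForEach-Object {
    $rows += New-Row $_.Server.Name 'OutlookAnywhere ExternalHostname' ([string]$_.ExternalHostname)
}

# Names on the certificate(s) bound to IIS; wildcard entries such as *.domain.com are kept.
$certNames = @()
Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' } | ForEach-Object {
    $certNames += @($_.CertificateDomains | ForEach-Object { $_.ToString() })
}

# Every row printed here is a name Outlook may be sent to that will raise a mismatch warning.
$rows | Where-Object { $_.HostName -ne '' } | ForEach-Object {
    $row = $_; $covered = $false
    foreach ($n in $certNames) { if ($row.HostName -like $n) { $covered = $true } }
    if (-not $covered) { $row }
} | Format-Table Server, Source, HostName -AutoSize
```

The DIRECTORY and PUBLIC entries in Outlook's Connection Status are not driven by these URLs: the public folder connection follows the mailbox database's default public folder database (`Get-MailboxDatabase | Format-List Name, PublicFolderDatabase`), so a referral to the old SBS box there is a separate setting from the certificate names.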