Solved

Exchange 2007 certificates

Posted on 2011-03-02
Last Modified: 2012-05-11
Hello,
I am trying to configure Exchange 2007 (one single standalone server) to use the private CA I just set up on my Windows 2008 box. I am new to Windows Active Directory Certificate Services and am not sure how to configure Exchange to use the certificate server instead of the self-signed one. My goal is to set up Outlook Anywhere for a client who does not want to buy a provider-based cert. Any help is appreciated. Thanks.
Question by: Matt Coughlin
14 Comments
 
LVL 7

Expert Comment

by:flaphead_com
ID: 35017549
So I do this... you need to add the internal cert authority to the trusted cert authorities on each client machine.
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35017749
OK, I am new to internal certs... I need to add a cert from the CA to each machine needing Outlook Anywhere?

How do I add certs to machines?
 
LVL 10

Accepted Solution

by: JaredJ1 (earned 500 total points)
ID: 35017901
Ok, if the new CA that you have built is a member of the domain you don't need to add certificates to new computers. Computers that are members of the domain will trust the new CA automatically.

What you will need to do is get Exchange to create a new certificate request, and then submit that request to the CA, download the certificate and install it on the Exchange server, and then tell Exchange to use it.

All of these steps can be found in this Technet chapter:

http://technet.microsoft.com/en-us/library/bb310795(EXCHG.80).aspx
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35018031
If my internet domain is mail.domain.net (domain name provided by an external source) and my internal AD domain is mail.domain.local what should I put as the subject name in the request so that the client computer can access exchange from outside or inside the network?
 
LVL 10

Expert Comment

by:JaredJ1
ID: 35018212
Internally your clients won't be using Outlook Anywhere, they'll just be using MAPI, so you need to set it to work for external access, so use 'mail.domain.net'.
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35018228
Hmm, how would you set that up in Outlook? When you choose to connect to an Exchange server you would put in mail.domain.local.

Then when you travel outside the network you need to change it to mail.domain.net?
 
LVL 10

Expert Comment

by:JaredJ1
ID: 35018491
You shouldn't have to configure it in Outlook if you have Autodiscover working. Assuming that it's not working you would need to configure a profile as you would normally pointing to your internal server name. Then go into 'More Settings', Click the 'Connection' tab, then click 'Exchange Proxy Settings', then enter in the external name settings. See the screenshot....
[Screenshot: Outlook Account Settings]
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35018573
OK, so here is the code I am typing in the Exchange shell:

New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mail.iconintl.local" -domainname mail.domain.net,mail.domain.local,autodiscover.domain.net,autodiscover.domain.local -PrivateKeyExportable $true -path c:\certrequest.txt
 
LVL 10

Expert Comment

by:JaredJ1
ID: 35018647
Looks fine.
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35018678
OK, I have the request file; how do I submit it to the Windows CA?
 
LVL 10

Expert Comment

by:JaredJ1
ID: 35018813
1. Navigate to https://<Internal PKI CA>/certsrv
2. Choose Request a Certificate.
3. Choose Advanced Certificate Request.
4. Choose Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
5. Select Web server as the certificate template.
6. Copy the text from the cert request file and paste it into the window.
7. Submit the request.
8. Click to download the certificate and save it as c:\cert.cer
9. Import the certificate file using the following command from the EMC:

Import-ExchangeCertificate -path C:\cert.cer

10. Check the new certificate is listed as expected using:

get-exchangecertificate | fl

This will give you the thumbprint of the new certificate which is needed in the next step.

11. Allow the cert to be used for IIS and SMTP with the following command:

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS,SMTP"
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35019610
Alright, everything seems to be working. I am just dealing with an issue with clients connecting externally. It keeps asking for the password and never accepts it. I am looking into it, but it seems to have something to do with the check box "Only Connect to Proxy Servers that have this principal name in the certificate."

(connected internally)
Everything works as expected.

(connected externally)
When I uncheck the box and restart Outlook, it connects just fine to Exchange. Eventually Outlook resets this setting and I will have to change it again.

Any ideas?
 
LVL 10

Expert Comment

by:JaredJ1
ID: 35025865
My apologies, I think I made an error when I looked at your certificate request. If you look at the certificate it probably states that it is issued to: mail.domain.local; it should be issued to mail.domain.net.
Request a new certificate:

New-ExchangeCertificate -generaterequest -subjectname "dc=local,dc=domain,cn=mail.domain.net" -domainname mail.domain.net,mail.domain.local,autodiscover.domain.net,autodiscover.domain.local -PrivateKeyExportable $true -path c:\certrequest.txt

Once installed this should work.
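As an added example (not part of this thread and not Exchange tooling), the following PowerShell check can be run on the downloaded c:\cert.cer before importing it, to catch exactly the mismatch JaredJ1 describes: Outlook's "Only connect to proxy servers that have this principal name in the certificate" setting compares msstd:mail.domain.net against the Subject CN, so a CN of mail.domain.local fails even when the SAN list is right. The function name is hypothetical; the file path and host names are the thread's own placeholder values.

```powershell
# Added example: inspect an issued certificate before Import-ExchangeCertificate.
# Assumes a DER or Base64 .cer file at $CerPath and an English Windows locale
# (the SAN extension is read from its formatted text, "DNS Name=host, ...").
function Test-OutlookAnywhereCert {
    param(
        [Parameter(Mandatory=$true)][string]$CerPath,       # e.g. C:\cert.cer
        [Parameter(Mandatory=$true)][string]$ExternalName,  # e.g. mail.domain.net
        [string[]]$AlsoRequired = @()                       # e.g. autodiscover.domain.net
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Subject CN: what Outlook compares against the msstd:<ExternalName> principal name
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    # Subject Alternative Name (OID 2.5.29.17): names the TLS hostname check accepts
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = $sanExt.Format($false) -split ',\s*' |
            ForEach-Object { ($_ -split '=')[-1].Trim() }
    }

    $problems = @()
    if ($cn -ne $ExternalName) {
        $problems += "Subject CN is '$cn', expected '$ExternalName' (principal name check will fail)"
    }
    foreach ($name in @($ExternalName) + $AlsoRequired) {
        if ($sans -notcontains $name) { $problems += "SAN list is missing '$name'" }
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires $($cert.NotAfter)"
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint   # needed later for Enable-ExchangeCertificate
        SubjectCN  = $cn
        SANs       = $sans
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Usage with the thread's file and names; only import when Ok is $true.
$result = Test-OutlookAnywhereCert -CerPath 'C:\cert.cer' -ExternalName 'mail.domain.net' `
    -AlsoRequired 'autodiscover.domain.net'
$result
```

When Ok is true, the Thumbprint property is the value to pass to Enable-ExchangeCertificate after the import; when it is false, re-issue the request with the corrected -subjectname rather than unchecking the principal name box in Outlook.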
 
LVL 5

Author Comment

by:Matt Coughlin
ID: 35037565
Oh that worked like a charm! Thanks so much!