mimadm

Security Alert Outlook 2010 - Certificate was issued by company you have not chosen to trust

I may have done the following wrong, Exch 2007 is new to me but I was under the gun...

Today our autodiscover certificate expired.  I renewed it from Exchange with Get-NewExchangeCertificate etc.

After I renewed the cert, I enabled it and removed the old.  OWA stopped working when the original certificate expired, so I exported the cert and installed it to the ISA servers and voila - everything appeared to resume.

Users with Outlook 2010 get the attached security alert

Information you exchange with this site cannot be viewed or changed by others.  However there is a problem with the site's security certificate.

The security certificate was issued by a company you have not chosen to trust.  View the certificate to determine whether you want to trust the certifying authority.

Users with outlook 2007 are not getting this security warning.

Environment:
Exchange 2007 8.2 Build 176.2
W2K 2003 R2 SP2 x64
2 node CCR Cluster
2 CAS/HUB
2 Edge

Workstations are XP with Outlook 2007 or 7 with Outlook 2010.

Can anyone tell me what I may have done wrong or what I need to do to prevent this security alert from popping up?

Randy Downs

http://support.microsoft.com/kb/2006728

This problem occurs if all the following conditions are true:

You have an Exchange 2007 server that hosts the Client Access Server role together with an Exchange 2010 server that hosts the Client Access Server role in the environment.  
Your mailbox is located on an Exchange 2010 server that hosts the Mailbox role.  
The certificate that is installed on the Exchange 2010 server that hosts the Client Access Server role is self-signed.
mimadm

ASKER

Thank you but I have read this - We have Exchange 2007 not Exchange 2010, it does not apply.
Is it a self-signed certificate or one issued by an AD certificate authority? Do you have the CA certificate in Trusted Root Certificate Authorities?
View the certificate; does it show the new certificate? If not, please give more details on how you renewed the certificate.

Is this a self-signed certificate or one from a public trusted CA?

ASKER

Yes the certificate is new, it expired and I renewed with Exchange powershell commands.

The following commands were used:

Get-ExchangeCertificate -Thumbprint "thumbprintofexpiredcert" | New-ExchangeCertificate

Enable-ExchangeCertificate -Thumbprint "thumbprintofnewcert" -Services "IMAP, POP, IIS, SMTP"

reference:
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
http://www.farneville.com/2010/07/how-to-create-new-exchange-certificate-for-exchange-2007.html

When OWA did not work, further research instructed me to install the cert to the Trusted Root Certificate Authorities on the CAS servers and the ISA servers.  I exported the cert and then installed it on both.

I created the cert with the above cmdlets. This was not issued from an external or internal CA, although the original that expired had been issued from our internal CA.
Then your clients behave properly. They got a brand new certificate from your Exchange server, from a CA they do not trust. If you distribute this certificate to your clients' Trusted Root Certificate Authorities container they won't ask anymore.

ASKER

Thank you and I understand that, however I am looking for the permanent solution.  It's obvious to me that I have done something incorrectly upon renewing the certificate, however my lack of expertise and experience with Exchange 2007 has led me here to pose the question to experts.

What method do you propose to distribute the certificate?  In reviewing how I renewed and distributed the certificate with Exchange cmdlets, was it done correctly or did I miss a step(s)?  
Use a Domain CA, which is trusted by your domain clients. This way each subsequent certificate you issue for your Exchange will be automatically trusted.

If you create a self-signed certificate again, your clients will again ask whether it's trusted.

ASKER

How would I use the domain CA for an Exchange Cert?  
If you have a properly configured Enterprise CA, one way is to generate a web certificate request via the IIS7 console. You will be asked during the process if you want to use your domain online authority. You can then export the certificate to a pfx file and import it into Exchange via the EMC or EMS.
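The same Enterprise CA route, done from the Exchange Management Shell on the CAS instead of the IIS console, as an added example that is not from the thread. Host names, the CA config string "ca01.example.com\Example-Issuing-CA" and the WebServer template are placeholders; the cmdlets and parameters are those of Exchange 2007 SP1 or later.

```powershell
# Added example (not from the thread): renew the CAS certificate from the domain
# Enterprise CA instead of self-signing, so domain-joined Outlook clients trust it.
# Placeholders: mail.example.com, autodiscover.example.com, cas01.example.local,
# the CA config string and the "WebServer" template.

# 1. Generate a SAN request. Outlook 2010 also connects to the autodiscover name,
#    so it must be in the DomainName list next to the OWA/Outlook Anywhere name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Corp, cn=mail.example.com" `
    -DomainName mail.example.com,autodiscover.example.com,cas01.example.local `
    -KeySize 2048 -PrivateKeyExportable $true -Path C:\certs\cas01.req

# 2. Submit the request to the online Enterprise CA. With a template set to
#    auto-issue, the signed certificate is written to cas01.cer immediately.
certreq -submit -attrib "CertificateTemplate:WebServer" `
    -config "ca01.example.com\Example-Issuing-CA" C:\certs\cas01.req C:\certs\cas01.cer

# 3. Import the issued certificate; it pairs with the pending private key.
$cert = Import-ExchangeCertificate -Path C:\certs\cas01.cer

# 4. Bind it to the services. IIS is what OWA, Outlook Anywhere and Autodiscover
#    use; the old self-signed certificate can be removed afterwards.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 5. Verify on the server that the chain ends in a trusted root and that every
#    name Outlook will ask for is present in the Subject Alternative Name.
$x509  = Get-Item "cert:\LocalMachine\My\$($cert.Thumbprint)"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($x509)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK, root: $($root.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
$san = $x509.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$names = if ($san) { $san.Format($false) } else { $x509.Subject }
foreach ($n in "mail.example.com","autodiscover.example.com") {
    if ($names -notmatch [regex]::Escape($n)) { Write-Warning "$n missing from SAN" }
}
```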
Your config sounds good.

Please double-check the certificate subject name. A spelling mistake may cause the error, for example mial instead of mail.

ASKER

Sulimanw: All spelling is correct, it works, the problem is that Outlook 2010 users (not 2007) get the security warning.  I am trying to eliminate the security warning for all users; individually installing the cert is not ideal for several thousand users.
As I said, use an Enterprise CA; this will save you time next time.
Or you can distribute the self-signed certificate to all your clients at once via Group Policy.

ASKER

mpilarczyk - Very little experience with certificates as a whole, even less in Exchange.  Detailed information is greatly appreciated.
Export your self-signed certificate to a pfx (pkcs#12) file using Export-ExchangeCertificate in the Exchange Management Shell.
Copy the pfx file to your domain controller, then create a GPO as described here:
http://technet.microsoft.com/pl-pl/library/cc770315%28WS.10%29.aspx

In order to get the new policy with the certificate, each client must run the "gpupdate" command or restart.
Here is the Export-ExchangeCertificate documentation:

http://technet.microsoft.com/en-us/library/aa996305.aspx

See examples at the end.
Please don't. A self-signed certificate and an Enterprise certificate will not allow users to access mail externally (OWA and Outlook Anywhere).

Does the new certificate have "autodiscover.domain.com" as a subject name on it?
A self-signed certificate and an Enterprise certificate will not allow users to access mail externally.

I have to definitively disagree with this statement.
How can users access their email from a non-domain-joined machine (external machine) which does not have that certificate installed? Outlook or OWA will show a warning alert the same as in the question.
Yes, non-domain machines will still show a warning, and you can accept the certificate and still have access to OWA and Outlook Anywhere. So your statement was wrong :)

Of course, the most elegant way would be to buy a commercial certificate from Thawte or VeriSign.
But not every organization wants this. We have our company CA and we allow external clients to download our CA certificate, and we provide instructions on how to import it.
Then the certificate does not have anything to do if you press "continue" on the warning message (data will not be encrypted).

There is a free public CA you can get a free single-name certificate from: http://startssl.com

But here in this question the certificate warning "in the screenshot" shows autodiscover.domain.com, that's why I am asking if the certificate includes autodiscover in it?
Then the certificate does not have anything to do if you press "continue" on the warning message (data will not be encrypted).

Again, I strongly disagree with this statement :)
If you press "Yes" you agree that the connection will be encrypted with an untrusted certificate.

But here in this question the certificate warning "in the screenshot" shows autodiscover.domain.com, that's why I am asking if the certificate includes autodiscover in it?

The warning says the name of the certificate is valid for "autodiscover.domain.com". Only the issuer is not trusted.
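An added example, not from the thread, that covers both the GPO distribution suggested earlier and the name-versus-issuer point made here: part (a) exports only the public certificate from the CAS, since the GPO Trusted Root store needs no private key and a .pfx would carry one; part (b), run on a workstation, fetches the certificate the CAS presents and evaluates it the way Outlook 2010 does, chain trust and name coverage separately. The thumbprint, host names and share path are placeholders, and PowerShell 2.0 or later is assumed on the client.

```powershell
# Added example (not from the thread). Placeholders: thumbprint, host names, share.

# (a) On the CAS: DER-encoded public certificate only (no private key). This
#     .cer is what the GPO "Trusted Root Certification Authorities" import takes.
$thumb = "0123456789ABCDEF0123456789ABCDEF01234567"   # placeholder thumbprint
$pub   = (Get-Item "cert:\LocalMachine\My\$thumb").Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("\\dc01\netlogon\exchange-selfsigned.cer", $pub)

# (b) On a workstation: retrieve the served certificate and judge it locally.
function Test-ExchangeCert {
    param([string]$HostName, [string[]]$RequiredNames)
    # Accept anything during the handshake; the verdict is computed below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{
              param($sender, $certificate, $chain, $errors) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                $ssl.RemoteCertificate
    $tcp.Close()

    # Issuer check: does the chain end in a root this machine trusts?
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    # Name check: every name Outlook connects to must appear in the SAN
    # (OID 2.5.29.17) or, failing that, in the subject CN.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $names = if ($san) { $san.Format($false) } else { $cert.Subject }
    $missing = $RequiredNames | Where-Object { $names -notmatch [regex]::Escape($_) }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        IssuerTrusted = $trusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        MissingNames  = $missing
    }
}

# Outlook's warning in this thread corresponds to IssuerTrusted = False with
# ChainStatus "UntrustedRoot" while MissingNames is empty.
Test-ExchangeCert -HostName mail.example.com `
    -RequiredNames mail.example.com, autodiscover.example.com
```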
So, we agree to disagree :)

Regarding startssl.com - I can't see this issuer in my Firefox certificate issuers list, so it is as good as my Enterprise CA.

I meant Windows certificates issuers list, not Firefox.
Please see attached:

But some smart phones do not have it listed as a trusted root certificate authority, for example iPhone.
Yes, it's nice you have this CA. But I still don't. This makes your solution efficient in no more than 50% of cases.
This attached screenshot was taken from a brand new Windows 7 VM, so for all Windows machines it will work fine.
It's really nice you have the issuer. Congratulations, really.
But I have two Windows 7 Home machines and one XP Pro at home and none of them has this issuer certificate. So it wouldn't work for me.
Waiting for your 100% efficient solution.
Sulimanw, I gave it a few posts earlier - called it the "most elegant way".
Here is another case for you, Sulimanw.
It seems not only my machines think that StartCom isn't a trusted Certificate Authority.
ASKER CERTIFIED SOLUTION
mimadm


ASKER

close

ASKER

I found this article, followed it and it worked.