Status: Solved

Security Alert Outlook 2010 - Certificate was issued by company you have not chosen to trust

I may have done the following wrong; Exchange 2007 is new to me, but I was under the gun...

Today our autodiscover certificate expired. I renewed it from Exchange with Get-NewExchangeCertificate etc.

After I renewed the cert, I enabled it and removed the old one. OWA stopped working when the original certificate expired, so I exported the cert and installed it on the ISA servers and voilà, everything appeared to resume.

Users with Outlook 2010 get the attached security alert:

Information you exchange with this site cannot be viewed or changed by others.  However there is a problem with the site's security certificate.

The security certificate was issued by a company you have not chosen to trust.  View the certificate to determine whether you want to trust the certifying authority.

Users with Outlook 2007 are not getting this security warning.

Environment:
Exchange 2007 8.2 Build 176.2
W2K 2003 R2 SP2 x64
2 node CCR Cluster
2 CAS/HUB
2 Edge

Workstations are Windows XP with Outlook 2007 or Windows 7 with Outlook 2010.

Can anyone tell me what I may have done wrong, or what I need to do to prevent this security alert from popping up?

[Attachment: Untitled.jpg]

Asked by: mimadm
Randy Downs (Owner) commented:
http://support.microsoft.com/kb/2006728

This problem occurs if all the following conditions are true:

You have an Exchange 2007 server that hosts the Client Access Server role together with an Exchange 2010 server that hosts the Client Access Server role in the environment.
Your mailbox is located on an Exchange 2010 server that hosts the Mailbox role.
The certificate that is installed on the Exchange 2010 server that hosts the Client Access Server role is self-signed.
 
mimadm (Author) commented:
Thank you, but I have read this. We have Exchange 2007, not Exchange 2010, so it does not apply.
 
mpilarczyk commented:
Is it a self-signed certificate or one issued by an AD certificate authority? Do you have the CA certificate in Trusted Root Certification Authorities?
 
Suliman Abu Kharroub (IT Consultant) commented:
View the certificate: does it show the new certificate? If not, please give more details on how you renewed the certificate.

Is this a self-signed certificate or one from a publicly trusted CA?
 
mimadm (Author) commented:
Yes, the certificate is new; it expired and I renewed it with Exchange PowerShell commands.

The following commands were used:

Get-ExchangeCertificate -Thumbprint "thumbprintofexpiredcert" | New-ExchangeCertificate

Enable-ExchangeCertificate -Thumbprint "thumbprintofnewcert" -Services "IMAP, POP, IIS, SMTP"

Reference:
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx
http://www.farneville.com/2010/07/how-to-create-new-exchange-certificate-for-exchange-2007.html

When OWA did not work, further research instructed me to install the cert in the Trusted Root Certification Authorities store on the CAS servers and the ISA servers. I exported the cert and then installed it on both.

I created the cert with the above cmdlets. This was not issued from an external or internal CA, although the original that expired had been issued from our internal CA.
 
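Added example, not part of the thread: a check run in the Exchange Management Shell on a CAS that lists the certificates Exchange holds and flags the condition behind the alert, namely a certificate whose Issuer equals its Subject (self-signed, which is what piping an old certificate into New-ExchangeCertificate produces) or one that lacks a name clients connect to. The two host names are assumptions standing in for the real ones; the property names are those of Get-ExchangeCertificate in Exchange 2007.

```powershell
# Added example (not from the thread): audit the certificates Exchange 2007 knows
# about and flag the condition that produces the Outlook 2010 "not chosen to trust" alert.
# Assumption: the two names below stand in for the real service names.
$requiredNames = @('mail.example.com', 'autodiscover.example.com')

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_

    # A certificate whose Issuer equals its Subject was not issued by any CA.
    # Piping an expired certificate into New-ExchangeCertificate clones its subject
    # into a brand-new self-signed certificate, so this is the first thing to check.
    $selfSigned = ($cert.Issuer -eq $cert.Subject)

    # CertificateDomains holds the CN plus the subject alternative names; force them
    # to strings so the comparison below is a plain case-insensitive name match.
    $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = @($requiredNames | Where-Object { $domains -notcontains $_ })

    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = $selfSigned
        Services     = $cert.Services      # IIS/SMTP/POP/IMAP bound by Enable-ExchangeCertificate
        NotAfter     = $cert.NotAfter
        MissingNames = ($missing -join ', ')
    }
} |
    # Only certificates actually bound to a service matter to clients.
    Where-Object { $_.Services -ne 'None' } |
    Format-List Thumbprint, Subject, Issuer, SelfSigned, Services, NotAfter, MissingNames
```

A certificate bound to IIS with SelfSigned = True is exactly the situation the OP describes: domain-joined Outlook 2007 clients may have had the self-signed certificate pushed to them during the earlier Trusted Root install, while everything else will keep warning until the issuer is one the client already trusts. A non-empty MissingNames column would instead point at the name mismatch Suliman asks about later in the thread.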
mpilarczyk commented:
Then your clients are behaving properly. They got a brand new certificate from your Exchange server, from a CA they do not trust. If you distribute this certificate to your clients' Trusted Root Certification Authorities container, they won't ask anymore.
 
mimadm (Author) commented:
Thank you, and I understand that; however, I am looking for the permanent solution. It's obvious to me that I have done something incorrectly upon renewing the certificate, but my lack of expertise and experience with Exchange 2007 has led me here to pose the question to experts.

What method do you propose to distribute the certificate? In reviewing how I renewed and distributed the certificate with Exchange cmdlets, was it done correctly, or did I miss a step (or steps)?
 
mpilarczyk commented:
Use a domain CA which is trusted by your domain clients. This way each subsequent certificate you issue for your Exchange will be automatically trusted.

If you create a self-signed certificate again, your clients will again ask whether it's trusted.
 
mimadm (Author) commented:
How would I use the domain CA for an Exchange cert?
 
mpilarczyk commented:
If you have a properly configured Enterprise CA, one way is to generate a web certificate request via the IIS 7 console. You will be asked during the process whether you want to use your domain's online authority. You can then export the certificate to a pfx file and import it into Exchange via EMC or EMS.
 
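Added example, not from the thread and not the IIS-console route mpilarczyk describes: the same outcome done entirely from the Exchange Management Shell on a CAS, so the private key is generated on the server that uses it and the request goes to the Enterprise CA with certreq.exe. The CA config string, template name, organization, host names and file paths are assumptions for your environment. New-ExchangeCertificate -GenerateRequest -Path and Import-ExchangeCertificate -Path are Exchange 2007 syntax; Exchange 2010 changed those parameters.

```powershell
# Added example (not from the thread): replace the self-signed certificate with one
# issued by the domain's Enterprise CA, using the Exchange Management Shell and certreq.exe.
# Assumptions: every value in this block is a placeholder for your environment.
$caConfig = 'ca01.corp.example.com\Corp Issuing CA'        # assumption; "certutil -dump" shows the real string
$template = 'WebServer'                                     # assumption; a template the CAS computer may enroll for
$names    = 'mail.example.com', 'autodiscover.example.com'  # assumption; CN first, then the SANs
$reqPath  = 'C:\certs\cas01.req'
$cerPath  = 'C:\certs\cas01.cer'

New-Item -ItemType Directory -Path (Split-Path $reqPath) -Force | Out-Null

# 1. Generate a CSR carrying every name Outlook and Autodiscover connect to.
#    The private key is created and stays on this CAS; -PrivateKeyExportable lets
#    you later copy the finished pair to the second CAS and to the ISA servers.
New-ExchangeCertificate -GenerateRequest -Path $reqPath `
    -SubjectName "c=US, o=Example Corp, cn=$($names[0])" `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true

# 2. Submit the CSR to the Enterprise CA. With -config there is no CA picker prompt;
#    a template the requester has Enroll rights on is issued without an admin approving it.
certreq.exe -submit -config $caConfig -attrib "CertificateTemplate:$template" $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq failed; check the template name and Enroll permission' }

# 3. Import the issued certificate (it pairs with the key from step 1) and bind it,
#    which takes over the services from the self-signed certificate.
$newCert = Import-ExchangeCertificate -Path $cerPath
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services 'IIS, SMTP, POP, IMAP'

# 4. Verify: Issuer must now name the CA rather than repeat the Subject.
Get-ExchangeCertificate -Thumbprint $newCert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter
```

If the CA is configured to hold WebServer requests for approval, certreq reports the request as pending; issue it in the Certification Authority console and fetch it with certreq -retrieve before step 3. Domain-joined clients already carry the Enterprise CA's root through AD, which is why this removes the alert for the Outlook 2010 users; the non-domain and phone cases debated below still depend on the client trusting that root.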
Suliman Abu Kharroub (IT Consultant) commented:
Your config sounds good.

Please double-check the certificate subject name. A spelling mistake may cause the error, for example "mial" instead of "mail".
 
mimadm (Author) commented:
Sulimanw: All spelling is correct and it works; the problem is that Outlook 2010 users (not 2007) get the security warning. I am trying to eliminate the security warning for all users; individually installing the cert is not ideal for several thousand users.
 
mpilarczyk commented:
As I said, use an Enterprise CA; this will save you time next time.
Or you can distribute the self-signed certificate to all your clients at once via Group Policy.
 
mimadm (Author) commented:
mpilarczyk: Very little experience with certificates as a whole, even less in Exchange. Detailed information is greatly appreciated.
 
mpilarczyk commented:
Export your self-signed certificate to a pfx (PKCS#12) file using Export-ExchangeCertificate in the Exchange Management Shell.
Copy the pfx file to your domain controller, then create a GPO as described here:
http://technet.microsoft.com/pl-pl/library/cc770315%28WS.10%29.aspx

In order to get the new policy with the certificate, each client must run the "gpupdate" command or restart.
 
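Added example, not from the thread: exporting the self-signed certificate for the Trusted Root Certification Authorities GPO and then verifying on a client that the policy delivered it. The GPO store only needs the public certificate, so this writes a DER .cer rather than the .pfx mentioned above; a .pfx also contains the private key, and a key pushed to every workstation is no longer a secret. The thumbprint and file paths are assumptions.

```powershell
# Added example (not from the thread): export only the PUBLIC part of the self-signed
# certificate for the Trusted Root Certification Authorities GPO, then check delivery.
# Assumption: $thumbprint is the value shown by Get-ExchangeCertificate on the CAS.
$thumbprint = 'REPLACE-WITH-THUMBPRINT'
$cerPath    = 'C:\certs\exchange-selfsigned.cer'

# --- on the CAS, in the Exchange Management Shell ---
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# X509ContentType::Cert serialises the certificate alone. A .pfx (Pkcs12) would also
# carry the private key, which must never be distributed to clients.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# Sanity checks on the file before it goes into Group Policy.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($check.Thumbprint -ne $thumbprint) { throw 'exported file does not match the thumbprint' }
if ($check.HasPrivateKey)              { throw 'private key ended up in the export' }
if ($check.Issuer -ne $check.Subject) {
    # Not self-signed: then clients need the issuing CA's certificate, not this one.
    Write-Warning 'certificate is CA-issued; publish the issuer instead'
}

# Import $cerPath into the GPO under Computer Configuration > Windows Settings >
# Security Settings > Public Key Policies > Trusted Root Certification Authorities
# (the TechNet procedure linked above), and link the GPO to the workstation OUs.

# --- on a Windows 7 client, after "gpupdate /force" or a reboot ---
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $thumbprint }
if ($trusted) { "trusted: $($trusted.Subject)" } else { 'not delivered yet; check gpresult /r' }
```

Keep in mind what this trust grants: anyone holding the CAS private key can now sign certificates the whole domain accepts as root-trusted, so the key should be treated with the same care as an internal CA key. That is one more reason the Enterprise CA route above is the cleaner long-term answer.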
mpilarczyk commented:
Here is the Export-ExchangeCertificate documentation:

http://technet.microsoft.com/en-us/library/aa996305.aspx

See the examples at the end.
 
Suliman Abu Kharroub (IT Consultant) commented:
Please don't. A self-signed certificate and an Enterprise certificate will not allow users to access mail externally (OWA and Outlook Anywhere).

Does the new certificate have "autodiscover.domain.com" as a subject name on it?
 
mpilarczyk commented:
"A self-signed certificate and an Enterprise certificate will not allow users to access mail externally."

I have to definitively disagree with this statement.
 
Suliman Abu Kharroub (IT Consultant) commented:
How can users access their email from a non-domain-joined machine (external machine) which does not have that certificate installed? Outlook or OWA will show a warning alert, the same as in the question.
 
mpilarczyk commented:
Yes, non-domain machines will still show the warning, and you can accept the certificate and still have access to OWA and Outlook Anywhere. So your statement was wrong :)

Of course, the most elegant way would be to buy a commercial certificate from Thawte or VeriSign.
But not every organization wants this. We have our company CA, we allow external clients to download our CA certificate, and we provide instructions on how to import it.
 
Suliman Abu Kharroub (IT Consultant) commented:
Then the certificate does not do anything if you press "continue" on the warning message (data will not be encrypted).

There is a free public CA you can get a free single-name certificate from: http://startssl.com

But here in this question the certificate warning in the screenshot shows autodiscover.domain.com; that's why I am asking whether the certificate includes autodiscover in it.
 
mpilarczyk commented:
"Then the certificate does not do anything if you press "continue" on the warning message (data will not be encrypted)."

Again, I strongly disagree with this statement :)
If you press "Yes", you agree that the connection will be encrypted with an untrusted certificate.

"But here in this question the certificate warning in the screenshot shows autodiscover.domain.com; that's why I am asking whether the certificate includes autodiscover in it."

The warning says the certificate's name is valid for "autodiscover.domain.com". Only the issuer is not trusted.
 
Suliman Abu Kharroub (IT Consultant) commented:
So, we agree to disagree :)
 
mpilarczyk commented:
Regarding startssl.com: I can't see this issuer in my Firefox certificate issuers list, so it is as good as my Enterprise CA.
 
mpilarczyk commented:
I meant the Windows certificate issuers list, not Firefox.
 
Suliman Abu Kharroub (IT Consultant) commented:
Please see attached:

But some smartphones do not have it listed as a trusted root certification authority, for example the iPhone.
 
mpilarczyk commented:
Yes, it's nice that you have this CA. But I still don't. This makes your solution effective in no more than 50% of cases.
 
Suliman Abu Kharroub (IT Consultant) commented:
This attached screenshot was taken from a brand new Windows 7 VM, so for all Windows machines it will work fine.
[Attachment: a.PNG]
 
mpilarczyk commented:
It's really nice that you have the issuer. Congratulations, really.
But I have two Windows 7 Home machines and one XP Pro at home, and none of them has this issuer certificate. So it wouldn't work for me.
 
Suliman Abu Kharroub (IT Consultant) commented:
Waiting for your 100% effective solution.
 
mpilarczyk commented:
Sulimanw, I gave it a few posts earlier; I called it the "most elegant way".
 
mpilarczyk commented:
Here is another case for you, Sulimanw.
It seems not only my machines think that StartCom isn't a trusted Certificate Authority.
 
mimadm (Author) commented:
I found this, and all is now well in my world: http://www.exchangeinbox.com/article.aspx?i=127
 
mimadm (Author) commented:
Close.
 
mimadm (Author) commented:
I found this article, followed it, and it worked.
 