Outlook 2007 certificate security warning with a new certificate in Exhange 2010

Hello,

Because I wanted to get rid of the security warning in Outlook Web App, I bought a certificate and installed it on our Exchange 2010 CAS server which is also a Hub Transport server.
It's obvious that the certificate was generated with the external fqdn of the CAS-server. Let's say mail.contoso.com.

So I ran in to a problem that users on our internal LAN got a security warning in Outlook 2007 because the name on the certificate wasn't right. Internal fqnd is let's say netbiosname.contoso.local.

On technet I found the following article http://support.microsoft.com/kb/940726/en-us.
I followed the steps in the article and changed the hosts file on a PC tot test it.
I changed the host file so that the external fqdn mail.contoso.com would point to an internal ip.

I thought it would solve this problem but now Outlook had a new security warning from a certificate on our mailbox server???? How is that possible???

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

Just to be clear. We have 1 mailboxserver and 1 CAS/HUB server.

Regards,


Ron
cdronAsked:
Who is Participating?
 
Mohamed ElManakhlyInfrastructure Team LeaderCommented:
configure the internal URLs with mail.contoso.com and create an internal record for it
http://support.microsoft.com/kb/940726
0
 
cdronAuthor Commented:
Sorry the following sentence is not right.

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

Shlould be:

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and not get a certificate from a Mailbox server.

0
 
Mohamed ElManakhlyInfrastructure Team LeaderCommented:
are you using a different URL when accessing from internal  network ?
why not create an internal record on the internal dns with "mail.contoso.com" and guide your users to use it internally and externally
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
ckeshavSr. Infrastructure SpecialistCommented:
Outlook is a Mapi client and connects directly to Mailbox server in Exchange 2007 but is changed in Exchange 2010.
In Exchange 2010 the Mapi connection also happens to CAS server.


Coming to your second problem,
Option 1
1. How is youur outlook Webapp published for external world?
If it through ISA server, then install the external certificate for Outlook Web App in ISA server and revert the internally generated certificate back on exchange server

Option 2
2. You can a Alias in the internal DNS server same as your external webapp and request users to access the Webapp using the new URL
0
 
cdronAuthor Commented:
M-Manakhly
Yes, I use a different URL in the internal network.
I did try to do that by changing the hosts file and not the DNS option. Just to test it.
But then I was offered the certicate from de mailbox server!?!?!?

ckeshav
Option 1
Webapp published with a rule in our Juniper firewall. So no ISA involved.

Option 2
I don't know exactly what you mean but it seems a bit like the option M-Manakly suggested.
The problem is not in Webapp, That works perfect external. The problem is internal.
0
 
Mohamed ElManakhlyInfrastructure Team LeaderCommented:
from outlook: go to (Tools) then go to (Account settings) , on the (Email tab) click (change) ... on the opened wizard go to (More settings) , on the (Connection) tab go to (Exchange proxy settings)
is the  "(on fast networks) connect http then TCPIP " checked ?
0
 
ckeshavSr. Infrastructure SpecialistCommented:
Assuming you are accessing your webapp from
Externally: https://mail.contoso.com
Internally:  https://cashostname.contoso.com

But now you have purchased a certificate matching mail.contoso.com

So Add an Alias in your internal DNS server from mail.contoso.com - IP should be of your internal CAS server.

then from your internal network access https://mail.contoso.com it should work and without the certificate warning.

For warning on Outlook, you may need to force the usage of this certificate for IIS only using the Exchange management shell.

1. Run Get-ExchangeCertificate |FL – This will list details of all certificates that you have assigned to Exchange Services. Please understand, this cmdlet does not retrieve any information about any other certificate from local certificate store which is not used by Exchange. Once you get the output printed on the screen; note down the Thumbprint of certificate into a notepad.

2. Enable this renewed certificate for IIS as well run
Enable-ExchangeCertificate – Thumbprint “E0BB201793DC74D0F94F3275E6AA53BA75907565” –Services IIS

Thumbprint - From your external certificate

Follow the same command to change the services to your internal certificate for other services like POP3, SMTP, IMAP

3. Verify all the services are working correctly after renewing and enabling the certificate.


0
 
cdronAuthor Commented:
M-Manakhly:
No it is not checked but I tried it and now it's connecting through the external URL and still there is a warining.

ckeshav
For Outlook I ran that command through the Shell before and I know about this.
IIS uses the external certificate. POP3, SMTP and  IMAP use the automatically generared internal certificate.
0
 
ckeshavSr. Infrastructure SpecialistCommented:
Did you add the Alias?
0
 
cdronAuthor Commented:
Like I said, I adjusted the hosts file to point to the internal IP of the CAS before and that did'nt work.

But I did create an alias and still the problem is there but that is logical because Outlook is still connecting to the intern fqdn and not the external.

I'm beginning to think that putting an ISA server or Forefront server before Outlook Web App as M-Manakhly suggested.
The only thing is that maybe I have to buy a new certificate.
0
 
itubafCommented:
dear, since your SSL certificates are for mail.yourdomain.com. you can use same doamin nsame for internal and external.

what you have to do is in your juniper firewall create one rule allowing https traffic. i prefer you use wizard option (if avaible in your model) through zizard you can publish any server globally. once you publish owa in your firewall you dont have to do any thing, when ever user will request mail.youdoamin.com the traffix will go to firewall and firewall will nat to your local exchange IP.
i am using similer setup but with Sonicwall.
0
 
ckeshavSr. Infrastructure SpecialistCommented:
ISA was mentioned by me :)

Try this as a last resort

Set-OutlookProvider EXPR -Server CASServername -CertPrincipalName none
Set-OutlookProvider EXPR -Server $null


http://social.technet.microsoft.com/forums/en-US/exchangesvrgeneral/thread/ffea8c99-f206-49f9-98e9-122efcf828f0
0
 
cdronAuthor Commented:
I know what you mean but then I have to connect Outlook with the Exchange server throught HTTPS.
And that doesn't work also.
0
 
cdronAuthor Commented:
M-Manakhly
The technet article worked. I don't know why it didn't before. As you can see I found the same one.

The only thing I can imagine that I didn't do recycle. Instead I think I did recycling.

Thank for the help everyone!
0
 
Mohamed ElManakhlyInfrastructure Team LeaderCommented:
good luck :)
0
 
cdronAuthor Commented:
Thank you! Same to you!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.