Solved

Outlook 2007 certificate security warning with a new certificate in Exchange 2010

Posted on 2011-05-03
Last Modified: 2012-05-11
Hello,

Because I wanted to get rid of the security warning in Outlook Web App, I bought a certificate and installed it on our Exchange 2010 CAS server, which is also a Hub Transport server.
It's obvious that the certificate was generated with the external FQDN of the CAS server. Let's say mail.contoso.com.

So I ran into a problem that users on our internal LAN got a security warning in Outlook 2007 because the name on the certificate wasn't right. The internal FQDN is, let's say, netbiosname.contoso.local.

On TechNet I found the following article: http://support.microsoft.com/kb/940726/en-us.
I followed the steps in the article and changed the hosts file on a PC to test it.
I changed the hosts file so that the external FQDN mail.contoso.com would point to an internal IP.

I thought it would solve this problem, but now Outlook had a new security warning from a certificate on our mailbox server? How is that possible?

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

Just to be clear: we have 1 mailbox server and 1 CAS/HUB server.

Regards,


Ron
Question by:cdron

Author Comment

by:cdron
ID: 35511221
Sorry, the following sentence is not right.

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

Should be:

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and not get a certificate from a Mailbox server.

 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 35511241
Are you using a different URL when accessing from the internal network?
Why not create an internal record on the internal DNS with "mail.contoso.com" and guide your users to use it internally and externally?
 
LVL 8

Expert Comment

by:ckeshav
ID: 35511294
Outlook is a MAPI client and connects directly to the Mailbox server in Exchange 2007, but this changed in Exchange 2010.
In Exchange 2010 the MAPI connection also goes to the CAS server.


Coming to your second problem,
Option 1
1. How is your Outlook Web App published to the external world?
If it is through ISA server, then install the external certificate for Outlook Web App on the ISA server and revert to the internally generated certificate on the Exchange server.

Option 2
2. You can add an alias in the internal DNS server, the same as your external Web App name, and request users to access the Web App using the new URL.
 

Author Comment

by:cdron
ID: 35511362
M-Manakhly
Yes, I use a different URL in the internal network.
I did try to do that by changing the hosts file and not the DNS option, just to test it.
But then I was offered the certificate from the mailbox server!?

ckeshav
Option 1
Web App published with a rule in our Juniper firewall. So no ISA involved.

Option 2
I don't know exactly what you mean, but it seems a bit like the option M-Manakhly suggested.
The problem is not in Web App; that works perfectly externally. The problem is internal.
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 35511399
from outlook: go to (Tools) then go to (Account settings) , on the (Email tab) click (change) ... on the opened wizard go to (More settings) , on the (Connection) tab go to (Exchange proxy settings)
is the  "(on fast networks) connect http then TCPIP " checked ?
 
LVL 8

Expert Comment

by:ckeshav
ID: 35511479
Assuming you are accessing your Web App from
Externally: https://mail.contoso.com
Internally:  https://cashostname.contoso.com

But now you have purchased a certificate matching mail.contoso.com.

So add an alias in your internal DNS server for mail.contoso.com - the IP should be that of your internal CAS server.

Then from your internal network access https://mail.contoso.com; it should work without the certificate warning.

For the warning in Outlook, you may need to force the usage of this certificate for IIS only, using the Exchange Management Shell.

1. Run Get-ExchangeCertificate | FL - This will list details of all certificates that you have assigned to Exchange services. Please understand, this cmdlet does not retrieve any information about any other certificate in the local certificate store which is not used by Exchange. Once you get the output printed on the screen, note down the Thumbprint of the certificate in Notepad.

2. To enable this renewed certificate for IIS as well, run
Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS

Thumbprint - from your external certificate

Use the same command to change the services to your internal certificate for other services like POP3, SMTP, IMAP.

3. Verify all the services are working correctly after renewing and enabling the certificate.


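An added check that is not part of ckeshav's post: run in the Exchange Management Shell on the Exchange 2010 CAS, it lists which certificate is enabled for IIS and compares the host name in every Autodiscover-published internal and external URL against the names on that certificate. Any host name reported as MISMATCH is one Outlook will warn about, because the HTTPS name it is told to use is not on the certificate it receives. Nothing in it is specific to the thread's servers; the cmdlets and properties are standard Exchange 2010 ones.

```powershell
# Added example (not from the thread): compare the host names Exchange hands
# to clients against the names on the certificate actually bound to IIS.
# A host name missing from that certificate is the cause of Outlook's
# "name on the security certificate is invalid" warning.

# The certificate(s) currently enabled for the IIS service, i.e. what HTTPS
# clients (Outlook, OWA, ActiveSync) are presented with.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }

if (-not $iisCerts) {
    Write-Warning "No Exchange certificate is enabled for the IIS service."
    return
}

foreach ($cert in $iisCerts) {
    "IIS certificate {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter
    "  Names on certificate: " + ($cert.CertificateDomains -join ', ')
}

# Subject / SAN names across all IIS-enabled certificates, as plain strings.
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } |
               ForEach-Object { [string]$_ })

# Every URL a client may be handed by Autodiscover, internal and external.
$urls = @()
$urls += Get-ClientAccessServer | Select-Object -ExpandProperty AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# Reduce the URLs to unique host names (unset URLs are skipped).
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique

foreach ($h in $hosts) {
    # A wildcard entry such as *.contoso.com also covers mail.contoso.com.
    $covered = $certNames | Where-Object {
        $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_)
    }
    if ($covered) { "OK       $h" } else { "MISMATCH $h  (not on the IIS certificate)" }
}
```

In the situation described in the question, the internal URLs still carry the server's .contoso.local name, so that name shows up as MISMATCH against the purchased mail.contoso.com certificate; after the internal URLs are changed every line should read OK.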
 

Author Comment

by:cdron
ID: 35511608
M-Manakhly:
No, it is not checked, but I tried it and now it's connecting through the external URL and still there is a warning.

ckeshav
For Outlook I ran that command through the Shell before and I know about this.
IIS uses the external certificate. POP3, SMTP and IMAP use the automatically generated internal certificate.
 
LVL 8

Expert Comment

by:ckeshav
ID: 35511620
Did you add the Alias?
 

Author Comment

by:cdron
ID: 35511843
Like I said, I adjusted the hosts file to point to the internal IP of the CAS before and that didn't work.

But I did create an alias and still the problem is there, but that is logical because Outlook is still connecting to the internal fqdn and not the external one.

I'm beginning to think about putting an ISA server or Forefront server in front of Outlook Web App, as M-Manakhly suggested.
The only thing is that maybe I have to buy a new certificate.
 
LVL 3

Expert Comment

by:itubaf
ID: 35511885
Dear, since your SSL certificate is for mail.yourdomain.com, you can use the same domain name for internal and external.

What you have to do is, in your Juniper firewall, create one rule allowing HTTPS traffic. I prefer you use the wizard option (if available in your model); through the wizard you can publish any server globally. Once you publish OWA in your firewall you don't have to do anything; whenever a user requests mail.yourdomain.com the traffic will go to the firewall and the firewall will NAT to your local Exchange IP.
I am using a similar setup but with SonicWall.
 
LVL 8

Expert Comment

by:ckeshav
ID: 35511888
ISA was mentioned by me :)

Try this as a last resort

Set-OutlookProvider EXPR -Server CASServername -CertPrincipalName none
Set-OutlookProvider EXPR -Server $null


http://social.technet.microsoft.com/forums/en-US/exchangesvrgeneral/thread/ffea8c99-f206-49f9-98e9-122efcf828f0
 

Author Comment

by:cdron
ID: 35511923
I know what you mean, but then I have to connect Outlook with the Exchange server through HTTPS.
And that doesn't work either.
 
LVL 13

Accepted Solution

by:Mohamed ElManakhly (earned 2000 total points)
ID: 35512016
configure the internal URLs with mail.contoso.com and create an internal record for it
http://support.microsoft.com/kb/940726
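The accepted answer in scripted form, as an added example that is neither the answer's nor the KB article's own text. It assumes an Exchange 2010 CAS named CAS01, the certificate name mail.contoso.com, an internal DNS server named DNS01 and an internal CAS address of 10.0.0.5, all placeholders; run it in the Exchange Management Shell on the CAS. The warning Outlook shows internally comes from the HTTPS URLs Autodiscover hands out (Autodiscover itself, EWS, OAB), not from the MAPI connection, so those URLs are set to the certificate name, the Autodiscover application pool is recycled (the step the asker suspects was skipped on the first attempt), and an internal DNS zone makes the name resolve to the internal address for every client rather than only the one PC whose hosts file was edited.

```powershell
# Added example, not the accepted answer's own commands: the KB 940726
# procedure for Exchange 2010, scripted. Run in the Exchange Management Shell
# on the CAS. $cas, $fqdn, DNS01 and 10.0.0.5 are placeholders.
$cas  = 'CAS01'              # name of the CAS/Hub server (placeholder)
$fqdn = 'mail.contoso.com'   # name on the purchased certificate (placeholder)

# 1. Point every Autodiscover-published internal URL at the certificate name.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$fqdn/autodiscover/autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$fqdn/ews/exchange.asmx"

Set-OabVirtualDirectory -Identity "$cas\oab (Default Web Site)" `
    -InternalUrl "https://$fqdn/oab"

Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

# OWA/ECP play no part in the Outlook warning, but setting them keeps browser
# users on the same name internally and externally.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$fqdn/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$fqdn/ecp"

# 2. Recycle the Autodiscover application pool so Outlook receives the new URLs
#    at once (the KB's final step; an iisreset also does it, with a short outage).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'

# 3. Split DNS: inside the LAN the certificate name must resolve to the internal
#    CAS address for every client, not only the PC whose hosts file was edited.
#    An AD-integrated zone named after the host alone avoids shadowing the rest
#    of contoso.com. DNS01 and 10.0.0.5 are placeholders.
dnscmd DNS01 /ZoneAdd $fqdn /DsPrimary
dnscmd DNS01 /RecordAdd $fqdn '@' A 10.0.0.5

# 4. Verify what Autodiscover will now hand to Outlook.
Get-ClientAccessServer          | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory         | Format-List Identity, InternalUrl, ExternalUrl
```

After the recycle, Outlook's "Test E-mail AutoConfiguration" (Ctrl+right-click the tray icon) shows the URLs a client actually receives; every one should carry the certificate name before the warning can go away.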
 

Author Comment

by:cdron
ID: 35512140
M-Manakhly
The technet article worked. I don't know why it didn't before. As you can see I found the same one.

The only thing I can imagine that I didn't do recycle. Instead I think I did recycling.

Thank for the help everyone!
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 35512161
good luck :)
 

Author Comment

by:cdron
ID: 35512174
Thank you! Same to you!
