cdron (Netherlands) asked:
Outlook 2007 certificate security warning with a new certificate in Exchange 2010

Hello,

Because I wanted to get rid of the security warning in Outlook Web App, I bought a certificate and installed it on our Exchange 2010 CAS server, which is also a Hub Transport server.
It's obvious that the certificate was generated with the external FQDN of the CAS server. Let's say mail.contoso.com.

So I ran into a problem: users on our internal LAN got a security warning in Outlook 2007 because the name on the certificate wasn't right. The internal FQDN is, let's say, netbiosname.contoso.local.

On TechNet I found the following article: http://support.microsoft.com/kb/940726/en-us.
I followed the steps in the article and changed the hosts file on a PC to test it.
I changed the hosts file so that the external FQDN mail.contoso.com would point to an internal IP.

I thought it would solve this problem, but now Outlook had a new security warning from a certificate on our mailbox server? How is that possible?

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

Just to be clear: we have 1 mailbox server and 1 CAS/HUB server.

Regards,


Ron
cdron (asker):
Sorry, the following sentence is not right:

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and get a certificate from a Mailbox server.

It should be:

It really puzzles me because I would think that Outlook 2007 would connect through the CAS server and not get a certificate from a Mailbox server.

Are you using a different URL when accessing from the internal network?
Why not create an internal record on the internal DNS for "mail.contoso.com" and guide your users to use it internally and externally?
ckeshav:
Outlook is a MAPI client and connects directly to the Mailbox server in Exchange 2007, but this changed in Exchange 2010.
In Exchange 2010 the MAPI connection also goes to the CAS server.

Coming to your second problem:

Option 1
1. How is your Outlook Web App published to the external world?
If it is through ISA Server, then install the external certificate for Outlook Web App on the ISA server and revert to the internally generated certificate on the Exchange server.

Option 2
2. You can create an alias in the internal DNS server, the same as your external Web App name, and request users to access the Web App using the new URL.
cdron (asker):
M-Manakhly:
Yes, I use a different URL in the internal network.
I did try to do that by changing the hosts file instead of the DNS option, just to test it.
But then I was offered the certificate from the mailbox server!?

ckeshav:
Option 1
Web App is published with a rule in our Juniper firewall. So no ISA involved.

Option 2
I don't know exactly what you mean, but it seems a bit like the option M-Manakhly suggested.
The problem is not in Web App; that works perfectly externally. The problem is internal.
From Outlook: go to Tools, then Account Settings; on the E-mail tab click Change; in the wizard that opens go to More Settings; on the Connection tab go to Exchange Proxy Settings.
Is "On fast networks, connect using HTTP first, then connect using TCP/IP" checked?
Assuming you are accessing your Web App from:
Externally: https://mail.contoso.com
Internally: https://cashostname.contoso.com

But now you have purchased a certificate matching mail.contoso.com.

So add an alias in your internal DNS server for mail.contoso.com; the IP should be that of your internal CAS server.

Then from your internal network access https://mail.contoso.com; it should work without the certificate warning.

For the warning in Outlook, you may need to force the usage of this certificate for IIS only, using the Exchange Management Shell.

1. Run Get-ExchangeCertificate | FL. This will list details of all certificates that you have assigned to Exchange services. Please understand that this cmdlet does not retrieve any information about other certificates in the local certificate store that are not used by Exchange. Once you get the output printed on the screen, note down the Thumbprint of the certificate in Notepad.

2. To enable this renewed certificate for IIS as well, run
Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS

Thumbprint: from your external certificate.

Follow the same command to change the services to your internal certificate for other services like POP3, SMTP and IMAP.

3. Verify all the services are working correctly after renewing and enabling the certificate.
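The Outlook 2007 warning comes from a name mismatch between the certificate bound to IIS and the internal URLs Autodiscover hands to the client, so a quick audit of both sides shows exactly which name is tripping the warning. The script below is an added example for the Exchange Management Shell (not from this thread or from Microsoft); it assumes it runs on the CAS and that the standard Exchange 2010 cmdlets it calls are available.

```powershell
# Added audit script (not from this thread): shows which certificate Exchange 2010 has bound to
# IIS and checks every internal URL that Autodiscover hands to Outlook against the names on it.
# Assumes the Exchange Management Shell on the CAS; -Server defaults to the local machine.
param([string]$Server = $env:COMPUTERNAME)

# The certificate enabled for the IIS service is the one Outlook and OWA see over HTTPS.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on $Server" }

"IIS certificate : $($iisCert.Subject)"
"Thumbprint      : $($iisCert.Thumbprint)"
"Self-signed     : $($iisCert.IsSelfSigned)"
"Names on cert   : $($iisCert.CertificateDomains -join ', ')"

# Internal URLs published through Autodiscover (the settings KB 940726 has you change).
$urls = @{}
$urls['AutoDiscoverServiceInternalUri'] = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Server) { $urls["EWS $($vd.Name)"] = $vd.InternalUrl }
foreach ($vd in Get-OABVirtualDirectory -Server $Server)         { $urls["OAB $($vd.Name)"] = $vd.InternalUrl }
foreach ($vd in Get-OwaVirtualDirectory -Server $Server)         { $urls["OWA $($vd.Name)"] = $vd.InternalUrl }
foreach ($vd in Get-EcpVirtualDirectory -Server $Server)         { $urls["ECP $($vd.Name)"] = $vd.InternalUrl }

# A host name is covered if it is listed on the certificate exactly, or by a wildcard entry
# that matches exactly one label (*.contoso.com covers mail.contoso.com, not a.b.contoso.com).
function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $pattern = '^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$'
            if ($HostName -imatch $pattern) { return $true }
        }
    }
    return $false
}

"`nInternal URLs checked against the IIS certificate:"
foreach ($entry in $urls.GetEnumerator() | Sort-Object Name) {
    $u = $entry.Value
    if (-not $u) { "  {0,-34} (not set)" -f $entry.Name; continue }
    $ok = Test-NameOnCert -HostName $u.Host -CertNames $iisCert.CertificateDomains
    $verdict = if ($ok) { 'OK' } else { 'MISMATCH - Outlook will warn on this name' }
    "  {0,-34} {1,-32} {2}" -f $entry.Name, $u.Host, $verdict
}
```

Any line reported as MISMATCH is a URL still pointing at the internal host name (netbiosname.contoso.local in the question) that the purchased mail.contoso.com certificate does not cover; those are the URLs to repoint (or the names to add to the certificate) before the warning goes away.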


cdron (asker):
M-Manakhly:
No, it is not checked, but I tried it and now it's connecting through the external URL and there is still a warning.

ckeshav:
For Outlook I ran that command through the Shell before, and I know about this.
IIS uses the external certificate. POP3, SMTP and IMAP use the automatically generated internal certificate.
Did you add the alias?
cdron (asker):
Like I said, I adjusted the hosts file to point to the internal IP of the CAS before, and that didn't work.

But I did create an alias and the problem is still there, which is logical because Outlook is still connecting to the internal FQDN and not the external one.

I'm beginning to think about putting an ISA server or Forefront server in front of Outlook Web App, as M-Manakhly suggested.
The only thing is that maybe I have to buy a new certificate.
Dear, since your SSL certificate is for mail.yourdomain.com, you can use the same domain name internally and externally.

What you have to do is create one rule in your Juniper firewall allowing HTTPS traffic. I prefer that you use the wizard option (if available in your model); through the wizard you can publish any server globally. Once you publish OWA in your firewall you don't have to do anything else: whenever a user requests mail.yourdomain.com the traffic will go to the firewall and the firewall will NAT it to your local Exchange IP.
I am using a similar setup, but with SonicWall.
ISA was mentioned by me :)

Try this as a last resort

Set-OutlookProvider EXPR -Server CASServername -CertPrincipalName none
Set-OutlookProvider EXPR -Server $null


http://social.technet.microsoft.com/forums/en-US/exchangesvrgeneral/thread/ffea8c99-f206-49f9-98e9-122efcf828f0
cdron (asker):
I know what you mean, but then I have to connect Outlook to the Exchange server through HTTPS.
And that doesn't work either.
ASKER CERTIFIED SOLUTION by Mohamed ElManakhly (Egypt)
cdron (asker):
M-Manakhly:
The TechNet article worked. I don't know why it didn't before. As you can see, I found the same one.

The only thing I can imagine is that I didn't do recycle. Instead I think I did recycling.

Thanks for the help, everyone!
Good luck :)
cdron (asker):
Thank you! Same to you!