Microsoft Outlook 2010 Certificate error

I hope that you can help.

I have an Exchange 2010 CAS array connected to a hardware load balancer that is doing SSL offloading. There are multiple third party root CA certificates for different domains installed on the load balancer and SSL offloading is working correctly for OWA, ActiveSync, and OA clients. However when a local client attempts to access their mail through Outlook 2010, the following error occurs:

“The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.”

And then a question of “Do you want to proceed?” is asked and you have to reply Yes, No or View Certificate.

The certificate being used to authenticate the Outlook 2010 clients on the network is the default one that is part of Exchange 2010. When I select "Yes" I can access mail with no problem and Outlook works just fine; I just want to avoid this pop-up appearing every time I go into Outlook, as there are many users who get this prompt at the moment and I am trying to avoid it from happening. Are there any settings that you know of that disable the pop-up while continuing to use the default certificate from Exchange 2010?

Thank you.
leporej092170 asked:

Jessie Gill, CISSP, Technical Architect, commented:
This happens if there is a certificate mismatch. Is your internal URL the same name as the certificate?

I.e. you have an SSL cert with mail.domain.com and autodiscover.mail.com installed on the CAS, but the internal URL for the CAS may be something like server.domain.com, thus the SSL warning.

So make sure your internal URL matches your SSL certificate.

What we did is keep the external and internal URL the same, i.e. mail.domain.com, and then we use split-brain DNS: internally mail.domain.com points to the load balancer and externally mail.domain.com points to our firewall.

http://support.microsoft.com/kb/940726
0

kcoect commented:
If you're using a third-party certificate, you may need to install their certificate authority certificate in the Trusted Root Certification Authorities store on your machines. You should be able to use AD to push that out...
0
Justin Durrant, Sr. Engineer - Windows Server/Virtualization, commented:
You need a SAN or UC certificate. I recommend GoDaddy or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember, the cert request needs to be generated by Exchange using PowerShell.
http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process it and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
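The request / import / enable cycle described in the answer above, written out as an added Exchange Management Shell example (this is not code from the thread or from Microsoft's documentation). The host names, the organisation in the subject, the file paths and the password prompt are placeholders; the export step at the end is included because the question's load balancer terminates SSL and therefore needs the same certificate and private key.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on one of the CAS servers. All names, paths and the subject are placeholders.

# Every name a client may be told to connect to must appear in the SAN list:
# the public name, the Autodiscover name and the internal CAS array / InternalUrl name.
$names = @(
    "mail.domain.com",          # public name used by OWA / ActiveSync / Outlook Anywhere
    "autodiscover.domain.com",  # Autodiscover name
    "mail.internal.com"         # internal CAS array / InternalUrl name (assumed)
)

# 1. Generate the CSR. Exchange keeps the private key; only the request file goes to the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=mail.domain.com" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path "C:\certs\exchange.req" -Value $csr

# 2. When the CA returns the signed certificate, import it on the same server
#    (the private key generated in step 1 is matched automatically).
$cert = Import-ExchangeCertificate -FileData (
    [byte[]](Get-Content -Path "C:\certs\exchange.cer" -Encoding Byte -ReadCount 0))

# 3. Bind it to the services clients talk to. IIS covers OWA, EWS, Autodiscover and Outlook Anywhere.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 4. Check the names, the binding and that Exchange considers the chain valid.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Status, IsSelfSigned

# 5. Export a PFX (certificate + private key) for the load balancer that is doing SSL offloading.
$pw  = Read-Host -AsSecureString -Prompt "PFX password"
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pw
Set-Content -Path "C:\certs\exchange.pfx" -Value $pfx.FileData -Encoding Byte
```

Repeat step 2 and step 3 on each additional CAS by importing the exported PFX there (Import-ExchangeCertificate accepts the PFX bytes with -Password), so that every server the load balancer can send a client to presents the same certificate. Protect the PFX file and delete it once it has been loaded into the load balancer and the other servers.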

Beyond Next Solutions, Solutions Architect, commented:
Did you create a CAS Array and configure the -RpcClientAccessServer parameter of your mailbox databases to point to the hostname of the cas array?

Example:
- Your internal VIP (virtual IP) address is 10.1.1.1 and your internal DNS (internal.com) has records that point to the CAS array.

1. Create an internal DNS host record that points to the internal VIP of the hardware load balancer. This assumes that your load balancer is balancing all TCP/UDP ports across all CAS servers in the AD site.
   - Zone name in your internal DNS = internal.com: mail.internal.com A 10.1.1.1

2. Ensure that internal clients resolve mail.internal.com to 10.1.1.1, and that external clients resolve public DNS host names to your public IP (and CANNOT resolve the internal CAS array name!!).

3. Create the CAS Array:
New-ClientAccessArray -Name "mail.internal.com" -Fqdn "mail.internal.com" -Site "Default-First-Site-Name"

4. Configure each mailbox database in your site to use the CAS array:
Set-MailboxDatabase "DBname" -RpcClientAccessServer "mail.internal.com"

I may have left out something, but that should get it done.
0
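An added audit script (not from the thread) that ties the two points made above together: Jessie Gill's point that the internal URL must match a name on the certificate, and the CAS array / RpcClientAccessServer configuration in the steps just described. It collects the names internal Outlook clients are handed (CAS array FQDN, Autodiscover SCP URI, EWS and OAB InternalUrl hosts), then checks them against the SAN list of every certificate bound to IIS on each CAS, flags self-signed or untrusted certificates, and reports mailbox databases whose RpcClientAccessServer is not the CAS array. The site name is an assumption; everything else is read from the organisation.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# Assumption: a single AD site named as below; adjust to your own site name.
$site = "Default-First-Site-Name"

# --- 1. Names internal clients are told to connect to over SSL --------------------
$arrayFqdn = (Get-ClientAccessArray -Site $site).Fqdn

$expected = @()
$expected += $arrayFqdn
$expected += Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) { ([Uri]$_.AutoDiscoverServiceInternalUri).Host } }
$expected += Get-WebServicesVirtualDirectory | ForEach-Object {
    if ($_.InternalUrl) { ([Uri]$_.InternalUrl).Host } }
$expected += Get-OabVirtualDirectory | ForEach-Object {
    if ($_.InternalUrl) { ([Uri]$_.InternalUrl).Host } }
$expected = $expected | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

"Names internal clients will use: " + ($expected -join ", ")

# Does a SAN entry cover a host name? Exact match, or a one-label wildcard match.
function Test-NameCovered([string]$Name, [string[]]$SanList) {
    foreach ($san in $SanList) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith("*.") -and
            $Name -like $san -and
            $Name.Split('.').Count -eq $san.Split('.').Count) { return $true }
    }
    return $false
}

# --- 2. Compare against the certificate(s) bound to IIS on each CAS ----------------
foreach ($cas in Get-ClientAccessServer) {
    $iisCerts = Get-ExchangeCertificate -Server $cas.Name | Where-Object { $_.Services -match "IIS" }
    if (-not $iisCerts) { Write-Warning "$($cas.Name): no certificate is enabled for IIS"; continue }

    foreach ($c in $iisCerts) {
        $san = $c.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
        "{0}: {1}  thumbprint={2}  expires={3}  status={4}" -f `
            $cas.Name, $c.Subject, $c.Thumbprint, $c.NotAfter, $c.Status

        # A self-signed or untrusted certificate produces exactly the prompt in the question,
        # regardless of whether the names match.
        if ($c.IsSelfSigned)        { Write-Warning "  $($cas.Name): certificate is self-signed" }
        if ($c.Status -ne "Valid")  { Write-Warning "  $($cas.Name): Exchange reports status $($c.Status)" }

        foreach ($name in $expected) {
            if (Test-NameCovered -Name $name -SanList $san) { "  OK       $name" }
            else { Write-Warning "  MISSING  $name is not in the certificate's SAN list" }
        }
    }
}

# --- 3. Mailbox databases that still point at an individual server, not the array --
Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $arrayFqdn } | ForEach-Object {
    Write-Warning ("database {0}: RpcClientAccessServer is {1}, expected {2}" -f `
        $_.Name, $_.RpcClientAccessServer, $arrayFqdn)
}
```

Any MISSING line is a name that clients will receive from Autodiscover but that the certificate does not carry, which is the mismatch described in the thread; the fix is either to add that name to the SAN list or to change the InternalUrl / SCP to a name the certificate already covers. A self-signed warning means the chain will not be trusted on domain machines unless the certificate is deployed to their trusted root store, which is the other cause of the same prompt.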
Radweld commented:
As stated, your external certificate is OK, but communications internally are using the self-signed certificate that was installed automatically when you installed Exchange.

Options are to get a new public cert with the internal CAS array and Autodiscover names added to it, or to install a public key infrastructure (PKI) to generate your own certificates. You configure your clients to auto-enrol a domain cert and then secure internal traffic with this. It's more effort, and my preferred solution is to get the internal names added to the public certificate.
0
leporej092170 (author) commented:
Thanks for the help!
0