mray77
asked on
Outlook Security Alert due to Certificates
Since upgrading to Exchange/Outlook 2010, we needed to purchase an SSL cert, which we did from Digicert. Everything checked out fine on the cert. However, since configuring with Exchange 2010, our users are getting the Security Alert for mail.my-internal-domain.com. The cert was configured for mail.my-external-domain.com. I do have a green check mark indicating "the security certificate is from a trusted certifying authority" and for "the security certificate date is valid". However, I have a red x for "the name on the security certificate is invalid or does not match the name of the site."
All mail is flowing as expected.
The problem is related to the name of the site and the fact that it is accessed from outside with mail.my-external-domain.com and from the inside with mail.my-internal-domain.com.
In order to get rid of that warning you should have the certificate from Digicert with the field Subject Alternate Name containing "mail.my-internal-domain.com".
More info about the certificate's SAN field here:
https://www.digicert.com/subject-alternative-name.htm
ASKER
I did include both the internal and external domain names in the Cert. I did not, however, add the cert to the DC. I will check that out. Thanks for the help thus far!
The error doesn't point to an issue with the trusting chain since you said that you get a green mark on "the security certificate is from a trusted certifying authority".
The error is more likely related to the name so maybe you have configured the internal clients to access the site by using the NETBIOS name (or even the IP).
Take a look at this article also:
http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2.aspx
There is absolutely no reason to install the certificate on the Domain Controller.
If you processed the certificate request through the New Certificate wizard in the Exchange Management Console then the certificate should be correct.
You need to have the following names in it:
owa.domainname.com (the external URL you use for Outlook Web App/ActiveSync/Outlook Anywhere)
autodiscover.domainname.com (where domainname.com is the part after the @ in your email address)
servername.domain.local (the internal fully qualified domain name of your server)
If any of these are missing then you will need to rekey your certificate.
Once you have completed the wizard in Exchange make sure you assign the services to it (right click the certificate in the list and select Assign Services).
If you have confirmed all of this and are still having problems then please post a screenshot of the error you are seeing.
The problem is that you don't have the internal DNS name of your client access server on that certificate. So either you get a new certificate and add the internal DNS name there, or you use a different certificate generated internally by your internal CA with all the names, and use the external certificate only for external access, published for example in TMG or ISA 2k6.
you need these names:
webmail.domain.com (example of external name used for OWA, OA, ActiveSync, etc)
autodiscover.domain.com (one for each different primary smtp address you have on your org)
cas.domain.local (example for the internal cas server name, or, if you have several CAS servers put in the several names or the cas array name)
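The two answers above both reduce to the same check: every hostname Outlook, Autodiscover and OWA connect to (external URL, autodiscover name, internal CAS FQDN) must appear as a dNSName in the certificate's Subject Alternative Name. This is an added example, not code from the thread or from Exchange; the SAN list and URLs are constructed to mirror the asker's situation, and the wildcard and CN-fallback rules follow RFC 6125 as Windows Schannel applies them.

```python
# Added example (not from the thread): report which names Outlook will
# connect to are not covered by a certificate's Subject Alternative Names.
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname, case-insensitively.
    A wildcard counts only as the whole leftmost label and needs at least two
    labels after it, the rule Schannel and browsers apply: '*.example.com'
    covers 'mail.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def cert_covers(hostname: str, san_dns: List[str], subject_cn: Optional[str] = None) -> bool:
    """True when the certificate is valid for hostname. As in RFC 6125, the
    subject CN is consulted only if the certificate has no dNSName SAN at all."""
    if san_dns:
        return any(name_matches(n, hostname) for n in san_dns)
    return subject_cn is not None and name_matches(subject_cn, hostname)

def host_of(url_or_host: str) -> str:
    """Accept a bare hostname or an Exchange URL (e.g. https://host/owa)
    and return just the hostname the client will compare against the cert."""
    if "://" in url_or_host:
        return urlsplit(url_or_host).hostname or ""
    return url_or_host

def missing_names(required: Iterable[str], san_dns: List[str],
                  subject_cn: Optional[str] = None) -> List[str]:
    """Hostnames from required (bare names or URLs) the certificate does not cover."""
    return [host_of(r) for r in required if not cert_covers(host_of(r), san_dns, subject_cn)]

# Constructed data mirroring the thread: the certificate was issued for the
# external name only, while internal Outlook clients use the internal FQDN.
CERT_SAN = ["mail.my-external-domain.com"]
REQUIRED = [
    "https://mail.my-external-domain.com/owa",                # OWA / ActiveSync / Outlook Anywhere
    "autodiscover.my-external-domain.com",                    # part after the @ in the SMTP address
    "https://mail.my-internal-domain.com/ews/exchange.asmx",  # internal CAS FQDN seen by Outlook
]

if __name__ == "__main__":
    for name in missing_names(REQUIRED, CERT_SAN):
        print("not covered by certificate, rekey with this SAN:", name)
```

Run it against the names printed by Get-ExchangeCertificate and the URLs of your virtual directories; an empty result means the "name does not match" red x cannot come from the certificate itself.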
ASKER
Internally, this issue appears to be resolved. I did take the first piece of advice we received, and configured licensing on our DC, although this does not necessarily include our Exchange cert. What I had to do was uncheck cache mode, then this was working.
Externally, using RDP_HTTP, i still see a cert error; i will post specifics about that error shortly. Thanks for the continued support.
ASKER
Thanks for the detailed explanation!
2. When installing the certificate, did you also click on the Certification Path and install the DigiCert High Assurance certificate in your Trusted Root Certification Authorities store?