Solved

Exchange 2010 Outlook Anywhere cert error but only after successful login

Posted on 2012-03-13
275 Views
Last Modified: 2012-03-15
I have a new Exchange 2010 installation. I've purchased a UC/SAN certificate with a number of alternative names included to cover the FQDN of all CAS/HT servers as well as autodiscover and the standard recommended name.

I've installed the cert on our hardware loadbalancer and set up SSL offloading.

When I connect using Outlook 2010 and Outlook Anywhere, the autodiscover service works fast and perfectly sets up the account and then I can connect Outlook without incident.

However, 30-45 seconds after a successful login and without interrupting anything I get a security alert. It appears to reference the self-signed cert created in the installation of Exchange. I'm not sure what is triggering the need for the cert. The top of the error shows the FQDN of one of my cas/ht servers which is included in my UC/SAN cert.

I'm pretty sure this is something that is not being properly pointed to by my load balancer but I'm not sure what it is. I currently have ports 110, 143, 993, 25, 587, 443 and 80 setup for load balancing.

What am I missing? Any help appreciated.
Question by:hcca
5 Comments
LVL 1

Expert Comment

by:SMurphy11
ID: 37716013
Have you also installed your purchased certificate on your CAS servers?

In fact, you should have generated the request for your UC/SAN certificate in Exchange using either the EMC or the shell.

It sounds to me like it is not installed in Exchange or the services have not been assigned to that certificate.

Author Comment

by:hcca
ID: 37716097
I have not installed the cert on the CAS servers because I intended to do all SSL offloading, though I can do this if necessary.

I did generate the request from the EMC.

I just ran a test from https://www.testexchangeconnectivity.com/ and it reports that common name on the UC cert does not match the "msstd:domain.com" in the Outlook client. It says this causes a failure of the SSL mutual authentication with the RPC proxy server.

Is this what is causing the error?
LVL 1

Expert Comment

by:SMurphy11
ID: 37716654
Yes... so, complete the request and assign the cert to the services in Exchange and you should be good to go.

Basically what is happening is the load balancer doesn't trust Exchange's self-signed cert.

Also, since you generated the request in Exchange, my guess is the load balancer doesn't have the private key that goes with that cert. After you import it in Exchange and assign it, you can export it with the private key and add it to the load balancer.

Author Comment

by:hcca
ID: 37721218
The load balancer was configured with the private key for the cert. As I said, it is doing the SSL offloading without a problem for the Outlook Anywhere. It is sometime after that connection is established that the security alert comes up.
LVL 1

Accepted Solution

by:
SMurphy11 earned 2000 total points
ID: 37721652
I understand the SSL offloading. Bottom line is Outlook Anywhere will not work with a self-signed certificate.

Complete the pending request in Exchange 2010 and install your third-party certificate there and assign it and everything should work as you expect.
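As an added example (not posted by anyone in this thread, and not Microsoft's own documentation), the accepted answer's steps and the earlier "msstd:" principal-name finding can be carried out from the Exchange 2010 Management Shell as shown below: complete the pending UC/SAN request, check that the certificate's SAN list actually covers every name the thread mentions (published name, autodiscover, and the FQDN of each CAS/HT server), assign the certificate to the Exchange services, set the principal name Outlook Anywhere clients expect, keep SSL offloading enabled, and export a PFX with the private key for the load balancer. All host names, file paths and server identities are placeholders; the `Test-NameCovered` helper is the example's own, not an Exchange cmdlet.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# on a CAS server. Every host name, path and identity below is a placeholder.

# Names the UC/SAN certificate must cover (placeholders matching the thread's setup)
$requiredNames = @(
    'mail.example.com',          # published name clients connect to
    'autodiscover.example.com',  # Autodiscover
    'cas01.corp.example.com',    # FQDN of each CAS/HT server behind the load balancer
    'cas02.corp.example.com'
)

# Helper (example's own): does a certificate domain list cover one host name?
# A leading "*." label matches exactly one label, as browsers and Outlook treat it.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)   # e.g. ".example.com"
            if ($Name.Length -gt $suffix.Length -and $Name.EndsWith($suffix, 'OrdinalIgnoreCase')) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# 1. Complete the pending request generated in the EMC by importing the CA-issued .cer
$pending = Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' }
if (-not $pending) { Write-Warning 'No pending certificate request found on this server.' }
$certBytes = [Byte[]](Get-Content -Path 'C:\certs\uc-san.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes

# 2. Verify the SAN list before assigning services; a name missing here is exactly
#    what produces the "name does not match" / msstd: mismatch seen in the tester
$certDomains = [string[]]($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = $requiredNames | Where-Object { -not (Test-NameCovered -Name $_ -CertDomains $certDomains) }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# 3. Assign the certificate to the services (Exchange prompts before replacing the
#    default SMTP certificate; answer Yes). IIS covers Outlook Anywhere, OWA, EWS, Autodiscover.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Tell Outlook Anywhere clients which principal name to expect in the proxy's
#    certificate; this is the "msstd:" value Autodiscover hands to Outlook.
Set-OutlookProvider -Identity EXPR -CertPrincipalName 'msstd:mail.example.com'

# 5. Keep SSL offloading on the load balancer, as the asker intends
Get-OutlookAnywhere | ForEach-Object {
    Set-OutlookAnywhere -Identity $_.Identity -SSLOffloading $true
}

# 6. Export the certificate with its private key so the load balancer (and the
#    other CAS servers) get the same key pair
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\uc-san.pfx' -Value $pfx.FileData -Encoding Byte

# 7. Confirm the result: Status should be Valid and Services should list IIS
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, Status
```

Step 1 has to run on the server where the request was generated, because that is where the private key lives; the other CAS servers behind the load balancer then get the PFX from step 6 via `Import-ExchangeCertificate` followed by the same `Enable-ExchangeCertificate` call. The SAN check in step 2 is there so that a certificate is never bound to IIS until it is known to cover every name a client or the connectivity tester will compare against.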