
Exchange Certificate Security

Angry_Stu asked:
Hi Guys,

We just added a new certificate to our Exchange 2007 box (to get our smartphones to receive email) and since this has been installed, all of our users now get a security warning message every time they open Outlook.

I have googled this issue and read through Microsoft's support pages regarding this, but I have yet to find a Microsoft support page that has ever been helpful with any issue I have had, and this record still stands!  ;)

Has anyone come across this before, or knows how to fix it?   It's very annoying.

Note:  A rebuild of the user profile client-side doesn't remedy the situation at all, it seems to be a server-side problem.

Users are using XP and Windows 2007, the problem is identical on all machines.

Hi,

Could you run a test for Exchange ActiveSync and post the result?

https://www.testexchangeconnectivity.com/

Author commented:
@suriyaehnop

I don't really want to do that, it asks for my credentials.

How would this even help anyway?  All the email works perfectly fine, so I assume your test will also show that it is fine.
Nagendra Pratap Singh (Desktop Applications Specialist) commented:
Is the alert same as this?

"The name of the security certificate is invalid or does not match the name of the site"

Can you close Outlook and reopen it to reproduce the issue once more?

This should give you the names Outlook is objecting to. This is normally a server like mail002.domain.com, and the server is for domain.com.

This should help

http://support.microsoft.com/kb/940726
Hi Stu

It sounds like it's trying to use your new certificate for Outlook's AutoDiscover - Elan Shudnow has a great description of the issue and how to fix it:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
What the article doesn't talk about is an important aspect: DNS.

You'll need the following details

Either
create an A record for autodiscover.domain.com and have autodiscover.domain.com added to your SAN certificate internally and externally, OR
create an SRV record for _autodiscover._tcp.domain.com pointing to your webmail address (such as webmail.domain.com, which would be used for the other URLs too).

You'll need to have an A record for webmail.domain.com pointing to your external firewall IP, so any request for HTTP or HTTPS gets to your environment.

The link provided above does give you the exact URL that needs to be setup.

If you have any questions, feel free to ask.

Regards,
Exchange_Geek
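As an added example that is not part of the thread (and not Shudnow's or Microsoft's code), the following script does in one place what npsingh's and Exchange_Geek's replies describe: it takes the names Outlook is handed through Autodiscover (the Autodiscover, EWS and OAB URLs on the Client Access server), compares the hostname in each against the names on the certificate bound to IIS, probes the public name over TLS the way a laptop outside the domain would see it, and finally checks the two DNS records that let external clients find Autodiscover. Run it in the Exchange Management Shell on the Client Access server with PowerShell 2.0 or later. The server name CAS01, the public name webmail.domain.com and the domain domain.com are assumptions to replace; the Set-* fixes in step 4 are left commented so that nothing changes until the output has been read.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on
# the Client Access server (PowerShell 2.0 or later). It performs the comparison
# Outlook 2007 makes before it shows "The name of the security certificate is
# invalid or does not match the name of the site": the host in each URL handed out
# through Autodiscover is checked against the names on the IIS certificate, and the
# public name is probed over TLS as an external client would see it.
# Assumptions (hypothetical; change for your environment):
$cas        = "CAS01"                # server holding the Client Access role
$publicName = "webmail.domain.com"   # name on the SAN certificate, resolvable inside and outside
$smtpDomain = "domain.com"           # the e-mail domain Outlook derives the Autodiscover name from

function Test-CertCoversHost($hostName, $names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        # A wildcard entry covers one label only: *.domain.com covers webmail.domain.com, not a.b.domain.com.
        if ($n.StartsWith("*.") -and ($hostName -like $n) -and ($hostName.Split(".").Count -eq $n.Split(".").Count)) {
            return $true
        }
    }
    return $false
}

# 1. The certificate Outlook is shown is the one enabled for the IIS service.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on this server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })
"IIS certificate " + $iisCert.Thumbprint + " (expires " + $iisCert.NotAfter + ") covers: " + ($certNames -join ", ")

# 2. The URLs Outlook obtains via Autodiscover; the host in each must be on that certificate.
$ews  = Get-WebServicesVirtualDirectory -Server $cas | Select-Object -First 1
$oab  = Get-OabVirtualDirectory -Server $cas | Select-Object -First 1
$urls = @{
    "Autodiscover (internal)" = (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
    "EWS (internal)"          = $ews.InternalUrl
    "EWS (external)"          = $ews.ExternalUrl
    "OAB (internal)"          = $oab.InternalUrl
    "OAB (external)"          = $oab.ExternalUrl
}
foreach ($key in $urls.Keys) {
    $u = $urls[$key]
    if (-not $u) { "{0,-24} (not set)" -f $key; continue }
    $h  = ([System.Uri]$u.ToString()).Host
    $ok = Test-CertCoversHost $h $certNames
    "{0,-24} {1,-55} {2}" -f $key, $u, $(if ($ok) { "OK" } else { "MISMATCH - this produces the Outlook warning" })
}

# 3. Probe the public name over TLS, as a client on the internet would, and read the
#    names off the certificate actually presented. Validation is switched off for the
#    probe because the point is to inspect the certificate, not to trust it.
$tcp = New-Object System.Net.Sockets.TcpClient($publicName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($publicName)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()
$presentedNames = @($presented.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $presented.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # id-ce-subjectAltName
if ($san) {
    # Format() on an English system yields "DNS Name=webmail.domain.com, DNS Name=autodiscover.domain.com".
    $presentedNames += $san.Format($false).Split(",") | ForEach-Object { $_.Trim() } |
                       Where-Object { $_ -like "DNS Name=*" } | ForEach-Object { $_.Substring(9) }
}
$presentedNames = @($presentedNames | Select-Object -Unique)
"$publicName presents " + $presented.Thumbprint + " with names: " + ($presentedNames -join ", ")
if ($presented.Thumbprint -ne $iisCert.Thumbprint) {
    "WARNING: the certificate on the wire is not the one enabled for IIS (different server or binding in the path?)"
}
if (-not (Test-CertCoversHost $publicName $presentedNames)) {
    "MISMATCH: $publicName is not on the presented certificate"
}

# 4. Fix: point every URL at a name that is on the certificate (the approach the Shudnow
#    article describes), then make sure that name resolves on both sides of the firewall.
#    Uncomment once the identities printed above look right.
# Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$publicName/Autodiscover/Autodiscover.xml"
# Set-WebServicesVirtualDirectory -Identity $ews.Identity -InternalUrl "https://$publicName/EWS/Exchange.asmx"
# Set-OabVirtualDirectory        -Identity $oab.Identity -InternalUrl "https://$publicName/OAB"

# 5. The records clients outside the domain use to find Autodiscover (either one suffices).
nslookup -type=A   "autodiscover.$smtpDomain"
nslookup -type=SRV "_autodiscover._tcp.$smtpDomain"
```

Two caveats a practitioner will want: step 3 deliberately disables certificate validation and must only be used as a diagnostic probe, never copied into anything that handles mail; and Outlook 2007 only consults the `_autodiscover._tcp` SRV record after the update described in Microsoft KB940881 has been installed, so on unpatched clients only the autodiscover.domain.com A record (with that name on the SAN certificate) works. If the name in step 2 is an internal FQDN such as server.domain.local, a public CA will not put that name on a certificate, which is why the usual fix is to move the URLs to the public name and resolve it internally (split DNS) rather than to add the internal name to the certificate.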

Author commented:
@npsingh

I looked at that article from Microsoft.   It's useless, like all of their articles.

@essaydave

I am looking through that article but where it says:

Get-ClientAccessServer -Identity CASServer | FL

What is a CASServer?   Is it the name of my Exchange server?

@Exchange_Geek

Thanks for the advice mate, but I don't really get what you are saying.  Too complicated for me ;)  I will try and work through that article, once I find out what a CASServer is.

Thanks to all for your responses.
Aight, let me simplify a bit more.

E2007 and E2010 have Exchange divided into various roles:

Mailbox Role aka Mbx is supposed to take care of mailboxes / mailbox databases / public folders / generating the OAB.

Client Access Server aka CAS Role is supposed to facilitate access to mailboxes and their features using various HTTPS URLs such as Autodiscover, OAB, OOO, UM etc.

Hub Transport aka Hub Role is supposed to facilitate all mail flow that takes place between mailboxes within your Exchange Organization and between internal and external (and vice versa) recipients.

Hope we are clear up till here.

Things have changed in how OL 2007 (and higher versions) works ever since MS launched Exchange 2007 aka E2007. OL 2007 connects externally in a way that is heavily dependent on Autodiscover links and DNS records. OL 2007 has an in-built process to connect to Exchange using a custom-defined Autodiscover URL and its associated cert.

The link given by npsingh123 - I'd agree it won't be of much help - but the link given by essaydave to Shudnow (a well respected Exchange blogger) talks at length about how important certs are and how they play a vital role in the Exchange-Outlook relationship. What it doesn't help you to understand is that OL also works with DNS; I mean, nothing in the Internet world can work without DNS.

So, the suggestion that I gave would help you reach your Exchange environment with the help of a few DNS records that need to be created on your internet-facing DNS servers. This is precisely for all those machines (laptop / iPad etc.) that aren't connected to your local domain (which would use internal DNS to reach Exchange).

Hope I've clarified your doubts.

Regards,
Exchange_Geek

Author commented:
@Exchange_Geek

Thanks for your reply again mate.   It certainly helps me understand the relationship between outlook and exchange a little clearer.

Unfortunately however, I still don't get exactly what it is you are suggesting that I do.   As I stated earlier, I am trying to work through the shudnow article but I cannot proceed without knowing what I am supposed to enter in place of "CASServer" in the command-line.

You have outlined briefly what the CAS server is for, but that doesn't help shed some light on what exactly I am supposed to be typing into the line.

Do I need to add the CAS role to my exchange server first?   Do I just type in the name of my exchange server into this line, because it is already configured by default to provide this service?

I need specifics mate ;)

Cheers!
The CAS Server is the server that holds the CAS Role; you can find details of your CAS by checking the server in the Exchange Management Console.

Refer to the image I could pick up from Google; check for the Roles: Client Access Server.

Regards,
Exchange_Geek

Author commented:
@Exchange_Geek

OK, I have found that my Exchange server has the Client Access role.

So that means that I can now put in the following line and get started:

Get-ClientAccessServer -Identity ID01 | FL

It gets so much more complicated after this though. Also, before I go any further, do I need to know which of these certificates is the new sparkly one? (Image attached: Certificates.jpg.) Or doesn't it matter?
