Internal outlook users getting certificate error

Posted on 2012-08-22
Last Modified: 2012-08-25
Dear all,
We have Exchange Server 2010, with mailbox and hub transport in one box and CAS on another box. Everything looks fine and external users are using OWA, but internal users are getting a certificate error every time; Outlook is pointing to the CAS server.
My question is how to avoid the certificate error for internal users. Is it normal for Outlook to point to the CAS server? Because I heard users would connect to the mailbox server.
Please assist me ASAP.
Question by:nivasnet
LVL 28

Expert Comment

by:MAS
ID: 38319505
Did you add your mailbox server FQDN in your certificate?
Do you have autodiscover.domain.com in your certificate?
0
 
LVL 15

Assisted Solution

by:Antonio Vargas
Antonio Vargas earned 600 total points
ID: 38319565
With Exchange 2010, users' Outlook connects to the CAS server. With Exchange 2007 it connects to the mailbox server.

You need the following names on the external certificate:

webmail.domain.com
autodiscover.domain.com
legacy.domain.com (optional for coexistence)

On the INTERNAL certificate, or the external one if you're using only one, you also need:

casserver.domain.local (the CAS internal FQDN, as that is where the client connects)
You need one per CAS, and if you have a CAS array you also need it there.

Now you have two options: use only one certificate, external and public, with all the above names, or use two certificates, one internal and one external. The internal one should have all the names and the external only the names stated above. I'd recommend using only one.
0
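To turn the list above into a concrete check for your own environment, here is an added audit script; it is not code from this thread or any of its posters. It runs in the Exchange 2010 Management Shell with view-only rights and changes nothing: for every Client Access Server it collects the host names that Outlook and Autodiscover clients will actually present (server FQDN, Autodiscover SCP URI, the InternalUrl/ExternalUrl of each virtual directory, the Outlook Anywhere host name and any CAS array FQDN) and compares each against the SAN list of the certificate enabled for IIS on that server. The cmdlets and properties are the standard Exchange 2010 ones; the wildcard-matching helper is my own.

```powershell
# Added example (not from the thread): audit which host names Outlook and
# Autodiscover clients use against the names on the IIS certificate of each
# Client Access Server. Assumes the Exchange 2010 Management Shell and
# read-only rights; it changes nothing.

function Test-NameCovered {
    # True if $Name is on the certificate, either exactly or through a
    # single-label wildcard (*.aaa.com covers cas01.aaa.com, not a.b.aaa.com).
    param([string]$Name, [string[]]$CertificateDomains)
    foreach ($d in $CertificateDomains) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                     # ".aaa.com"
            if ($Name.ToLower().EndsWith($suffix.ToLower())) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-UrlHost {
    # Lower-case host part of a URL, or nothing when the URL is not set.
    param($Url)
    if ($Url) { ([Uri]$Url.ToString()).Host.ToLower() }
}

$report = @()
foreach ($cas in Get-ClientAccessServer) {
    $names = @($cas.Fqdn.ToLower())                            # bare server FQDN
    $names += Get-UrlHost $cas.AutoDiscoverServiceInternalUri  # SCP Outlook reads from AD

    # Every virtual directory that carries an InternalUrl / ExternalUrl
    $vdirs = @(Get-WebServicesVirtualDirectory -Server $cas.Name) +
             @(Get-OabVirtualDirectory -Server $cas.Name) +
             @(Get-OwaVirtualDirectory -Server $cas.Name) +
             @(Get-EcpVirtualDirectory -Server $cas.Name) +
             @(Get-ActiveSyncVirtualDirectory -Server $cas.Name)
    foreach ($vd in $vdirs) {
        $names += Get-UrlHost $vd.InternalUrl
        $names += Get-UrlHost $vd.ExternalUrl
    }

    # Outlook Anywhere host name (only present when the feature is enabled)
    $oa = Get-OutlookAnywhere -Server $cas.Name -ErrorAction SilentlyContinue
    if ($oa) { $names += $oa.ExternalHostname.ToString().ToLower() }

    # CAS array FQDN, the name MAPI/RPC clients are pointed at
    $names += Get-ClientAccessArray | ForEach-Object { $_.Fqdn.ToLower() }

    $names = $names | Where-Object { $_ } | Sort-Object -Unique

    # The certificate IIS actually serves on this CAS
    $cert = Get-ExchangeCertificate -Server $cas.Name |
            Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { Write-Warning "$($cas.Name): no certificate enabled for IIS"; continue }

    foreach ($n in $names) {
        $report += New-Object PSObject -Property @{
            Server     = $cas.Name
            HostName   = $n
            Thumbprint = $cert.Thumbprint
            Covered    = Test-NameCovered -Name $n -CertificateDomains $cert.CertificateDomains
        }
    }
}

# Rows with Covered = False are the names that trigger Outlook's certificate warning
$report | Sort-Object Server, Covered, HostName |
    Format-Table Server, HostName, Covered, Thumbprint -AutoSize
```

Each uncovered row is a name you either add to the certificate's SAN list or remove from the configuration by pointing that URL at a name the certificate already carries; either fix silences the prompt, and the script can be re-run afterwards to confirm nothing was missed.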
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38319574
In Exchange 2010 Outlook users connect to the CAS server; in 2007 users connect to the mailbox server.

Create a new certificate for the FQDN that you get the certificate error for.

To create the certificate, please follow this URL:

http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38319715
Simply put, the problem is that your Exchange URLs are set to servername.domain.local and that name is not added to your certificate.

However, to be able to give an accurate answer there are two questions that need to be asked:

1. Is your internal (Active Directory) domain the same as your external (email/OWA) domain?

2. Are you using a public (paid-for) certificate or an internal one from an internal CA?
0
 

Author Comment

by:nivasnet
ID: 38319724
No, our internal domain name is aaaa.com; external users use aaaa.net.
No, we are not using a paid certificate, an internal certificate only.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 400 total points
ID: 38319731
In that case the easiest way is to issue the Exchange certificate again and add servername.aaa.com (the internal name of the server) to the Subject Alternative Names (SAN) of the certificate.
0
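The re-issue Akhater describes, as an added example that is not his code or anything else from this thread: it requests a single certificate whose SAN list carries both the public names and the internal CAS name, then imports and binds the issued certificate to IIS. It uses the Exchange 2010 cmdlets New-ExchangeCertificate, Import-ExchangeCertificate and Enable-ExchangeCertificate; the host names, organisation and file paths are placeholders built from the domains mentioned in the question, and the CA itself (internal, as the asker uses) is outside the script.

```powershell
# Added example, not code from the thread. Re-issues the CAS certificate with
# the internal server name as a Subject Alternative Name, so one certificate
# covers the public names (aaa.net) and the internal name (aaa.com).
# All host names, the organisation and the file paths are placeholders.
# Runs in the Exchange 2010 Management Shell against the CAS.

$casFqdn  = 'casserver.aaa.com'            # placeholder: internal FQDN of the CAS
$sanNames = @(
    'webmail.aaa.net',                     # OWA / EWS / OAB public name
    'autodiscover.aaa.net',                # Autodiscover for external clients
    $casFqdn                               # name Outlook sees via InternalUrls / SCP
    # add the CAS array FQDN here as well if one exists
)
$reqPath = 'C:\certreq\exchange.req'       # placeholder: request file for the CA
$cerPath = 'C:\certreq\exchange.cer'       # placeholder: certificate returned by the CA

if (-not (Test-Path $cerPath)) {
    # Step 1: build a PKCS#10 request. The CN comes from -SubjectName; every
    # entry in -DomainName lands in the SAN extension, which is what Outlook checks.
    $request = New-ExchangeCertificate -Server $casFqdn -GenerateRequest `
        -SubjectName 'CN=webmail.aaa.net, O=Example Org, C=US' `
        -DomainName $sanNames -KeySize 2048 -PrivateKeyExportable $true `
        -FriendlyName 'Exchange 2010 CAS'
    New-Item -ItemType Directory -Path (Split-Path $reqPath) -Force | Out-Null
    Set-Content -Path $reqPath -Value $request
    Write-Host "Request written to $reqPath. Submit it to the CA, save the result as $cerPath and re-run."
}
else {
    # Step 2: import the issued certificate on the same server (it pairs with the
    # pending request's private key) and bind it to IIS. SMTP keeps its current
    # certificate unless SMTP is added to -Services.
    $bytes = [System.IO.File]::ReadAllBytes($cerPath)
    $cert  = Import-ExchangeCertificate -Server $casFqdn -FileData $bytes
    Enable-ExchangeCertificate -Server $casFqdn -Thumbprint $cert.Thumbprint -Services IIS
    Get-ExchangeCertificate -Server $casFqdn -Thumbprint $cert.Thumbprint |
        Format-List Subject, CertificateDomains, Services, NotAfter
}
```

The script is run twice: once to produce the request, and again after the CA has issued the certificate. Because the asker's CA is internal, the clients only trust the result if they trust that CA's root, which domain-joined machines normally get through Active Directory; the final Get-ExchangeCertificate output shows the SAN list you should compare against the names Outlook presents.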
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 38319764
Internal certificate names:

webmail.domain.net
autodiscover.domain.net
legacy.domain.net (if needed)
casserver.domain.com (internal name)
0
 

Author Comment

by:nivasnet
ID: 38320564
Apart from the certificate, do I need to create an "autodiscover" record with the IP address in DNS and an SCP entry in Active Directory also?
Please advise me.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38320581
There is no reason for an internal Autodiscover record, and the SCP is created automatically.
0
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 38320610
You only need Autodiscover in DNS if you're using mobile devices connected internally via Wi-Fi.
0
 

Author Comment

by:nivasnet
ID: 38320612
OK, thank you very much. What about the Autodiscover entry in DNS?
0
 
LVL 15

Expert Comment

by:Antonio Vargas
ID: 38320630
Only on the external DNS. Internal DNS only needs an autodiscover record if you're using mobile devices internally.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38320637
As I previously told you, since your internal and external domains are different, creating an Autodiscover record internally is useless.
0
 
LVL 18

Accepted Solution

by:Sushil Sonawane
Sushil Sonawane earned 1000 total points
ID: 38323241
If you want to use Autodiscover internally there is no need to create a DNS entry on the local DNS server. If you created a DNS entry, it's good.

If external network users also want to use the Autodiscover function then you have to create an autodiscover entry on the external (public) DNS server.

OR

If you have installed a certificate for the internal URL and want to use the Autodiscover function internally, then instead of creating an autodiscover certificate you can also change the Autodiscover URL name using the following commands.

Set-ClientAccessServer -Identity "fcnts60bdc11" -AutodiscoverServiceInternalURI https://mail.aaa.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "fcnts60bdc11\EWS (Default Web Site)" -InternalUrl https://mail.aaa.local/EWS/Exchange.asmx

Set-OABVirtualDirectory -Identity "fcnts60bdc11\OAB (Default Web Site)" -InternalURL https://mail.aaa.local/oab
0
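The accepted solution changes three internal URLs on one server by hand. The added script below, which is not from this thread or any of its posters, generalises that approach: it points every client-facing InternalUrl on every Client Access Server (Autodiscover SCP, EWS and OAB as above, plus OWA, ECP and ActiveSync) at one host name that is on the certificate, and reads the values back. `$internalHost` is a placeholder built from the asker's internal domain; for this to work it must be a SAN on the IIS certificate and resolve in internal DNS to the CAS or CAS array. The default `$apply = $false` runs every Set- cmdlet with -WhatIf so you see the changes before making them.

```powershell
# Added example (not from the thread): apply one certificate-covered host name
# to every internal URL on every CAS, then read the configuration back.
# Runs in the Exchange 2010 Management Shell with Organization Management rights.

$internalHost = 'mail.aaa.com'   # placeholder: must be a SAN on the IIS cert and resolve internally
$apply        = $false           # $false = -WhatIf dry run, $true = make the changes
$wi = @{ WhatIf = (-not $apply) }

foreach ($cas in Get-ClientAccessServer) {
    $s = $cas.Name

    # Autodiscover SCP that domain-joined Outlook reads from Active Directory
    Set-ClientAccessServer -Identity $s `
        -AutoDiscoverServiceInternalUri "https://$internalHost/Autodiscover/Autodiscover.xml" @wi

    # The two virtual directories the accepted solution also covers
    Get-WebServicesVirtualDirectory -Server $s |
        Set-WebServicesVirtualDirectory -InternalUrl "https://$internalHost/EWS/Exchange.asmx" @wi
    Get-OabVirtualDirectory -Server $s |
        Set-OabVirtualDirectory -InternalUrl "https://$internalHost/OAB" @wi

    # The ones OWA, ECP and ActiveSync clients use when connected internally
    Get-OwaVirtualDirectory -Server $s |
        Set-OwaVirtualDirectory -InternalUrl "https://$internalHost/owa" @wi
    Get-EcpVirtualDirectory -Server $s |
        Set-EcpVirtualDirectory -InternalUrl "https://$internalHost/ecp" @wi
    Get-ActiveSyncVirtualDirectory -Server $s |
        Set-ActiveSyncVirtualDirectory -InternalUrl "https://$internalHost/Microsoft-Server-ActiveSync" @wi
}

# Read back: after an applied run every InternalUrl should carry $internalHost
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
@(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-OwaVirtualDirectory) +
@(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) |
    Format-Table Identity, InternalUrl -AutoSize
```

Outlook picks the new URLs up on its next Autodiscover refresh, so existing clients may keep the old values for a short while after an applied run. Note that this route leaves the bare server FQDN off the certificate on purpose: it only works if no client is still sent to that name, which is why the read-back at the end matters.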
