
Internal outlook users getting certificate error

Dear all,
We have Exchange Server 2010, with mailbox and hub transport in one box and the CAS on another box. Everything looks fine and external users are using OWA, but internal users get a certificate error every time; Outlook is pointing to the CAS server.
My question is how to avoid the certificate error for internal users. Is it normal for Outlook to point to the CAS server? Because I heard users will connect to the mailbox server.
Please assist me ASAP.
3 Solutions
 
MAS (MVE), Technical Department Head, commented:
Did you add your mailbox server FQDN in your certificate?
Do you have autodiscover.domain.com in your certificate?
 
Antonio Vargas, Microsoft Senior Cloud Consultant, commented:
With Exchange 2010, Outlook users connect to the CAS server. With Exchange 2007 they connect to the mailbox server.

You need the following names on the external certificate:

webmail.domain.com
autodiscover.domain.com
legacy.domain.com (optional, for coexistence)

On the INTERNAL certificate, or on the external one if you're using only one, you also need:

casserver.domain.local (the CAS internal FQDN, as that is where the client connects)
You need one per CAS, and if you have a CAS array you also need its name there.

Now you have two options: use only one certificate, external and public, with all the above names; or use two certificates, one internal and one external. The internal one should have all the names and the external one only the names stated above. I'll recommend using only one.
 
Sushil Sonawane commented:
In Exchange 2010 Outlook users connect to the CAS server, and in 2007 users connect to the mailbox server.

Create a new certificate for the FQDN for which you get the certificate error.

To create the certificate, please follow the following URL:

(http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010)
 
Akhater commented:
Simply put, the problem is that your Exchange URLs are set to servername.domain.local and that name is not added to your certificate.

However, to be able to give an accurate answer there are 2 questions that need to be asked:

1. Is your internal (Active Directory) domain the same as your external (email/OWA) domain?

2. Are you using a public (paid for) certificate or an internal one from an internal CA?
 
nivasnet (Author) commented:
No, our internal domain name is aaaa.com; external users use aaaa.net.
No, we are not using a paid certificate, an internal certificate only.
 
Akhater commented:
In that case the easiest way is to issue the Exchange certificate again and add servername.aaa.com (the internal name of the server) to the Subject Alternative Names (SAN) of the certificate.
 
Antonio Vargas, Microsoft Senior Cloud Consultant, commented:
Internal certificate names:

webmail.domain.net
autodiscover.domain.net
legacy.domain.net (if needed)
casserver.domain.com (internal name)
 
nivasnet (Author) commented:
Apart from the certificate, do I need to create an "autodiscover" record (IP address) in DNS and an SCP entry in Active Directory as well?
Please advise me.
 
Akhater commented:
There is no reason for an internal autodiscover record, and the SCP is created automatically.
 
Antonio Vargas, Microsoft Senior Cloud Consultant, commented:
You only need autodiscover if you're using mobile devices connected internally via Wi-Fi.
 
nivasnet (Author) commented:
OK, thank you very much. What about the autodiscover entry in DNS?
 
Antonio Vargas, Microsoft Senior Cloud Consultant, commented:
Only in the external DNS. Internal DNS only needs autodiscover if you're using mobile devices internally.
 
Akhater commented:
As I previously told you, since your internal and external domains are different, creating an autodiscover record internally is useless.
 
Sushil Sonawane commented:
If you want to use autodiscover internally, there is no need to create a DNS entry on the local DNS server. If you have created a DNS entry, that's fine.

If external network users also want to use the autodiscover function, then you have to create an autodiscover entry on the external (public) DNS server.

OR

If you have installed a certificate for the internal URL and want to use the autodiscover function internally, then instead of creating an autodiscover certificate you can also change the autodiscover URL name using the following commands.

Set-ClientAccessServer -Identity "fcnts60bdc11" -AutodiscoverServiceInternalURI https://mail.aaa.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "fcnts60bdc11\EWS (Default Web Site)" -InternalUrl https://mail.aaa.local/EWS/Exchange.asmx

Set-OABVirtualDirectory -Identity "fcnts60bdc11\OAB (Default Web Site)" -InternalURL https://mail.aaa.local/oab
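As an added check (not part of the thread or of Exchange itself), the following Exchange Management Shell script lists every host name an internal Outlook client will contact on a 2010 CAS (internal URLs, the CAS FQDN, any CAS array) and reports which of them are missing from the certificate bound to IIS. The server name defaults to the local machine; the cmdlet and property names are the standard Exchange 2010 ones.

```powershell
# Added example: compare internal Exchange 2010 client URLs against the IIS certificate SANs.
param([string]$Server = $env:COMPUTERNAME)

# Collect the internal URLs Outlook/Autodiscover use on this CAS (placeholders: none, read live).
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-OABVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-OwaVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-EcpVirtualDirectory -Server $Server).InternalUrl
$urls += (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
[string[]]$hosts = @($urls | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() })

# RPC/MAPI clients also contact the CAS FQDN itself and any CAS array name.
$hosts += ([System.Net.Dns]::GetHostEntry($Server).HostName).ToLower()
$hosts += @(Get-ClientAccessArray | ForEach-Object { $_.Fqdn.ToLower() })
$hosts = $hosts | Sort-Object -Unique

# The certificate assigned to the IIS service is the one Outlook and Autodiscover validate.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
[string[]]$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToLower() })

function Test-NameCovered([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard SAN (*.example.com) matches exactly one left-most label.
        if ($d.StartsWith('*.')) {
            $pattern = '^[^.]+' + [regex]::Escape($d.Substring(1)) + '$'
            if ($Name -match $pattern) { return $true }
        }
    }
    return $false
}

"Certificate bound to IIS: $($cert.Thumbprint) (expires $($cert.NotAfter))"
"Subject Alternative Names: $($sans -join ', ')"
foreach ($h in $hosts) {
    $state = if (Test-NameCovered $h $sans) { 'OK      ' } else { 'MISSING ' }
    "$state$h"
}
```

Every line marked MISSING is a name that must either be added to the certificate's SANs (as the answers above suggest) or removed from the client URLs with the Set-*VirtualDirectory and Set-ClientAccessServer commands shown in the last answer.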