Using Multiple Certificates for Exchange/Outlook
Background:
Exchange 2007 running on Server 2003 R2 X64 with IIS 6
- purchased SAN/UCC Certificate for 3 years
The Problem:
LAN users with Outlook 2010 are complaining about a certificate error every time they open Outlook:
"The name of the security certificate is invalid or does not match the name of the site"
LAN domain is exchange.domain.local
WAN domain is exchange.domain.com
The exchange server is on the LAN. Router uses port redirections to get to OWA on the exchange server - it does not have a public IP. There is no edge transport server.
Solution tried (but didn't work): http://support.microsoft.com/kb/940726
The issue started when Outlook was upgraded from 2003 to 2010. I purchased a new certificate from GoDaddy but I purchased a 3 year term certificate and discovered that you can no longer include .local addresses (no non-FQDN permitted) on any certificate that goes beyond November 1st 2015. This certificate will expire in January 2016.
The certificate is a SAN/UCC and includes autodiscover.domain.com, owa.domain.com, and the principle subject of exchange.domain.com.
Because of the above mentioned limitation, it does not include exchange.domain.local or autodiscover.domain.local,
In Exchange the certificate was assigned to all services - IIS, POP, IMAP, UM, SMTP
I have discovered that the assignment of the certificate to all the LAN systems appears to be via IIS. I have a self-signed certificate installed with the subject of exchange.domain.local and if it's present the Outlook client doesn't have a problem - it's happy with the certificate. Unfortunately this messes up OWA - it works but there's always a problem with the certificate because the domain doesn't match. This rather defeats the purpose purchasing a certificate.
I configured DNS with the primary domain of exchange.domain.com and set an A records to point to the Exchange server.
I reset the Internal and External URL's as described in the Microsoft article (listed above) for the CAS server to point to exchange.domain.com.
I also deployed the certificates (both of them) to all workstations using a GPO.
Nothing seems to help - Outlook 2010 always looks at the local domain name of the server and cannot accept the public name on the certificate.
Any help would be appreciated.
Exchange 2007 running on Server 2003 R2 X64 with IIS 6
- purchased SAN/UCC Certificate for 3 years
The Problem:
LAN users with Outlook 2010 are complaining about a certificate error every time they open Outlook:
"The name of the security certificate is invalid or does not match the name of the site"
LAN domain is exchange.domain.local
WAN domain is exchange.domain.com
The exchange server is on the LAN. Router uses port redirections to get to OWA on the exchange server - it does not have a public IP. There is no edge transport server.
Solution tried (but didn't work): http://support.microsoft.com/kb/940726
The issue started when Outlook was upgraded from 2003 to 2010. I purchased a new certificate from GoDaddy but I purchased a 3 year term certificate and discovered that you can no longer include .local addresses (no non-FQDN permitted) on any certificate that goes beyond November 1st 2015. This certificate will expire in January 2016.
The certificate is a SAN/UCC and includes autodiscover.domain.com, owa.domain.com, and the principle subject of exchange.domain.com.
Because of the above mentioned limitation, it does not include exchange.domain.local or autodiscover.domain.local,
In Exchange the certificate was assigned to all services - IIS, POP, IMAP, UM, SMTP
I have discovered that the assignment of the certificate to all the LAN systems appears to be via IIS. I have a self-signed certificate installed with the subject of exchange.domain.local and if it's present the Outlook client doesn't have a problem - it's happy with the certificate. Unfortunately this messes up OWA - it works but there's always a problem with the certificate because the domain doesn't match. This rather defeats the purpose purchasing a certificate.
I configured DNS with the primary domain of exchange.domain.com and set an A records to point to the Exchange server.
I reset the Internal and External URL's as described in the Microsoft article (listed above) for the CAS server to point to exchange.domain.com.
I also deployed the certificates (both of them) to all workstations using a GPO.
Nothing seems to help - Outlook 2010 always looks at the local domain name of the server and cannot accept the public name on the certificate.
Any help would be appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Looks like I was on the right track all along. The KB article didn't mention the Microsoft-Server-ActiveSyn
I also reviewed the site Sembee2 posted. Excellent tutorial and I really liked the script included at the bottom. Typing in Exchange cmdlet commands are ridiculous on a wrapping DOS window. I didn't find the Fig. 4 ECP reference but I think that's for Exchange 2010. Either way I didn't need it.
The problem persists on existing client workstations. I tested by setting up a new profile on an existing workstation. Autodiscover picked up the settings and created the profile without incident. After 5 minutes I still hadn't seen the certificate error.
I then went to a client workstation where the user was already set up. Closed and re-opened Outlook and it connects fine but after about 30 seconds the error about the invalid certificate pops up. I closed Outlook, nuked the profile, re-opened and generated a new profile created by Autodiscover for this user. Outlook generated a new OST and downloaded all the mail to the workstation without once complaining about the certificate.
I tried again on another workstation and the same results.
So unless someone has an idea about how to force Outlook to update without having to nuke and rebuild every Outlook profile that looks like what's going to have to happen.
I also reviewed the site Sembee2 posted. Excellent tutorial and I really liked the script included at the bottom. Typing in Exchange cmdlet commands are ridiculous on a wrapping DOS window. I didn't find the Fig. 4 ECP reference but I think that's for Exchange 2010. Either way I didn't need it.
The problem persists on existing client workstations. I tested by setting up a new profile on an existing workstation. Autodiscover picked up the settings and created the profile without incident. After 5 minutes I still hadn't seen the certificate error.
I then went to a client workstation where the user was already set up. Closed and re-opened Outlook and it connects fine but after about 30 seconds the error about the invalid certificate pops up. I closed Outlook, nuked the profile, re-opened and generated a new profile created by Autodiscover for this user. Outlook generated a new OST and downloaded all the mail to the workstation without once complaining about the certificate.
I tried again on another workstation and the same results.
So unless someone has an idea about how to force Outlook to update without having to nuke and rebuild every Outlook profile that looks like what's going to have to happen.
ASKER
Sembee2: Sorry I missed the testing at the bottom of your page.
--
Testing
To test the configuration, use Outlook 2007 or 2010 on a workstation.
Start Outlook 2007/2010 and wait for it to connect.
Then hold down CTRL and right click on the Outlook icon in the system tray next to your clock. Choose "Test Email AutoConfiguration…" Then select the option to test the configuration.
Should you have everything configured correctly, then all of the URLs should appear as your external certificate name and you do not get any certificate prompts.
--
I will test and see if this forces Outlook to update.
--
Testing
To test the configuration, use Outlook 2007 or 2010 on a workstation.
Start Outlook 2007/2010 and wait for it to connect.
Then hold down CTRL and right click on the Outlook icon in the system tray next to your clock. Choose "Test Email AutoConfiguration…" Then select the option to test the configuration.
Should you have everything configured correctly, then all of the URLs should appear as your external certificate name and you do not get any certificate prompts.
--
I will test and see if this forces Outlook to update.
ASKER
So far I've tested on two systems and both give the same error:
"autoconfiguration was unable to determine your settings"
Yet when I wipe a profile from a system and then create a new one I no longer get the certificate error.
More than halfway there - but this would be nice to resolve completely. Any suggestions?
"autoconfiguration was unable to determine your settings"
Yet when I wipe a profile from a system and then create a new one I no longer get the certificate error.
More than halfway there - but this would be nice to resolve completely. Any suggestions?
ASKER
Well I'm out of time for this so the only process left is to remove everyone's profile and re-add it to Outlook. It resolves the issue which is what I needed most.
Points to both of you for the excellent suggestions and new material. Thanks much.
Points to both of you for the excellent suggestions and new material. Thanks much.
ASKER
Split points - first for speed and providing excellent information second for still a quick response and a more complete tutorial including testing the configuration which is a tool I wasn't aware of before.
ASKER
The KB from Microsoft does say to "Recycle" the AppPool for an Exchange service and to run "iisreset /noforce" which I have done. However, I'll try the applet commands from the article you posted and see what happens. I'll let you know...