Solved

Exchange 2013 - certificate warning for local outlook clients

Posted on 2013-05-15
5
5,606 Views
Last Modified: 2013-05-23
I've just finished setting up a Microsoft Exchange 2013 environment. We have two servers in two different sites, each site has a domain controller and an exchange server.

We're doing the "internal URL set to the same as the external URL" style of making our SSL certificate work.

The exchange servers are internally known as:

exchangeA.mycompany.local
exchangeB.mycompany.local

And externally, they are known as:

siteA.mycompany.com
siteB.mycompany.com

So on my Internal DNS, I created a zone for "mycompany.com", and set up the records accordingly

siteA.mycompany.com   -->   [[local IP of exchangeA.mycompany.local]]
siteB.mycompany.com   -->   [[local IP of exchangeA.mycompany.local]]

And on my external DNS server (e.g. my web hosting provider), I set up the records:

siteA.mycompany.com   -->   [[WAN IP address of site A's router]]
siteB.mycompany.com   -->   [[WAN IP address of site B's router]]

I also updated the InternalURL / ExternalURL for all virtual directories in the Exchange Administration Center / EAC.

Everything is ALMOST working. Smartphones, Outlook from OUTSIDE the office, and Web access all work fine.

What's not working is regular Outlook clients on the local network:

When I am INSIDE the company on the local network, and I attempt to connect a Microsoft Outlook client to Exchange, I get a certificate warning. It appears Outlook is auto-discovering the "exchangeA.mycompany.local" internal name, instead of the "SiteA.mycompany.com" external name.

The outlook client still works if I push past that warning... but it pops up every time you open Outlook and is incredibly annoying.

certificate warning for local outlook clients
Did I miss something?
0
Comment
Question by:Frosty555
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 11

Assisted Solution

by:Marc Dekeyser
Marc Dekeyser earned 500 total points
ID: 39170502
Yes,

Autodiscover internally uses SCPs in AD to discover the exchange servers. Best bet is to created a CAS array with round robin DNS (even if you have only one server) per site and name that the same as your external access records.

That should resokve your cert warnings
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 39170612
i would also change how you have the DNS zones setup

create full pinpoint zones for then so you would have a zone called sitea.mycompany.com with a single A record in there
0
 
LVL 31

Author Comment

by:Frosty555
ID: 39173539
Geminon - you lost me... I do have two Exchange servers both of them are holding the Client Access role. AFAIK CAS Arrays do not exist in Exchange 2013 anymore (see: http://www.vmhosts.co.uk/load-balancing-cas-servers-in-exchange-2013/)

Round-robin DNS is a new concept to me... and where are these SCP records? I didn't see them anywhere in DNSMGMT.MSC on my domain controller

How exactly do you think my DNS records should be configured?

One other thing I should mention is that I do have a third hostname  "mail.mycompany.com", which is currently pointing to the same IP address as "sitea.mycompany.com" both internally and externally, but I didn't think it was really relevant. "mail.mycompany.com" is where the employees go when they want to access the webmail remotely. It is also named on the SSL certificate

The SSL cert names these hostnames:

sitea.mycompany.com
siteb.mycompany.com
mail.mycompany.com
autodiscover.mycompany.com
mycompany.com
0
 
LVL 31

Accepted Solution

by:
Frosty555 earned 0 total points
ID: 39177520
Okay I figured it out.

Geminon - you were right that the Autodiscover service getting the wrong hostname from the SCP records were configured, but you didn't give me enough information to know what to DO about it. In particular - SCP records are stored in Active Directory, not DNS.

This technet article pointed me in the right direction:

http://blogs.technet.com/b/exchdxb/archive/2012/05/10/troublshooting-autodiscover-exchange-2007-2010.aspx

I needed to go into Active Directory Sites and Services->Services->Microsoft Exchange->First Organization->Administrative Group->Servers->[[EXCHANGEA or EXCHANGEB]]->Protocols->Autodiscover->[[EXCHANGEA or EXHCANGEB]], and update the "serviceBindingInformation" attribute with the correct external hostname as named on the SSL certificate.

If there was a way to do this from the GUI, I wasn't able to find it.

After that, Outlook worked properly.
0
 
LVL 31

Author Closing Comment

by:Frosty555
ID: 39190266
Pointed me in the right direction
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
In-place Upgrading Dirsync to Azure AD Connect
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question