Solved

Outlook security alert with new SSL certificate - help

Posted on 2013-06-11
Last Modified: 2013-06-17
Hi,
We have renewed our OWA certificate with GoDaddy. At renewal we were forced to remove the local FQDN names (example: hostname.domain.local) of the 2 Exchange 2010 servers that we have in a cluster.
We installed the certificate on the TMG 2010 Forefront server for OWA. External access is working as expected with the renewed certificate; however, internally we receive a security alert from Outlook (screenshot attached), referencing the FQDN of the Exchange server and telling us the NAME of the security certificate does not match the name of the site. When we click on "view certificate", we see it pointing to the GoDaddy certificate we just renewed.

Do we need to install the certificate on Exchange? If so, on both servers in the cluster? Or is it only to be installed on the Forefront server?

We have removed the local domains - what do we do now?
outlook.jpg
Question by:MongolianNoseFlute
8 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39237611
Yes, the certificate should be installed on your Client Access Server(s).

There is a great step by step guide at
Part 1 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa.html
Part 2 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa_07.html
 

Author Comment

by:MongolianNoseFlute
ID: 39237786
Thank you - we tried adding the certificate to the Client Access Servers but still receive that security alert. Any ideas? It seems to be the same with or without the cert.
Is this something to do with autodiscover?
 
LVL 20

Expert Comment

by:Lazarus
ID: 39238488
Autodiscover should be in your SSL, is it?
 
LVL 3

Expert Comment

by:rafter81
ID: 39240662
It's looking up your .local name. You said you removed that from your certificate, therefore you wouldn't have a name match on the cert, because the .local name is removed. Your client needs to reference whatever name(s) you have in your certificate.

P.S. What roles have you assigned the new certificate to in Exchange?
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee) earned 500 total points
ID: 39240894
I bet this is the classic Internal Autodiscover value.

get-clientaccessserver | select identity, AutoDiscoverServiceInternalUri

The host name should be on the SSL certificate; it will be the internal server name by default.
You need a split DNS so the external name resolves internally and then change the values in Exchange.

http://semb.ee/hostnames

Simon.
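To see the problem Simon describes before changing anything, the check below (an added example, not Simon's script or anything from the thread) lists every host name Exchange 2010 hands to Outlook and reports which of them are missing from the certificate bound to IIS and which do not resolve in internal DNS. It assumes it is run in the Exchange Management Shell on a Client Access Server; the cmdlets and property names are the standard Exchange 2010 ones.

```powershell
# Added example: report Outlook-facing host names that the IIS certificate does not cover.
# Run from the Exchange Management Shell on an Exchange 2010 CAS.

# Collect the URLs Outlook discovers: Autodiscover SCP, EWS, OAB, OWA and ActiveSync
$urls = @()
Get-ClientAccessServer         | ForEach-Object { $urls += $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory | ForEach-Object { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
Get-OabVirtualDirectory        | ForEach-Object { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
Get-OwaVirtualDirectory        | ForEach-Object { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
Get-ActiveSyncVirtualDirectory | ForEach-Object { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }

# Reduce to the distinct host names Outlook will validate the certificate against
$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([Uri]$_).Host.ToLower() } |
    Sort-Object -Unique

# Subject/SAN names on the certificate(s) assigned to the IIS service
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-NameCovered([string]$name, [string[]]$sans) {
    # Exact SAN match, or a wildcard SAN that covers exactly one extra label
    foreach ($san in $sans) {
        if ($san -eq $name) { return $true }
        if ($san.StartsWith("*.") -and ($name -like $san) -and
            ($name.Split(".").Count -eq $san.Split(".").Count)) { return $true }
    }
    return $false
}

foreach ($h in $hosts) {
    $covered = Test-NameCovered $h $certNames
    # Split-DNS check: the public name must also resolve from inside the network
    try   { $ip = ([System.Net.Dns]::GetHostAddresses($h) | Select-Object -First 1).IPAddressToString }
    catch { $ip = "UNRESOLVED" }
    "{0,-45} cert: {1,-8} resolves: {2}" -f $h, $(if ($covered) { "OK" } else { "MISSING" }), $ip
}
```

A line reporting MISSING for a .local name is the exact mismatch behind the Outlook alert; UNRESOLVED against the public name means split DNS is not in place yet and the URL changes will break clients.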
 

Author Comment

by:MongolianNoseFlute
ID: 39251483
Hi Simon,

this is very useful information in the link you provided.
Unfortunately, after applying all the changes to the URLs with the commands below, everything just stopped working, including external access to OWA.

This is what we ran:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://owa.name.com/autodiscover/autodiscover.xml

and

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

Everything went back to normal after reverting all changes and setting the External URL back to -ExternalUrl https://servername.domain.local/ews/exchange.asmx

Any ideas?
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39252932
Define not working?
The changes to the URLs are what are required, but you do need to ensure that you have both the internal and external DNS setup correctly.
The script on my web page is something I use three or four times a week, without any issues, so that would tend to indicate the problem is elsewhere.

Simon.
 

Author Comment

by:MongolianNoseFlute
ID: 39253539
Hi Simon,

I have tried again but this time without changing -ExternalUrl

This time all works well, no more cert security alert!!! :)

Unfortunately, now some users are getting a different pop-up.
“Outlook is attempting to connect to xxx.xxx@xxx.com If your password has changed, it may need to be re-entered. Click here to re-enter your password.”

When users click on this message nothing happens, they have not changed their password.

Any idea on this?

Michal
popup.jpg