Solved

Outlook security alert with new SSL certificate - help

Posted on 2013-06-11
Last Modified: 2013-06-17
Hi,
We have renewed our OWA certificate with GoDaddy. At renewal we were forced to remove the local FQDN names (example: hostname.domain.local) of the 2 Exchange 2010 servers that we have in a cluster.
We installed the certificate on the TMG 2010 Forefront server for OWA. External access is working as expected with the renewed certificate; however, internally we receive a security alert from Outlook (screenshot attached), referencing the FQDN of the Exchange server, telling us the NAME of the security certificate does not match the name of the site. When we click on "view certificate" we see it pointing to the GoDaddy certificate we just renewed.

Do we need to install the certificate on Exchange? If so, on both servers in the cluster? Or is it only to be installed on the Forefront server?

We have removed the local domain names. What do we do now?
outlook.jpg
Question by:MongolianNoseFlute
8 Comments
LVL 9

Expert Comment

by:David Carr
ID: 39237611
Yes, the certificate should be installed on your Client Access Server(s).

There is a great step by step guide at
Part 1 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa.html
Part 2 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa_07.html

Author Comment

by:MongolianNoseFlute
ID: 39237786
Thank you. We tried adding the certificate to the Client Access Servers but still receive that security alert. Any ideas? It seems to be the same with or without the cert.
Is this something to do with autodiscover?
LVL 20

Expert Comment

by:Lazarus
ID: 39238488
Autodiscover should be in your SSL, is it?
LVL 3

Expert Comment

by:rafter81
ID: 39240662
It's looking up your .local name. You said you removed that from your certificate; therefore you wouldn't have a name match on the cert, because the .local name is removed. Your client needs to reference whatever name(s) you have in your certificate.

P.S. What roles have you assigned the new certificate to in Exchange?
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
ID: 39240894
I bet this is the classic Internal Autodiscover value.

Get-ClientAccessServer | Select-Object Identity, AutoDiscoverServiceInternalUri

The host name should be on the SSL certificate; it will be the internal server name by default.
You need split DNS so the external name resolves internally, and then change the values in Exchange.

http://semb.ee/hostnames

Simon.
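A check for the mismatch Simon describes, added here as an example and not code from the thread or from Sembee's script: it lists every URL Exchange hands to Outlook, tests each host name against the names on the certificate bound to IIS, and tests whether that name resolves from inside the network. It assumes the Exchange 2010 Management Shell on a Client Access Server.

```powershell
# Added example, not from the thread: list the URLs Exchange gives Outlook,
# check each host name against the IIS-bound certificate and internal DNS.
# Assumes the Exchange 2010 Management Shell on a Client Access Server.

function Add-Url($list, $source, $url) {
    if ($url) {
        $list.Add((New-Object PSObject -Property @{ Source = $source; Url = [string]$url })) | Out-Null
    }
}

$urls = New-Object System.Collections.ArrayList
foreach ($cas in Get-ClientAccessServer) {
    Add-Url $urls "$($cas.Identity) Autodiscover" $cas.AutoDiscoverServiceInternalUri
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
         @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
foreach ($vd in $vdirs) {
    Add-Url $urls "$($vd.Identity) InternalUrl" $vd.InternalUrl
    Add-Url $urls "$($vd.Identity) ExternalUrl" $vd.ExternalUrl
}

# Names on the certificate(s) assigned to IIS, i.e. the one Outlook and OWA are shown
$certNames = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() }

function Test-NameOnCert($hostName, $names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        # a wildcard such as *.name.com covers exactly one extra label
        if ($n.StartsWith('*.') -and ($hostName -like $n) -and
            ($hostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$results = foreach ($u in $urls) {
    $hostName = ([System.Uri]$u.Url).Host.ToLower()
    try   { $resolves = [bool]([System.Net.Dns]::GetHostAddresses($hostName)) }
    catch { $resolves = $false }
    New-Object PSObject -Property @{
        Source   = $u.Source
        Host     = $hostName
        OnCert   = (Test-NameOnCert $hostName $certNames)  # False: "name does not match" alert
        Resolves = $resolves                                # False: split DNS missing internally
    }
}
$results | Format-Table Source, Host, OnCert, Resolves -AutoSize
```

Any row with OnCert False is a URL Outlook will raise the certificate alert for; any row with Resolves False is a name the internal DNS must be given before the URLs are changed.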

Author Comment

by:MongolianNoseFlute
ID: 39251483
Hi Simon,

This is very useful information in the link you provided.
Unfortunately, after applying all the changes to the URLs with the commands below, everything just stopped working, including external access to OWA.

This is what we ran:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://owa.name.com/autodiscover/autodiscover.xml

and

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

Everything is back to normal after reverting all the changes and setting the ExternalUrl back to -ExternalUrl https://servername.domain.local/ews/exchange.asmx

Any ideas?
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39252932
Define "not working"?
The changes to the URLs are what is required, but you do need to ensure that you have both the internal and external DNS set up correctly.
The script on my web page is something I use three or four times a week without any issues, so that would tend to indicate the problem is elsewhere.

Simon.

Author Comment

by:MongolianNoseFlute
ID: 39253539
Hi Simon,

I have tried again, but this time without changing -ExternalUrl.

This time all works well, no more cert security alert!!! :)

Unfortunately, now some users are getting a different pop-up:
"Outlook is attempting to connect to xxx.xxx@xxx.com. If your password has changed, it may need to be re-entered. Click here to re-enter your password."

When users click on this message nothing happens; they have not changed their password.

Any idea on this?

Michal
popup.jpg