?
Solved

Outlook security alert with new SSL certificate - help

Posted on 2013-06-11
8
Medium Priority
?
1,761 Views
Last Modified: 2013-06-17
Hi,
We have renewed our owa certificate with godaddy. At renewal we were forced to remove the local fqdn names (example: hostname.domain.local) of the 2 exchange 2010 servers that we have in a cluster.
We installed the certificate on TMG 2010 Forefront server for OWA. External access is working as expected with the renewed certificate however, internally we receive a security alert from outlook (screenshot attached), referencing the fqdn of the exchange server telling us the NAME of the security certificate does not match the name of the site. When we click on "view certificate" we see it pointing to the godaddy certificate we just renewed.

Do we need to install the certificate on Exchange? if so on both servers in the cluster? or is to only be installed on the forefront server?

We have removed the local domains - what do we do now?
outlook.jpg
0
Comment
Question by:MongolianNoseFlute
8 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39237611
Yes the certificate should be installed on your Client Access Server(s).

There is a great step by step guide at
Part 1 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa.html
Part 2 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa_07.html
0
 

Author Comment

by:MongolianNoseFlute
ID: 39237786
Thank you - we tried adding the certificate to client access servers but still receive that security alert. any ideas? It seems to be the same with or without the cert.
Is this something to do with autodiscover?
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 39238488
Autodiscover should be in your SSL, is it?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
LVL 3

Expert Comment

by:rafter81
ID: 39240662
It's looking up your .local name, you said you removed that from your certificate - therefore you wouldn't have a name match on the cert - because the .local name is removed.  Your client needs to reference whatever name(s) you have in your certificate.

P.S. what roles have you assigned the new certificate too in exchange?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39240894
I bet this is the classic Internal Autodiscover value.

get-clientaccessserver | select identity, AutodiscoverInternalServiceURI

The host name should be on the SSL certificate, it will be the internal server name by default.
You need a split DNS so the external name resolves internally and then change the values in Exchange.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:MongolianNoseFlute
ID: 39251483
Hi Simon,

this is very useful information in the link you provided.
Unfortunately after all applying changes to URLs and commands below everything just stopped working including external access to OWA

this is what we ran:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://owa.name.com/autodiscover/autodiscover.xml

and

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx 

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

everything back to normal after reverting all changes back and External Url to -ExternalUrl https://servername.domain.local/ews/exchange.asmx

any ideas?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39252932
Define not working?
The changes to the URLs are what are required, but you do need to ensure that you have both the internal and external DNS setup correctly.
The script on my web page is something I use three or four times a week, without any issues, so that would tend to indicate the problem is elsewhere.

Simon.
0
 

Author Comment

by:MongolianNoseFlute
ID: 39253539
Hi Simon,

I have tried again but this time without changing –ExternalUrl

This time all works well, no more cert security alert!!! :)

Unfortunately, now some users getting different pop up.
“Outlook is attempting to connect to xxx.xxx@xxx.com If your password has changed, it may need to be re-entered. Click here to re-enter your password.”

When users click on this message nothing happens, they have not changed their password.

any idea on this?

Michal
popup.jpg
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
If you have come across a situation where you need to find some EDB mailbox recovery techniques, then here you will find the same. In this article, we will take you through three techniques using which you will be able to perform EDB recovery. You …
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question