?
Solved

Outlook security alert with new SSL certificate - help

Posted on 2013-06-11
8
Medium Priority
?
1,730 Views
Last Modified: 2013-06-17
Hi,
We have renewed our owa certificate with godaddy. At renewal we were forced to remove the local fqdn names (example: hostname.domain.local) of the 2 exchange 2010 servers that we have in a cluster.
We installed the certificate on TMG 2010 Forefront server for OWA. External access is working as expected with the renewed certificate however, internally we receive a security alert from outlook (screenshot attached), referencing the fqdn of the exchange server telling us the NAME of the security certificate does not match the name of the site. When we click on "view certificate" we see it pointing to the godaddy certificate we just renewed.

Do we need to install the certificate on Exchange? if so on both servers in the cluster? or is to only be installed on the forefront server?

We have removed the local domains - what do we do now?
outlook.jpg
0
Comment
Question by:MongolianNoseFlute
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39237611
Yes the certificate should be installed on your Client Access Server(s).

There is a great step by step guide at
Part 1 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa.html
Part 2 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa_07.html
0
 

Author Comment

by:MongolianNoseFlute
ID: 39237786
Thank you - we tried adding the certificate to client access servers but still receive that security alert. any ideas? It seems to be the same with or without the cert.
Is this something to do with autodiscover?
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 39238488
Autodiscover should be in your SSL, is it?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 3

Expert Comment

by:rafter81
ID: 39240662
It's looking up your .local name, you said you removed that from your certificate - therefore you wouldn't have a name match on the cert - because the .local name is removed.  Your client needs to reference whatever name(s) you have in your certificate.

P.S. what roles have you assigned the new certificate too in exchange?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39240894
I bet this is the classic Internal Autodiscover value.

get-clientaccessserver | select identity, AutodiscoverInternalServiceURI

The host name should be on the SSL certificate, it will be the internal server name by default.
You need a split DNS so the external name resolves internally and then change the values in Exchange.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:MongolianNoseFlute
ID: 39251483
Hi Simon,

this is very useful information in the link you provided.
Unfortunately after all applying changes to URLs and commands below everything just stopped working including external access to OWA

this is what we ran:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://owa.name.com/autodiscover/autodiscover.xml

and

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx 

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

everything back to normal after reverting all changes back and External Url to -ExternalUrl https://servername.domain.local/ews/exchange.asmx

any ideas?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39252932
Define not working?
The changes to the URLs are what are required, but you do need to ensure that you have both the internal and external DNS setup correctly.
The script on my web page is something I use three or four times a week, without any issues, so that would tend to indicate the problem is elsewhere.

Simon.
0
 

Author Comment

by:MongolianNoseFlute
ID: 39253539
Hi Simon,

I have tried again but this time without changing –ExternalUrl

This time all works well, no more cert security alert!!! :)

Unfortunately, now some users getting different pop up.
“Outlook is attempting to connect to xxx.xxx@xxx.com If your password has changed, it may need to be re-entered. Click here to re-enter your password.”

When users click on this message nothing happens, they have not changed their password.

any idea on this?

Michal
popup.jpg
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
In-place Upgrading Dirsync to Azure AD Connect
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question