Solved

Outlook security alert with new SSL certificate - help

Posted on 2013-06-11
Last Modified: 2013-06-17
Hi,
We have renewed our OWA certificate with GoDaddy. At renewal we were forced to remove the local FQDN names (example: hostname.domain.local) of the 2 Exchange 2010 servers that we have in a cluster.
We installed the certificate on the TMG 2010 Forefront server for OWA. External access is working as expected with the renewed certificate; however, internally we receive a security alert from Outlook (screenshot attached), referencing the FQDN of the Exchange server and telling us the NAME of the security certificate does not match the name of the site. When we click on "view certificate" we see it pointing to the GoDaddy certificate we just renewed.

Do we need to install the certificate on Exchange? If so, on both servers in the cluster? Or is it only to be installed on the Forefront server?

We have removed the local domains - what do we do now?
Question by:MongolianNoseFlute
8 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39237611
Yes, the certificate should be installed on your Client Access Server(s).

There is a great step-by-step guide at
Part 1 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa.html
Part 2 http://smtp25.blogspot.com/2010/01/assigning-ssl-certificate-for-owa_07.html
0
 

Author Comment

by:MongolianNoseFlute
ID: 39237786
Thank you - we tried adding the certificate to the client access servers but still receive that security alert. Any ideas? It seems to be the same with or without the cert.
Is this something to do with autodiscover?
0
 
LVL 20

Expert Comment

by:Lazarus
ID: 39238488
Autodiscover should be in your SSL, is it?
0

 
LVL 3

Expert Comment

by:rafter81
ID: 39240662
It's looking up your .local name, you said you removed that from your certificate - therefore you wouldn't have a name match on the cert - because the .local name is removed.  Your client needs to reference whatever name(s) you have in your certificate.

P.S. What roles have you assigned the new certificate to in Exchange?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39240894
I bet this is the classic Internal Autodiscover value.

Get-ClientAccessServer | Select-Object Identity, AutoDiscoverServiceInternalUri

The host name should be on the SSL certificate, it will be the internal server name by default.
You need a split DNS so the external name resolves internally and then change the values in Exchange.

http://semb.ee/hostnames

Simon.
0
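The check behind this answer is to compare the host in each internal service URL with the names on the renewed certificate. The following is an added example, not code from the thread or from Exchange; the function names are hypothetical and the certificate names and URLs are constructed sample values modelled on the placeholders used in this thread.

```powershell
# Added example. Compatible with PowerShell 2.0 (Exchange 2010 Management Shell).
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard entry (*.name.com) covers exactly one left-most label.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)   # e.g. ".name.com"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-UrlNameMismatch {
    param([hashtable]$ServiceUrls, [string[]]$CertNames)
    foreach ($key in ($ServiceUrls.Keys | Sort-Object)) {
        $urlHost = ([uri]$ServiceUrls[$key]).Host
        New-Object PSObject -Property @{
            Setting = $key
            UrlHost = $urlHost
            OnCert  = Test-CertNameMatch -HostName $urlHost -CertNames $CertNames
        } | Select-Object Setting, UrlHost, OnCert
    }
}

# Constructed sample: a renewed certificate that no longer carries .local names.
# On a real server these names come from Get-ExchangeCertificate (CertificateDomains).
$certNames = @('owa.name.com', 'autodiscover.name.com')

# Constructed sample: values in the shape returned by Get-ClientAccessServer
# (AutoDiscoverServiceInternalUri) and Get-WebServicesVirtualDirectory.
$urls = @{
    'server1 AutoDiscoverServiceInternalUri' = 'https://server1.domain.local/Autodiscover/Autodiscover.xml'
    'server1 EWS InternalUrl'                = 'https://server1.domain.local/EWS/Exchange.asmx'
    'server1 EWS ExternalUrl'                = 'https://owa.name.com/ews/exchange.asmx'
}

# List every setting whose host name is not covered by the certificate.
Get-UrlNameMismatch -ServiceUrls $urls -CertNames $certNames |
    Where-Object { -not $_.OnCert } |
    Format-Table -AutoSize
```

With the sample data, the two server1.domain.local entries are reported and the owa.name.com entry is not; each reported host also has to resolve internally (the split DNS mentioned above) once the URL is changed to a name on the certificate.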
 

Author Comment

by:MongolianNoseFlute
ID: 39251483
Hi Simon,

This is very useful information in the link you provided.
Unfortunately, after applying all the changes to the URLs and the commands below, everything just stopped working, including external access to OWA.

This is what we ran:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://owa.name.com/autodiscover/autodiscover.xml

and

Set-WebServicesVirtualDirectory -Identity "server1\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx 

Set-WebServicesVirtualDirectory -Identity "server2\EWS (Default Web Site)" -InternalUrl https://owa.name.com/ews/exchange.asmx -ExternalUrl https://owa.name.com/ews/exchange.asmx

Everything went back to normal after reverting all changes and setting the external URL back to -ExternalUrl https://servername.domain.local/ews/exchange.asmx

Any ideas?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39252932
Define not working?
The changes to the URLs are what are required, but you do need to ensure that you have both the internal and external DNS set up correctly.
The script on my web page is something I use three or four times a week, without any issues, so that would tend to indicate the problem is elsewhere.

Simon.
0
 

Author Comment

by:MongolianNoseFlute
ID: 39253539
Hi Simon,

I have tried again but this time without changing –ExternalUrl

This time all works well, no more cert security alert!!! :)

Unfortunately, some users are now getting a different pop-up.
“Outlook is attempting to connect to xxx.xxx@xxx.com If your password has changed, it may need to be re-entered. Click here to re-enter your password.”

When users click on this message nothing happens, they have not changed their password.

Any idea on this?

Michal
0


Question has a verified solution.
