jconklin-ansinc-net
asked on
Outlook clients receiving Security Alert with SSL Certificate
Hello,
I recently re-keyed the SSL certificate for a Exchange 2010 server because the common name in the certificate was not correct. Upon importing the certificate into the certificate store and enabling it for SMTP, POP, IIS and IMAP, all of the Outlook 2007 and Outlook 2010 clients are now receiving a Security Alert "The name on the security certificate is invalid or does not match the name of the site." They were having to click the Yes to proceed button twice until I followed the procedure to change the autodiscover and other components URLs at Microsoft's site:
http://support.microsoft.com/kb/940726
The server does not use UM, so I did receive an error when attempting to run the related commandlet.
The clients are still receiving the SSL Security warning when opening Outlook, however they only have to acknowledge the error once before Outlook connects to the server.
Any experts know what else I need to do to resolve this issue?
I recently re-keyed the SSL certificate for a Exchange 2010 server because the common name in the certificate was not correct. Upon importing the certificate into the certificate store and enabling it for SMTP, POP, IIS and IMAP, all of the Outlook 2007 and Outlook 2010 clients are now receiving a Security Alert "The name on the security certificate is invalid or does not match the name of the site." They were having to click the Yes to proceed button twice until I followed the procedure to change the autodiscover and other components URLs at Microsoft's site:
http://support.microsoft.com/kb/940726
The server does not use UM, so I did receive an error when attempting to run the related commandlet.
The clients are still receiving the SSL Security warning when opening Outlook, however they only have to acknowledge the error once before Outlook connects to the server.
Any experts know what else I need to do to resolve this issue?
You need to update the name being used to answer the requests.
Replace "CAS-Server-Name" with the name of your exchange server that holds the Client Access Server Role.
Replace "mail.example.com" with the name of the mail server URL that you put in your certificate.
Modify the following commands:
You may also need to change the "(Default Web Site)" to match what is shown in IIS, if you have that customized.
Replace "CAS-Server-Name" with the name of your exchange server that holds the Client Access Server Role.
Replace "mail.example.com" with the name of the mail server URL that you put in your certificate.
Modify the following commands:
Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -ExternalURL 'https://mail.example.com/autodiscover' -InternalURL 'https://mail.example.com/autodiscover' -BasicAuthentication $true
Set-OABVirtualDirectory -Identity "CAS-Server-Name\OAB (Default Web Site)" -ExternalUrl "https://mail.example.com/OAB" -BasicAuthentication $true -RequireSSL $true
Set-OABVirtualDirectory -Identity "CAS-Server-Name\OAB (Default Web Site)" -InternalUrl "https://mail.example.com/OAB" -BasicAuthentication $true -RequireSSL $true
Set-WebServicesVirtualDirectory -Identity "CAS-Server-Name\EWS (Default Web Site)" -BasicAuthentication $true -ExternalUrl https://mail.example.com/EWS/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "CAS-Server-Name\EWS (Default Web Site)" -BasicAuthentication $true -InternalUrl https://mail.example.com/EWS/exchange.asmx
Set-ClientAccessServer -Identity "CAS-Server-Name" -AutodiscoverServiceInternalUri https://mail.example.com/autodiscover/autodiscover.xmlYou may also need to change the "(Default Web Site)" to match what is shown in IIS, if you have that customized.
Your issue is related to URL, one you sort it out your issue would be resolved. Please refer to this article:
http://support.microsoft.com/kb/940726
http://support.microsoft.com/kb/940726
ASKER
amit_gokharu: Thank you. I have already followed that article, and communicated in my initial question. Still does not work as expected and the users are still receiving the Security Alert.
jrhelgeson: Thank you. I tried your solution, replacing "mail.example.com" with the URL for the Exchange servers name indicated as the common name on the SSL certificate. Still receive the Security Alerts.
Mks_: Thank you, but your solution does not address the issue we are dealing with. We are not receiving a message about redirection, but a security alert "The name on the security certificate is invalid or does not match the name of the site" when indeed it does.
jrhelgeson: Thank you. I tried your solution, replacing "mail.example.com" with the URL for the Exchange servers name indicated as the common name on the SSL certificate. Still receive the Security Alerts.
Mks_: Thank you, but your solution does not address the issue we are dealing with. We are not receiving a message about redirection, but a security alert "The name on the security certificate is invalid or does not match the name of the site" when indeed it does.
Okay then, I need the exact error message they get regarding the SSL certificate.
Does the SSL Cert they are getting an error on match the certificate you purchased?
What can happen with Autodiscover is that it can find sites with no relation to yours. Your exchange server is mail.example.com, but it'll throw an SSL Certificate warning/error for www.someothercompany.com.
Please let me know if this is the case, and what the exact error message is.
Does the SSL Cert they are getting an error on match the certificate you purchased?
What can happen with Autodiscover is that it can find sites with no relation to yours. Your exchange server is mail.example.com, but it'll throw an SSL Certificate warning/error for www.someothercompany.com.
Please let me know if this is the case, and what the exact error message is.
ASKER
jrhelgeson: Attached are the error messages, the certificate screenshot and a screenshot showing the SANs.
error.png
cert-san.png
cert.png
error.png
cert-san.png
cert.png
This certificate does not have a private key.
Please speak to the vendor who issued you the certificate, get a cert with private key and then install the same on your exchange 2010 and assign the services which will resolve your issue.
Please speak to the vendor who issued you the certificate, get a cert with private key and then install the same on your exchange 2010 and assign the services which will resolve your issue.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
get-ClientAccessServer | fl
get-WebServicesVirtualDire
get-OABVirtualDirectory | fl