Solved

Exchange 2013, Outlook Profile, and security certificate

Posted on 2013-11-05
Last Modified: 2013-11-14
Hello,

I installed Exchange 2013 and I installed SSL. From outside of the network, I can connect to the Exchange Server with Outlook using autodiscover. When I connect to the Exchange Server using autodiscover, I believe I establish a secure connection and the SSL certificates are trusted. So, everything seems to be working fine.

But, when I am inside of the network and when I use autodiscover, I get a security alert warning saying:

server.domain.com
information you exchange with this site cannot be viewed or changed... there is a problem with the site's security certificate... do you want to proceed?

What do I need to change inside of the network so that my Outlook profile is trusted when I use autodiscover?

By the way, I do not have any DNS records for autodiscover in my server's DNS. If I need to do something here, please be specific.

Thanks,
J:\
Question by:jhieb
8 Comments
 

Expert Comment

by:Simon Butler (Sembee)
ID: 39625058
You need to change the URLs in Exchange to work with the external host name.
That will also require a split DNS.
The Exchange 2010 version of my article applies here: http://semb.ee/hostnames
The script at the end does work.

Must get round to completing the Exchange 2013 version.

Simon.

Author Comment

by:jhieb
ID: 39626032
Thanks. My internal and external URLs are already set to be the same. Externally, I am using mail.domain.com, and this is what autodiscover uses. Internally, I noticed that I have a reverse DNS entry for an internal IP address that is for mail, also. Do you think this reverse DNS entry is conflicting with my external DNS entry? If so, should I remove the internal mail reverse DNS entry?

Expert Comment

by:Simon Butler (Sembee)
ID: 39627108
Are you sure you have got them all - including the ones in Shell only? The error you are getting would suggest that either you have missed one, or your DNS is wrong so the external name doesn't resolve internally to the correct place.

A reverse DNS entry will not be the cause of this.

Simon.

Author Comment

by:jhieb
ID: 39628177
I will check this in a day or two. I am sidetracked because of another project. Thanks.

Author Comment

by:jhieb
ID: 39632253
When I set up my URLs, I used the following Microsoft article. My settings are the same as in this article. The Internal and External URLs are the same. I also used the PowerShell example in this article to make sure my internal URLs were the same as the external URLs.

I compared my URLs with your URL script. The only difference is autodiscover. In my environment, autodiscover is set to the default web site so there is no external URL displayed. When I look at the ECP for Exchange 2013, there is no URL shown.

This is why I was thinking this was a reverse DNS issue. What do you think the Internal Autodiscover setting should be?

Expert Comment

by:Simon Butler (Sembee)
ID: 39632893
You haven't included any Microsoft article link, so I don't know what you were following.
My script doesn't set the Autodiscover virtual directories - those should be left as default.
If you haven't changed the value on the CAS Server role then that will cause the problems you see.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

If that is the default value, which is the server name, then you need to change it to match the host name on your SSL certificate.

Simon.

Author Comment

by:jhieb
ID: 39633604
Here is the link:
http://technet.microsoft.com/en-us/library/4acc7f2a-93ce-468c-9ace-d5f7eecbd8d4(v=exchg.150)#CreateConnector

I ran the command you gave and here is what the results are:
https://ectsvr02.mydomain.com/Autodiscover/Autodiscove...

The path shows my server name like you thought. Where do I change the value of my CAS server role?

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39638225
As with most things with Exchange 2010, change the get to set

set-clientaccessserver -identity servername -AutodiscoverServiceInternalURI https://host.example.com/Autodiscover/Autodiscover.xml

or follow the guide I posted in my first answer.

Simon.
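
An added example, not posted by anyone in this thread: a check for the mismatch the accepted answer fixes, comparing each server's AutodiscoverServiceInternalUri host with the names on the certificate enabled for IIS. The function names `Test-CertNameMatch` and `Get-AutodiscoverCertFinding` and the EX01/EX02 sample servers are hypothetical; outside the Exchange Management Shell the script falls back to the constructed sample.

```powershell
# Returns $true when the host name is covered by one of the certificate names.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label (*.example.com matches mail.example.com)
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

# Takes objects with Name, Uri and CertNames; reports whether the URI host is on the certificate.
function Get-AutodiscoverCertFinding {
    param([object[]]$Servers)
    foreach ($s in $Servers) {
        $uriHost = ([uri]$s.Uri).Host
        [pscustomobject]@{
            Server  = $s.Name
            UriHost = $uriHost
            OnCert  = Test-CertNameMatch -HostName $uriHost -CertNames $s.CertNames
        }
    }
}

if (Get-Command Get-ClientAccessServer -ErrorAction SilentlyContinue) {
    # Live data: only available inside the Exchange Management Shell
    $servers = Get-ClientAccessServer | ForEach-Object {
        $names = Get-ExchangeCertificate -Server $_.Name |
            Where-Object { $_.Services -match 'IIS' } |
            ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
        [pscustomobject]@{ Name = $_.Name; Uri = "$($_.AutoDiscoverServiceInternalUri)"; CertNames = $names }
    }
} else {
    # Constructed sample: EX01 still has the default server-name URI, EX02 has been corrected
    $certNames = @('mail.example.com', 'autodiscover.example.com')
    $servers = @(
        [pscustomobject]@{ Name = 'EX01'; Uri = 'https://ex01.corp.example/Autodiscover/Autodiscover.xml'; CertNames = $certNames },
        [pscustomobject]@{ Name = 'EX02'; Uri = 'https://mail.example.com/Autodiscover/Autodiscover.xml'; CertNames = $certNames }
    )
}

Get-AutodiscoverCertFinding -Servers $servers | Format-Table -AutoSize
```

A row with OnCert = False is a server whose internal Autodiscover URI will trigger the Outlook certificate warning for domain-joined clients on the internal network.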