Solved

Exchange 2010 Cert error

Posted on 2013-11-22
9
68 Views
Last Modified: 2015-06-20
Hi all,

I am looking to see if someone can link me to a workaround for issuing a new cert that includes SAN to resolve my issues on a network I inherited.

Currently - I just resolved the Free/Busy, OOF issues internally by adjusting all my internal URLs.  I have a single issue cert. that includes only webmail.domain.ca.  It has no SAN.

I know the proper resolution is to issue a multi-cert (can't recall the actual name for that right now) that includes autodiscover.domain.ca and localservername.domain.local.

Is there a workaround in Exchange 2010 that lets me prevent the Outlook pop-up security alert for "servername.domain.local", 'The name on the security certificate is invalid or does not match the name of the site'?

Thanks!
0
Question by:browningit
9 Comments
 
LVL 12

Accepted Solution

by:
Julian123 earned 250 total points
ID: 39669629
Yes, use Set-ClientAccessServer -AutoDiscoverServiceInternalUri to set it to https://webmail.domain.ca/autodiscover/autodiscover.xml. This article has more detail: http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/

You will also want to do this for the other URLs Exchange uses as described here: http://www.bing.com/search?q=exchange+2010+web+serivices+urls&src=IE-TopResult&FORM=IE11TR&conversationid=.

I recommend setting the internal and external URLs to use the FQDN that's on your certificate. You should make sure that that FQDN is reachable by both users inside the firewall and outside.
0
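Worked example, added here and not part of Julian123's comment: the Exchange Management Shell commands that point Autodiscover and the other Client Access URLs at the single name on the certificate (webmail.domain.ca, from the question), then verify what Exchange now hands out. The server name EXCHANGE01 and the test mailbox address are placeholders; everything else is the standard Exchange 2010 cmdlet set. Run it in the Exchange Management Shell on the Client Access server.

```powershell
# Added example (not from the thread). Assumes the CAS is named EXCHANGE01 (placeholder)
# and the only name on the installed certificate is webmail.domain.ca.
$Server = "EXCHANGE01"
$Fqdn   = "webmail.domain.ca"
$Base   = "https://$Fqdn"

# 1. Autodiscover. Domain-joined Outlook finds this URL through the SCP in AD, so if it
#    still names servername.domain.local the certificate warning comes straight back.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 2. The other services Outlook, OWA and ActiveSync are told about by Autodiscover.
#    Internal and external URL are set to the same certificate name; split DNS then has
#    to make that name resolve to the internal address inside the firewall.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# 3. Recycle IIS so the new URLs are handed out immediately rather than after the app pools recycle.
iisreset /noforce

# 4. Verify: every URL should carry the certificate name, none should still say *.domain.local.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl

# 5. Confirm which certificate IIS is actually serving and which names are on it;
#    the names above must all appear in CertificateDomains or the warning stays.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, CertificateDomains, NotAfter

# 6. End-to-end check of Autodiscover, EWS, OAB and Availability from the server itself,
#    using a test mailbox (placeholder address). Any failed step names the URL it tried.
Test-OutlookWebServices -Identity "testuser@domain.ca" | Format-List
```

Step 6 is the quickest way to tell a URL problem from a DNS problem: if the Autodiscover and EWS steps report the certificate name but fail to connect, the name is right and the internal resolution (the split-DNS piece) is what is still missing.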
 
LVL 2

Author Comment

by:browningit
ID: 39669656
Thanks for the reply Julian.

However, it was set to the webmail.domain.ca previously, and would not resolve/time out looking for it, hence my change to the internally resolvable FQDN.

I am looking over your article now.  I can always hit the URL externally on all /ews /autodiscover /owa etc., but internally was the issue and my 'forced hand' at changing all the URLs to reflect FQDN to make sure that my users could hit the OOF buttons and so on to make it work.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 39669759
You need a split DNS so the external host name resolves internally.
http://semb.ee/splitdns

Then you can configure everything to use the external host name internally.

Simon.
0
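Added example of the split-DNS step, not Simon's own code: it creates a single-host ("pinpoint") zone on the internal Windows DNS server so that only webmail.domain.ca is overridden inside the network and every other name under domain.ca keeps resolving to the public records, then checks the result from a client the same way Outlook does, by comparing the name it connected to against the name on the presented certificate. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and Resolve-DnsName (Windows 8/2012 or later); DC01 and 10.0.0.25 are placeholders, and the dnscmd lines in comments are the older-server equivalent.

```powershell
# Added example (not from the thread). Placeholders: DC01 = the internal DNS server,
# 10.0.0.25 = the Exchange CAS's internal IP. webmail.domain.ca is the name on the certificate.
$DnsServer  = "DC01"
$HostName   = "webmail.domain.ca"
$InternalIp = "10.0.0.25"

# A zone named after the host itself: its apex A record *is* the host, so no other
# domain.ca record (MX, www, ...) has to be copied and maintained internally.
Add-DnsServerPrimaryZone -ComputerName $DnsServer -Name $HostName -ReplicationScope "Domain"
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $HostName -Name "@" -IPv4Address $InternalIp
# Windows Server 2008 R2 equivalent, where the DnsServer module does not exist:
#   dnscmd DC01 /ZoneAdd webmail.domain.ca /DsPrimary
#   dnscmd DC01 /RecordAdd webmail.domain.ca @ A 10.0.0.25

# Check 1: the internal resolver must now hand back the private address ...
$internal = Resolve-DnsName -Name $HostName -Type A -Server $DnsServer
# ... while a public resolver still returns the public one (8.8.8.8 used here only as an example resolver).
$external = Resolve-DnsName -Name $HostName -Type A -Server 8.8.8.8
"{0}: internal -> {1}, external -> {2}" -f $HostName, ($internal.IPAddress -join ","), ($external.IPAddress -join ",")
if ($internal.IPAddress -notcontains $InternalIp) { Write-Warning "Client is not using the split zone; check the client's DNS servers and flush its cache (ipconfig /flushdns)." }

# Check 2: connect to 443 by the certificate name and read the certificate the server presents.
# The validation callback returns $true only so the certificate can be read for inspection;
# it is not a setting to keep anywhere, it just avoids an exception on a mismatched name.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($HostName)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Presented certificate subject: {0}" -f $cert.Subject
"Subject Alternative Names:"
$cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" } |
    ForEach-Object { $_.Format($true) }
# Outlook's test, in effect: the name we dialled must be the CN or one of the SANs.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($cn -ieq $HostName) { "OK: certificate name matches $HostName" }
else { Write-Warning "Certificate is for '$cn'; Outlook will warn unless $HostName is the CN or a SAN." }
$ssl.Dispose(); $tcp.Dispose()
```

Run the two checks from a domain-joined workstation rather than on the Exchange server, since a server can resolve its own name through the hosts file or the loopback adapter and hide a broken client-side resolution path.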
 
LVL 2

Author Comment

by:browningit
ID: 39669793
Looks like a reasonable solution sembee, I'll hammer that out after hours today and see what happens.  

Thanks!
0
 
LVL 12

Expert Comment

by:Julian123
ID: 39670074
Agreed, the URLs mentioned in the article I sent above must be reachable internally, and proper DNS configuration will enable that.
0
 
LVL 2

Author Comment

by:browningit
ID: 39673547
Simon,

I just flipped all the records for internal URLs back to webmail, and configured the internal DNS server (hosted on another virtual server internally) as suggested.  I am essentially back at square one.  I have an SRV record, and the new zone for webmail.domain.ca pointing to my internal IP for the Exchange server.  Doesn't fly.  No OOF, no Free/Busy.
0
 
LVL 2

Author Comment

by:browningit
ID: 39673601
Tentatively, I appear to have resolved it through catching a typo, and making some other network changes.  More testing and an update on the matter tomorrow.

As far as my message about DNS testing not working, it could be related to a record I am unable to clear linking to the previous and dead DNS server.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40841367
I've requested that this question be closed as follows:

Accepted answer: 500 points for Simon Butler (Sembee)'s comment #a39669759

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
