Solved

Certificate message in Outlook 2010 connecting to Exchange 2010

Posted on 2013-12-04
Last Modified: 2013-12-06
Hi guys!  I recently completed my migration from Exchange 2003 to Exchange 2010.  All of my clients are running Outlook 2010.  I bought a new SSL cert for this.  Now every time somebody opens Outlook (and a lot of random times when they already have it open), the stupid SSL message comes up warning about the certificate.  If I install the certificate on the client it seems to make no difference.  Also, I find that Outlook is crashing repeatedly for quite a few of my clients.  I did the "repair" utility under Control Panel --> Mail, and this fixes it for a while, but then it starts happening again after a couple of days.   Help !!!
Question by:zagnutttt4
LVL 37

Expert Comment

by:Jamie McKillop
Hello,

When the certificate warning comes up, does the name it presents match the name on the certificate? Are you using that same name for all your Outlook Anywhere services?

-JJ
0
 

Author Comment

by:zagnutttt4
Well, technically no... The name on the certificate is for the external hostname of our single WAN IP address, so from the outside world, we are simply known by "mail.externaldomainname.com" and that's the name on my certificate. Internally, the server's name is obviously different (storage1.internaldomainname.local). How can I do this correctly without having two different SSL certs?

To answer your 2nd question, yes, from the outside world, everything that uses Outlook Anywhere, ActiveSync, etc..  uses the same name that is on the cert (mail.externaldomainname.com).
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 400 total points
The best practice is to use split-DNS. This is where you have both an internal and external DNS infrastructure for your public zone. Both infrastructures are independent, so you can use internal IPs on your internal DNS infrastructure. You could also use a different DNS zone internally. The caveat with that is that you can no longer register private DNS zones, like .local on SSL certs. You would need to register another domain and use that.

-JJ
0
 

Author Comment

by:zagnutttt4
Is there any way to utilize two SSL certificates instead of using split-DNS?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
No, you can only use one cert but you can add multiple names to a single SAN cert.

-JJ
0
 

Author Comment

by:zagnutttt4
Interesting...   What is a SAN cert?  I don't know if mine is that or not...
0
 
LVL 37

Expert Comment

by:Jamie McKillop
Subject Alternate Name cert. Sometimes also referred to as a UCC cert. You really should already have one as you need mail.externaldomainname.com and autodiscover.externaldomainname.com on your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
Cool - if so, I can just reissue a request, then regenerate the cert, redownload the cert and reinstall the cert?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
You will need to contact your SSL cert vendor to see if you can add names to your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
It's a GoDaddy cert so I will contact them today and see what they say.  Is there any way to make Exchange use one of the other built in certs for the internal client connections?  It looks like those already have the internal name of the server on them.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
No, Exchange can only use one cert.

-JJ
0
 

Author Comment

by:zagnutttt4
Gotcha.  Well, I am on hold with GoDaddy right now so I will see what they have to say !  Wish me luck....
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Why don't you want to use a split DNS system? If you have the certificate in place then the configuration is 30 seconds and fixed.
You will need to adjust the configuration of Exchange - the problem you have is caused by the introduction of Exchange 2010 - the clients attempt Autodiscover all the time and now it works.

http://semb.ee/hostnames

Simon.
0
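A read-only check for the name mismatch discussed in this thread, added here as an example and not posted by any participant: it lists the names on the certificate bound to IIS and flags each internal URL that Exchange publishes (Autodiscover SCP, EWS, OAB) whose host is not on that certificate. It assumes the Exchange 2010 Management Shell; `Test-CertName` is a hypothetical helper name introduced for the example.

```powershell
# Added example: run in the Exchange Management Shell (read-only, changes nothing).

# Certificate currently assigned to IIS, i.e. the one Outlook sees over HTTPS.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Hypothetical helper: true when the host is covered by an exact name
# or by a wildcard that replaces exactly one leftmost label.
function Test-CertName([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# URLs that Exchange hands to internal Outlook clients.
$urls = @()
$urls += Get-ClientAccessServer |
    Select-Object @{n='Source';e={'Autodiscover SCP'}},
                  @{n='Url';e={"$($_.AutoDiscoverServiceInternalUri)"}}
$urls += Get-WebServicesVirtualDirectory |
    Select-Object @{n='Source';e={'EWS'}}, @{n='Url';e={"$($_.InternalUrl)"}}
$urls += Get-OabVirtualDirectory |
    Select-Object @{n='Source';e={'OAB'}}, @{n='Url';e={"$($_.InternalUrl)"}}

# One row per published URL, with OnCert showing whether the host is on the cert.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source = $_.Source
        Url    = $_.Url
        Host   = $hostName
        OnCert = Test-CertName $hostName
    }
} | Format-Table Source, Host, OnCert, Url -AutoSize
```

A row with `OnCert` False is a URL whose host name does not appear on the certificate, which is the condition behind the warning described in the question.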
 

Author Comment

by:zagnutttt4
Hi Sembee.. I'm willing to try the split-DNS, but I'm not sure where to start. Right now there is one DNS "zone".. we have two domain controllers. Where do I begin?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
It is very easy. You just need to create the required zone if your AD domain is something different to your public domain.

http://semb.ee/splitdns

Simon.
0
 

Author Comment

by:zagnutttt4
Thank you Simon, I am going to attempt this today after lunch and I will update you on my status afterwards.  Wish me luck!
0
 

Author Comment

by:zagnutttt4
Guys, thank you very much!  I implemented split-DNS and it indeed did the trick!  Now to move on to other fires that need to be put out.   Thanks again, I highly appreciate your help with this matter!
0
