Solved

Certificate message in Outlook 2010 connecting to Exchange 2010

Posted on 2013-12-04
Last Modified: 2013-12-06
Hi guys!  I recently completed my migration from Exchange 2003 to Exchange 2010.  All of my clients are running Outlook 2010.  I bought a new SSL cert for this.  Now every time somebody opens Outlook (and a lot of random times when they already have it open), the stupid SSL message comes up warning about the certificate.  If I install the certificate on the client it seems to make no difference.  Also, I find that Outlook is crashing repeatedly for quite a few of my clients.  I did the "repair" utility under Control Panel --> Mail, and this fixes it for a while, but then it starts happening again after a couple of days.   Help !!!
0
Question by:zagnutttt4
17 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696182
Hello,

When the certificate warning comes up, does the name it presents match the name on the certificate? Are you using that same name for all your Outlook Anywhere services?

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696250
Well, technically no...  The name on the certificate is for the external hostname of our single WAN IP address..   so from the outside world, we are simply known by "mail.externaldomainname.com" and that's the name on my certificate.  Internally, the server's name is obviously different (storage1.internaldomainname.local).  How can I do this correctly without having two different SSL certs?

To answer your 2nd question, yes, from the outside world, everything that uses Outlook Anywhere, ActiveSync, etc..  uses the same name that is on the cert (mail.externaldomainname.com).
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 1600 total points
ID: 39696290
The best practice is to use split-DNS. This is where you have both an internal and external DNS infrastructure for your public zone. Both infrastructures are independent, so you can use internal IPs on your internal DNS infrastructure. You could also use a different DNS zone internally. The caveat with that is that you can no longer register private DNS zones, like .local on SSL certs. You would need to register another domain and use that.

-JJ
0

 

Author Comment

by:zagnutttt4
ID: 39696298
Is there any way to utilize two SSL certificates instead of using split-DNS?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696303
No, you can only use one cert but you can add multiple names to a single SAN cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696402
Interesting...   What is a SAN cert?  I don't know if mine is that or not...
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696429
Subject Alternate Name cert. Sometimes also referred to as a UCC cert. You really should already have one as you need mail.externaldomainname.com and autodiscover.externaldomainname.com on your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696451
Cool - if so, I can just reissue a request then regenerate the cert, redownload the cert and reinstall the cert ?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696459
You will need to contact your SSL cert vendor to see if you can add names to your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698539
It's a GoDaddy cert so I will contact them today and see what they say.  Is there any way to make Exchange use one of the other built in certs for the internal client connections?  It looks like those already have the internal name of the server on them.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39698547
No, Exchange can only use one cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698555
Gotcha.  Well, I am on hold with GoDaddy right now so I will see what they have to say !  Wish me luck....
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39698816
Why don't you want to use a split DNS system? If you have the certificate in place then the configuration is 30 seconds and fixed.
You will need to adjust the configuration of Exchange - the problem you have is caused by the introduction of Exchange 2010 - the clients attempt Autodiscover all the time and now it works.

http://semb.ee/hostnames

Simon.
0
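
A read-only check of the name mismatch discussed in this thread, added here as an example and not posted by any participant: it lists the internal Autodiscover, EWS and OAB URLs that Exchange 2010 hands to Outlook and flags any whose host is not on the certificate enabled for IIS. It assumes the Exchange Management Shell and covers only these three services.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# Collect the names on the certificate enabled for IIS (the one Outlook validates).
$certNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

# Internal URLs that Exchange publishes to domain-joined Outlook clients.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutodiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl }

# Drop services that have no internal URL configured.
$urls = $urls | Where-Object { $_ }

foreach ($url in $urls) {
    $hostName = ([uri]"$url").Host.ToLower()

    # A wildcard entry on the certificate covers exactly one leading label.
    $parent = $hostName.Substring($hostName.IndexOf('.') + 1)
    $covered = ($certNames -contains $hostName) -or
               ($certNames -contains "*.$parent")

    # OnCertificate = False marks a URL that will raise the Outlook warning.
    New-Object PSObject -Property @{
        Url           = "$url"
        Host          = $hostName
        OnCertificate = $covered
    }
}
```

Any row with OnCertificate set to False points at a host name that is either missing from the certificate or should be changed to a name that is on it and resolvable internally through split-DNS.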
 

Author Comment

by:zagnutttt4
ID: 39698831
Hi Sembee..  I'm willing to try the Split-DNS, but I'm not sure where to start.  Right now there is one DNS "zone"..  we have two domain controllers.  Where do I begin ?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39699732
It is very easy. You just need to create the required zone if your AD domain is something different to your public domain.

http://semb.ee/splitdns

Simon.
0
 

Author Comment

by:zagnutttt4
ID: 39700877
Thank you Simon, I am going to attempt this today after lunch and I will update you on my status afterwards.  Wish me luck!
0
 

Author Comment

by:zagnutttt4
ID: 39701226
Guys, thank you very much!  I implemented split-DNS and it indeed did the trick!  Now to move on to other fires that need to be put out.   Thanks again, I highly appreciate your help with this matter!
0

Question has a verified solution.
