Solved

Certificate message in Outlook 2010 connecting to Exchange 2010

Posted on 2013-12-04
17
392 Views
Last Modified: 2013-12-06
Hi guys!  I recently completed my migration from Exchange 2003 to Exchange 2010.  All of my clients are running Outlook 2010.  I bought a new SSL cert for this.  Now every time somebody opens Outlook (and a lot of random times when they already have it open), the stupid SSL message comes up warning about the certificate.  If I install the certificate on the client it seems to make no difference.  Also, I find that Outlook is crashing repeatedly for quite a few of my clients.  I did the "repair" utility under Control Panel --> Mail, and this fixes it for a while, but then it starts happening again after a couple of days.   Help !!!
Question by:zagnutttt4
17 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696182
Hello,

When the certificate warning comes up, does the name it presents match the name on the certificate? Are you using that same name for all your Outlook Anywhere services?

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696250
Well, technically no... The name on the certificate is for the external hostname of our single WAN IP address, so from the outside world, we are simply known by "mail.externaldomainname.com" and that's the name on my certificate. Internally, the server's name is obviously different (storage1.internaldomainname.local). How can I do this correctly without having two different SSL certs?

To answer your 2nd question, yes, from the outside world, everything that uses Outlook Anywhere, ActiveSync, etc..  uses the same name that is on the cert (mail.externaldomainname.com).
0
 
LVL 37

Accepted Solution

by:Jamie McKillop
Jamie McKillop earned 400 total points
ID: 39696290
The best practice is to use split-DNS. This is where you have both an internal and external DNS infrastructure for your public zone. Both infrastructures are independent, so you can use internal IPs on your internal DNS infrastructure. You could also use a different DNS zone internally. The caveat with that is that you can no longer register private DNS zones, like .local on SSL certs. You would need to register another domain and use that.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696298
Is there any way to utilize two SSL certificates instead of using split-DNS?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696303
No, you can only use one cert but you can add multiple names to a single SAN cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696402
Interesting...   What is a SAN cert?  I don't know if mine is that or not...
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696429
Subject Alternate Name cert. Sometimes also referred to as a UCC cert. You really should already have one as you need mail.externaldomainname.com and autodiscover.externaldomainname.com on your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696451
Cool - if so, I can just reissue a request then regenerate the cert, redownload the cert and reinstall the cert ?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696459
You will need to contact your SSL cert vendor to see if you can add names to your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698539
It's a GoDaddy cert so I will contact them today and see what they say.  Is there any way to make Exchange use one of the other built in certs for the internal client connections?  It looks like those already have the internal name of the server on them.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39698547
No, Exchange can only use one cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698555
Gotcha.  Well, I am on hold with GoDaddy right now so I will see what they have to say !  Wish me luck....
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39698816
Why don't you want to use a split DNS system? If you have the certificate in place then the configuration is 30 seconds and fixed.
You will need to adjust the configuration of Exchange - the problem you have is caused by the introduction of Exchange 2010 - the clients attempt Autodiscover all the time and now it works.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:zagnutttt4
ID: 39698831
Hi Sembee. I'm willing to try the split-DNS, but I'm not sure where to start. Right now there is one DNS "zone"; we have two domain controllers. Where do I begin?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39699732
It is very easy. You just need to create the required zone if your AD domain is something different to your public domain.

http://semb.ee/splitdns

Simon.
0
 

Author Comment

by:zagnutttt4
ID: 39700877
Thank you Simon, I am going to attempt this today after lunch and I will update you on my status afterwards.  Wish me luck!
0
 

Author Comment

by:zagnutttt4
ID: 39701226
Guys, thank you very much!  I implemented split-DNS and it indeed did the trick!  Now to move on to other fires that need to be put out.   Thanks again, I highly appreciate your help with this matter!
0
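
The name check behind the warning discussed in this thread, as an added example that is not part of any poster's reply: it compares the host in each URL a client is handed against the names on the certificate, before and after split-DNS. The hostnames come from the thread; the URL paths, the service labels and the wildcard handling (which goes beyond the thread) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hostnames are the ones quoted in the thread; URL paths are constructed samples.
EXT, INT = "mail.externaldomainname.com", "storage1.internaldomainname.local"
AUTODISCOVER = "autodiscover.externaldomainname.com"
SINGLE_NAME_CERT = [EXT]
SAN_CERT = [EXT, AUTODISCOVER]

def urls_for(host):
    """URLs handed to internal clients when Exchange is configured with `host`."""
    return {
        "Autodiscover (SCP)": f"https://{host}/Autodiscover/Autodiscover.xml",
        "EWS": f"https://{host}/EWS/Exchange.asmx",
        "OAB": f"https://{host}/OAB",
    }

BEFORE = urls_for(INT)  # internal server name appears in every URL
# After split-DNS the public name is used internally as well. The extra entry
# is an assumption: clients that locate Autodiscover through DNS use this name.
AFTER_SPLIT_DNS = {**urls_for(EXT),
                   "Autodiscover (DNS)": f"https://{AUTODISCOVER}/Autodiscover/Autodiscover.xml"}

def name_matches(host, cert_name):
    """TLS-style match: case-insensitive, '*' only as the whole left-most label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        # A wildcard covers exactly one label: *.example.com matches
        # mail.example.com but not example.com or a.b.example.com.
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return host == cert_name

def uncovered(cert_names, client_urls):
    """Services whose URL host is not on the certificate, i.e. the ones that warn."""
    bad = []
    for service, url in client_urls.items():
        host = urlsplit(url).hostname or ""
        if not any(name_matches(host, n) for n in cert_names):
            bad.append(service)
    return sorted(bad)

if __name__ == "__main__":
    for label, urls in (("before", BEFORE), ("after split-DNS", AFTER_SPLIT_DNS)):
        for cert_label, names in (("single-name", SINGLE_NAME_CERT), ("SAN", SAN_CERT)):
            print(f"{label:16} {cert_label:12} warns on: {uncovered(names, urls) or 'nothing'}")
```
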


Question has a verified solution.
