Solved

Certificate message in Outlook 2010 connecting to Exchange 2010

Posted on 2013-12-04
17
394 Views
Last Modified: 2013-12-06
Hi guys!  I recently completed my migration from Exchange 2003 to Exchange 2010.  All of my clients are running Outlook 2010.  I bought a new SSL cert for this.  Now every time somebody opens Outlook (and a lot of random times when they already have it open), the stupid SSL message comes up warning about the certificate.  If I install the certificate on the client it seems to make no difference.  Also, I find that Outlook is crashing repeatedly for quite a few of my clients.  I did the "repair" utility under Control Panel --> Mail, and this fixes it for a while, but then it starts happening again after a couple of days.   Help !!!
0
Comment
Question by:zagnutttt4
17 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696182
Hello,

When the certificate warning comes up, does the name it presents match the name on the certificate? Are you using that same name for all your Outlook Anywhere services?

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696250
Well, technically no...  The name on the certificate is for the external hostname of our single WAN IP address..   so from the outside world, we are simply known by "mail.externaldomainname.com" and that's the name on my certificate.  Internally, the server's name is obviously different (storage1.internaldomainname.local).  How can I do this correctly without having two different SSL certs?

To answer your 2nd question, yes, from the outside world, everything that uses Outlook Anywhere, ActiveSync, etc..  uses the same name that is on the cert (mail.externaldomainname.com).
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 400 total points
ID: 39696290
The best practice is to use split-DNS. This is where you have both an internal and external DNS infrastructure for your public zone. Both infrastructures are independent, so you can use internal IPs on your internal DNS infrastructure. You could also use a different DNS zone internally. The caveat with that is that you can no longer register private DNS zones, like .local on SSL certs. You would need to register another domain and use that.

-JJ
0

 

Author Comment

by:zagnutttt4
ID: 39696298
Is there any way to utilize two SSL certificates instead of using split-DNS?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696303
No, you can only use one cert but you can add multiple names to a single SAN cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696402
Interesting...   What is a SAN cert?  I don't know if mine is that or not...
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696429
Subject Alternate Name cert. Sometimes also referred to as a UCC cert. You really should already have one as you need mail.externaldomainname.com and autodiscover.externaldomainname.com on your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39696451
Cool - if so, I can just reissue a request then regenerate the cert, redownload the cert and reinstall the cert ?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39696459
You will need to contact your SSL cert vendor to see if you can add names to your cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698539
It's a GoDaddy cert so I will contact them today and see what they say.  Is there any way to make Exchange use one of the other built in certs for the internal client connections?  It looks like those already have the internal name of the server on them.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39698547
No, Exchange can only use one cert.

-JJ
0
 

Author Comment

by:zagnutttt4
ID: 39698555
Gotcha.  Well, I am on hold with GoDaddy right now so I will see what they have to say !  Wish me luck....
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39698816
Why don't you want to use a split DNS system? If you have the certificate in place then the configuration is 30 seconds and fixed.
You will need to adjust the configuration of Exchange - the problem you have is caused by the introduction of Exchange 2010 - the clients attempt Autodiscover all the time and now it works.

http://semb.ee/hostnames

Simon.
0
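Added example (not part of any post in this thread): a small check for the name mismatch discussed above. It compares the DNS names on a certificate with the hostnames in the URLs clients are told to use, and lists the ones that would trigger the warning. The URL sets and service labels are constructed samples built from the thread's placeholder names; the wildcard rule (leftmost label only, one label deep) is the common TLS client behaviour and is an assumption about the client.

```python
from urllib.parse import urlsplit


def hostname_matches(cert_name: str, host: str) -> bool:
    """True if one certificate DNS name covers the hostname.

    Comparison is case-insensitive. A '*' is honoured only as the whole
    leftmost label and stands for exactly one label.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(c) > 2 and c[1:] == h[1:]
    return c == h


def audit_endpoints(cert_names, endpoints):
    """Return {service: host} for each URL whose host no certificate name covers."""
    mismatches = {}
    for service, url in endpoints.items():
        host = urlsplit(url).hostname
        if host is None or not any(hostname_matches(n, host) for n in cert_names):
            mismatches[service] = host
    return mismatches


# Constructed sample data using the placeholder names from the thread.
CERT_NAMES = ["mail.externaldomainname.com", "autodiscover.externaldomainname.com"]

# Before: internal clients are handed the server's internal AD name.
BEFORE = {
    "Autodiscover (internal)": "https://storage1.internaldomainname.local/Autodiscover/Autodiscover.xml",
    "EWS (internal)": "https://storage1.internaldomainname.local/EWS/Exchange.asmx",
    "Outlook Anywhere (external)": "https://mail.externaldomainname.com/",
}

# After: split DNS lets internal clients use the public name, resolved to an internal IP.
AFTER = {
    "Autodiscover (internal)": "https://mail.externaldomainname.com/Autodiscover/Autodiscover.xml",
    "EWS (internal)": "https://mail.externaldomainname.com/EWS/Exchange.asmx",
    "Outlook Anywhere (external)": "https://mail.externaldomainname.com/",
}

if __name__ == "__main__":
    for label, endpoints in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_endpoints(CERT_NAMES, endpoints) or "all names covered")
```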
 

Author Comment

by:zagnutttt4
ID: 39698831
Hi Sembee..  I'm willing to try the Split-DNS, but I'm not sure where to start.  Right now there is one DNS "zone"..  we have two domain controllers.  Where do I begin?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 39699732
It is very easy. You just need to create the required zone if your AD domain is something different to your public domain.

http://semb.ee/splitdns

Simon.
0
 

Author Comment

by:zagnutttt4
ID: 39700877
Thank you Simon, I am going to attempt this today after lunch and I will update you on my status afterwards.  Wish me luck!
0
 

Author Comment

by:zagnutttt4
ID: 39701226
Guys, thank you very much!  I implemented split-DNS and it indeed did the trick!  Now to move on to other fires that need to be put out.   Thanks again, I highly appreciate your help with this matter!
0

Question has a verified solution.
