Solved

Certificate error when opening Outlook, Exchange 2010

Posted on 2014-01-20
Last Modified: 2014-03-09
I just set up Exchange 2010 on Server 2012 and had to get a new UCC certificate. I have OWA working and the phones, but when they go into Outlook they get 2 errors about mail.***.com not being trusted. I know it has something to do with the certificate pointing to the outside address on the inside, but I don't know what to change.

Here are 2 pictures, one of the alert and one of the certificate. I can't seem to get rid of them. Help?
cmb-cert-error.JPG
cmb-cert-error2.JPG
Question by:bowlerman25
20 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39796122
Hi

It appears to be a self-signed certificate, which means you need to click 'Install certificate' (next, next) on all devices.
0
 

Author Comment

by:bowlerman25
ID: 39796123
I don't want a self-signed one, I paid for a UCC certificate. How do I take this out or get rid of the error?
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39796124
Where did you get this certificate from?
The name on the certificate must match the name of the host.
If your mail server is mail.foo.com, which is what clients connect to, then your certificate should include mail.foo.com and should be from a trusted authority (VeriSign, Go Daddy, etc.).
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39796131
Hi,

This certificate seems to be issued to 00:13:F7:9C:FE:38, which of course does not reflect your Exchange inside NOR outside address.
It should read something like mail.mydomain.org, so a domain, not a MAC address.
0
 

Author Comment

by:bowlerman25
ID: 39796132
Got it from GoDaddy, and I'm pretty sure I verified that mail.ourdomainname.com is a sub in the certificate. The Outlooks connect just to Exchange, which uses the name of the server. What do I change or check?
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39796136
Check in ESM if you have assigned the right certificate to the right services.
The certificate you are showing was issued by some cable modem and is valid for 20 years; it does not seem to be a GoDaddy certificate.
0
 

Author Comment

by:bowlerman25
ID: 39796137
The 00:13:F7:9C:FE:38 comes up twice because there are 2 dialog boxes. I've tried to install them, but they just come back when you reopen Outlook.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39796144
Hi again,

Please have a read here on how to assign a certificate to services in ESM.
0
 

Author Comment

by:bowlerman25
ID: 39796152
In EMC under server config, I show 3 certs. 2 are valid and 1 of the valid ones is self-signed. The 1 that I paid for has all 4 protocols and it only shows the domain name and not mail.domain.com. That might be my problem?
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39796158
For sure. Plus assignment is not right.
0
 

Author Comment

by:bowlerman25
ID: 39796164
The one alert is for mail.domain.com and the other alert is for autodiscover.domain.com. Do I have to add both of these to the cert in EMC?
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 39796519
Create a new certificate from the vendor, adding the following domains, to resolve your issue.

"mail.domain.com"
"Autodiscover.domain.com"

If you have a certificate with the above-mentioned domains, then bind the same certificate in IIS and reset the issue.

To bind the certificate, refer to the link below:

http://www.sslshopper.com/article-installing-an-ssl-certificate-in-windows-server-2008-iis-7.0.html
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39802760
If you bought a UCC type certificate, did you include Autodiscover in the list of domains?
If not, then that is part of the problem.
You also need to reconfigure Exchange to use the external host name internally.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:bowlerman25
ID: 39805554
Should I delete all 3 existing certificates or just add a new one? I think my internal URL for autodiscover is one issue, and the other security alert is for the mail.***.com URL. I have found lots of documents on IIS 7 and Server 2008 but not much for Server 2012. Does anyone have the changes for the new server? I just don't know how to fix this.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39806216
Forget about it being Server 2012. Do everything in Exchange. That includes the certificate request, install and removal.

Sort out the host names first, then remove certificates that are not being used. In most deployments you will end up with two certificates:

- a trusted certificate for all web services, POP, IMAP etc.
- a self signed certificate for internal email flow.

You may find that you are unable to remove one of the certificates because it is being used for the internal transport - that is fine.

Simon.
0
 

Author Comment

by:bowlerman25
ID: 39855506
I changed all the URLs from http://semb.ee/hostnames. I still have 2 certificate errors about mail.***.com and a 2nd pop-up from autodiscover.***.com when they open Outlook from inside the organization. They both show this picture for a certificate that doesn't exist. Why am I getting these pop-ups?
cert
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39862893
For some reason they are trying to access a cable modem of some description.
That would tend to suggest that your DNS is not set up correctly and the traffic is going to the wrong place.

Simon.
0
 

Author Comment

by:bowlerman25
ID: 39875461
I did fix it. I had to make new DNS primary zones for mydomainname.com and then put an A record for each certificate error pointing to the internal IP address of the server. Before, when I pinged mail.***.com, it was replying with the external IP. That fixed both errors. Why is that?

Because the Active Directory domain was .local and the mail is .com?
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 39876511
What you have done is created a split DNS system, which you need to have done as part of the guidance I provided above - that is so the external host name resolves internally.
The problem with creating a primary zone for example.com, rather than host.example.com, is that any external hosts you may have (like your web site) would also need to be included in that zone. If you did a single host name replacement (so created a zone for each host) then you wouldn't have that problem.

Simon.
0
 

Author Comment

by:bowlerman25
ID: 39916693
I also had one more problem with autodiscover.***.com popping up in Outlook, but I didn't have it listed in the certificate as a SAN. Figured that out myself. Thanks!
0
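
Added example, not part of the thread: the two causes found above (the names Outlook uses resolving to a device other than Exchange, and a name missing from the certificate's SAN list) expressed as a check over already-collected values. The example.com names, the IP addresses, the CA name and the certificate contents are constructed assumptions; only the MAC-address subject is taken from the thread.

```python
import ipaddress

def san_matches(hostname, san):
    """Exact match, or a wildcard SAN covering exactly one left-most label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        _, _, parent = hostname.partition(".")
        return parent == san[2:]
    return hostname == san

def diagnose(hostname, resolved_ip, cert, exchange_ip):
    """Return finding codes for one name Outlook connects to.

    cert is an already-parsed certificate in the dict shape used by
    ssl.SSLSocket.getpeercert(); every value passed in below is constructed.
    """
    findings = []
    if ipaddress.ip_address(resolved_ip) != ipaddress.ip_address(exchange_ip):
        # The connection lands on another device (in the thread: a cable modem).
        findings.append("DNS_NOT_EXCHANGE")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(hostname, s) for s in sans):
        findings.append("NAME_NOT_IN_CERT")
    if cert.get("subject") and cert.get("subject") == cert.get("issuer"):
        findings.append("SELF_SIGNED")
    return findings

def name(cn):
    """Build a subject/issuer value holding only a commonName."""
    return ((("commonName", cn),),)

EXCHANGE_IP = "10.0.0.5"  # assumed internal address of the Exchange server
# What the clients were shown before the DNS fix: the modem's own certificate.
MODEM_CERT = {"subject": name("00:13:F7:9C:FE:38"),
              "issuer": name("00:13:F7:9C:FE:38")}
# UCC certificate without autodiscover in the SAN list (constructed).
UCC_CERT = {"subject": name("example.com"),
            "issuer": name("Example Public CA"),
            "subjectAltName": (("DNS", "example.com"),
                               ("DNS", "mail.example.com"))}
# The same certificate reissued with the autodiscover name added.
FIXED_CERT = dict(UCC_CERT, subjectAltName=UCC_CERT["subjectAltName"]
                  + (("DNS", "autodiscover.example.com"),))

if __name__ == "__main__":
    for host, ip, cert in [
        ("mail.example.com", "203.0.113.10", MODEM_CERT),       # before split DNS
        ("autodiscover.example.com", "10.0.0.5", UCC_CERT),     # DNS fixed, SAN missing
        ("autodiscover.example.com", "10.0.0.5", FIXED_CERT),   # both fixed
    ]:
        print(host, ip, diagnose(host, ip, cert, EXCHANGE_IP) or "OK")
```

An empty result for every name Outlook uses (here the mail and autodiscover names) corresponds to the state in which the prompts stopped.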


Question has a verified solution.
