Solved

OWA settings in Outlook

Posted on 2014-01-31
7
716 Views
Last Modified: 2014-02-09
2 days ago, we changed our exchange SSL certificate from a wildcard type (*.domain.com) to a std UCC certificate. The issue this has caused is for some reason, users OWA settings in Outlook continue to still show the wildcard setting for the Mutual Authentication Principal Name: (msstd:*.domain.com) for existing users. Checked this against against a new user as well and the setting automatically pushed out wrong (still using the wildcard name).
How can I get the settings for OWA to automatically push out correctly to outlook?
0
Comment
Question by:keamalsa
  • 3
  • 3
7 Comments
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 150 total points
ID: 39824382
Have you restarted IIS?

 iisreset /stop

 net stop http

 net start http

iisreset /start


Also did you install the new certificate via EMS? If so then you may need to take the steps summarised in the posts:

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1248

and

https://sslguru.com/faq/technical-questions/why-does-owa-still-use-the-old-certificate-even-if-it-was-changed.html
0
 

Author Comment

by:keamalsa
ID: 39824530
I did not install with the EMS. I used the Command shell.

I had not restarted IIS or http.

So, I just did on both of our exchange servers.
I immediately went back in to check the OWA settings, but they still have not changed. Arent these setting really in AD on the Domain Controller?
Do I need to wait a period of time before this change is sync'd over to the DCs?
I did open the 1st link you sent anyway and followed it to verify that indeed yes, IIS is using the new certificate. What next?
0
 
LVL 15

Expert Comment

by:jerseysam
ID: 39824592
Have you fully removed the old certificate so it can't be referenced?
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:keamalsa
ID: 39824607
No, I have not removed it. What is the best method to remove it?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 350 total points
ID: 39824833
Autodiscover isn't affected by the old certificate.
Have you changed the MSSTD value in Exchange?

get-outlookprovider | select identity, certprinciplename

Then to change it run:

Set-OutlookProvider -identity EXPR -CertPrincipalname msstd:host.example.com

Simon.
0
 

Author Comment

by:keamalsa
ID: 39825013
Thanks Simon!!!
Running the get command showed me that the CertPrincipalName still had the old setting.
After running the set command and verifying the change, then waiting for Exchange and AD to replicate, the msstd setting for OWA in outlook has changed to the value we need. Checked OWA using the Microsoft Remote Connectivity Analyzer (set to use Autodiscover), and all is now good. Also closed outlook on a client side computer then re-launched outlook and the msstd Setting is now changed correctly in the OWA settings.
As far as rewarding points, I would give you all except I dont know if I also needed to restart IIS and HTTP as was suggested by "Jerseysam". So If I needed to do both things, I would split the points. If I did not need to restart those services, then I would give you all the points. Please advise.
0
 
LVL 15

Expert Comment

by:jerseysam
ID: 39825115
May have been a combination of both as you say.

Put it to moderators maybe?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
how to add IIS SMTP to handle application/Scanner relays into office 365.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now