Solved

Hosting two mail domains on sbs 2008, getting ssl cert errors on 2nd domain

Posted on 2014-02-06
Last Modified: 2014-02-18
We have two email domains on our SBS 2008 server running Exchange 2007. The primary domain is generally accessed over LAN with Outlook 2010 in cached exchange mode. No issues there. The 2nd domain is a sister company that is primarily accessed with Outlook 2010 via RPC over HTTP, and a couple of accounts use POP3.

The problem is, the external clients are getting cert mismatch errors that actually freeze Outlook and the connection to the server drops. I have to reset IIS in the server to get mail to flow again, and it happens several times a day.

We have a GoDaddy SSL cert with our primary domain name, internal domain name, autodiscover, etc. It wasn't an issue until the owner of the sister company moved the second domain to a new host that uses cPanel, which supports the autodiscover SRV record. Because the cert is issued to the primary, autodiscover throws the error every two or three minutes.

I tried configuring Outlook 2010 to suppress name checking with a registry key, but no joy.

Do I need to buy a UCC cert with multiple domain names, and if so, can I successfully import such a cert into SBS 2008 since it isn't supported in the trusted cert authorities by default?
Question by:riley71
5 Comments
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39841103
You can stop using autodiscover and set it up manually, just by using a domain name that has a valid certificate.

User mailboxes are assigned by username, so they can use a server name like mail.othercompany.com with their own username and get their email without the certificate issue.
 

Expert Comment

by:ShiekIce
ID: 39848242
How do you stop using autodiscover for Exchange? What negative effects would that have on a setup that used to rely on autodiscover (either intentionally, or by default)?
 
LVL 15

Expert Comment

by:Jaroslav Mraz
ID: 39849825
Simple: after the check, select manual setup. You don't need to disable the feature; it is just there to help with the automatic setup of Outlook, by providing an XML file with the configuration. But you can do the same configuration manually; for example, Outlook 2003 doesn't support the automatic configuration function.
 

Accepted Solution

by:riley71
ID: 39858057
OK. So I bought a UCC multi-domain certificate from GoDaddy. In it I had to list the main domain, mail.domain1.com, and these alternates: mail.domain2.com, autodiscover.domain1.com, autodiscover.domain2.com, and myserver.domain.local. (Funny thing, the GoDaddy support guy told me that later this year a FQDN of your server won't be accepted. He couldn't explain what that was all about, but maybe someone here can.)

Then, instead of using the SBS wizard to import the cert, I used PowerShell. The command was:

 Import-ExchangeCertificate -Path "C:\Cert\mail_ExternalDomaiName_com.crt" -FriendlyName "CompanyName UCC Cert"

Make sure that your path points to where your cert is downloaded, and that your FriendlyName is your domain.

Then I went to IIS Manager and, under Servername, then Sites, I right-clicked SBS Web Applications and chose "Edit Bindings". On the https binding on port 443 I clicked Edit to verify that the right cert was being used.

Then I went to both domain hosts and edited my DNS zones to have a CNAME record for autodiscover that points to mail.domain1.com (or domain2 for the second site), and then an SRV record that points to autodiscover.domain1.com.

The correct cert pulls on both mail domains, and now I no longer have the annoying cert error pop ups or password prompts.

Consequently, if you have internal clients that connect via an Exchange account, it helps to use the same certificate for both internal and external clients. Here's how you do that.

Open the Exchange Management Shell with elevated permissions, and enter:

Set-ClientAccessServer -Identity MAILSERVER -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "MAILSERVER\EWS (SBS Web Applications)" -InternalUrl https://mail.domain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "MAILSERVER\oab (SBS Web Applications)" -InternalUrl https://mail.domain.com/oab

Set-UMVirtualDirectory -Identity "MAILSERVER\unifiedmessaging (SBS Web Applications)" -InternalUrl https://mail.domain.com/unifiedmessaging/service.asmx

Be sure to change "MAILSERVER" to your CAS name, and the domain to the domain name on your certificate. Then your internal clients won't prompt about certs either.

Cheers.
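The steps in the accepted solution above, gathered into one Exchange Management Shell script, as an added example that is not part of riley71's post. Two things the post does not show are worth having in the script: a SAN coverage check before the certificate is bound, because a missing name in the Subject Alternative Name list is exactly what produces the Outlook mismatch dialog on the second domain, and the Enable-ExchangeCertificate step that assigns the imported certificate to the IIS, POP and SMTP services (the post relies on the IIS binding check for this). The host names mail.domain1.com, mail.domain2.com, the two autodiscover names, the CAS name MAILSERVER and the certificate path are placeholders taken from or modelled on the post. Two caveats the post cannot give: Exchange 2007 is the version whose Import-ExchangeCertificate takes -Path (Exchange 2010 and later use -FileData), and the GoDaddy rep's warning about the server FQDN refers to the CA/Browser Forum Baseline Requirements, under which public CAs stopped issuing certificates containing internal names such as myserver.domain.local in November 2015; pointing the internal URLs at the public name, as the post does, is the fix, and the .local entry should simply be left out of the next renewal.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the SBS 2008 / Exchange 2007 server as an administrator.
# Assumptions: two mail domains, one UCC/SAN certificate issued against a CSR
# generated on this server (so the private key is already present), CAS = MAILSERVER.

$certPath     = 'C:\Cert\mail_domain1_com.crt'          # assumed download location
$friendlyName = 'CompanyName UCC Cert'
$cas          = 'MAILSERVER'                           # Client Access Server name
$publicBase   = 'https://mail.domain1.com'             # name the cert is issued to

# Every name a client may connect to must appear in the SAN list (assumed names).
# Note: no .local name here; public CAs no longer issue for internal names.
$requiredNames = @(
    'mail.domain1.com', 'autodiscover.domain1.com',
    'mail.domain2.com', 'autodiscover.domain2.com'
)

# 1. Import the CA-issued certificate. The cmdlet returns the certificate object,
#    which carries the thumbprint needed for every later step.
$cert = Import-ExchangeCertificate -Path $certPath -FriendlyName $friendlyName

# 2. Verify SAN coverage before binding anything. Binding a certificate that lacks
#    a name would just move the mismatch error to a different host name.
$sanNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing  = @($requiredNames | Where-Object { $sanNames -notcontains $_.ToLower() })
if ($missing.Count -gt 0) {
    throw ("Certificate {0} does not cover: {1}" -f $cert.Thumbprint, ($missing -join ', '))
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning ("Certificate expires on {0}; renew before binding it." -f $cert.NotAfter)
}

# 3. Assign the certificate to the services the clients use: IIS (OWA, EWS, OAB,
#    Autodiscover, RPC over HTTP), POP (the sister company's POP3 accounts) and
#    SMTP for TLS. Add IMAP only if IMAP clients exist.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,POP,SMTP

# 4. Point the internal URLs at the public name so LAN clients validate against the
#    same certificate as external ones (the post's Set-* commands, with the matching
#    ExternalUrl set explicitly so both sides agree).
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "$publicBase/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (SBS Web Applications)" `
    -InternalUrl "$publicBase/ews/exchange.asmx" -ExternalUrl "$publicBase/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\oab (SBS Web Applications)" `
    -InternalUrl "$publicBase/oab" -ExternalUrl "$publicBase/oab"
Set-UMVirtualDirectory -Identity "$cas\unifiedmessaging (SBS Web Applications)" `
    -InternalUrl "$publicBase/unifiedmessaging/service.asmx"

# 5. Show what is now bound, then confirm the public DNS for the second domain
#    resolves autodiscover the way the post describes (CNAME to the mail host, and
#    an SRV record under _autodiscover._tcp). nslookup is used because
#    Resolve-DnsName does not exist on Windows Server 2008.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter
nslookup -type=CNAME autodiscover.domain2.com
nslookup -type=SRV _autodiscover._tcp.domain2.com
```

After running this, Outlook's "Test E-mail AutoConfiguration" (Ctrl+right-click the tray icon) should report the https://mail.domain1.com/... URLs for both domains, and the certificate it receives must list every name in $requiredNames; if the SRV lookup is what clients rely on, Outlook only follows it for an HTTPS target, so the SRV record should name a host that is itself on the certificate.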
 

Author Closing Comment

by:riley71
ID: 39866928
This was the solution that solved my problem.
