Solved

Exchange 2010 Certificates

Posted on 2014-04-11
Last Modified: 2014-04-11
Layout:
Domain:  eyecare.com
Exchange 2010 with all SPs and RUs.
Most clients use OWA, using https://mail.eyecare.com/owa (yes even internally)

Own a GoDaddy SSL certificate that covers eyecare.com, mail.eyecare.com, and autodiscover.eyecare.com. OWA users are covered under this.

ISSUE:
GoDaddy will not cover our internal addresses any longer. I recently had to rekey our certificate and lost coverage of my .local addresses.

Internal:  exchange.eyecare.local - I have a built-in Exchange certificate that does cover this internal address.

My OWA clients are fine - they do not get SSL errors because they are using mail.eyecare.com.

However, those that use Outlook 2010 are getting errors:

"The name on the security certificate is invalid or does not match the name of the site."

When you select "view certificate" on this error, it is pointing to the GoDaddy certificate for mail.eyecare.com.

When I configure Outlook 2010 to our server, it automatically inserts exchange.eyecare.local under mail server.

So, how do I tell Exchange to use the built-in exchange.eyecare.local certificate for the Outlook clients?
Question by:SECC_IT
8 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39994565
The simple, no-impact solution is to update your internal URLs to match the external URLs:


You can get the external urls here :
# *lur* matches every property containing "Url"/"Uri" (InternalUrl, ExternalUrl, AutoDiscoverServiceInternalUri)
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize


Then change your internal URLs to match the external URLs:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
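The accepted answer lists the Get-* and Set-* commands but not a way to confirm, before and after the change, that every name clients are handed is actually on the certificate bound to IIS. The script below is an added editor's example, not code from the question or the answer: it gathers the internal and external URLs of the Client Access virtual directories and the Autodiscover SCP, checks each host name against the SAN list of the certificate Exchange has enabled for IIS, and only with -Apply repoints the internal URLs at the external host name the way the answer describes. It assumes it is run in the Exchange Management Shell on the CAS (PowerShell 2.0 syntax, as shipped with Exchange 2010); $Server and $ExternalHost are placeholders for your own values.

```powershell
# Added example (editor's illustration, not code from the question or the
# accepted answer). Audits the Exchange 2010 Client Access URLs against the
# certificate Exchange has enabled for IIS, lists every URL whose host name the
# certificate does not cover, and with -Apply repoints the internal URLs at the
# external host name as the accepted answer recommends.
# Assumptions: run in the Exchange Management Shell (PowerShell 2.0 syntax) on
# the CAS; $Server and $ExternalHost are placeholders for your own values.
param(
    [string]$Server       = $env:COMPUTERNAME,
    [string]$ExternalHost = 'mail.example.com',  # placeholder, not the poster's name
    [switch]$Apply                               # default is report-only
)

# True when one of the certificate's SAN/CN names covers $HostName.
# A wildcard entry matches exactly one label: "*.example.com" covers
# "mail.example.com" but not "a.mail.example.com".
function Test-CertCoversHost {
    param([string[]]$CertDomains, [string]$HostName)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)   # ".example.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Split('.').Count -eq $suffix.Split('.').Count) { return $true }
        }
    }
    return $false
}

# Names on the certificate(s) assigned to the IIS service; OWA, EWS, OAB, ECP,
# ActiveSync and Autodiscover all ride on that binding.
$iisCerts  = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })

# Every internal and external URL a client can be handed, plus the Autodiscover SCP.
$vdirs = @(
    @{ Kind = 'EWS';        Objects = @(Get-WebServicesVirtualDirectory -Server $Server) },
    @{ Kind = 'OAB';        Objects = @(Get-OabVirtualDirectory        -Server $Server) },
    @{ Kind = 'OWA';        Objects = @(Get-OwaVirtualDirectory        -Server $Server) },
    @{ Kind = 'ECP';        Objects = @(Get-EcpVirtualDirectory        -Server $Server) },
    @{ Kind = 'ActiveSync'; Objects = @(Get-ActiveSyncVirtualDirectory -Server $Server) }
)
$rows = @()
foreach ($v in $vdirs) {
    foreach ($o in $v.Objects) {
        foreach ($side in 'InternalUrl', 'ExternalUrl') {
            $u = $o.$side
            if ($u) {
                $h = ([Uri]$u.ToString()).Host
                $rows += New-Object PSObject -Property @{
                    Kind = $v.Kind; Side = $side; HostName = $h
                    Covered = (Test-CertCoversHost -CertDomains $certNames -HostName $h)
                }
            }
        }
    }
}
$cas = Get-ClientAccessServer -Identity $Server
if ($cas.AutoDiscoverServiceInternalUri) {
    $h = $cas.AutoDiscoverServiceInternalUri.Host
    $rows += New-Object PSObject -Property @{
        Kind = 'Autodiscover SCP'; Side = 'InternalUri'; HostName = $h
        Covered = (Test-CertCoversHost -CertDomains $certNames -HostName $h)
    }
}

$rows | Format-Table Kind, Side, HostName, Covered -AutoSize
$uncovered = @($rows | Where-Object { -not $_.Covered })
Write-Host ("{0} URL(s) use a name the IIS certificate does not cover; Outlook warns on each." -f $uncovered.Count)

if ($Apply) {
    # Refuse to move everything onto a name the certificate does not cover either.
    if (-not (Test-CertCoversHost -CertDomains $certNames -HostName $ExternalHost)) {
        throw "The IIS certificate does not cover $ExternalHost; fix the certificate first."
    }
    $base = "https://$ExternalHost"
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
    Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$base/ews/exchange.asmx"
    Get-OabVirtualDirectory        -Server $Server | Set-OabVirtualDirectory        -InternalUrl "$base/oab"
    Get-OwaVirtualDirectory        -Server $Server | Set-OwaVirtualDirectory        -InternalUrl "$base/owa"
    Get-EcpVirtualDirectory        -Server $Server | Set-EcpVirtualDirectory        -InternalUrl "$base/ecp"
    Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync"
    Write-Host "Internal URLs now use $ExternalHost. Internal DNS must resolve that name to this CAS (split DNS)."
}
```

Run it once without -Apply to see which names currently trigger the Outlook warning (in the poster's case the .local internal URLs), then with -Apply, then once more to confirm every row reads Covered = True. The one thing the answer's commands do not mention, and the check that matters most before applying: internal DNS must resolve the external name (here mail.eyecare.com) to the internal address of the CAS, otherwise internal Outlook clients will follow the new internal URLs out to the public IP.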
 

Author Comment

by:SECC_IT
ID: 39994643
My internal mail doesn't need an SSL certificate.

How do I tell Exchange to use the built-in exchange.eyecare.local certificate for the Outlook clients?
 
LVL 29

Expert Comment

by:becraig
ID: 39994660
If you have not configured your internal URL to require SSL, why are your internal users going to SSL?

The fact that your internal users are getting SSL prompts indicates that it is configured to use SSL.

The option I outlined above simply resolves an additional future problem you might have where users DO NOT trust your self-signed certificate (without additional work).
It also minimizes your workload in terms of certificates to manage.

If you want to proceed using a self-signed certificate, simply go to the .local sites in IIS and update the bindings to the self-signed certificate you will create.

I do not suggest this, however, as I know it might well just lead to a question later of clients NOT TRUSTING your new .local certificate.
 

Author Comment

by:SECC_IT
ID: 39994669
Honestly, your solution was actually my first thought, and you saved me some Googling by listing exactly how to do it.

Is there a downside to your solution?

 
LVL 29

Expert Comment

by:becraig
ID: 39994684
There is no downside, to be honest; it is the path most folks will end up going down as a result of the certificate vendors' change from honoring requests with .local domains.
 

Author Comment

by:SECC_IT
ID: 39994687
Okay. I am going to try this. I will leave this ticket open in case I run into issues. Thank you! If it works, you'll get the points!
 

Author Comment

by:SECC_IT
ID: 39994874
I did everything you said. The commands ran without incident. I restarted the Exchange Transport service and the IIS Admin service and, voila! - no more certificate errors!

Thank you for your help!
 

Author Closing Comment

by:SECC_IT
ID: 39994875
It is a workaround, but it will have to do. Thank you!