Solved

Help with Exchange 2007 Certificates:

Posted on 2014-10-14
Last Modified: 2014-10-16
Hi all. We have 2 issues at the moment and I'm hoping someone can help.
We have an SSL UCC certificate which we use for webmail from outside the company.
The first issue is that users are now getting a security alert when launching Outlook internally.
The message is from mailserver.domain.local and it says the name on the security cert is invalid or does not match the name of the site.
The SSL cert is setup with the name webmail.domain.com
and it has the following SANs:
autodiscover.domain.com
mail.domain.com
mailserver.domain.com

I tried adding mailserver.domain.local to the SSL certificate as a SAN but it looks like I have to wait for CertificatesForExchange.com to get back to me.  Will this fix the issue?  

The second issue I'm seeing is event ID 12014 in the Event Viewer.
It states that it can't find a certificate that contains the domain name mail.domain.com in the personal store.

I don't think this is causing any issues that I can see but it seems like it should be an easy fix.

Any and all help would be appreciated.
Question by:homerslmpson
15 Comments
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40379766
you need to configure your URLs to match your external domain; don't use .local there or in your cert

Configuring Exchange Server 2007 Web Services URLs
http://www.msexchange.org/articles-tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

may also need to configure split dns

Windows - Setting Up Split DNS
http://www.petenetlive.com/KB/Article/0000830.htm
 
LVL 1

Author Comment

by:homerslmpson
ID: 40379775
I don't understand what this means:
"you need to configure your URLs to match your external domain; don't use .local there or in your cert"

Are you trying to help me with the first issue or the second issue?
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40379884
you need to configure autodiscover, owa...those URLs need to have the external domain (.com) not .local
you also don't use .local for the cert

for the second issue, you need to enable that cert for services (IIS, SMTP, etc.)

Enable-ExchangeCertificate
http://technet.microsoft.com/en-us/library/aa997231%28v=exchg.80%29.aspx
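As an added example (not code from the thread or from Seth), here is how to find out which name event 12014 is actually asking for and then bind a certificate that carries it to the SMTP service, using only Exchange 2007 EMS cmdlets. It assumes the server is called MAILSERVER (a placeholder; the thread never names it), takes mail.domain.com from the event in the question, and has to run on the Exchange server itself, because Get-ExchangeCertificate in 2007 only reads the local computer's personal store. The point worth knowing: transport chooses its STARTTLS certificate by matching each send/receive connector's FQDN against the CertificateDomains of SMTP-enabled certificates, and 12014 is logged when an FQDN has no match.

```powershell
# Added example, not code from the thread. Assumptions: Exchange 2007 Hub
# Transport/CAS on MAILSERVER (placeholder); mail.domain.com is the name from
# the 12014 event. Run in the Exchange Management Shell on that server (2007's
# Get-ExchangeCertificate has no -Server switch; it reads the local store).
$Server = "MAILSERVER"

# Transport picks its STARTTLS certificate by matching a connector's FQDN
# against CertificateDomains of SMTP-enabled certificates. No match for an
# FQDN is exactly what event 12014 logs, so list the connector FQDNs first.
$certs = @(Get-ExchangeCertificate)
$fqdns = @()
Get-ReceiveConnector -Server $Server | % { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }
Get-SendConnector                    | % { if ($_.Fqdn) { $fqdns += $_.Fqdn.ToString() } }

foreach ($f in ($fqdns | sort -Unique)) {
    $hit = @($certs | ? {
        ($_.Services.ToString() -match "SMTP") -and
        (@($_.CertificateDomains | % { $_.ToString() }) -contains $f)
    })
    if ($hit.Count -gt 0) { "OK       {0} -> {1}" -f $f, $hit[0].Thumbprint }
    else                  { "MISSING  {0}  <- the name event 12014 reports" -f $f }
}

# Fix (a): a certificate already carries the name but is not enabled for SMTP.
# Prefer a CA-issued one over self-signed (IsSelfSigned $false sorts first);
# -Services SMTP leaves the existing IIS binding of the UCC cert untouched.
$cert = @(Get-ExchangeCertificate -DomainName "mail.domain.com" | sort IsSelfSigned)[0]
if ($cert) { Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP }

# Fix (b): no certificate has the name; rename the connector to one that does
# (default internal receive connector shown; same idea for a send connector).
# Set-ReceiveConnector -Identity "$Server\Default $Server" -Fqdn "mail.domain.com"
```

Whatever the check prints as MISSING is the name in the event. Either fix clears it; for an internal-only receive connector a self-signed certificate is acceptable (Exchange-to-Exchange TLS does not validate the chain), but keep the CA-issued UCC certificate bound to the Internet-facing connector so external senders that do opportunistic TLS can verify it.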
 
LVL 1

Author Comment

by:homerslmpson
ID: 40379901
It looks like I already have the split DNS setup.
I have a Forward Lookup Zone named webmail.domain.com and have an A record pointing to the Exchange server's internal IP address.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40379920
ok good
need to verify the exchange URLs are setup properly so that everything matches the cert
 
LVL 1

Author Comment

by:homerslmpson
ID: 40380497
Should I use webmail.domain.local for the internal URL or mail.domain.local?
The instructions mention using mail.domain.local but as I mentioned earlier the forward lookup zone and SSL cert use the name webmail.domain.com.
mail.domain.com
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40380517
where are these instructions from?
you don't want to use .local because your cert does not match that and will cause cert errors internally as you stated
 
LVL 1

Author Comment

by:homerslmpson
ID: 40380528
I was actually following the very first link you provided.

But yeah, you mentioned everything should match the SSL cert.
If that's the case should I make the following adjustments?

autodiscover = webmail.domain.com
OAB = webmail.domain.com
OOF = webmail.domain.com
Unified Messaging (we don't use) = webmail.domain.com
 
LVL 1

Author Comment

by:homerslmpson
ID: 40380532
But that link you provided is old (Nov 2007) so I'm thinking things changed over the last few years.
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40380571
it discusses using internally-created cert which is not what you want here; however the EMS commands are the same
you just put in the url of your server (the .com not .local)
scroll down to the autodiscover section for those commands

the link might be old but so is your exchange version :)
procedurally nothing has changed with that version over the years
 
LVL 1

Author Comment

by:homerslmpson
ID: 40380582
lol Exchange is expensive.
OK so does this make sense?
autodiscover = webmail.domain.com
OAB = webmail.domain.com
OOF = webmail.domain.com
Unified Messaging (we don't use) = webmail.domain.com
 
LVL 35

Accepted Solution

by:
Seth Simmons earned 2000 total points
ID: 40380617
yes it can be as long as DNS records are there and the name is on the cert (which you have)

here is the TechNet article I was looking for
a bit simpler to read

How to Configure Exchange Services for the Autodiscover Service
http://technet.microsoft.com/en-us/library/bb201695%28EXCHG.80%29.aspx
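As an added example (not from the thread), the EMS commands that do what the list above describes, followed by a check that nothing still points at a .local name. It assumes the Client Access server is MAILSERVER (placeholder), that webmail.domain.com is the certificate name and already resolves internally through the split DNS zone, and that the virtual directory identities are the Exchange 2007 defaults. The Outlook prompt in the question comes from the Autodiscover SCP and web-service URLs defaulting to the server's internal FQDN; it is a name mismatch, not a trust failure, and the right fix is to make the names agree rather than teach users to click through it.

```powershell
# Added example, not code from the thread. Assumptions: CAS server is
# MAILSERVER (placeholder), the certificate name is webmail.domain.com and
# split DNS resolves it to the internal IP. Run in the Exchange Management Shell.
$Server = "MAILSERVER"
$Name   = "webmail.domain.com"
$Base   = "https://$Name"

# Autodiscover: the SCP that domain-joined Outlook reads from Active Directory.
# This is the URL behind the "name on the security certificate is invalid" prompt.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Web services handed out by Autodiscover: EWS (OOF, free/busy), OAB, UM.
# Internal and external are set to the same name so one certificate covers both.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Set-UMVirtualDirectory -Identity "$Server\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "$Base/UnifiedMessaging/Service.asmx"

# Verify: collect every URL and flag any host that is not the certificate name.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | % { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
Get-OABVirtualDirectory -Server $Server         | % { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }
Get-UMVirtualDirectory -Server $Server          | % { $urls += $_.InternalUrl; $urls += $_.ExternalUrl }

foreach ($u in $urls) {
    if ($u -eq $null) { continue }                 # unset ExternalUrl values come back as null
    if ($u.Host -ieq $Name) { "OK       $u" } else { "MISMATCH $u  (not on the certificate)" }
}
```

Outlook caches the Autodiscover result, so restart it after the change. The same rule applies to Outlook Anywhere: its ExternalHostname must be a name on the certificate, and the split DNS zone must resolve that name internally or Outlook will still be sent to the server's .local name.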
 
LVL 1

Author Comment

by:homerslmpson
ID: 40382420
I went ahead and made the changes.
I added webmail.domain.com for the internal Autodiscover, the internal OAB, the internal and external web services and I enabled Outlook Anywhere.
The error is still in the event viewer about not finding the domain name mail.domain.com in the personal store.
The image below shows the certs inside the personal store.
Some of them have the SAN of mail.domain.com while others don't.
Is there a way to see which one is being used?
[image: personal store]
 
LVL 1

Author Comment

by:homerslmpson
ID: 40384727
OK I've removed all of the certificates in the personal store except for the one self-signed certificate for SMTP and the SSL certificate for the other things.
After I narrowed down what self-signed certificate was being used for SMTP I ran the following command in EMC:
New-ExchangeCertificate -DomainName ServerName,ServerName.domain.local,mail.domain.com
The first 2 were already on the self signed certs but not the last one.
That idea was thanks to THIS link.
The error is no longer showing in the event log so I'd like to think this has been resolved.
 
LVL 1

Author Closing Comment

by:homerslmpson
ID: 40384730
Thanks for your help.

Question has a verified solution.
