Solved

Outlook Security Alert on open

Posted on 2014-11-10
Last Modified: 2014-11-10
On a new Exchange install, I had a 3rd party cert for OWA (IIS service). I accidentally put SMTP on it. That caused security warnings in Outlook as the cert has a different site (our internal domain is mydomain.loc, external mydomain.com).

Since you cannot remove a service from a cert, I put them all back on to the self-signed one. Removed the 3rd party one, re-imported the 3rd party one, added just the IIS service to that.

However, the Outlook clients are still complaining about the cert. Why? Is there some service I need to restart to apply this, maybe Client Access or Hub Transport? As far as I know internal Outlook clients could care less about the IIS cert.
Question by:bhieb

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40432900
You need to make sure the Autodiscover namespace is on the SSL certificate. You can find the autodiscover namespace not on the virtual directory but within Active Directory as internal Outlook clients will utilize the AutoDiscover Service Connection Point for it.
Get-ClientAccessServer | Select-Object Identity, AutodiscoverServiceInternalUri

If this is showing as the server name, or a name that is not even on the certificate, you can change it by doing the following:

Set-ClientAccessServer <servername without brackets> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml

You would also want to make sure the InternalURL for EWS is also set to a name on the certificate (typically the same namespace applied to OWA).

Get-WebServicesVirtualDirectory | Select Identity, InternalURL

Since you are not using a public TLD (.loc is not available publicly) I would create a forward lookup zone for our external address (domain.com) and set a DNS A record pointing to the CAS (or Virtual IP if you have a load balancer deployed) for AutoDiscover and Mail addresses. The reason for this is because a non-public TLD cannot be added to an SSL certificate, and in theory you can only apply a single SSL certificate to Exchange's IIS service.

Last but not least the self-signed certificate will still error for Outlook users because it is not trusted. I am not sure why this was working before (unless you exported it and trusted it on all internal machines via GPO) but I would recommend fixing your third party certificate, which will most likely be a UC / SAN certificate.
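An added check (example code written for this page, not from the thread, Microsoft, or the Exchange product) that gathers every internal URL an Outlook client can be handed, starting with the AutoDiscover SCP in Active Directory, and compares each hostname against the names on the certificate that currently has the IIS service enabled; it assumes the Exchange Management Shell is loaded and uses a hypothetical `$Server` parameter for the CAS to inspect.

```powershell
# Added example (not from the thread): compare the internal URLs Exchange hands to Outlook
# against the SAN names on the certificate bound to IIS. Assumes the Exchange Management
# Shell is loaded; $Server (a hypothetical parameter) names the CAS to check.
param([string]$Server = $env:COMPUTERNAME)

# Names on the certificate that currently has the IIS service enabled.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate with the IIS service enabled on $Server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameOnCert {
    # True when $HostName is on the certificate, honouring a *.domain wildcard entry.
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName.EndsWith($n.Substring(1))) {
            # A wildcard covers exactly one label: owa.mydomain.com, not a.b.mydomain.com
            $prefix = $HostName.Substring(0, $HostName.Length - $n.Length + 1)
            if ($prefix -and $prefix -notmatch '\.') { return $true }
        }
    }
    return $false
}

# Every URL an internal Outlook client may be handed, starting with the AutoDiscover SCP
# that lives in Active Directory (the value the accepted answer points at).
$urls = @(Get-ClientAccessServer -Identity $Server | ForEach-Object {
    [pscustomobject]@{ Source = 'Autodiscover SCP'; Url = $_.AutoDiscoverServiceInternalUri } })
$vdirs = @(
    @{ Name = 'EWS';        Cmd = { Get-WebServicesVirtualDirectory -Server $Server } },
    @{ Name = 'OWA';        Cmd = { Get-OwaVirtualDirectory -Server $Server } },
    @{ Name = 'ECP';        Cmd = { Get-EcpVirtualDirectory -Server $Server } },
    @{ Name = 'OAB';        Cmd = { Get-OabVirtualDirectory -Server $Server } },
    @{ Name = 'ActiveSync'; Cmd = { Get-ActiveSyncVirtualDirectory -Server $Server } }
)
foreach ($v in $vdirs) {
    $urls += & $v.Cmd | ForEach-Object { [pscustomobject]@{ Source = $v.Name; Url = $_.InternalUrl } }
}

# Report each hostname that is not on the certificate; those are what trigger the Outlook prompt.
foreach ($u in $urls) {
    if (-not $u.Url) { continue }
    $hostName = ([uri]$u.Url).Host.ToLower()
    $ok = Test-NameOnCert -HostName $hostName -Names $certNames
    '{0,-17} {1,-40} {2}' -f $u.Source, $hostName, $(if ($ok) { 'on certificate' } else { 'NOT on certificate' })
}
```

Any line reported as NOT on certificate is a name that still needs either a Set-*VirtualDirectory / Set-ClientAccessServer change to a certificate name, or a certificate reissued with that name added.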

Author Comment

by:bhieb
ID: 40432970
Ok, now it is coming back; it's been a long time since I've set one up. The DNS is already set up so the external owa.mydomain.com resolves back to the mail.mydomain.loc IP.

I had a few things wrong. First, all the CA services were pointing to the internal URL https://mail.mydomain.loc (for OWA, OAB, ECP, ActiveSync...). I've changed them to use the external one that matches the cert: https://owa.mydomain.com

Get-WebServicesVirtualDirectory returned similar problems: internal was still .loc, external .com, so I changed internal to .com.

Now when I run the Outlook autodiscover test, all I see referencing the internal name is the RPC server name itself. How do I get that changed, or do I?

Author Comment

by:bhieb
ID: 40432987
Disregard the last; I had a typo in your command to reset the autodiscover URL. The error is gone now, all is well.