Outlook Security Alert on open

On a new Exchange install.  I had a 3rd party cert for owa (iis service). I accidentally put SMTP on it. That caused security warnings in outlook as the cert has a different site (our internal domain is mydomain.loc external mydomain.com).

Since you cannot remove a service from a cert, I put them all back on to the self signed one. Removed the 3rd party one, re imported 3rd party one, added just the iis service to that.

However the outlook clients are still complaining about the cert. Why? Is there some service i need to restart to apply this, maybe client access or hub transport? As far as I know internal outlook clients could care less about the iis cert.
Asked by bhieb

1 Solution
 
Adam Farage (Enterprise Arch) commented:
You need to make sure the Autodiscover namespace is on the SSL certificate. You can find the autodiscover namespace not on the virtual directory but within Active Directory as internal Outlook clients will utilize the AutoDiscover Service Connection Point for it.
Get-ClientAccessServer | Select-Object Identity, AutodiscoverServiceInternalUri

If this is showing as the server name, or a name that is not even on the certificate you can change it by doing the following:

Set-ClientAccessServer <servername without brackets> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml

You would also want to make sure the InternalURL for EWS is also set for a name on the certificate (typically the same namespace applied to OWA)

Get-WebServicesVirtualDirectory | Select Identity, InternalURL

Since you are not using a public TLD (.loc is not available publicly), I would create a forward lookup zone for our external address (domain.com) and set a DNS A record pointing to the CAS (or Virtual IP if you have a load balancer deployed) for AutoDiscover and Mail addresses. The reason for this is because a non-public TLD cannot be added to an SSL certificate, and in theory you can only apply a single SSL certificate to Exchange's IIS service.

Last but not least the self-signed certificate will still error for Outlook users because it is not trusted. I am not sure why this was working before (unless you exported it and trusted it on all internal machines via GPO) but I would recommend fixing your third party certificate, which will most likely be a UC / SAN certificate.
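The answer above walks through checking the Autodiscover SCP and the EWS InternalUrl one cmdlet at a time. The script below, an added example that is not part of the thread, does the same audit in one pass: it reads the subject alternative names from the certificate currently bound to IIS and reports, for every URL an internal Outlook client can be handed (SCP, EWS, OWA, OAB, ECP, ActiveSync), whether its host name is actually on that certificate. It assumes the Exchange Management Shell; the server name is a placeholder.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
$server = 'MAIL01'   # placeholder: the Client Access server to audit

# Subject alternative names on the certificate that has the IIS service enabled
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Every URL an internal Outlook client may receive from Autodiscover
$urls = @()
$urls += [pscustomobject]@{ Source = 'Autodiscover SCP'
    Url = (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri }
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory') {
    foreach ($vd in (& $cmd -Server $server)) {
        $urls += [pscustomobject]@{ Source = "$cmd InternalUrl"; Url = $vd.InternalUrl }
        $urls += [pscustomobject]@{ Source = "$cmd ExternalUrl"; Url = $vd.ExternalUrl }
    }
}

# A host name is covered if it is listed exactly or matched by a one-label wildcard (*.example.com)
function Test-NameOnCert([string]$hostName, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Any row with OnCert = False is a name Outlook will warn about (e.g. mail.mydomain.loc)
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = ([uri]$_.Url).Host.ToLower()
    [pscustomobject]@{ Source = $_.Source; Host = $h; OnCert = (Test-NameOnCert $h $certNames) }
} | Format-Table -AutoSize
```

A row reporting the bare server name or an internal-only suffix such as .loc is exactly the case the answer describes, and the corresponding Set-ClientAccessServer or Set-*VirtualDirectory command is the fix.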
 
bhieb (Author) commented:
Ok, now it is coming back up; it's been a long time since I've set one up. The DNS is already set up so the external owa.mydomain.com resolves back to the mail.mydomain.loc IP.

I had a few things wrong. First, all the CA services were pointing to the internal URL https://mail.mydomain.loc (for OWA, OAB, ECP, ActiveSync...). I've changed them to use the external one that matches the cert: https://owa.mydomain.com

Get-WebServicesVirtualDirectory returned similar problems: internal was still .loc, external .com, so I changed internal to .com.

Now when I run the Outlook autodiscover test, all I see referencing the internal name is the RPC server name itself. How do I get that changed, or do I?
 
bhieb (Author) commented:
Disregard the last, I had a typo in your command to reset the auto discover url. Error is gone now, all is well.