Solved

Outlook Security Alert on open

Posted on 2014-11-10
Last Modified: 2014-11-10
On a new Exchange install, I had a 3rd party cert for OWA (IIS service). I accidentally put SMTP on it. That caused security warnings in Outlook as the cert has a different site (our internal domain is mydomain.loc, external mydomain.com).

Since you cannot remove a service from a cert, I put them all back on to the self-signed one. Removed the 3rd party one, re-imported the 3rd party one, added just the IIS service to that.

However the Outlook clients are still complaining about the cert. Why? Is there some service I need to restart to apply this, maybe Client Access or Hub Transport? As far as I know internal Outlook clients could care less about the IIS cert.
Question by:bhieb
3 Comments
Accepted Solution

by: Adam Farage (LVL 19), earned 2000 total points
ID: 40432900
You need to make sure the Autodiscover namespace is on the SSL certificate. You can find the autodiscover namespace not on the virtual directory but within Active Directory as internal Outlook clients will utilize the AutoDiscover Service Connection Point for it.
Get-ClientAccessServer | Select-Object Identity, AutodiscoverServiceInternalUri
If this is showing as the server name, or a name that is not even on the certificate you can change it by doing the following:

Set-ClientAccessServer <servername without brackets> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml
You would also want to make sure the InternalURL for EWS is also set for a name on the certificate (typically the same namespace applied to OWA)

Get-WebServicesVirtualDirectory | Select Identity, InternalURL
Since you are not using a public TLD (.loc is not available publicly) I would create a forward lookup zone for our external address (domain.com) and set a DNS A record pointing to the CAS (or Virtual IP if you have a load balancer deployed) for AutoDiscover and Mail addresses. The reason for this is because a non-public TLD cannot be added to an SSL certificate, and in theory you can only apply a single SSL certificate to Exchange's IIS service.

Last but not least the self-signed certificate will still error for Outlook users because it is not trusted. I am not sure why this was working before (unless you exported it and trusted it on all internal machines via GPO) but I would recommend fixing your third party certificate, which will most likely be a UC / SAN certificate.
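The checks in the accepted answer boil down to one question: does every hostname Exchange hands to Outlook (the Autodiscover SCP plus each virtual directory's InternalUrl/ExternalUrl) appear on the certificate bound to IIS, and does it resolve internally? The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft; it assumes only the standard Exchange cmdlets and the built-in .NET DNS resolver, and prints one row per URL so the name that is still triggering the Outlook security alert stands out.

```powershell
# Added example: audit every Outlook-facing namespace against the IIS certificate SANs.
# Run in the Exchange Management Shell on a Client Access server.

# Certificate(s) currently assigned to the IIS service (Services is a flags value such as "IIS, SMTP").
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
if (-not $iisCerts) { Write-Warning 'No certificate has the IIS service enabled.'; return }

# All subject/SAN names on those certificates, lower-cased for comparison.
$sans = @()
foreach ($cert in $iisCerts) {
    $sans += $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
}

# Every URL Exchange publishes to clients, labelled by its source.
$urls = @()
foreach ($cas in Get-ClientAccessServer) {
    $urls += [pscustomobject]@{ Source = "SCP ($($cas.Identity))"; Url = $cas.AutoDiscoverServiceInternalUri }
}
$vdirCmds = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-OabVirtualDirectory',
            'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vd in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) { $urls += [pscustomobject]@{ Source = "$($vd.Identity) $prop"; Url = $vd.$prop } }
        }
    }
}

# A SAN covers a host if it matches exactly, or is a wildcard for the host's parent domain
# (a wildcard covers exactly one label, so label counts must match).
function Test-HostCovered([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1)) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Report: a row with Covered=False is a name Outlook will warn about; Resolves=False means the
# split-DNS zone (or A record) the answer recommends is missing.
$urls | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    $resolves = $true
    try { [void][System.Net.Dns]::GetHostAddresses($hostName) } catch { $resolves = $false }
    [pscustomobject]@{
        Source   = $_.Source
        Host     = $hostName
        Covered  = Test-HostCovered -HostName $hostName -Names $sans
        Resolves = $resolves
    }
} | Sort-Object Covered, Host | Format-Table -AutoSize
```

A self-signed certificate will still show Covered=True for its own names yet keep prompting, because the check here is name matching only; trust is a separate condition, as the answer notes.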
Author Comment

by:bhieb
ID: 40432970
Ok, now it is coming back; it's been a long time since I've set one up. The DNS is already set up so the external owa.mydomain.com resolves back to the mail.mydomain.loc IP.

I had a few things wrong. First, all the CA services were pointing to the internal URL https://mail.mydomain.loc (for OWA, OAB, ECP, ActiveSync...). I've changed them to use the external one that matches the cert: https://owa.mydomain.com

Get-WebServicesVirtualDirectory returned similar problems: internal was still .loc and external .com, so I changed internal to .com.

Now when I run the Outlook autodiscover test, all I see referencing the internal name is the RPC server name itself. How do I get that changed, or do I?
Author Comment

by:bhieb
ID: 40432987
Disregard the last; I had a typo in your command to reset the autodiscover URL. Error is gone now, all is well.