Solved

Outlook Security Alert on open

Posted on 2014-11-10
Last Modified: 2014-11-10
On a new Exchange install, I had a 3rd party cert for OWA (IIS service). I accidentally put SMTP on it. That caused security warnings in Outlook, as the cert has a different site (our internal domain is mydomain.loc, external mydomain.com).

Since you cannot remove a service from a cert, I put them all back on to the self-signed one, removed the 3rd party one, re-imported the 3rd party one, and added just the IIS service to that.

However, the Outlook clients are still complaining about the cert. Why? Is there some service I need to restart to apply this, maybe Client Access or Hub Transport? As far as I know, internal Outlook clients could care less about the IIS cert.
Question by:bhieb
3 Comments
LVL 19

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40432900
You need to make sure the Autodiscover namespace is on the SSL certificate. You can find the autodiscover namespace not on the virtual directory but within Active Directory as internal Outlook clients will utilize the AutoDiscover Service Connection Point for it.
Get-ClientAccessServer | Select-Object Identity, AutodiscoverServiceInternalUri

If this is showing as the server name, or a name that is not even on the certificate, you can change it by doing the following:

Set-ClientAccessServer <servername without brackets> -AutoDiscoverServiceInternalUri https://autodiscover.company.com/autodiscover/autodiscover.xml

You would also want to make sure the InternalURL for EWS is set to a name on the certificate (typically the same namespace applied to OWA):

Get-WebServicesVirtualDirectory | Select Identity, InternalURL

Since you are not using a public TLD (.loc is not available publicly), I would create a forward lookup zone for our external address (domain.com) and set a DNS A record pointing to the CAS (or Virtual IP if you have a load balancer deployed) for the AutoDiscover and Mail addresses. The reason for this is that a non-public TLD cannot be added to an SSL certificate, and in theory you can only apply a single SSL certificate to Exchange's IIS service.

Last but not least, the self-signed certificate will still error for Outlook users because it is not trusted. I am not sure why this was working before (unless you exported it and trusted it on all internal machines via GPO), but I would recommend fixing your third party certificate, which will most likely be a UC / SAN certificate.
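As an added example (not code from this thread or from Microsoft), the following Exchange Management Shell audit pulls together the checks the answer above walks through: it collects every namespace an internal Outlook client can be handed (the Autodiscover SCP plus the internal and external URLs of the IIS virtual directories), reads the SAN list of the certificate currently bound to the IIS service, and reports any name that is not covered or does not resolve in DNS. It assumes an Exchange 2010/2013 server and the `CertificateDomains` and `Services` properties of `Get-ExchangeCertificate`; the wildcard-matching helper is my own.

```powershell
# Added example: audit Exchange namespaces against the IIS certificate's SANs.
# Assumes Exchange 2010/2013 Management Shell, run on a Client Access server.

function Get-HostFromUri([string]$Uri) {
    if ([string]::IsNullOrEmpty($Uri)) { return $null }
    return ([System.Uri]$Uri).Host.ToLower()
}

# True when $Name is listed on the certificate, exactly or via a single-label
# wildcard entry such as *.mydomain.com (which covers owa.mydomain.com but not
# a.b.mydomain.com).
function Test-NameOnCert([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        $d = $d.ToLower()
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name.EndsWith($d.Substring(1))) {
            $label = $Name.Substring(0, $Name.Length - ($d.Length - 1))
            if ($label -notmatch '\.') { return $true }
        }
    }
    return $false
}

# The certificate serving IIS (OWA, EWS, Autodiscover, OAB, ECP, ActiveSync).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

# Every URL handed out to clients: the Autodiscover SCP, then each IIS vdir.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += New-Object PSObject -Property @{ Source = "SCP $($_.Identity)";
                                              Url = $_.AutoDiscoverServiceInternalUri }
}
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory') {
    & $cmd | ForEach-Object {
        $urls += New-Object PSObject -Property @{ Source = "$cmd Internal"; Url = $_.InternalUrl }
        $urls += New-Object PSObject -Property @{ Source = "$cmd External"; Url = $_.ExternalUrl }
    }
}

# One row per namespace: is it on the cert, and does it resolve at all?
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = Get-HostFromUri $_.Url
    New-Object PSObject -Property @{
        Source   = $_.Source
        Host     = $h
        OnCert   = Test-NameOnCert $h $sans
        Resolves = $(try { [bool][System.Net.Dns]::GetHostAddresses($h) } catch { $false })
    }
} | Format-Table Source, Host, OnCert, Resolves -AutoSize
```

Any row with OnCert False is a namespace that will trigger the Outlook certificate warning described in the question, and a Resolves False row is the split-DNS gap the answer addresses with the forward lookup zone.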

Author Comment

by:bhieb
ID: 40432970
Ok, now it is coming back up; it's been a long time since I've set one up. The DNS is already set up, so the external owa.mydomain.com resolves back to the mail.mydomain.loc IP.

I had a few things wrong. First, all the CA services were pointing to the internal URL https://mail.mydomain.loc (for OWA, OAB, ECP, ActiveSync...). I've changed them to use the external one that matches the cert: https://owa.mydomain.com

Get-WebServicesVirtualDirectory returned similar problems: internal was still .loc, external .com, so I changed internal to .com.

Now when I run the Outlook autodiscover test, all I see referencing the internal name is the RPC server name itself. How do I get that changed, or do I?

Author Comment

by:bhieb
ID: 40432987
Disregard the last; I had a typo in your command to reset the Autodiscover URL. The error is gone now, all is well.