Solved

Outlook 2010 gets certificate error after adding purchased SSL

Posted on 2015-01-08
11
182 Views
Last Modified: 2015-01-08
Scenario. We have a customer who is going through the process of migrating from SBS 2003. At the moment, we have Exchange 2003 (SBS) and Exchange 2010 co-existing on the same network.

We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server.

I have migrated just one test email account onto Exchange 2010 to iron out any issues.

This particular user has Outlook 2010, and since installing the new SSL certificate, when he opens Outlook he gets a warning about the certificate.

Outlook 2010 is connecting to the internal server name of srv-exch2010.ourdomain.local

What I have done so far is:-

1) We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server IP.

2) After taking note of the existing settings, I have run the following PowerShell commands on the Exchange 2010 server:-

Set-ClientAccessServer -Identity SRV-EXCH2010 -AutodiscoverServiceInternalUri https://exchange.ourdomain.net/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "SRV-EXCH2010\EWS (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "SRV-EXCH2010\oab (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/oab

Set-ActiveSyncVirtualDirectory -Identity "SRV-EXCH2010\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/Microsoft-Server-ActiveSync



I have restarted the server, and yet still when I go into Outlook 2010 and try and enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local

OWA is working fine both internally and externally.
0
Question by:Chris Millard
11 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40537418
"I have restarted the server, and yet still when I go into Outlook 2010 and try and enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local"

That is NOT the cause of your SSL prompts. Outlook will always connect to the real server name.

When you get the SSL prompt, you need to look at the certificate. It should tell you what certificate it is. First verify that the certificate is the correct one.

I presume you have a split DNS so the external name resolves internally?
You haven't done all of the URLs for use with the trusted certificate. http://semb.ee/hostnames2010

Wildcard certificates are generally not recommended for use with Exchange servers. The preferred certificate type is UC (Unified Communication) aka Multiple Domain certificates.

Simon.
0
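Simon's point is that the prompt comes from whichever published URL still carries a name the certificate does not cover. The following added example (not code from the thread or from Microsoft) pulls every client-facing URL on the Exchange 2010 CAS and checks its host name against the names on the IIS-bound certificate, treating a wildcard as covering exactly one label; it assumes the Exchange Management Shell and the server name SRV-EXCH2010 from the question.

```powershell
$Server = 'SRV-EXCH2010'   # CAS name from the question

# Certificate bound to IIS: the one Autodiscover, EWS and OAB are served with.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
$certNames = @($cert.CertificateDomains)   # subject CN plus every SAN

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.ourdomain.net matches
        # exchange.ourdomain.net but never srv-exch2010.ourdomain.local.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                    # ".ourdomain.net"
            $first  = $HostName.Split('.')[0]
            if ($HostName.EndsWith($suffix) -and
                ($HostName.Length - $suffix.Length) -eq $first.Length) { return $true }
        }
    }
    return $false
}

# Every URL a client can be handed. An empty URL means the default (the
# internal FQDN) is in use, which is exactly what the certificate does not cover.
$urls = @{}
$urls['AutoDiscoverServiceInternalUri'] =
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) +
         @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    $urls["$($vd.Name) InternalUrl"] = $vd.InternalUrl
    $urls["$($vd.Name) ExternalUrl"] = $vd.ExternalUrl
}

foreach ($k in $urls.Keys) {
    if (-not $urls[$k]) { Write-Warning "$k is not set"; continue }
    $hostName = ([Uri]$urls[$k]).Host
    if (Test-CertNameMatch -HostName $hostName -Names $certNames) {
        Write-Host ("OK       {0}: {1}" -f $k, $hostName)
    } else {
        Write-Warning ("MISMATCH {0}: {1} is not on certificate {2}" -f $k, $hostName, $cert.Thumbprint)
    }
}
```

Any MISMATCH or "not set" line is a URL that still needs a Set-*VirtualDirectory (or Set-ClientAccessServer) run; run it again after the change and after an IIS reset.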
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537430
Simon, whilst I haven't yet looked at the URL you supplied above, I should have stated that it is indeed a UC certificate that has been purchased.

And yes, I do have split DNS.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40537489
" We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server."

Wildcards and UC certificates are not the same thing.

Simon.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537519
>> We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server

This should be added as an A record not CNAME.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537549
Simon - I have downloaded, modified and run the .ps1 script, but the problem remains.

Suliman - Why should I use an A record instead of a CNAME?
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537561
Because CNAMEs resolve names to names, exchange.domain.com will be resolved to srv-exch2010.ourdomain.local for clients, and the name srv-exch2010.ourdomain.local is not included in the UCC certificate.

If an A record is used, the clients will use the name exchange.domain.com.
0
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537572
Suliman - OK, well I've deleted the CNAME, created an A record pointing to the IP instead. I have stopped and restarted both the DNS Server, DNS Client and flushed the DNS cache.

Pinging still returns the correct IP, but still, when entering the external URL into Outlook 2010, it changes back to the old internal URL.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40537620
As I put in my first post - Outlook will ALWAYS put in the internal server name of the server. That is the expected behaviour and is not the cause of the SSL prompts.

Have you verified that it is your certificate that is generating the prompts?

Hold down CTRL, right click on the Outlook icon in the system tray and choose Test Email Autoconfiguration. Run the test, look at the results. Verify that everything that is being returned is correct.

Simon.
0
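Simon's advice is to look at the certificate that is actually raising the prompt rather than at the server name Outlook displays. As an added example (not part of the thread), the function below does that from any domain machine using only .NET classes: it opens a TLS connection with a chosen host name and reports the certificate the server presents, including its SAN list. The two host names at the bottom are the ones from the question.

```powershell
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name as used in the URL
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we are inspecting the certificate, not trusting it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name extension (OID 2.5.29.17), where UC/SAN names live
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = '(none)'
        if ($san) { $sanText = $san.Format($false) }
        New-Object PSObject -Property @{
            RequestedHost  = $HostName
            Subject        = $cert.Subject
            SubjectAltName = $sanText
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# The mailbox connection Outlook shows in the account dialog is RPC to the
# internal name; the name check that triggers the prompt happens against the
# host in the HTTPS URLs. Probe both so the two can be compared side by side.
'srv-exch2010.ourdomain.local', 'exchange.ourdomain.net' |
    ForEach-Object { Get-ServedCertificate -HostName $_ } |
    Format-List RequestedHost, Subject, SubjectAltName, Issuer, Thumbprint, NotAfter
```

If the thumbprint differs from the one shown by Get-ExchangeCertificate for the IIS service, the prompt is coming from a different certificate (for example a leftover self-signed one bound in IIS), not from a URL mismatch.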
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537648
Simon - sorry - I missed that bit.

I can confirm that Outlook IS actually working, and that it makes no difference (for me at least) whether or not DNS has an A or a CNAME record.

I wasn't following through the whole process in Outlook - I incorrectly assumed that because it was showing the internal server name when I was attempting to add an account that it wasn't working properly.

It may well have been that the PowerShell cmdlets I ran had actually worked; however, there were additional steps in Simon's post that I hadn't performed.
0
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 40537651
Simon's script had some additional steps that I had not taken, and I have awarded points based on that.

Having tested using both an A and a CNAME record in DNS, both work OK.
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537834
Good to hear that...and thanks for update.
0
