Solved

Outlook 2010 gets certificate error after adding purchased SSL

Posted on 2015-01-08
Medium Priority
191 Views
Last Modified: 2015-01-08
Scenario. We have a customer who is going through the process of migrating from SBS 2003. At the moment, we have Exchange 2003 (SBS) and Exchange 2010 co-existing on the same network.

We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server.

I have migrated just one test email account onto Exchange 2010 to iron out any issues.

This particular user has Outlook 2010, and since installing the new SSL certificate, when he opens Outlook he gets a warning about the certificate.

Outlook 2010 is connecting to the internal server name of srv-exch2010.ourdomain.local

What I have done so far is:-

1) We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server IP.

2) After taking note of the existing settings, I have run the following PowerShell commands on the Exchange 2010 server:-

# Autodiscover SCP that domain-joined Outlook clients look up in AD
Set-ClientAccessServer -Identity SRV-EXCH2010 -AutodiscoverServiceInternalUri https://exchange.ourdomain.net/autodiscover/autodiscover.xml

# Exchange Web Services (free/busy, out-of-office, etc.)
Set-WebServicesVirtualDirectory -Identity "SRV-EXCH2010\EWS (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/ews/exchange.asmx

# Offline Address Book download
Set-OABVirtualDirectory -Identity "SRV-EXCH2010\oab (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/oab

# ActiveSync for mobile devices
Set-ActiveSyncVirtualDirectory -Identity "SRV-EXCH2010\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/Microsoft-Server-ActiveSync


I have restarted the server, and yet still when I go into Outlook 2010 and try to enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local

OWA is working fine both internally and externally.
Question by:Chris Millard
11 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 40537418
"I have restarted the server, and yet still when I go into Outlook 2010 and try and enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local"

That is NOT the cause of your SSL prompts. Outlook will always connect to the real server name.

When you get the SSL prompt, you need to look at the certificate. It should tell you what certificate it is. First verify that the certificate is the correct one.

I presume you have a split DNS so the external name resolves internally?
You haven't done all of the URLs for use with the trusted certificate. http://semb.ee/hostnames2010

Wildcard certificates are generally not recommended for use with Exchange servers. The preferred certificate type is UC (Unified Communication) aka Multiple Domain certificates.

Simon.
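The audit Simon's answer points at (every URL Exchange hands out has to carry a name that is on the trusted certificate), as an added example that is not part of the original thread: it collects the Autodiscover SCP and the internal and external URL of each client access virtual directory on the server, reads the names on the certificate assigned to IIS, and flags any hostname the certificate does not cover. It runs in the Exchange Management Shell; the server name SRV-EXCH2010 and the ourdomain.net names are taken from the question, and the function names are the example's own. The matcher also shows why the internal .local name from the question cannot be covered by a *.ourdomain.net wildcard.

```powershell
# Added example, not from the original thread: audit every client access URL
# that Exchange 2010 will hand to Outlook against the names on the certificate
# bound to IIS. Any hostname marked MISMATCH is one a client may be sent to
# and then warn about. Run in the Exchange Management Shell. "SRV-EXCH2010"
# and the ourdomain.net names come from the question; the functions are this
# example's own.

param([string]$Server = 'SRV-EXCH2010')

# Is $HostName covered by one of the names on the certificate? Exact match,
# or a wildcard that stands in for exactly ONE label: *.ourdomain.net covers
# exchange.ourdomain.net but not srv-exch2010.ourdomain.local and not
# a.b.ourdomain.net.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertDomains)
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $CertDomains) {
        $d = $d.ToLowerInvariant()
        if ($d -eq $h) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)          # ".ourdomain.net"
            $first  = $h.Split('.')[0]         # the one label the wildcard may absorb
            if ($h -eq ($first + $suffix)) { return $true }
        }
    }
    return $false
}

# Every hostname a client can be given: the Autodiscover SCP, the internal
# and external URL of each virtual directory, and the Outlook Anywhere name.
function Get-ClientAccessHostNames {
    param([string]$Server)
    $urls = @()
    $urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $vdirs = @()
    $vdirs += Get-WebServicesVirtualDirectory -Server $Server
    $vdirs += Get-OabVirtualDirectory         -Server $Server
    $vdirs += Get-ActiveSyncVirtualDirectory  -Server $Server
    $vdirs += Get-OwaVirtualDirectory         -Server $Server
    $vdirs += Get-EcpVirtualDirectory         -Server $Server
    foreach ($vd in $vdirs) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
    foreach ($oa in @(Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue)) {
        if ($oa.ExternalHostname) { $urls += 'https://' + $oa.ExternalHostname + '/rpc' }
    }
    $urls | Where-Object { $_ } |
        ForEach-Object { ([System.Uri]$_.ToString()).Host } |
        Sort-Object -Unique
}

# The certificate with the IIS service assigned is the one HTTPS clients see.
function Get-IisCertificateDomains {
    param([string]$Server)
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate is enabled for IIS on $Server" }
    $info = 'IIS certificate {0}, subject {1}, expires {2}, self-signed: {3}'
    Write-Host ($info -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.IsSelfSigned)
    $cert.CertificateDomains | ForEach-Object { $_.ToString() }
}

# Sanity-check the matcher with the two names from the question before trusting it.
if (-not (Test-NameCovered 'exchange.ourdomain.net' @('*.ourdomain.net'))) { throw 'matcher: wildcard must cover one label' }
if (Test-NameCovered 'srv-exch2010.ourdomain.local' @('*.ourdomain.net'))   { throw 'matcher: .local name must not be covered' }

$domains = @(Get-IisCertificateDomains -Server $Server)
foreach ($name in Get-ClientAccessHostNames -Server $Server) {
    $verdict = if (Test-NameCovered -HostName $name -CertDomains $domains) { 'OK      ' } else { 'MISMATCH' }
    "$verdict $name"
}
```

Each MISMATCH line names either a URL that still has to be moved onto the trusted name with the matching Set-*VirtualDirectory or Set-ClientAccessServer cmdlet, or a name that has to be added to the certificate. The script only reads configuration; nothing on the server is changed by running it.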
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537430
Simon whilst I haven't yet looked at the URL you supplied above, I should have stated that it is indeed a UC certificate that has been purchased.

And yes, I do have split DNS
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40537489
" We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server."

Wildcards and UC certificates are not the same thing.

Simon.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537519
>> We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server

This should be added as an A record not CNAME.
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537549
Simon - I have downloaded, modified and run the .ps1 script, but the problem remains.

Suliman - Why should I use an A record instead of a CNAME?
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537561
Because CNAMEs resolve names to names, exchange.domain.com will be resolved to srv-exch2010.ourdomain.local for clients, and the name srv-exch2010.ourdomain.local is not included in the UCC certificate.

If an A record is used, the clients will use the name exchange.domain.com.
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537572
Suliman - OK, well I've deleted the CNAME and created an A record pointing to the IP instead. I have stopped and restarted both the DNS Server and DNS Client services, and flushed the DNS cache.

Pinging still returns the correct IP, but still, when entering the external URL into Outlook 2010, it changes back to the old internal URL.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40537620
As I put in my first post - Outlook will ALWAYS put in the internal server name of the server. That is the expected behaviour and is not the cause of the SSL prompts.

Have you verified that it is your certificate that is generating the prompts?

Hold down CTRL, right click on the Outlook icon in the system tray and choose Test Email Autoconfiguration. Run the test, look at the results. Verify that everything that is being returned is correct.

Simon.
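Simon's suggestion to look at the certificate behind the prompt, as an added example that is not from the thread: a PowerShell function that opens a TLS connection to a hostname, lets Windows validate the presented certificate against that name, and reports the subject, thumbprint, subject alternative names and the validation verdict. It probes both names from the question, the internal server name and the trusted one, so the two results can be compared side by side; the function name and output fields are the example's own.

```powershell
# Added example, not from the original thread: open a TLS connection to each
# hostname Outlook uses, capture the certificate the server actually presents
# and the verdict Windows' own validation gives for that name. This is the
# check that produces the Outlook warning, without the dialog. The hostnames
# are the two from the question; the function is this example's own.

function Test-ExchangeTlsName {
    param(
        [Parameter(Mandatory=$true)] [string]$HostName,
        [int]$Port = 443
    )
    $script:probeErrors = $null
    $subject = $null; $thumb = $null; $san = $null; $connected = $false
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        $connected = $true
        # Record the validation result instead of failing the handshake, so the
        # certificate can still be inspected even when it is wrong for the name.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $script:probeErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # The hostname given here is what the certificate's names are matched
        # against; a RemoteCertificateNameMismatch here is the user's prompt.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $subject = $cert.Subject
        $thumb   = $cert.Thumbprint
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($ext) { $san = $ext.Format($false) }
        $ssl.Close()
    } catch {
        $script:probeErrors = $_.Exception.Message
    } finally {
        if ($client) { $client.Close() }
    }
    New-Object PSObject -Property @{
        HostName        = $HostName
        Connected       = $connected
        Subject         = $subject
        Thumbprint      = $thumb
        PolicyErrors    = $script:probeErrors
        SubjectAltNames = $san
    }
}

# Probe the internal name and the trusted name from the question side by side.
'srv-exch2010.ourdomain.local', 'exchange.ourdomain.net' |
    ForEach-Object { Test-ExchangeTlsName -HostName $_ } |
    Format-List HostName, Connected, Subject, Thumbprint, PolicyErrors, SubjectAltNames
```

The callback returns $true so the handshake completes and the certificate can be read even when it is wrong for the name; that is acceptable only in a diagnostic like this one and must never be done in code that carries real traffic. The name passed to AuthenticateAsClient is the one validated, so a name-mismatch error for srv-exch2010.ourdomain.local together with a clean result for exchange.ourdomain.net confirms the certificate itself is correct and that whatever still raises the prompt is being reached under a name the certificate does not carry.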
 
LVL 17

Author Comment

by:Chris Millard
ID: 40537648
Simon - sorry - I missed that bit.

I can confirm that Outlook IS actually working, and that it makes no difference (for me at least) whether or not DNS has an A or a CNAME record.

I wasn't following through the whole process in Outlook - I incorrectly assumed that because it was showing the internal server name when I was attempting to add an account that it wasn't working properly.

It may well have been that the PowerShell cmdlets I ran had actually worked; however, there were additional steps in Simon's post that I hadn't performed.
 
LVL 17

Author Closing Comment

by:Chris Millard
ID: 40537651
Simon's script had some additional steps that I had not taken, and I have awarded points based on that.

Having tested using both an A and a CNAME record in DNS, both work OK.
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 40537834
Good to hear that...and thanks for update.