Outlook 2010 gets certificate error after adding purchased SSL

Posted on 2015-01-08
Last Modified: 2015-01-08
Scenario. We have a customer who is going through the process of migrating from SBS 2003. At the moment, we have Exchange 2003 (SBS) and Exchange 2010 co-existing on the same network.

We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server.

I have migrated just one test email account onto Exchange 2010 to iron out any issues.

This particular user has Outlook 2010, and since installing the new SSL certificate, when he opens Outlook he gets a warning about the certificate.

Outlook 2010 is connecting to the internal server name of srv-exch2010.ourdomain.local

What I have done so far is:-

1) We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server IP.

2) After taking note of the existing settings, I have run the following PowerShell commands on the Exchange 2010 server:-

Set-ClientAccessServer -Identity SRV-EXCH2010 -AutodiscoverServiceInternalUri https://exchange.ourdomain.net/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "SRV-EXCH2010\EWS (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "SRV-EXCH2010\oab (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/oab

Set-ActiveSyncVirtualDirectory -Identity "SRV-EXCH2010\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://exchange.ourdomain.net/Microsoft-Server-ActiveSync

I have restarted the server, and yet still when I go into Outlook 2010 and try and enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local

OWA is working fine both internally and externally.
Question by: Chris Millard

11 Comments
 
Accepted Solution by: Simon Butler (Sembee), earned 500 total points
"I have restarted the server, and yet still when I go into Outlook 2010 and try and enter the server name of exchange.ourdomain.net, it changes back to SRV-EXCH2010.ourdomain.local"

That is NOT the cause of your SSL prompts. Outlook will always connect to the real server name.

When you get the SSL prompt, you need to look at the certificate. It should tell you what certificate it is. First verify that the certificate is the correct one.

I presume you have a split DNS so the external name resolves internally?
You haven't done all of the URLs for use with the trusted certificate. http://semb.ee/hostnames2010

Wildcard certificates are generally not recommended for use with Exchange servers. The preferred certificate type is UC (Unified Communication) aka Multiple Domain certificates.

Simon.
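As an added example (not the script Simon links to, and not part of the original thread), the following Exchange Management Shell script sets every client-facing URL on the Exchange 2010 CAS to the name carried by the purchased certificate and then reads them all back, so any URL still handing out the .local name stands out. The server and host names are the ones from the question; that the same name is published externally (split DNS, as the thread states) and that Outlook Anywhere has already been enabled are assumptions.

```powershell
# Added example, not the original poster's commands or Simon's script.
# Assumes: server SRV-EXCH2010, certificate name exchange.ourdomain.net,
# split DNS so the same name works inside and outside, and Outlook Anywhere
# already enabled (Set-OutlookAnywhere fails if it is not).

$Server   = 'SRV-EXCH2010'
$HostName = 'exchange.ourdomain.net'
$Base     = "https://$HostName"

# Autodiscover service connection point that domain-joined Outlook finds in AD
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"

# Every virtual directory has an internal AND an external URL; Outlook gets a
# certificate prompt whenever either still carries the .local server name
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Base/ews/exchange.asmx" -ExternalUrl "$Base/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\oab (Default Web Site)" `
    -InternalUrl "$Base/oab" -ExternalUrl "$Base/oab"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"

# Outlook Anywhere (RPC over HTTP) must advertise the certificate name too
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $HostName

# The certificate bound to IIS is the one every URL above is served with.
# If the purchased certificate is not yet the one shown here, bind it with:
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# Read everything back; any value still containing '.local' needs fixing
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-EcpVirtualDirectory        -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere            -Server $Server | Format-List Identity, ExternalHostname

# Recycle IIS so the new URLs are handed out straight away, then re-run
# Outlook's Test E-mail AutoConfiguration to confirm the client receives them
iisreset /noforce
```

Run it in the Exchange Management Shell on the CAS. The read-back at the end is the part worth keeping: it is the quickest way to see which URL Outlook is still being given with the .local name, and therefore which one is producing the prompt.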
Author Comment by: Chris Millard
Simon whilst I haven't yet looked at the URL you supplied above, I should have stated that it is indeed a UC certificate that has been purchased.

And yes, I do have split DNS
Expert Comment by: Simon Butler (Sembee)
" We have purchased a wildcard SSL cert for *.ourdomain.net and this has been installed onto the Exchange 2010 server."

Wildcards and UC certificates are not the same thing.

Simon.
Expert Comment by: Suliman Abu Kharroub
>> We already have a DNS zone for ourdomain.net, so I have added exchange.ourdomain.net as a CNAME entry pointing to srv-exch2010.ourdomain.local. I can ping exchange.ourdomain.net and get the desired result back from the internal server

This should be added as an A record not CNAME.
Author Comment by: Chris Millard
Simon - I have downloaded, modified and run the .ps1 script, but the problem remains.

Suliman - Why should I use an A record instead of a CNAME?
Expert Comment by: Suliman Abu Kharroub
Because CNAMEs resolve names to names, so exchange.domain.com will be resolved to srv-exch2010.ourdomain.local for clients, and the name srv-exch2010.ourdomain.local is not included in the UCC certificate.

If an A record is used, the clients will use the name exchange.domain.com.
Author Comment by: Chris Millard
Suliman - OK, well I've deleted the CNAME and created an A record pointing to the IP instead. I have stopped and restarted both the DNS Server and DNS Client services, and flushed the DNS cache.

Pinging still returns the correct IP, but still, when entering the external URL into Outlook 2010, it changes back to the old internal URL.
Expert Comment by: Simon Butler (Sembee)
As I put in my first post - Outlook will ALWAYS put in the internal server name of the server. That is the expected behaviour and is not the cause of the SSL prompts.

Have you verified that it is your certificate that is generating the prompts?

Hold down CTRL, right click on the Outlook icon in the system tray and choose Test Email Autoconfiguration. Run the test, look at the results. Verify that everything that is being returned is correct.

Simon.
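Simon's point can also be checked from the client side rather than from the Outlook dialog. The server name Outlook displays in the account settings is the RPC endpoint and is not compared against any certificate; the prompts come from the HTTPS URLs (Autodiscover, EWS, OAB) that Outlook receives from Autodiscover, so those are the names to test. The script below is an added example, not from the thread: for each name it opens a TLS connection, pulls the certificate the server actually presents, lists the Subject and SubjectAltName DNS entries, and reports whether that name is covered and whether the chain is trusted on this machine. The two host names are the question's; port 443 and the wildcard-matching rule are assumptions.

```powershell
# Added example, not from the original thread. Assumes: HTTPS on port 443,
# the two host names from the question, and RFC 6125 style wildcard matching
# (a '*' only in the left-most label, covering exactly one label).

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server sends: we want to inspect it, not trust it yet
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy into X509Certificate2 so extensions and Verify() are available
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # SubjectAltName is OID 2.5.29.17; Format() renders "DNS Name=a, DNS Name=b" on English systems
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        # *.ourdomain.net covers exchange.ourdomain.net but not a.b.ourdomain.net
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".ourdomain.net"
            if ($h.EndsWith($suffix) -and $h.Split('.').Length -eq $n.Split('.').Length) { return $true }
        }
    }
    return $false
}

# The public name on the certificate and the internal name Outlook was given
foreach ($name in 'exchange.ourdomain.net', 'srv-exch2010.ourdomain.local') {
    try {
        $cert      = Get-PresentedCertificate -HostName $name
        $certNames = Get-CertificateDnsNames -Cert $cert
        $covered   = Test-NameCovered -HostName $name -CertNames $certNames
        $trusted   = $cert.Verify()   # does the chain build to a root this client trusts?
        '{0,-32} thumbprint={1} names=[{2}] name-match={3} chain-trusted={4}' -f `
            $name, $cert.Thumbprint, ($certNames -join ' '), $covered, $trusted
    } catch {
        '{0,-32} connection failed: {1}' -f $name, $_.Exception.Message
    }
}
```

Run it from the affected workstation, since that is where both the DNS answer and the trust decision are made. A line with name-match=False for the .local name and True for exchange.ourdomain.net, with the same thumbprint on both, is exactly the situation that produces the Outlook prompt: the certificate is right, but some URL is still sending the client to a name the certificate does not cover.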
Author Comment by: Chris Millard
Simon - sorry - I missed that bit.

I can confirm that Outlook IS actually working, and that it makes no difference (for me at least) whether or not DNS has an A or a CNAME record.

I wasn't following through the whole process in Outlook - I incorrectly assumed that because it was showing the internal server name when I was attempting to add an account that it wasn't working properly.

It may well have been that the PowerShell cmdlets I ran had actually worked; however, there were additional steps in Simon's post that I hadn't performed.
Author Closing Comment by: Chris Millard
Simon's script had some additional steps that I had not taken, and I have awarded points based on that.

Having tested using both an A and a CNAME record in DNS, both work OK.
Expert Comment by: Suliman Abu Kharroub
Good to hear that...and thanks for update.