Self-signed and 3rd-party Exchange certificate

Hello,

I have totally replaced an expired GoDaddy certificate, but I have a mix of clients on the site. A lot of OWA shortcuts can be replaced centrally, but I have a lot that can't.

Our internal domain is different to our email domain name (.local and .org)

Most clients connect to OWA using https://local-exchange-server/owa from their domain desktops and are authenticated using Windows Integrated Authentication.

With the new 3rd party certificate rules for dropping local server names, these shortcuts are now showing Certificate errors as you'd expect.

If I point the clients to the new certificate's SAN addresses, they need to authenticate (as you'd expect!)

Firstly, can I just add a self-signed cert on Exchange and trust it using a GPO, or will this interfere with the 3rd-party cert I've installed?

What is the best way to enable Windows Integrated Authentication for desktop users using the new cert's SAN names like https://mail.exchange.com?

I seem to have a mess with certificates: 7 certs are currently visible through the PowerShell get-exchangecertificate command, although some are expired.

I can provide the list if someone cares to help?

Can I just delete those expired ones?


Appreciate any help here as I'm struggling. The more I read the more confused I become!
leegclystvale asked:
Simon Butler (Sembee), Consultant, commented:
Let's start with the easy bit.
If the certificate is expired, then remove it.

Moving forwards, you have two options here.

Option 1, which is the option I prefer.
Tell users to use https://mail.example.com/owa (Where mail.example.com is your external host name). Configure Exchange with that as its host names etc. (I would do that anyway, no matter what you do).
Use forms based authentication, rather than Windows based, so they have to enter their credentials when getting email. That is a more secure way of accessing email, as it means a user hitting log out is actually disconnected. Without using FBA, pressing back on a browser will get you back in again.

Option 2
Deploy a second site on the server. Use new-owavirtualdirectory to create the virtual directory on that site.
Then deploy an internal CA and distribute the root to your clients via group policy.
You can then use Windows Authentication with that new site. It needs to be that way round, as I have seen problems when done the other way round, particularly with Outlook Anywhere.

If you really want to use a single web site with the public name internally, then you need to use group policy to adjust the browser configuration to send credentials through to that URL.

Simon.



Long term, option 1 is the best option. You need to get the users off using the real name of the server, and on to a generic name. Then when you come to migrate to a new server you will be able to simply move the DNS record about, rather than trying to force them to move at that point.
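Simon's option 1 as a worked Exchange Management Shell script. This is an added example, not Simon's or Microsoft's own script: it assumes the server name EXCH2007SRV from the thread, the placeholder public names mail.example.com and autodiscover.example.com, and the default virtual directory identities Exchange 2007 creates under the Default Web Site.

```powershell
# Added example (not from the thread). Point every client-facing URL at the generic
# public name and switch OWA to forms-based auth, per Simon's option 1.
# Assumptions: CAS server EXCH2007SRV (from the thread), public names mail.example.com
# and autodiscover.example.com (placeholders), default vdir identities on the Default Web Site.
$server     = "EXCH2007SRV"
$publicHost = "mail.example.com"     # must appear in the 3rd-party cert's CertificateDomains
$base       = "https://$publicHost"

# OWA: same URL inside and out, FBA on, Integrated Windows auth off (the two are mutually exclusive)
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "$base/owa" -ExternalUrl "$base/owa" `
    -FormsAuthentication $true -WindowsAuthentication $false

# The other vdirs should advertise the same name, or Outlook/Autodiscover will keep
# handing clients the .local server name and they will hit certificate warnings.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"

# The FBA change only takes effect once IIS restarts
iisreset /noforce

# Verify: every URL below must use a name that is covered by the certificate bound to IIS
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" -and $_.Status -eq "Valid" }
"Certificate names: $($iisCert.CertificateDomains)"
Get-OwaVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl, FormsAuthentication, WindowsAuthentication
```

Because FBA and Integrated Windows auth cannot both be on for the same OWA virtual directory, this is the trade-off Simon describes: users type credentials once per session, log out really ends the session, and the internal server name never appears in a URL, so the same public certificate covers everyone.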
Will Szymkowski, Senior Solution Architect, commented:
Our internal domain is different to our email domain name (.local and .org)

If you are going to be using an External SSL cert (which is recommended, for ease of manageability) you will also need to create an internal DNS zone for your External domain. You will then need to create an A record as well. So it should look like below...

ExternalDomain.com (zone)
mail.ExternalDomain.com (A record pointing to CAS server)

Will.
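The split-DNS setup Will describes, as an added example that is not part of his post. It assumes the internal DNS runs on Windows Server 2012 or later (DnsServer module) and uses the placeholders example.org for the external domain and 192.0.2.10 for the CAS server's internal address.

```powershell
# Added example (not from the thread). Create the external zone on the internal DNS
# server so mail.example.org resolves to the CAS's private address from inside.
# Assumptions: DnsServer module (Windows Server 2012+), placeholder zone and IP below.
$externalZone = "example.org"
$casIp        = "192.0.2.10"

# Zone first (AD-integrated so every DC answers for it)
if (-not (Get-DnsServerZone -Name $externalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $externalZone -ReplicationScope Forest
}

# A records for the names that appear in the certificate's SAN list
foreach ($name in "mail", "autodiscover") {
    $existing = Get-DnsServerResourceRecord -ZoneName $externalZone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $externalZone -Name $name -IPv4Address $casIp
    }
}

# Caveat: once the zone exists internally, every other public host under example.org
# (www, the public MX target, etc.) must also be added here or it stops resolving inside.
Resolve-DnsName "mail.$externalZone" -Type A
Resolve-DnsName "www.$externalZone"  -Type A -ErrorAction SilentlyContinue
```

The last two lines are the check worth running after the change: the first must return the internal address, and if the second returns nothing the zone is now shadowing a public record that still needs to be copied in.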
leegclystvale (Author) commented:
Cheers gents, I will get to your suggestions in a minute Simon! Thanks for the reply.

I have deleted an expired certificate for the Internal server name which was showing expired in the Personal certificate store.

Mail troubleshooter says "Mail submission failed: Error message: Server does not support secure connections."

and event log says "Microsoft Exchange could not find a certificate that contains the domain name EXCH2007SRV.internaldomain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCH2007SRV with a FQDN parameter of EXCH2007SRV.internaldomain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."

I haven't restarted any services etc but this ain't good ....

Any clues? I'm positive when I installed the 3rd-party GoDaddy cert I included the SMTP service and I omitted the local server name as per SSL rules.
Will Szymkowski, Senior Solution Architect, commented:
As the error message has suggested you need to enable the services on the certificate. You cannot simply import the cert, you also have to enable the services as well.

Run the following commands...
Get-ExchangeCertificate | ft

Check to make sure the cert is enabled

If it is not run the below command...

Enable-ExchangeCertificate -thumbprint <> -Services "pop,imap,smtp,iis"
Press Y to accept the change

Then try again.

Will.
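Will's two commands, expanded into the inventory a practitioner would run before touching any certificate. This is an added example, not Will's or Microsoft's script: it assumes the placeholder public name mail.example.com and PowerShell 2.0 or later in the Exchange Management Shell.

```powershell
# Added example (not the thread's own commands). Lists every Exchange certificate with
# its expiry state and bound services, flags expired certs that still serve something,
# and enables the 3rd-party cert for the client services only if it is not already bound.
# Assumption: the public name is mail.example.com (placeholder).
$publicHost = "mail.example.com"
$now = Get-Date

# One row per certificate: what it is for and whether it has lapsed
Get-ExchangeCertificate | Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, Services, IsSelfSigned,
        @{Name = "Expired"; Expression = { $_.NotAfter -lt $now }} |
    Format-Table -AutoSize

# Before removing an expired cert, see what it still serves. In this thread the deleted
# cert was the only one carrying the server's .local name with SMTP bound, and transport broke.
$expiredInUse = Get-ExchangeCertificate | Where-Object { $_.NotAfter -lt $now -and "$($_.Services)" -ne "None" }
if ($expiredInUse) {
    "Expired certificates that are STILL bound to services (replace before removing):"
    $expiredInUse | Format-List Thumbprint, Subject, CertificateDomains, Services
}

# Locate the valid 3rd-party cert by its public name and bind the client services if missing
$public = Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and $_.NotAfter -gt $now -and
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $publicHost)
}
if (-not $public) { throw "No valid 3rd-party certificate containing $publicHost was found" }
if ("$($public.Services)" -notmatch "IIS") {
    # Prompts to confirm if it replaces the default SMTP certificate; answer Y as Will says
    Enable-ExchangeCertificate -Thumbprint $public.Thumbprint -Services "POP,IMAP,SMTP,IIS"
}
Get-ExchangeCertificate -Thumbprint $public.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

The middle block is the check that would have caught the problem the author hits further down: an expired certificate with SMTP listed under Services is still the transport default for whatever names it carries, and Remove-ExchangeCertificate does not warn about that.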

leegclystvale (Author) commented:
Cheers for the reply.

I did that, Will, when I installed the GoDaddy cert the day before yesterday. One of the expired EXCH2007SRV certs also had SMTP listed on the services in the get-cert command. This is what I had deleted as it's expired.

I've just done a reboot to see what happens!
Will Szymkowski, Senior Solution Architect, commented:
Have you changed all of your virtual directories to match your certificate (https://mail.domain.com/....)?

Will.
leegclystvale (Author) commented:
Well, that didn't help.

here is my get-cert


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.DOMAIN-1.org, www.mail.DOMAIN-1.org, autodiscover.DOMAIN-1.org, autodiscover.DOMAIN-2.uk, mail.DOMAIN-2.uk}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.",L=Scottsdale, S=Arizona, C=US
NotAfter           : 05/03/2018 11:31:38
NotBefore          : 05/03/2015 11:31:38
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : HHY9C907D974C897C6
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.DOMAIN-1.org, OU=Domain Control Validated
Thumbprint         : GBGB0150E9CF8905C9277EE81B71D48B705FED92

Not a mention of the local server name which is mentioned in the event log message. Should it have a self cert regardless of 3rd-party installation for its own working benefit?

ffs, doing my nut in this is
leegclystvale (Author) commented:
have you changed all of your virtual directories to match your certificate (https://mail.domain.com/....)

Will.

Yep, been working on this for hours and hours. OWA is accessible (from inside anyway). I can't send mail from my iPhone though... it just says can't send!

Can send and receive via outlook on the network
Will Szymkowski, Senior Solution Architect, commented:
Where are you getting the cert error message? From OWA/Autodiscover?

Will.
leegclystvale (Author) commented:
The event logs and the mail troubleshooter.
leegclystvale (Author) commented:
It gets worse:

event log now says "The account 'internaldomain\administrator' provided valid credentials, but is not authorized to use the server; failing authentication."   1020 MSExchangeTransport
Will Szymkowski, Senior Solution Architect, commented:
This definitely seems to be a more systemic issue. Certs will not affect mail flow. The error that you provided above is related to the permissions on your Receive/Send Connectors. Check those.

Will.
Simon Butler (Sembee), Consultant, commented:
This is an internal only certificate, used for internal transport.

Run

new-exchangecertificate

Nothing else.

Exchange will create a new certificate for just the SMTP service, which will let everything work.
If you get a prompt about replacing the default SMTP certificate, say yes.

With the changes in the rules for certificates, most servers need two: an internal self-signed one for transport and a public one for client access.

Simon.
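Simon's fix, generalised into a check-then-create script: compare the FQDN every transport connector advertises against the names on the valid SMTP certificates, and only create a self-signed transport certificate for a name that has none. This is an added example, not Simon's literal command; the server and domain names come from the thread, and the checks around New-ExchangeCertificate are my own.

```powershell
# Added example (not from the thread). For each FQDN a connector uses for STARTTLS, make
# sure a valid certificate with that name is bound to SMTP; create a self-signed one if not.
# Names such as EXCH2007SRV.internaldomain.local come from the thread's event log message.
$now = Get-Date

# Collect every name transport will present. A blank connector Fqdn means the machine FQDN.
$fqdns = @()
$fqdns += Get-ReceiveConnector | ForEach-Object { "$($_.Fqdn)" }
$fqdns += Get-SendConnector    | ForEach-Object { "$($_.Fqdn)" }
$fqdns += [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$fqdns = $fqdns | Where-Object { $_ } | Sort-Object -Unique

# Only unexpired certificates that actually have SMTP bound count
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    $_.NotAfter -gt $now -and "$($_.Services)" -match "SMTP"
}

foreach ($fqdn in $fqdns) {
    $covered = $smtpCerts | Where-Object {
        ($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
    }
    if ($covered) {
        "OK      $fqdn -> $(@($covered)[0].Thumbprint)"
    } else {
        "MISSING $fqdn -> creating self-signed transport certificate"
        # Internal-only: other servers and the connector use it for STARTTLS, clients never see it,
        # so self-signed is fine and the public cert stays free of the .local name.
        # Answer Y to the prompt about replacing the default SMTP certificate.
        New-ExchangeCertificate -SubjectName "CN=$fqdn" -DomainName $fqdn `
            -Services SMTP -PrivateKeyExportable $false -FriendlyName "Transport $fqdn"
    }
}

# Re-list so the 'could not find a certificate that contains the domain name' warning can be
# matched against what is now present
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "SMTP" } |
    Format-Table Thumbprint, IsSelfSigned, NotAfter, CertificateDomains -AutoSize
```

Running the loop with no missing names is harmless: it prints one OK line per FQDN and creates nothing, which makes it a reasonable thing to re-run after any certificate change or removal.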
leegclystvale (Author) commented:
Ah brilliant Simon, that has almost sorted it out. Thanks for that.

In the troubleshooter, it passed the Mail acceptance tests but still states
"Test mail sent failed: Server EXCH2007SRV: SMTP: Message failed to be processed. The test message sent from server EXCH2007SRV was sent to the badmail directory on server EXCH2007SRV. Recipient: EXCH2007SRV-SA@ext-domain.org"

Still having the Event 1020 MSExchangeTransport: The account 'internaldomain\administrator' provided valid credentials, but is not authorized to use the server; failing authentication.

Any clues? As said, I have done nothing but delete that expired certificate, certainly nothing permissions-wise.
Simon Butler (Sembee), Consultant, commented:
" The account 'internaldomain\administrator' provided valid credentials, but is not authorized to use the server; failing authentication"

Is there any reason why the administrator account should be trying to send email through the server?
If not, then it could be that your server is under an authenticated user attack and the credentials have been stolen.

If there is, then you will need to enable logging on the receive connector to see what address it is coming from and track it down. It could be that you have configured something to send email through Exchange and you need to allow it to happen.

Simon.
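The logging step Simon recommends, as an added example that is not part of his post: turn on verbose protocol logging on the receive connectors, then pull the sessions in which the named account authenticated and group them by source address. It assumes PowerShell 2.0 or later and the standard SmtpReceive log layout; the sample log lines at the bottom are constructed for illustration, including the context text and the 192.168.x.x addresses.

```powershell
# Added example (not from the thread). Enable verbose receive-connector logging and find
# where the 'internaldomain\administrator' submissions are coming from.
# Assumptions: PowerShell 2.0+, default SmtpReceive log field order; sample lines are constructed.

# 1. Turn on logging for every receive connector (log files appear under ReceiveProtocolLogPath)
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

# 2. Parse SmtpReceive log lines: sessions where the account appears, grouped by remote endpoint
function Get-AuthenticatedSmtpSessions {
    param([string[]]$Lines, [string]$Account)
    $fields = "date-time", "connector-id", "session-id", "sequence-number",
              "local-endpoint", "remote-endpoint", "event", "data", "context"
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith("#") } | ConvertFrom-Csv -Header $fields
    $pattern  = [regex]::Escape($Account)
    $sessions = $rows | Where-Object { $_.context -match $pattern -or $_.data -match $pattern } |
        ForEach-Object { $_."session-id" } | Sort-Object -Unique
    $rows | Where-Object { $sessions -contains $_."session-id" } |
        Group-Object "remote-endpoint" | Select-Object Name, Count
}

# 3. Constructed sample: one session that authenticates as the admin account, one that does not
$sample = @(
    "#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context",
    "2015-03-05T09:00:01.001Z,EXCH2007SRV\Default EXCH2007SRV,08D2C1A0,0,192.168.1.10:25,192.168.1.77:51234,+,,",
    "2015-03-05T09:00:01.002Z,EXCH2007SRV\Default EXCH2007SRV,08D2C1A0,1,192.168.1.10:25,192.168.1.77:51234,<,AUTH LOGIN,",
    "2015-03-05T09:00:01.010Z,EXCH2007SRV\Default EXCH2007SRV,08D2C1A0,2,192.168.1.10:25,192.168.1.77:51234,*,,authenticated as internaldomain\administrator",
    "2015-03-05T09:00:05.000Z,EXCH2007SRV\Default EXCH2007SRV,08D2C1B3,0,192.168.1.10:25,192.168.1.200:40001,+,,",
    "2015-03-05T09:00:05.001Z,EXCH2007SRV\Default EXCH2007SRV,08D2C1B3,1,192.168.1.10:25,192.168.1.200:40001,<,EHLO scanner,"
)
Get-AuthenticatedSmtpSessions -Lines $sample -Account 'internaldomain\administrator'
# Sample output: a single group, Name 192.168.1.77:51234, Count 3

# 4. Against the real logs (single-server setup from the thread)
$logPath = (Get-TransportServer EXCH2007SRV).ReceiveProtocolLogPath
$lines   = Get-ChildItem "$logPath\*.log" | Get-Content
Get-AuthenticatedSmtpSessions -Lines $lines -Account 'internaldomain\administrator'
```

The remote endpoint that comes back is what decides between Simon's two readings: an internal device or application that was quietly configured to relay through Exchange with the admin credentials (fix the configuration, and stop using that account for it), or an address nobody recognises, in which case the account's password is changed first and the investigation starts from there.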
leegclystvale (Author) commented:
Tell you what Simon, a great help indeed!

That is sorted.

Turns out the MSExchangeSyncAppPool was stopped. I started it again and have had no messages since.

Getting "event 5013: A process serving application pool 'MSExchangeSyncAppPool' exceeded time limits during shut down. The process id was '7372'."
I guess a restart doesn't start that if it's stopped!  I will address that separately as has been going on a fair while by the looks of things.

And thanks a lot for the new-cert instructions. I haven't seen that in any article about needing a self cert and a 3rd-party one, but maybe I missed it as I have read LOTS and am still clueless!

So I guess the expired cert that I deleted was still being used for SMTP services. I would have thought it would have moaned before being deleted?

Again many thanks  (and thanks to Will for taking an interest in my post)
leegclystvale (Author) commented:
Ah, it's not sorted.

In the troubleshooter, it passes the Mail acceptance tests but still states
"Test mail sent failed: Server EXCH2007SRV: SMTP: Message failed to be processed. The test message sent from server EXCH2007SRV was sent to the badmail directory on server EXCH2007SRV. Recipient: EXCH2007SRV-SA@ext-domain.org"

then says no queues are backing up

I can send and receive mail through my account, but I am a domain admin.
leegclystvale (Author) commented:
And actually the "The account 'internaldomain\administrator' provided valid credentials, but is not authorized to use the server; failing authentication" alerts are back again.

I will have to look at this, as prior to removal of the expired cert there was not a hint of this logged in the event logs.

sigh...
Simon Butler (Sembee), Consultant, commented:
Odd that a test message was sent to badmail. That would suggest a transport issue.
Is the server fully patched?

Simon.
leegclystvale (Author) commented:
Not fully, no. Quite a lot 'not fully' if the truth be told!

I guess I should do this asap, but it usually breaks things in my experience.

Why would it suddenly throw a wobbly like this?  I'm hardly pushing the boundaries of email technology here. A simple cert installation, and a deletion.

I'll patch it Simon asap although will need many reboots I suspect
Dave Howe, Software and Hardware Engineer, commented:
There *is* an easier method though.

Add a second site to the webserver, make it identical to the original site, but run it on a secondary IP. Put the 3rd-party cert on that, generate a local-id cert using your internal CA (or even self-signed) and distribute trust for that via GPO. Put THAT cert on the default server IP. Map your web-facing NAT through to the secondary, and you are done :)
leegclystvale (Author) commented:
Cheers Dave. I assume SMTP won't be affected by this at all? We come under a managed firewall and they use a Store and Forward config to our Exchange server.

I need to patch it still whatever the outcome, as I am sooooooo far behind with updates. Worryingly so!
Simon Butler (Sembee), Consultant, commented:
I have had issues with Outlook Anywhere and ActiveSync when they are outside of the default web site, which is why I recommend it the other way round.

Simon.
Dave Howe, Software and Hardware Engineer, commented:
No, SMTP is on a different port. Webservers use 443; SMTP is on 25 and uses TLS after connection to upgrade to a secure link. Port 465 (SMTP over SSL) is an option, but not the default in Exchange.
leegclystvale (Author) commented:
OK, thanks gents.

I have opted to go the secure route as per Simon's recommendation and use Forms Based Auth only, and use the single domain name internally and externally. Far more standardised: users experience the same procedure inside and out, and it makes for easier transitions in the future.

Many thanks for your help (still not fully patched as need 175 updates and I can pretty much guarantee something will break with that amount (slaps forehead))
leegclystvale (Author) commented:
Ah jeez, less haste, more speed. I clicked the incorrect solution when awarding points. It should have been Simon's initial post for 250 and another 250 for advising adding the self-signed cert for the local machine name.

Anything I can do at this stage to give correct points?