Deprecated SSL Nov. 1 for internal SAN names

So I had to change my Exchange 2010 SSL certificate to only use externally resolvable names to make the deadline imposed by the CAs. While this appears to have worked, I am now getting security alert pop-ups on all internal Outlook 2013 clients. I suspect that when I configured the new certificate parameters I chose the wrong Common Name, defaulting to my top-level domain and not mail.mydomain.com (it was not a wildcard cert).

The Subject Alternative Names I used do point to my mail. and everything *is* working, just this annoying pop-up indicating the certificate is not valid or not yet activated. It's not a clock issue - all endpoints are served by a domain GPS. Can I assume I need to regenerate the certificate with the same parameters but change the common name specifically to mail.? Or did I miss something? I also created a new A record in the forward lookup zone with the mail server IP.
214-042308Asked:
diperspCommented:
Could be a handful of items.  If you use mail.domain.com and that's one of the SANs, that's fine.  You should also have autodiscover.domain.com as a SAN.

Run the following PowerShell commands and put the output here. If you want to mask the domain name, that's fine, but don't mask too much, as we need to see what's internal and external, etc.

get-OwaVirtualDirectory | fl *url*
get-EcpVirtualDirectory | fl *url*
get-ActiveSyncVirtualDirectory | fl *url*
get-OabVirtualDirectory | fl *url*
get-ClientAccessServer | fl *uri*
get-WebServicesVirtualDirectory | fl *url*
get-OABVirtualDirectory | fl *url*
214-042308Author Commented:
So you are suggesting that one of the URL's might not be an exact match to the certificate and therefore causing the security alert to pop-up?
diperspCommented:
More than likely.
214-042308Author Commented:
Ok, here's your output - sorry for the delay getting back to you (domain.com substituted for actual domain name):

[PS] C:\Windows\system32>get-OwaVirtualDirectory | fl *url*
Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...
Url             : {}
Exchange2003Url : https://mail.domain.com/exchange
FailbackUrl     :
InternalUrl     : https://domain.com/owa
ExternalUrl     : https://mail.domain.com/owa

[PS] C:\Windows\system32>get-EcpVirtualDirectory | fl *url*
InternalUrl : https://domain.com/ecp
ExternalUrl : https://mail.domain.com/ecp

[PS] C:\Windows\system32>get-ActiveSyncVirtualDirectory | fl *url*
MobileClientCertificateAuthorityURL :
InternalUrl                         : https://domain.com/Microsoft-Server-ActiveSync
ExternalUrl                         : https://mail.domain.com/Microsoft-Server-ActiveSync

[PS] C:\Windows\system32>get-OabVirtualDirectory | fl *url*
InternalUrl : https://mail.domain.com/OAB
ExternalUrl : https://mail.domain.com/OAB

[PS] C:\Windows\system32>get-ClientAccessServer | fl *uri*
AutoDiscoverServiceInternalUri : https://mail.domain.com/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32>get-WebServicesVirtualDirectory | fl *url*
InternalNLBBypassUrl : https://email.insidename.local/ews/exchange.asmx
InternalUrl          : https://mail.domain.com/ews/exchange.asmx
ExternalUrl          : https://mail.domain.com/ews/exchange.asmx

[PS] C:\Windows\system32>get-OABVirtualDirectory | fl *url*
InternalUrl : https://mail.domain.com/OAB
ExternalUrl : https://mail.domain.com/OAB

Present behavior: the security alert pop-ups continue, but everything is working. Creating a new Outlook profile changes the behavior: the old profile's alert puts the red X next to "the security certificate date is valid", while a new profile changes it to "the name on the security certificate is invalid or does not match the name of the site".
diperspCommented:
OWA, ECP and ActiveSync virtual directories are off for the internals.   Those are showing just domain.com as opposed to mail.domain.com.

These powershell commands will fix those.  Then we can see if anything else pops-up.

Substitute your Exchange server name (such as exch001) for [ServerName] and your external domain for [domain]. When done, re-run the original get commands for OWA, ECP and ActiveSync; your internal and external URLs should match.


Set-OwaVirtualDirectory -Identity "[ServerName]\owa (Default Web Site)" -ExternalUrl "https://mail.[domain].com/owa" -InternalUrl "https://mail.[domain].com/owa"
Set-EcpVirtualDirectory -Identity "[ServerName]\ecp (Default Web Site)" -ExternalUrl "https://mail.[domain].com/ecp" -InternalUrl "https://mail.[domain].com/ecp"
Set-ActiveSyncVirtualDirectory -Identity "[ServerName]\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.[domain].com/Microsoft-Server-ActiveSync" -ExternalUrl "https://mail.[domain].com/Microsoft-Server-ActiveSync"
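As an added example (this is not code posted in the thread, by the asker or by diperspCommented), here is a script that does the check from the first reply and the fix from this one in a single pass: it collects every URL Exchange 2010 hands to clients, compares each host name against the CN and SANs of the certificate enabled for IIS, reports anything the certificate does not cover (including the autodiscover name mentioned above), and, when $Fix is set, points every virtual directory at the one name that is on the certificate. The server name EXCH01 and the host name mail.contoso.com are placeholders, not values from the thread.

```powershell
# Added example, not code posted in this thread. Audits every URL Exchange 2010
# hands to clients against the names on the certificate enabled for IIS, lists
# any host name the certificate cannot vouch for, and optionally rewrites the
# virtual directory URLs to the one name that is on the certificate.
# Run from the Exchange Management Shell (PowerShell 2.0 syntax throughout).
# EXCH01 and mail.contoso.com are placeholders, not values from the thread.

$Server       = 'EXCH01'
$ExpectedHost = 'mail.contoso.com'
$Fix          = $false   # $true rewrites the URLs; $false only reports
$Domain       = $ExpectedHost.Substring($ExpectedHost.IndexOf('.') + 1)

# True when $HostName is covered by one of the certificate's CN/SAN entries.
# A wildcard entry covers exactly one label: *.contoso.com matches
# mail.contoso.com but not owa.mail.contoso.com.
function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot + 1) -ieq $name.Substring(2)) {
                return $true
            }
        }
    }
    return $false
}

# One row per URL, tagged with the setting it came from (empty values are skipped).
function New-UrlEntry([string]$Source, $Value) {
    if ($Value) { New-Object PSObject -Property @{ Source = $Source; Url = [string]$Value } }
}

# The certificate IIS actually serves; CertificateDomains is the CN plus every SAN.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate with the IIS service enabled on $Server" }
[string[]]$certNames = $iisCert.CertificateDomains

# Every name a client can be told to connect to.
$dirs = @{
    'OWA'        = (Get-OwaVirtualDirectory         -Server $Server)
    'ECP'        = (Get-EcpVirtualDirectory         -Server $Server)
    'ActiveSync' = (Get-ActiveSyncVirtualDirectory  -Server $Server)
    'OAB'        = (Get-OabVirtualDirectory         -Server $Server)
    'EWS'        = (Get-WebServicesVirtualDirectory -Server $Server)
}
$urls = @(
    foreach ($kind in $dirs.Keys) {
        foreach ($vd in @($dirs[$kind])) {
            New-UrlEntry "$kind InternalUrl" $vd.InternalUrl
            New-UrlEntry "$kind ExternalUrl" $vd.ExternalUrl
        }
    }
    foreach ($vd in @($dirs['EWS'])) { New-UrlEntry 'EWS InternalNLBBypassUrl' $vd.InternalNLBBypassUrl }
    New-UrlEntry 'Autodiscover SCP' (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
)

# Flag every URL whose host is not on the certificate.
$problems = @()
foreach ($entry in $urls) {
    $hostName = ([uri]$entry.Url).Host
    if (-not (Test-NameOnCert $hostName $certNames)) {
        $problems += "$($entry.Source) = $($entry.Url)  (host '$hostName' is not on the certificate)"
    }
}
# Clients also try autodiscover.<domain>, so that name should be on the certificate as well.
if (-not (Test-NameOnCert "autodiscover.$Domain" $certNames)) {
    $problems += "autodiscover.$Domain is not on the certificate"
}

"Certificate names: $($certNames -join ', ')"
if ($problems.Count -eq 0) { "Every client URL is covered by the certificate." }
else { "Names clients will be sent to that the certificate does not cover:"; $problems | ForEach-Object { "  $_" } }

if ($Fix) {
    $base = "https://$ExpectedHost"
    Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
    Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
    Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
    Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
    Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$base/ews/exchange.asmx" -ExternalUrl "$base/ews/exchange.asmx"
    Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
    # InternalNLBBypassUrl is reported but not rewritten: it is meant to carry the server's own FQDN, not the client-facing name.
}
```

Save it as a .ps1 and run it with $Fix left at $false first; the report tells you exactly which setting still carries a name such as email.contoso.local or the bare domain. After running it with $Fix set to $true, restart Outlook so it re-reads Autodiscover, and confirm with Outlook's "Test E-mail AutoConfiguration" (Ctrl + right-click on the Outlook tray icon) that every URL it receives uses the name on the certificate.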
214-042308Author Commented:
It's been quite a weekend. First, the new output from your recommended changes:

[PS] C:\Windows\system32>get-owavirtualdirectory | fl *url*

Url             : {}
Exchange2003Url : https://mail.contoso.com/exchange
FailbackUrl     :
InternalUrl     : https://email.contoso.local/owa
ExternalUrl     : https://mail.contoso.com/owa


[PS] C:\Windows\system32>get-ecpvirtualdirectory | fl *url*

InternalUrl : https://email.contoso.local/ecp
ExternalUrl : https://mail.contoso.com/ecp


[PS] C:\Windows\system32>get-activesyncvirtualdirectory | fl *url*


MobileClientCertificateAuthorityURL :
InternalUrl                         : https://contoso.com/Microsoft-Server-ActiveSync
ExternalUrl                         : https://mail.contoso.com/Microsoft-Server-ActiveSync


[PS] C:\Windows\system32>get-oabvirtualdirectory | fl *url*


InternalUrl : https://mail.contoso.com/OAB
ExternalUrl : https://mail.contoso.com/OAB


[PS] C:\Windows\system32>get-clientaccessserver | fl *uri*

AutoDiscoverServiceInternalUri : https://mail.contoso.com/Autodiscover/Autodiscover.xml


[PS] C:\Windows\system32>get-webservicesvirtualdirectory | fl *url*

InternalNLBBypassUrl : https://email.contoso.local/ews/exchange.asmx
InternalUrl          : https://mail.contoso.com/ews/exchange.asmx
ExternalUrl          : https://mail.contoso.com/ews/exchange.asmx


[PS] C:\Windows\system32>get-oabvirtualdirectory | fl *url*


InternalUrl : https://mail.contoso.com/OAB
ExternalUrl : https://mail.contoso.com/OAB


Items of note:
I changed the SSL certificate common name from just the root domain name to the appropriate mail. and regenerated and installed it.

I spent four hours on the phone with Microsoft support. They made a lot of registry and adsiedit changes along with having me create new Outlook profiles (which didn't turn off the security alerts so you're in league with the big boys if you solve it first).

They wanted me to reboot the server during production hours, which i could not do. This may have bearing on the changes they made relative to the results I'm looking for.

Everyone inside the network is getting the security alerts. People on the outside report some do, some don't.
diperspCommented:
I don't think the commands I sent you to run worked.  What was the output from them?

If you run the get commands again -

get-OwaVirtualDirectory | fl *url*
get-EcpVirtualDirectory | fl *url*
get-ActiveSyncVirtualDirectory | fl *url*

Look at the internal and external URLs that you're posting.  They're different.  One points to mail.contoso.com, the other to email.contoso.com.  You should have them both point to mail or email, whichever you're using internally and externally and is on your SSL cert.

214-042308Author Commented:
[PS] C:\Windows\system32>get-owavirtualdirectory | fl *url*
Url             : {}
Exchange2003Url : https://mail.contoso.com/exchange
FailbackUrl     :
InternalUrl     : https://mail.contoso.com/owa
ExternalUrl     : https://mail.contoso.com/owa

[PS] C:\Windows\system32>get-EcpVirtualDirectory | fl *url*
InternalUrl : https://mail.contoso.com/owa
ExternalUrl : https://mail.contoso.com/ecp

[PS] C:\Windows\system32>get-ActiveSyncVirtualDirectory | fl *url*
MobileClientCertificateAuthorityURL :
InternalUrl                         : https://contoso.com/Microsoft-Server-ActiveSync
ExternalUrl                         : https://mail.contoso.com/Microsoft-Server-ActiveSync
214-042308Author Commented:
All URLs except the Internal Active Sync are now all pointing to mail.contoso.com. I still get the certificate errors for the internal email.contoso.local addresses which are no longer present in the configuration.
diperspCommented:
Do the active sync URL as well. No reason to have any urls that are not on your cert listed, even if you think they don't matter.
214-042308Author Commented:
Well this is weird. Now I'm getting a certificate error for *both* the email.contoso.local and now my top-level domain contoso.com is throwing a security alert as well. I have split DNS in my forward lookup zone pointing mail.contoso.com to the internal IP of my Exchange server.