Emiel Zwart

asked on

Certificate Error when Outlook starts

We have an Exchange 2010 server and someone has installed a third party certificate on the Exchange server so we have a legit webmail URL (OWA). This works without any problems, but the internal users now have the problem that when Outlook starts they get a certificate error message that the certificate is not trusted. And if they click on 'view certificate' they see the third party certificate. So it looks like all the services are assigned to that third party certificate.

So I have created a new self signed Exchange certificate, moved the services SMTP, IMAP & POP and rebooted the server. But the clients are still getting this error. Am I missing something?
J0rtIT

Yes, basically adding the new self signed did nothing.
You need to make sure the IIS and SMTP services are on the new 3rd party certificate.

And you just need to make sure that the internal entry points (SCPs) are the same and match your name in OWA.
How should you do this?
Well, you can go to the site and do it one by one, or just run a script to solve this:

1st: use the script with the option -get
https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b

2nd: use it with the option -set -urlpath "https://owa.domain.com"

This was part of the job of the person who did the 3rd party certificate install.
Emiel Zwart (asker)

Thanks! Where do I set the -set -urlpath? For clarification: if I go to https://webmail.contoso.nl/owa from the internet it works. But the clients that have Outlook internally get an error that the certificate is not valid. When I view this certificate it's the third party certificate that we used for the external URL webmail.contoso.nl/owa. But that must be changed to the internal self signed certificate that I created.
Get-ExchangeCertificate | fl Issuer,CertificateDomains
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | fl Server,Identity,InternalUrl,ExternalUrl

Have you enabled the self signed certificate with IIS, SMTP, IMAP, etc.?
Also, an Exchange certificate has to have the corresponding SAN. When viewing the certificate do check the SAN (subject alternative names) details.
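The two checks above belong together: the certificate bound to the IIS service is the one Outlook, Autodiscover, EWS and OAB see over HTTPS (the SMTP, IMAP and POP bindings have no effect on the Outlook warning), and the warning goes away only when every host name published in the SCP and the virtual-directory URLs is covered by that certificate's SAN list and issued by a CA the clients trust. The following Exchange Management Shell script is an added example for this thread, not code posted by any participant; it assumes it runs on the Client Access server in question and uses the local computer name as the server identity.

```powershell
# Added diagnostic example (not from the thread). Run in the Exchange 2010
# Management Shell on the Client Access server. Assumption: the local machine
# is the CAS whose certificates and URLs we want to check.
$server = $env:COMPUTERNAME

# Does a host name fall under one of the certificate's SAN entries?
# Handles exact names and a single-label wildcard such as *.delmo.nl.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)            # ".delmo.nl"
            $label  = $HostName.Split('.')[0]    # only one label may replace the *
            if ($HostName -ieq ($label + $suffix)) { return $true }
        }
    }
    return $false
}

# 1. Every certificate in the Exchange store, with issuer type, expiry, SANs
#    and the services it is bound to. "Services" is what the asker moved.
Get-ExchangeCertificate -Server $server |
    Select-Object Thumbprint, IsSelfSigned, NotAfter, Services, Subject,
        @{n='Domains'; e={ ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ', ' }} |
    Format-List

# 2. Every name Outlook can be told to connect to: the SCP stored in AD plus
#    the internal and external URLs of each virtual directory.
$urls = @()
$urls += (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host } | Sort-Object -Unique

# 3. The certificate IIS actually presents on 443. Only one cert can hold IIS.
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is bound to the IIS service on $server" }
$iisDomains = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })

# 4. Any published host name the IIS certificate does not cover is a name
#    Outlook will warn about (typically the .local FQDN in an InternalUrl).
"IIS certificate: $($iisCert.Thumbprint) (self-signed: $($iisCert.IsSelfSigned), expires $($iisCert.NotAfter))"
foreach ($h in $hosts) {
    $state = if (Test-NameCovered -HostName $h -CertDomains $iisDomains) { 'covered' } else { 'NOT covered by IIS cert' }
    "{0,-45} {1}" -f $h, $state
}
if ($iisCert.IsSelfSigned) {
    "The IIS certificate is self-signed: every client that has not imported it will warn regardless of name."
}
```

Read the last table as the to-do list: each line marked NOT covered is a URL that has to be changed to a name on the certificate, or a name that has to be added to the certificate; a self-signed IIS certificate fails the second test on every domain-joined Outlook client that has not had it pushed into its trusted root store.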
To be clear, the only way to use a self signed cert is to import the issuer chain into every tool you use.

Or to serve the issuing cert via a specific URL. You'll have to lookup how to do this.

Far easier, use https://LetsEncrypt.org certs as all tools (browser, mail clients, etc...) contain the LE issuer chain as a valid cert issuing authority.

Use LE cert + your problems will either simplify or completely resolve.
Well
if you have
DomA.com
and
DomB.com

you need just 2 SANs for each:
for DomA: (autodiscover.DomA.com and webmail.DomA.com)
and for DomB (autodiscover.DomB.com and webmail.DomB.com)

So the registry would be any of those 2.
Autodiscover.domA.com (Internally) to resolve to the ip of the server
and you can create a webmail on domA.com as a Cname or another A record to Autodiscover (or vice-versa, create the webmail, and then create the Cname record to webmail, this is the approach I always Use).

If you just have one wildcard certificate, then you would need to use the SRV method.

About the PowerShell script, to run the script: open an elevated PS console (how? open the Windows start menu on the server, find the Exchange PowerShell console, right-click it and run it with administrative privileges), then run
set-executionpolicy unrestricted


then accept the message

you can close that console and open a regular one
Navigate where you saved your script using cd
cd C:\users\me\Downloads
#and run it
.\SetScp.ps1 -GET
#the parameter is what goes after the name of the script.
#on the SET parameter would be:
.\SetScp.ps1 -set -urlpath "https://webmail.contoso.nl/owa"



We aren't clear on what your environment is, what you have and what you want to do.
your autodiscover URL should be the .nl address, not .local
that is why you get a certificate error
change that autodiscover address to match the external address and that will fix it
you can't use .local externally, so .nl should be used for both and match the name used in the certificate
I already tried that without any luck. The problem is that I have an external domain certificate for webmail.delmo.nl. Because it's a domain certificate I can only use this URL. So the autodiscover must use an internal self signed certificate. But the problem now is that when I start Outlook locally it points to the external certificate but must be pointing to the internal self signed certificate that I have created.
Also, the strange thing is that the AutoDiscoverServiceUri stays empty if I change it:

[screenshot]
Hi Emiel Zwart,
Please check this article to fix the certificate error. If not fixed please let me know.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html?headerLink=workspace_article
ASKER CERTIFIED SOLUTION
Hani M .S. Al-habshi
InternalUrl looks like this: https://leexchange.deleede.local
ExternalUrl looks like this: https://webmail.delmo.nl

So AutoDiscoverService should look like this: https://webmail.delmo.nl/autodiscover/autodiscover.xml
Everything works. Looks like I've had to put a scope definition after the command Set-ClientAccessServer. Thanks for the effort!
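The accepted answer, stated as a procedure: pick the one public name the CA-issued certificate actually carries, publish that name everywhere Outlook looks (the SCP in Active Directory and the internal URLs of the virtual directories, which must stop using the .local FQDN), bind that certificate to IIS, and make the public name resolve to the internal address from the LAN. Moving services onto a self-signed certificate cannot remove the warning, because no client trusts it. The script below is an added example written for this thread, not code from any of the participants; webmail.delmo.nl, taking the server identity from the local computer name, and the use of -Force on Enable-ExchangeCertificate are assumptions. It is typed straight into the Exchange Management Shell, so no script file and no change to the execution policy is needed.

```powershell
# Added remediation example (not from the thread). Run in the Exchange 2010
# Management Shell on the Client Access server. Assumptions: the local machine
# is the CAS, and webmail.delmo.nl is the name on the third-party certificate.
$server     = $env:COMPUTERNAME
$publicName = 'webmail.delmo.nl'
$base       = "https://$publicName"

# 1. Select the CA-issued (not self-signed) certificate that carries the public
#    name; prefer the one that expires last if several are installed.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and
                   ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $publicName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate for $publicName is installed on $server" }

# 2. Bind it to IIS (what Outlook/Autodiscover/EWS/OAB use) and SMTP.
#    -Force overwrites the default SMTP certificate without prompting.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. The SCP that domain-joined Outlook reads from AD. -Identity must name the
#    CAS; without it the cmdlet has nothing to write to.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# 4. Internal and external URLs both use the public name, so that internal
#    Outlook never sees the .local FQDN that the certificate does not cover.
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $server |
    Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-OwaVirtualDirectory -Server $server |
    Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory -Server $server |
    Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-ActiveSyncVirtualDirectory -Server $server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"

# 5. Outlook Anywhere, if enabled, must advertise the same name.
Get-OutlookAnywhere -Server $server | Set-OutlookAnywhere -ExternalHostname $publicName

# 6. Split DNS check: from the LAN the public name has to resolve to the CAS
#    itself, not to the firewall's public address.
$resolved = [System.Net.Dns]::GetHostAddresses($publicName) | ForEach-Object { $_.IPAddressToString }
"$publicName resolves from this server to: $($resolved -join ', ')"

# 7. Restart IIS so the new binding is served, then verify what was written.
iisreset /noforce
Get-ClientAccessServer $server | Format-List Name, AutoDiscoverServiceInternalUri
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, CertificateDomains
```

If step 6 returns the public address of the firewall rather than the CAS, add an internal A record for webmail.delmo.nl (the split-DNS setup J0rtIT describes above), otherwise internal Outlook traffic hairpins through the firewall or fails. Existing Outlook profiles pick up the new URLs at their next Autodiscover refresh; restarting Outlook forces it.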