Autodiscover in Exchange 2010 and Outlook 2010 - Certification Warning

    Question

  • Hello,

    I've got an Autodiscover error that is proving difficult to sort out. Here is the scenario: I have Exchange 2010 Enterprise edition servers deployed on Windows 2008 R2 Enterprise. I have 2 CAS servers with only the CAS role installed on them, in Windows NLB with a CAS Array configuration. No certificates installed. All ports are open on NLB. The NLB name is "nlbcas.smpn.net". The CAS array name is "casarraysitea", the FQDN is "casarraysitea.smpn.net", and the site name is "SiteA". The CAS server names are SRPAPXCH03 and SRPAPXCH04. There are 2 Mailbox servers in a DAG configuration, installed on 2 separate servers with the roles Mailbox, HUB and UM.

    When I open Outlook 2010 I get this message: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority". Then the user has to click the "OK" button to proceed and access his mailbox.

    The name that was being shown was the NLB name. I changed that name to the CAS Array name and the same error happened. Then I used the following commands to set Autodiscover to the individual CAS server names:

    Set-ClientAccessServer -identity srpapxch03 -AutodiscoverServiceInternalUri "https://srpapxch03.smpn.net/Autodiscover/Autodiscover.xml"

    Set-ClientAccessServer -identity srpapxch04 -AutodiscoverServiceInternalUri "https://srpapxch04.smpn.net/Autodiscover/Autodiscover.xml"

    EWS and OAB were configured the same way, to their respective CAS server names. Am I missing an internal CA authority, or is there a PowerShell command that gets rid of this error?

    I really need help with this.

    Thanks!

    WBO

    Saturday, May 29, 2010 1:32 PM

Answers

All replies

  • Are these domain-joined workstations that are getting the certificate error? The self-signed Exchange certificate is installed by default. Is that the cert it's referring to?

    Saturday, May 29, 2010 2:08 PM
    Moderator
  • Please attach the information from the certificate warning in Outlook.

    From what you describe it seems like you are using the self-signed certificate that is installed by default. Either install a CA in your domain and issue a certificate to your client access servers OR buy a certificate from an online authority.

    Saturday, May 29, 2010 3:58 PM
  • Hello

    Even with a self-signed certificate, Outlook should not prompt the user for certificate trust; this is hard-coded in Outlook with self-signed certificates. Also, changing the names will not resolve your problem because it is a trust error. If you have a standalone certification authority, you have to import the certificate of your CA to all your users, or consider purchasing a commercial certificate that is trusted by all computers by default.

    Thanks, 

    Saturday, May 29, 2010 4:22 PM
  • Even with a self-signed certificate, Outlook should not prompt the user for certificate trust; this is hard-coded in Outlook with self-signed certificates.

    No I don't think so...

    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Saturday, May 29, 2010 4:57 PM
  • Yep, Outlook should trust the Exchange self-signed cert. However, I have heard of people claiming that Outlook 2010 sometimes throws this error when accessing the Exchange self-signed cert. Haven't seen or tested it, however.

    Saturday, May 29, 2010 5:21 PM
    Moderator
  • http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

    Certificate warning when using a self-signed Exchange certficate and Outlook 2010

     

    Not sure if this applies in this situation.

     

     

    Saturday, May 29, 2010 5:50 PM
    Moderator
  • According to this article, beginning with Outlook 2010, users get warnings about self-signed certificates. This was not the case with Exchange 2007 & Outlook 2007.

    Reference is Autodiscover whitepaper on TechNet

    Saturday, May 29, 2010 9:55 PM
  • Yep, that's what the article says. Since the poster is using Outlook 2010, it may apply.

    Saturday, May 29, 2010 10:17 PM
    Moderator
  • Thanks Andy,

    Yeah, the article clarifies the whole thing: the MS Outlook team decided that from now on we have to either set up an internal CA or buy a SAN certificate from a trusted, public CA.

    Thanks for your help, now we know we need to include a CA Design into our projects to avoid this warning pop-up, as it is really frustrating.

    Thanks again,

    WBO.

     

    Sunday, May 30, 2010 3:33 PM
  • All,

    It seems that the problem is with Exchange 2010, not Outlook 2010, as this certificate warning will happen with either Outlook 2007 or 2010 when they connect to Exchange 2010 CAS servers. You see, I got Outlook 2010 to connect to Exchange 2007 without any errors. To me it proves that the issue is with Exchange 2010 CAS servers, which will prompt the end user, no matter whether they are using Outlook 2007 or 2010, that they need to install a certificate, either from an internal CA or a public CA.

    Cheers,

    WBO

    Sunday, May 30, 2010 3:46 PM
  • Yeah, the article clarifies the whole thing: the MS Outlook team decided that from now on we have to either set up an internal CA or buy a SAN certificate from a trusted, public CA.

    Thanks for your help, now we know we need to include a CA Design into our projects to avoid this warning pop-up, as it is really frustrating.


    So go to www.digicert.com and buy a SAN cert - they're like $300 or something. I've done a lot of these projects as a consultant and I've *never* included any sort of PKI deployment in the project. That's a significant project in itself.
    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    Sunday, May 30, 2010 5:33 PM
  • Hi,

    You should create an internal CA or buy a third-party certificate to rectify the issue.

    Thanks

    Allen

    Tuesday, June 01, 2010 6:02 AM
    Moderator
  • Hi,

    You can export the certificate ".cer" file, configure a group policy to trust the Root Certification Authority, and then apply the group policy to the clients:

    1. From the "Security Alert" window click "View Certificate", then go to the "Details" tab, and copy the .cer file

    2. Import the .cer file to the group policy object "Computer Configuration\Policies\Windows Settings\Public Key Policies\Trusted Root Certification Authorities"

    Regards


    Mohammad Rabie
    • Proposed as answer by mhRabie Wednesday, September 22, 2010 3:05 PM
    Wednesday, September 22, 2010 12:25 PM
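
The thread turns on whether the warning is a name problem or a trust problem, and on whether importing the certificate through group policy fixes it. The following added example (not from any poster in this thread) reports both conditions separately for the certificate each endpoint presents. `Test-EndpointCertificate` is a hypothetical helper name, the host names are the ones given in the question, and the check reflects the trust store of the machine it runs on.

```powershell
# Added example: inspect the certificate an HTTPS endpoint presents and report
# name mismatch and chain trust separately. Test-EndpointCertificate is a hypothetical name.
function Test-EndpointCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    # Record the validation verdict, then accept the certificate so it can be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $c, $ch, $e)
        $script:policyErrors = $e
        $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }

    # Rebuild the chain without revocation checks so only trust is judged.
    $x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $x509chain.Build($cert)

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        Thumbprint   = $cert.Thumbprint
        NameMismatch = $script:policyErrors.HasFlag(
                           [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainTrusted = $chainOk
        ChainStatus  = ($x509chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # True once this exact certificate is in the machine's Trusted Root store.
        InRootStore  = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    }
}

# Host names as given in the question; run from a domain-joined Outlook client.
'srpapxch03.smpn.net', 'srpapxch04.smpn.net', 'nlbcas.smpn.net' |
    ForEach-Object { Test-EndpointCertificate -HostName $_ } | Format-List
```

A `ChainStatus` of `UntrustedRoot` with `NameMismatch` false is the trust error described in the replies; `NameMismatch` true means the URL name is not on the certificate, which a trusted root alone does not fix.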