Outlook 2010 Certificate Alert when connecting to Exchange 2010 Server

    Question

  • Hi,

    I am receiving the below security alert when launching a domain joined Outlook 2010 client:

    The security certificate was issued by a company you have not chosen to trust

    This is a self-signed certificate on the CAS server role which is separate to the Hub and Mailbox.  Unless something is completely screwed, Outlook 2007 against Exchange 2007 had no issues with domain joined machines and self-signed certificates. 

    The following KB article explains the same issue (http://support.microsoft.com/default.aspx/kb/2006728), but this is a native Exchange 2010 environment with no previous versions of CAS roles.

    Any help appreciated.

    Cheers


    Monday, January 04, 2010 11:33 AM

Answers

  • Hi,

    Yes, when an internal user tries to use Outlook to connect to the Exchange server, Outlook will try to find the e-mail address and Exchange server name from AD. After that it will look for the SCP and then find the correct Autodiscover server to connect to and retrieve settings.

    So during the process of connecting to the Exchange server, it will have to use Autodiscover to connect and retrieve user settings. So a certificate problem regarding Autodiscover will cause the issue.

    I'd like to share the process of how an internal Outlook user connects to the Exchange server.

    1. Automatically retrieve e-mail address from Active Directory if domain joined machine.
    2. Retrieve Exchange Server name if found and store for later.
    3. Look for SCP objects or SCP pointer objects that correspond to the user's e-mail address, and find the correct Autodiscover server to connect to; then connect and retrieve settings.
    4. If previous step fails, attempt DNS discovery of Autodiscover XML (allowing for 10 redirects).
       a. HTTPS POST: https://DOMAIN/autodiscover/autodiscover.xml
       b. HTTPS POST: https://autodiscover.DOMAIN/autodiscover/autodiscover.xml
       c. HTTP GET: http://autodiscover.DOMAIN/autodiscover/autodiscover.xml (only to follow redirects, not to get settings)
       d. DNS SRV lookup: _autodiscover._tcp.DOMAIN (only to follow the redirect the SRV record points to)
    5. If previous step fails, attempt local XML discovery and use XML found on the local machine if applicable.
    6. If previous step fails but an Exchange Server name is found in step 2, configure Exchange account based on Exchange Server name.
    7. If previous step is not applicable, attempt Common Settings Discover, as described in the next section.

    More related information to share with you:

    Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
    http://support.microsoft.com/kb/940726

    Regards,

    Xiu


    Wednesday, January 06, 2010 6:09 AM

All replies

  • hi,

    please check your SSL status; your internal name must be in your SSL certificate.

    just look at here:

    New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=TR, s=, l=, o=, cn=mmncicek" -DomainName mail.mumincicek.com, autodiscover.mumincicek.com, exchangesrv.mumincicek.local, exchangesrv -PrivateKeyExportable $True

    and here is a link to create a CSR for your certificate:

    https://www.digicert.com/easy-csr/exchange2010.htm

    and here is a video about it:

    http://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htm

    regards,



    Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
    Monday, January 04, 2010 11:53 AM
  • Hi, thanks for your prompt response. The certificate contains the internal FQDN of the CAS server and the NetBIOS name of the CAS server, i.e. cas.home.domain.com and cas; this was all handled by the CAS role installation, which is separate to the Mailbox. I would not expect the alert to appear for a domain joined machine, as was the case with Exchange 2007 and Outlook using internal certificates. The question I'm asking is: do I need to utilize a certificate from a trusted CA for internal domain joined Outlook clients? Cheers
    Monday, January 04, 2010 12:21 PM
  • I'm not sure, but it looks like a self signed certificate will give an error and you may need to create an internal certificate authority or buy an external certificate.  Hopefully someone with more info will be able to give us the specific answer.

    regards,
    Mac

    Tuesday, January 05, 2010 1:29 AM
  • Hi,

    Please check if this certificate has been installed under "Trusted Root Certification Authorities" in the Certificates MMC snap-in.

    1. Run "MMC" from a command prompt.
    2. Click on File on the toolbar and select "Add/Remove Snap-in...".
    3. In the "Standalone" tab, click on "Add" - "Certificates" - "Computer account" - "Local computer".
    4. Click "Finish" and "OK".
    5. Expand "Certificates" - "Personal" - "Certificate", and "Certificates" - "Trusted Root Certification Authorities" - "Certificate".

    More related information to share with you:

    Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista
    http://blogs.technet.com/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

    Regards,
    Xiu


    Tuesday, January 05, 2010 7:32 AM
  • Hi Xiu,

    The certificate is definitely not installed, I know that.  The question I am asking is are there stricter conditions for domain joined Outlook clients with Exchange 2010.  In Exchange 2007, Domain joined outlook clients did not require the certificate to be installed under the Trusted Root CA.  This was only required for "internet" autodiscover clients.

    Can anyone please confirm whether this is also required as part of the CAS and Exchange 2010 for domain joined outlook clients.

    Thanks
    Tuesday, January 05, 2010 8:02 AM
  • Do you have Outlook Anywhere enabled?


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa
    Tuesday, January 05, 2010 9:29 AM
  • Hi Casper,

    Outlook Anywhere is not enabled on the CAS Server.  Outlook client is connected to the domain.

    Cheers
    Tuesday, January 05, 2010 11:10 AM
  • Hi Xiu,

    Thanks for your response, however my issue is not related to the name of the security certificate being invalid (that part is fine); mine is all about "The security certificate was issued by a company you have not chosen to trust".

    This was never an issue with Outlook connecting to Exchange 2007 utilising a self-signed certificate. The following article confirms the default behaviour in Exchange 2007; read under the heading "Using the Self-Signed Certificate with Domain-Joined Outlook 2007 Clients" (http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx).

    I need clarification that this either still holds true for Exchange 2010, or whether this has changed due to mapi now being closely tied to the CAS role.

    I have also read about the following REG key and CAS proxying;

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeOWA\AllowInternalUntrustedCerts

    I will check later tonight on whether it's set to True or False.

    Thanks
    Wednesday, January 06, 2010 8:39 AM
  • I got the same SSL certificate warning problem with Outlook 2007 internal clients with an Exchange 2010 CAS server. I don't care about anything like Outlook Anywhere, but I always get this warning during connection. The only way I can get rid of this warning is to install this SSL certificate of the CAS server on each computer, lots of work; there was never such a problem between Outlook 2007 and Exchange 2007. Can anyone recommend a SERVER solution which won't require installation of the certificate on every PC? Thanks.
    Wednesday, January 06, 2010 5:32 PM
  • I got the same SSL certificate warning problem with Outlook 2007 internal clients with an Exchange 2010 CAS server. I don't care about anything like Outlook Anywhere, but I always get this warning during connection. The only way I can get rid of this warning is to install this SSL certificate of the CAS server on each computer, lots of work; there was never such a problem between Outlook 2007 and Exchange 2007. Can anyone recommend a SERVER solution which won't require installation of the certificate on every PC? Thanks.
    • You can purchase a SSL certificate from an external provider for the server's fqdn,
    • You can install the Certificate Authority service on Windows Server and issue your own certificate (cheapest solution)
    • You can check out http://support.microsoft.com/default.aspx/kb/940726 and modify the internal URLs

    From what I have read, the top option seems to be the way Microsoft has designed the system to work.
    Regards, Mac

    Wednesday, January 06, 2010 8:35 PM
  • Exchange 2010. Outlook 2007.

    Tried that.

    Still get the error message when opening Outlook.

    Tried http://support.microsoft.com/kb/940726 and still get the error message when trying to open outlook.

    Thursday, May 20, 2010 11:51 AM
  • Let's take it back to basics. If you browse to the CAS server (https://serverFQDN) do you get an error message? If so and it is the same error you get when using Outlook, we need to figure out why you are not trusting the certificate issuer.

    Let me know and I'll try to guide you through the process in getting this sorted.


    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Friday, May 21, 2010 11:12 AM
  • I'm receiving this error as well.  Only on Outlook 2010, my Outlook 2007 clients connect without a problem.  When I surf to https://serverFQDN, I do receive a certificate error on all machines, not just the Outlook 2010 machine.  The issuer is the name of the server, so of course it is not trusted, but why does it work on Outlook 2007.  I have installed Certification Authority on a Windows 2008 R2 and may attempt a self-signed cert.  Since this is a test box, I do not want to purchase anything.  Ideas?
    Monday, May 24, 2010 6:34 PM
  • The certificate warning that I had originally posted about earlier this year (first post) is actually considered by "design", i.e. domain joined Outlook 2007 clients would ignore the validity check.  This is not the case with Exchange 2010, Outlook 2010.  The only way around this is to either purchase a 3rd party SAN certificate from a public CA or if it's for testing purposes only, install Windows 2008 Active Directory CA and initiate a SAN certificate request from Exchange 2010 which your Windows 2008 CA will issue.  This works a charm and I have done it a number of times in a dev environment.

    Henrik confirms the certificate warning in his below post

    http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

    Cheers


    Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalil
    Monday, May 24, 2010 8:59 PM
  • Agree with George, except on the Public CA statement. Use an internal PKI certificate for all internal traffic and only public certificates on your reverse proxy platform. Not only does this drive down costs, but it gives you a lot more flexibility and control.... apart from every other Microsoft product that will at some stage require a certificate.
    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Tuesday, May 25, 2010 5:21 AM
  • The certificate warning that I had originally posted about earlier this year (first post) is actually considered by "design", i.e. domain joined Outlook 2007 clients would ignore the validity check.  This is not the case with Exchange 2010, Outlook 2010.  The only way around this is to either purchase a 3rd party SAN certificate from a public CA or if it's for testing purposes only, install Windows 2008 Active Directory CA and initiate a SAN certificate request from Exchange 2010 which your Windows 2008 CA will issue.  This works a charm and I have done it a number of times in a dev environment.

    Henrik confirms the certificate warning in his below post

    http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

    Cheers


    Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalil

    So basically, with Exchange 2010 and Outlook 2010, they are forcing us to use 3rd party certificates or do more work and have an internal CA???  What the heck?  I shouldn't have to go through this when my system is set up with a simple configuration.  I have one Exchange 2010 server, no other Exchange servers, no external access is allowed.  I have upgraded all clients with Outlook 2010 in preparation for this to make it as smooth as possible.  Now I have to manually install a certificate on every workstation or create an internal CA that all my computers trust or purchase a 3rd party cert?  Why does it seem like Microsoft goes backwards on so many of their newer products.  I'm really upset that there is no other way around this.
    Louis
    Wednesday, June 23, 2010 3:36 PM
  • An internal CA is actually very easy.

    Just install the CA from the Windows Server Setup.  Issue a certificate for your internal Exchange Server.  What happens fairly quickly after you install the internal CA is that the clients that log in to the network will have the internal CA certificate automatically added to their trusted certificate store, and it will all just work quite easily and well.

    -Barry

    Friday, June 25, 2010 8:08 AM
  • Louis, it isn't backwards, it is more secure, so it requires a little more work on your part just as all security implementations do.  You can fight it if you want and even turn off the encryption for the OWA, or embrace it and in an hour or two you will be set.  BTW: I recently purchased a SAN certificate from GoDaddy for under $200 and the best part is I can open up the access to my users when they travel or check from home (they love it).

    Cheers

    Dave

    Friday, June 25, 2010 8:01 PM
  • I too get the cert. error and have been reading all over but it is still not solved; hope someone can point me the way.

    I have a star alias SSL certificate *.domain.com I want to use and am already using for webmail and OMA. I'm running OL2010 and Exchange 2010 - did not install the Exchange server myself, just popped in to solve the cert. issue when Outlook internal users autoconfigure, but must say it's a bit unclear for me.

    I receive "certificate untrusted" and it is pointing to NETBIOSSRVNAME.localdomain.local, which I have no cert for, and I wish to use the 3rd party * cert.

    I have tried changing the AutoDiscoverServiceInternalUri to: https://WEBMAIL.INTERNETDOM.COM/Autodiscover/Autodiscover.xml

    Which gives me a popup when autoconfiguring asking for username/password for user initials@internetdom.com, but typing the password doesn't get past this point and I have to do it manually; it keeps asking for the password.

    If I internally access WEBMAIL.INTERNETDOM.COM using IE I get to the OWA login page and can log in no problem.

    However, if I access the server (still with IE) using "localhost" or the "netbios.fqdn" I get the certificate error - so I think it might be IIS making the trouble here...??

    Any suggestions much appreciated

    Lars

    PS. 

    This is how the URLs looked when I arrived:

    Identity    : NETBIOSSRVNAME\Autodiscover (Default Web Site)
    InternalUrl :
    ExternalUrl :

    Identity                       : NETBIOSSRVNAME
    AutoDiscoverServiceInternalUri : https://NETBIOSSRVNAME/Autodiscover/Autodiscover.xml

    Identity    : NETBIOSSRVNAME\EWS (Default Web Site)
    InternalUrl : https://NETBIOSSRVNAME.LOCALDOM.LOCAL/EWS/Exchange.asmx
    ExternalUrl : https://WEBMAIL.INTERNETDOM.COM/ews/exchange.asmx

    Identity    : NETBIOSSRVNAME\OAB (Default Web Site)
    InternalUrl : http://NETBIOSSRVNAME.LOCALDOM.LOCAL/OAB
    ExternalUrl : https://WEBMAIL.INTERNETDOM.COM/OAB

    Identity        : NETBIOSSRVNAME\owa (Default Web Site)
    InternalUrl     : https://NETBIOSSRVNAME.LOCALDOM.LOCAL/owa
    ExternalUrl     : https://WEBMAIL.INTERNETDOM.COM/owa
    Exchange2003Url : https://legacy.lcpharma.com/exchange

    Identity    : NETBIOSSRVNAME\ecp (Default Web Site)
    InternalUrl : https://NETBIOSSRVNAME.LOCALDOM.LOCAL/ecp
    ExternalUrl : https://WEBMAIL.INTERNETDOM.COM/ecp

    Identity    : NETBIOSSRVNAME\Microsoft-Server-ActiveSync (Default Web Site)
    InternalUrl : https://NETBIOSSRVNAME.LOCALDOM.LOCAL/Microsoft-Server-ActiveSync
    ExternalUrl : https://WEBMAIL.INTERNETDOM.COM/Microsoft-Server-ActiveSync

    Tuesday, July 20, 2010 12:16 PM
  • An internal CA is actually very easy.

    Just install the CA from the Windows Server Setup.  Issue a certificate for your internal Exchange Server.  What happens fairly quickly after you install the internal CA is that the clients that log in to the network will have the internal CA certificate automatically added to their trusted certificate store, and it will all just work quite easily and well.

    -Barry


    Do you have some more information on this?  I want to get rid of the certificate warning you get for OWA at a server level.  I added the Active Directory Certificate Services.  I believe the certificate template in question is CA Exchange.  I don't quite understand how to get it trusted though.
    Tuesday, July 20, 2010 4:03 PM
  • You will want to become a Certificate Authority for your internal organization. if you follow this Technet page with that in mind you will see how to take the certificate request you created in EX2010 and give that to the CA and have the CA create the return .crt file to use when completing the Cert Request wizard in EX2010. 

    http://technet.microsoft.com/en-us/library/bb727098.aspx

    Umphid, you should really ask a separate question since this one was already answered - high up in the list. :-)

    Dave

    Wednesday, July 21, 2010 10:40 PM
  • Hi,

    You can export the certificate ".cer" file, and configure a group policy to trust the Root Certification Authority, and then apply group policy to the clients:

    1. From the "Security Alert" window Click "View Certificate", then go to "Details" tab, and copy the .cer file

    2. Import the .cer file to the group policy object "Computer Configuration\Policies\Windows Setting\Public Key Policies\Trusted Root Certification Authorities"

    Regards


    Mohammad Rabie
    Wednesday, September 22, 2010 12:22 PM
  • Thanks for that "Henrik Walther" post: http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

    Note these words in the post that support the MS design decision to change the first validity check from OL2007 to follow best practices in OL2010:

    "What does this mean to you? Probably not much since it’s always recommended to use certificates issued by your internal PKI or a public certificate authority. Anyway this is good to know in case you end up in a situation where you see Outlook 2007 and Outlook 2010 behavior is different when it comes to deployments where Exchange 2007 or 2010 uses self-signed certificates."

    Because of all the posts here, I will just repeat the text from the blog below. Now you don't have to click the link to read that more or less "precise" answer to this issue.

    Ref. http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

    Certificate warning when using a self-signed Exchange certificate and Outlook 2010

    As some of us are aware, and as stated in the Exchange 2007 Autodiscover Service whitepaper (more specifically the "Autodiscover and Certificates" section), for a certificate to be considered valid it must meet the following criteria for the Autodiscover service:

    • The client can follow the certificate chain up to the trusted root.
    • The name matches the URL that the client is trying to communicate with.
    • The certificate is current and has not expired.

    However, domain-joined Outlook 2007 clients were designed to ignore the first validity check. This meant that we wouldn't get any certificate errors in Outlook 2007 even though a self-signed certificate (created by Exchange 2007 setup) was used.

    With Outlook 2010 this is no longer the case. You see, with Outlook 2010 the Outlook team decided that the default behavior should be that Outlook always warns the end user if a self-signed certificate is used.

    What does this mean to you? Probably not much since it’s always recommended to use certificates issued by your internal PKI or a public certificate authority. Anyway this is good to know in case you end up in a situation where you see Outlook 2007 and Outlook 2010 behavior is different when it comes to deployments where Exchange 2007 or 2010 uses self-signed certificates.

    Friday, September 24, 2010 3:33 AM
  • Very simple, elegant solution.

    Issuing by a CA is always a safer option, however, I love valid work arounds to the little problems Microsoft creates.

    Wednesday, January 19, 2011 11:31 PM
  • I fought this for a couple of days and finally installed an Internal CA.

    Now I seem to be fighting issues with old certificates or something.

    OWA works great, internally and externally, no more Certificate Errors.

    Outlook 2003 clients connect to the server and can read mail, create mail, and print their attachments.   If they try to print an email they get an error message that says they can't connect to the Exchange Server.

    Outlook 2010 clients, only have 7.   3 are working great.   4 can no longer connect to the server.

    Been beating my head against a wall for two days trying to figure this out.


    Don Miller Network Administrator Teton Machine Company
    Thursday, January 20, 2011 12:01 AM
  • Hi all, just sharing my finding, hoping it can help.

    If, as recommended, you want to use an external 3rd party certificate for your Exchange server, you have to change the Autodiscover internal URI to stop Outlook prompting with a certificate warning.

    I've generated a single name (not SAN) certificate for our server, i.e. owa.company.com (the internal domain being company.local). Then I installed it on the CAS server.

    I used the following command on the CAS server to change the URI:

    Set-ClientAccessServer -Identity "<ExchangeClient Access Server name>" -AutoDiscoverServiceInternalUri "https://owa.company.com/autodiscover/autodiscover.xml"

    Hope this helps,
    stefano
    Friday, January 21, 2011 9:53 AM
  • Hello friends,

    the below KB resolved my Certificate problem in Outlook

    http://support.microsoft.com/kb/940726

    Thanks for all support.

    Naren

    Tuesday, March 01, 2011 11:05 AM
  • thanks for this detail, computermensch.

    wouldn't it be great if they gave us a choice, like a group policy or registry hack to tell outlook 2010 to "ignore certificate errors?" since, you know. this was the default behavior in outlook 2007. good old microsoft.

    Friday, March 11, 2011 4:13 PM
  • Open Outlook , Once you get certificate alert, view and install it

    Use internet explorer -->content and export certificate

    Or use MMC snap-in certificate  to export certificate.

    Use GPO to deploy the certificate to computers: Computer settings --> Trusted Root Certificate Authorities.

    Sunday, March 13, 2011 10:08 PM
  • thanks for this detail, computermensch.

    wouldn't it be great if they gave us a choice, like a group policy or registry hack to tell outlook 2010 to "ignore certificate errors?" since, you know. this was the default behavior in outlook 2007. good old microsoft.


    I completely agree with you.  Especially when this will probably change if you want to allow external connectivity and you'll probably have to get a SAN from a 3rd party CA anyway.

    Why still have Exchange by default/design install a cert its clients won't trust anyway unless one either installs a CA or configures and deploys a GPO?  Considering the AD paradigm is based on implicit trusts, it would be nice for an internal-only Exchange deployment to also follow suit.  Btw, regardless of how "easy" deploying a CA is said to be there are always gotchas somewhere.  Even more so with GPOs when a seemingly innocent "Not configured" setting in an unrelated section of a GPO can make some fundamental changes to your desktops.

    Thursday, March 17, 2011 4:04 PM
  • answer found by accident

    i was having the same issue - so i double checked the configuration from sbcgloball.net for my mail account

    it showed me for example to put pop.sbcglobal.yahoo.com in the incoming mail server

    i noticed when the error popped open it said view certificate. on the front it said att and under details it showed sbcglobal

    WHEN I CHANGED THE POP - i put in pop.att.yahoo.com and THIS STOPPED THE errors

    Thursday, August 04, 2011 5:45 PM
  • Just a note: This is no longer possible with public certs. Internal names are now banned (or very shortly will be). If you attempt to get a 2 year cert currently, you cannot do it with a private name in the cert.

    See http://support.godaddy.com/help/article/6935/using-intranet-and-reserved-ip-addresses-as-the-primary-domain-or-subject-alternative-name-in-ssls on Godaddy or go to the source at https://www.cabforum.org/ .

    Monday, August 27, 2012 5:44 PM
  • Sorry, McCue, but going from 99% secure to 99.1% secure is not much use. No one hacked email because of internal names in ssl certs.

    Sunny

    Monday, August 27, 2012 5:47 PM
  • If you can avoid it at all, AVOID putting an internal CA into your network. They are incredibly difficult to migrate to a new machine, so in 4 years, basically, you have to rip and replace. (Read: hassle every machine in the network.) If you accidentally put it on an old server, you may have to do this even sooner.

    CA's are great for large institutions, but for smaller groups, you might try publishing the internal and external URLs as the same (use the external URLs) and make your router translate them for in or out of the network. Then set your autodiscover to point to the outside address for autodiscover, and you can then probably use only external names.

    This is basically how SBS gets away with a single name certificate, doing the same thing.

    Sunny Lowe

    Monday, August 27, 2012 5:51 PM
  • After years of having to look up dozens of different articles every time I needed to fix this issue, I think I've finally found the definitive answer for fixing this problem in a single set of steps. Please feel free to add or append.

    This assumes you've already installed your SSL cert on the CAS Server.

    1. Install and configure certificate in IIS.
    2. Open Exchange Manager/Server Configuration from the CAS server
      • From the certificates window, right click the certificate with the cn that matches the EXTERNAL URL and choose Assign Services.
      • Follow the wizard and bind IIS services to new certificate.
    3. From any Domain Controller open DNS manager
      • Add primary zone that matches certificate Uri (eg. mail.contoso.com)
        1. Add root A entry that matches IP address of internal Exchange server
      • Right click on the primary AD domain (eg. contoso.local) and add A record named autodiscover that points to the internal address of the Exchange server.
    4. From any system on the INTERNAL network, verify that you can ping both external (eg. mail.contoso.com) and autodiscover (eg. autodiscover.contoso.local) URLs and that they show the INTERNAL address of your CAS server.
    5. Start the Exchange Management Shell.
      • Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To change this URL, type the following command, and then press Enter: Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
      • Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter: Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
      • Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter: Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
    6. Open Exchange Manager/Client Access from the CAS server
      • Right click and open properties of Outlook Web Access item owa.
      • Change all internal URL values to match external URL.
      • Repeat on tabs Exchange Control Panel, Exchange ActiveSync and Offline Address Book Distribution
    7. Open IIS Manager
      • Expand the local computer, and then expand Application Pools.
      • Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
    8. Test from workstation with Outlook installed
      • Hold CTRL and Click the outlook Icon in the system tray and select “Test Email Auto Configuration”
      • Verify that all URLs point to the Certificate URL

    Thursday, January 30, 2014 7:31 PM
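    As an added example (not code from the thread, from Microsoft, or from Henrik Walther's blog), the following Windows PowerShell script ties together the Autodiscover lookup order from Xiu's answer and the three certificate criteria quoted from the blog post: it builds the candidate Autodiscover URLs a domain-joined client would try (SCP first, then the HTTPS DNS candidates) and reports, for each endpoint, whether the chain builds to a trusted root, whether the name matches, and whether the certificate is within its validity period. Windows PowerShell 3.0 or later on a domain-joined machine is assumed; the SMTP domain `contoso.com`, the sample EWS URL and all function names are placeholders of my own.

```powershell
# Added example, not code from the thread, from Microsoft or from Henrik Walther's
# blog. Windows PowerShell 3.0+ on a domain-joined machine; read-only, nothing on
# the client or the server is changed.

function Get-AutodiscoverCandidateUrl {
    param([Parameter(Mandatory)][string]$SmtpDomain)
    # Step 3 of the lookup order: Autodiscover SCP objects in the configuration
    # partition. The keyword GUID is the well-known Autodiscover SCP marker;
    # serviceBindingInformation holds the URL that
    # Set-ClientAccessServer -AutoDiscoverServiceInternalUri publishes.
    $configNc = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$configNc"
    $searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
    foreach ($scp in $searcher.FindAll()) {
        foreach ($binding in $scp.Properties['servicebindinginformation']) { [string]$binding }
    }
    # Steps 4a/4b: the DNS-based HTTPS candidates. 4c (HTTP GET) and 4d (SRV) only
    # follow redirects and never return settings, so they are left out here.
    "https://$SmtpDomain/autodiscover/autodiscover.xml"
    "https://autodiscover.$SmtpDomain/autodiscover/autodiscover.xml"
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = New-Object System.Collections.Generic.List[string]
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() gives "DNS Name=mail.contoso.com, DNS Name=..." on English Windows;
        # keying on '=' keeps the parse working with localized labels.
        foreach ($m in [regex]::Matches($san.Format($false), '=([^,\s]+)')) { $names.Add($m.Groups[1].Value) }
    }
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names.Add($cn) }
    return $names
}

function Test-HostnameMatch {
    param([string]$Hostname, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $Hostname) { return $true }
        # A wildcard covers exactly one leftmost label: *.contoso.com matches
        # mail.contoso.com but neither contoso.com nor a.b.contoso.com.
        if ($name.StartsWith('*.')) {
            $dot = $Hostname.IndexOf('.')
            if ($dot -gt 0 -and $Hostname.Substring($dot) -ieq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

function Test-ExchangeEndpointCertificate {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    $result = [ordered]@{
        Url = $Url; Subject = ''; Issuer = ''; ChainTrusted = $false
        ChainStatus = ''; NameMatches = $false; InValidityPeriod = $false; Error = ''
    }
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
        # Accept whatever the server presents during the handshake so the
        # certificate can be pulled out and judged explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    } finally {
        if ($client) { $client.Close() }
    }
    # Criterion 1: chain to a trusted root. The self-signed Exchange certificate ends
    # here with UntrustedRoot, which is the "not chosen to trust" alert in this thread.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    # Criterion 2: name match. A failure here is the KB 940726 "name ... does not match" alert.
    $result.NameMatches = Test-HostnameMatch -Hostname $uri.Host -CertNames (Get-CertificateDnsNames -Cert $cert)
    # Criterion 3: validity period.
    $now = Get-Date
    $result.InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    $result.Subject = $cert.Subject
    $result.Issuer = $cert.Issuer
    return [pscustomobject]$result
}

# Sample run with placeholder names. Add the InternalUrl values that
# Get-*VirtualDirectory prints (EWS, OAB, OWA, ...) to audit them the same way.
$urls = @(Get-AutodiscoverCandidateUrl -SmtpDomain 'contoso.com') + @('https://mail.contoso.com/ews/exchange.asmx')
$urls | Sort-Object -Unique | ForEach-Object { Test-ExchangeEndpointCertificate -Url $_ } |
    Format-Table Url, ChainTrusted, ChainStatus, NameMatches, InValidityPeriod, Error -AutoSize
```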