UCC Certificate not working on TMG

    Question

  • Thank you for reading this post.

    I have purchased UCC certificates from GoDaddy for our Exchange 2010 server:

    mail.mydomain.com, autodiscover.mydomain.com, outlookanywhere.mydomain.com and exch2k10.mydomain.com (Internal)

    I have exported the certificate to TMG and installed it; however, after generating and testing the OWA publishing rule, a red cross mark states:

    Category: Destination server certificate error
    Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted.
    Action: Go to http://go.microsoft.com/fwlink/?LinkId=115965

    I have already installed root and immediate certificate to TMG, however, this error still occurs.

    If any of you experts can offer some help, I truly appreciate it.

    Best Regards,

    Hill

    Friday, September 17, 2010 22:03

All replies

  • Hi,

    The GoDaddy certificate should be trusted because the GoDaddy Root CA certificate should already be installed. Please check if the GoDaddy certificate is in the local computer certificate store of the TMG machine in the Trusted Root CA certificate container.
    Double-click the imported GoDaddy certificate and check if the certificate is trusted.
    I think everything is fine and you have a problem with the trust from the internal certificate. Exchange 2010 uses a self-signed certificate by default, so you have to export the self-signed certificate on the Exchange Server. After that, import the Exchange Server certificate into the local computer certificate store on TMG in the Trusted Root Certificate Authority container. You can also check this when you try to access Outlook Web App from your TMG Server.

     


    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    • Marked as answer by Hill Zhou, Saturday, September 18, 2010 03:38
    Saturday, September 18, 2010 03:05
  • Hi Marc,

    Can't say enough thanks, that's exactly what my problem is.  I didn't know I had to export the self-cert from Exchange.

    Thanks again for spending time this late on Friday.  Have a great weekend!

    Hill

    Saturday, September 18, 2010 03:38
  • Hi Hill,

    no problem. Have a nice day.

    Greetings from Germany


    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    Saturday, September 18, 2010 04:27
  • Hi Marc, sorry to bother you again, if you are still reading this post, would you please answer me one more question?

    As I purchased the UCC certificates for the Exchange server, one of them is exch2010.mydomain.com, which is for internal use.  Now I have only assigned the services to the TMG.  My problem now is, whenever I open Outlook 2010, I get a security warning indicating that "the security certificate was issued by a company you have not chosen to trust...". Is it because I haven't assigned the services to Exchange 2010?  If I do, is it going to cause a conflict between TMG and Exchange?

    Thank you so much!

    Hill

    Saturday, September 18, 2010 05:16
  • Hi,

    To avoid this message you must export the self-signed certificate on the Exchange Server and import it into every client PC with Outlook installed. You can use Group Policies to deploy the certificate. Create a new GPO - Computer configuration - Policy - Security - Public Key policy - Trusted Root Authorities - and there you can import the exported .CER file. After the Group Policy update interval has finished, every client should have the exported certificate in its local computer certificate store.


    regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
    • Marked as answer by Hill Zhou, Saturday, September 18, 2010 06:37
    Saturday, September 18, 2010 06:25
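
A way to confirm the result of either import described in the two answers above, on the TMG server or on a client after the Group Policy refresh. This is an added example, not part of the thread; the function name `Test-CertificateTrust` and the .CER path are hypothetical.

```powershell
# Added example, not from the thread. Test-CertificateTrust and the .CER path
# in the usage line at the bottom are hypothetical names.
function Test-CertificateTrust {
    param([Parameter(Mandatory = $true)][string]$CerPath)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $file = (Resolve-Path $CerPath).ProviderPath
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList $file

    # Build the chain against the machine store, which is what a service uses.
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true
    # A self-signed certificate has no CRL, so skip revocation for this check.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is this exact certificate in Local Computer\Trusted Root CAs?
    $store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    $inRoot = @($store.Certificates |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
    $store.Close()

    # Subject Alternative Name extension (OID 2.5.29.17): names a UCC covers.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)
        SubjectAltNames    = $sanText
        ChainTrusted       = $trusted
        ChainStatus        = ($status -join ', ')
        ChainEndsAt        = $top.Subject
        InLocalMachineRoot = $inRoot
        NotAfter           = $cert.NotAfter
    }
}

# Usage (constructed path):
# Test-CertificateTrust -CerPath 'C:\Temp\exchange-selfsigned.cer' | Format-List
```

If `ChainTrusted` is False with `UntrustedRoot` in `ChainStatus` and `InLocalMachineRoot` is False, the certificate has not yet been imported into the Trusted Root store on that machine.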
  • Many thanks Marc!  I'll do that.

    I expect I'll have more questions along the way, it's my pleasure to know you.

    Best Regards,

    Hill

    Saturday, September 18, 2010 06:39