SSL Certificates After Merger

  • Question

  • CompanyA has Exchange 2007 with a 3rd-party SAN SSL certificate for webmail.companyA.com, autodiscover.companyA.com.
    CompanyB has Exchange 2007 with a 3rd-party SAN SSL certificate for webmail.companyB.com, autodiscover.companyB.com.

    CompanyA and CompanyB merge by moving all mailboxes into CompanyA's Exchange 2007 Organization.  CompanyB's Exchange 2007 Organization is decommissioned.

    Users with a default @companyB.com SMTP-address receive certificate warnings when using their Outlook 2007 client.  What can/should be done to avoid this?

    Tuesday, September 20, 2011 7:53 PM

Answers

  • You need to have autodiscover for every domain that Exchange is supporting users with that domain as their primary email address.

    That means either autodiscover.example.com as one of the additional names, SRV records or the redirect method. The autodiscover DNS host with the name in the SSL certificate is the most common choice. Therefore a new certificate will be required for Exchange.

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by Gen Lin Friday, September 30, 2011 8:32 AM
    Tuesday, September 20, 2011 7:59 PM
  • Hi,

    Did you also move the user objects from the CompanyB forest to the CompanyA forest, or are the CompanyB user objects still in the CompanyB forest?

    How many CAS servers are in Company A?

    If you have moved the user objects to Company A, the problem could be caused by the users trying to connect to another CAS server which does not use a 3rd-party SAN SSL.

    Please run Outlook autoconfiguration and see the result:

    a. Open Outlook. In the Windows notification area, right-click the Outlook icon and choose "Test E-mail AutoConfiguration".

    b. Uncheck the options "Use Guessmart" and "Secure Guessmart Authentication". Click Test.

    c. In the Log tab, please check the autodiscover URLs that are tried by the Outlook client.

    d. When Outlook successfully connects to the Autodiscover service, please click the Result tab and post here.

     

    Gen Lin 
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com 


    • Edited by Gen Lin Friday, September 23, 2011 5:22 AM
    • Marked as answer by Gen Lin Friday, September 30, 2011 8:32 AM
    Friday, September 23, 2011 1:40 AM
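
The first answer's point (each primary SMTP domain needs an autodiscover host name that the certificate covers) can be checked before ordering a new certificate. This is an added example, not code from the thread: the function names `Test-NameMatch` and `Get-AutodiscoverCoverage` are hypothetical, and the input lists are constructed from the host names in the question.

```powershell
# Added example. Inputs are plain string lists so the check runs offline;
# on a real server the names would be the certificate's subject alternative
# names and the organization's primary SMTP domains.

function Test-NameMatch {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    if ($c.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label:
        # *.a.com matches x.a.com, but not x.y.a.com and not a.com itself.
        $dot = $h.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return ($h.Substring($dot) -eq $c.Substring(1))
    }
    return ($h -eq $c)
}

function Get-AutodiscoverCoverage {
    param([string[]]$CertificateDomains, [string[]]$PrimarySmtpDomains)
    foreach ($domain in $PrimarySmtpDomains) {
        # Host name the client validates when the DNS-host method is used
        $needed  = "autodiscover.$domain"
        $covered = $false
        foreach ($name in $CertificateDomains) {
            if (Test-NameMatch -HostName $needed -CertName $name) {
                $covered = $true
                break
            }
        }
        New-Object PSObject -Property @{
            SmtpDomain           = $domain
            RequiredName         = $needed
            CoveredByCertificate = $covered
        }
    }
}

# Constructed input: CompanyA's existing SAN certificate and the two
# primary SMTP domains that exist after the merger.
$certNames   = 'webmail.companyA.com', 'autodiscover.companyA.com'
$smtpDomains = 'companyA.com', 'companyB.com'

Get-AutodiscoverCoverage -CertificateDomains $certNames -PrimarySmtpDomains $smtpDomains |
    Select-Object SmtpDomain, RequiredName, CoveredByCertificate
```

A domain reported as not covered needs one of the three options from the first answer: the name added to a new certificate, an SRV record, or the redirect method.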
