
Exchange 2010 - Certificate Alerts in Outlook 2010 1


colinmitton
I have a single Exchange 2010 server on site. To get ActiveSync & OWA working I got a certificate from an external supplier (GoDaddy.com) for my external mail server name: mail.myexternalDNS.co.uk
This worked great and everything was going fine.

I'm now testing Outlook 2010 and when I start it up I get a Security Alert. As Outlook connects to the internal address of exchange.mycompany.local it says that the name on the security certificate is invalid or does not match.

I don't mind pressing Yes to proceed (I have to do this twice as I get the message twice) but I'm sure my users will!

Any ideas on sorting this out? My first guess was adding an internal certificate, but I don't know how to create one, then ensure I add it in correctly! I do have Server 2008 R2 running on a few servers.

Sadly my training course for Exchange 2010 does not happen until the new year, so I'm flying blind at the moment!
 
Your Subject Alternative Name (SAN) certificate needs to include all names by which you'll connect to the server. If you're using one FQDN on the outside and a different one on the inside, both names need to be in the certificate. You also need your autodiscover names, and your OWA names in the cert.

If you're going to allow non-domain joined machines to access Exchange, it needs to be a publicly trusted certificate.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Probably a daft question: can I have 2 certificates? The external one paid for from GoDaddy for my non-domain-joined machines (I'm guessing that means home PCs accessing OWA and mobile devices), then an internal certificate (with SAN) for my domain-connected devices?
 
Anything is possible. But a single SAN cert that contains all the names will be much easier to manage. Don't forget that devices like mobile phones will need to connect to the autodiscover name, and that needs to be trusted.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
It seems that when I had the system set up they misinformed me about the requirements of the security certificate!

I'm on to GoDaddy now to see how I can change this! As my certificate is only for mail.myexternalDNS.co.uk and nothing else I believe I need a different 'package' to have SANs added.

How do I find out the Autodiscover names too? I'm sorry to be a pain but it's all too new to me!

Thanks for the information.
 
You need to read the documentation around certificates. It's way more than what you're obviously prepared for.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Sorry - that sounded mean and it wasn't intended to. My point is that you need to read the docs and take into account the various requirements and options that best fit your organization.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Point taken and no worry about how it came across.

My main issue is that I came from an Exchange 2003 environment which I had no training in and picked things up as I went. Knowing that 2010 was a lot more involved than 2003 I got an 'expert' to set up and install until I could get on a course and have time to read up on the product.

Sadly I don't think the person provided was that good (he did not know about the SAN on the certificate or a few other things like how the drives should have been set up for the DB / logs / app!). He's left me with a few issues that now I'm trying to sort out. Of course this also goes on top of my usual duties here, which with my current workload gives me no time whatsoever to read up on this sort of thing!

As I'm going through this issue I'm learning more about the whole certificate process and this seems straightforward enough. But having spoken to GoDaddy about my current cert, it's going to cost over £200 to upgrade my cert to what I require! Sadly I do not have enough budget to sort this out.

When I assign an internal 'self-signed' cert to the IIS service in the management console I lose the Outlook alert, but external connections (like my phone) will not work! Put the GoDaddy cert on the IIS service in the console and outside works, but internal gets the alert back!

Can the IIS service have both? It just seems to toggle between the certs?

Thanks once more for being understanding with me on this.
 
You can assign different certificates to different services (do a Get-ExchangeCertificate and you'll see the various certs and what services they are enabled for). I spent like 40 pages talking about certs in a 2007 book. The complexities around using multiple certs include creating new vdirs and such. It's not pretty.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Thanks for the help. For now I'm going to try to get the self-signed cert to work at the same time as the external cert on IIS, then look into getting an external cert with SAN on it to make it easier in the future (when I get my new budget in April).

I had a look at the book and will give it a try... I need all the help I can get!

Thanks once more.
 

Split DNS issues with certs and local and remote access issues. Our domain is private.local and of course our public face (email) is notprivate.com (not real domains).

Anyways, this MS KB shows how to reconfigure your internal and external URLs to use the same setting (which you want in your case). Of course you have to have all the DNS working first (resolve your public names to internal servers while inside your network... hence the split DNS for us). Split DNS is just duplicating your public DNS records so your internal network can use the same names but perhaps resolve the servers to different IP addresses. You make primary zones in AD like yourserver.yourdomain.com and put a CNAME record in that zone that resolves to your real server's internal IP for use by your internal network. The public stuff all stays the same.
 
Forgot to mention you will not need wildcard SSL certs for this, though they might help if you also have the autodiscover.domain.com DNS pointer out there in the autodiscover.xml somewhere. Not to say my environment is 100% up yet, but I am testing our iPad setup from home tonight, Outlook Anywhere 2010. OWA already works with this cert setup. Droid won't send email but gets POP3 email fine....

Good luck.
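As an added illustration of the point made earlier in the thread (every name a client connects to must be covered by the certificate) and of the wildcard remark just above, the following Python script is not from the thread or from any Exchange tooling; it applies the standard host-name matching rule (a wildcard may only stand in for the whole leftmost label) to constructed name lists built from the host names mentioned in the thread, and reports which required names a given certificate would leave uncovered.

```python
# Added example, not from the thread: check whether a certificate's
# Subject Alternative Names cover every host name Outlook, OWA,
# ActiveSync and Autodiscover clients will use. Wildcards follow the
# usual TLS rule: '*' may only replace the entire leftmost label.
from typing import Iterable, List


def name_matches(san: str, host: str) -> bool:
    """True if the certificate name `san` is valid for `host`."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # e.g. ".myexternaldns.co.uk"
    if not host.endswith(suffix):
        return False
    # The part replaced by '*' must be exactly one non-empty label.
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def uncovered_names(cert_names: Iterable[str], required: Iterable[str]) -> List[str]:
    """Return the required host names that no certificate name covers."""
    cert_names = list(cert_names)
    return [h for h in required if not any(name_matches(s, h) for s in cert_names)]


# Constructed sample values based on the names used in the thread.
REQUIRED = [
    "mail.myexternalDNS.co.uk",          # external OWA / ActiveSync name
    "autodiscover.myexternalDNS.co.uk",  # Autodiscover name phones look up
    "exchange.mycompany.local",          # internal FQDN Outlook connects to
]

SINGLE_NAME_CERT = ["mail.myexternalDNS.co.uk"]   # the original GoDaddy cert
WILDCARD_CERT = ["*.myexternalDNS.co.uk"]         # a wildcard for the public zone
SAN_CERT = REQUIRED                                 # a SAN cert listing all three

if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT),
                         ("SAN", SAN_CERT)):
        print(f"{label:11}: uncovered {uncovered_names(names, REQUIRED)}")
```

The wildcard case shows why a public wildcard alone does not silence the internal Outlook alert: it cannot cover exchange.mycompany.local, whereas a SAN cert (or split DNS so clients use the public name internally) does.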
 