internal external certificate problem exchange 2007 on SBS 2008 1

Status
Not open for further replies.

grobbu

Programmer
Jun 25, 2002
40
BE
Hello all,

I'm pretty new to Exchange 2007 on an SBS 2008 server and am having some trouble with my certificate.

Problem:
Users can check their mail with OWA and this is working. The certificate shows all right. (I added a binding to the SBS sites in IIS Manager.)
But when my users start up Outlook on the internal network they get a certificate error.
I can see the problem: the certificate is mail.xxxsite.be and the error on my client says the site names do not match, which is normal because remote.xxxsite.be is not mail.xxxsite.be. The problem is I don't know how to adjust this.

I did a connection test on a client and this is the XML output:
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns=" <Response xmlns=" <User>
<DisplayName>xxxxxxxxxxxxxxx</DisplayName>
<LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=FrederikDeBuck</LegacyDN>
<DeploymentId>48babe7d-4318-4008-a36a-450085376e47</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>SERVER.xxxdomain.local</Server>
<ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER</ServerDN>
<ServerVersion>720180F0</ServerVersion>
<MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>SERVER.xxxdomain.local</PublicFolderServer>
<AD>SERVER.xxxdomain.local</AD>
<ASUrl> <EwsUrl> <OOFUrl> <UMUrl> <OABUrl> </Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.xxxsite.be</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl> <EwsUrl> <OOFUrl> <UMUrl> <OABUrl> </Protocol>
<Protocol>
<Type>WEB</Type>
<External>
<OWAUrl AuthenticationMethod="Fba"> <Protocol>
<Type>EXPR</Type>
<ASUrl> </Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba"> <Protocol>
<Type>EXCH</Type>
<ASUrl> </Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>

So I can see that remote.xxxsite.be is not right; it should be mail.xxxsite.be, but where do I adjust this?

Tx for any help!
grt
 
Normally the initial Connect to Internet wizard sets all this up properly, using one cert for the remote.domain.com and another internal self-signed cert for the internal name. Did you run through that wizard AFTER working on the bindings, or before? You shouldn't have needed to do anything in IIS in your situation, but it's possible that you might need to generate a new internal name cert.

When you go to the certificates MMC and look at the certs in the Personal store on the local computer, what do you see? Two certs, or one?

Dave Shackelford
ThirdTier.net
 
Hello Dave,

thanks for the fast reply.
Initially the customer didn't want a certificate. So I ran the wizard, and a week later I added a binding in IIS Manager.

When I look in the Certificates MMC I see a lot of certificates.

I see:
mail.xxxsite.be issued by Equifax
remote.xxxsite.be issued by Domainname-Servername-CA
SERVER.Domainname.local issued by Domainname-Servername-CA

So you think it's a good idea to run the wizard again?

thanks for the effort!

 
Yes, it should never hurt to run the wizard again, and it will often fix things.

I see you have an internal Equifax cert? Are you using the same domain name internally and externally? It's fine if you are, but I just need to know in order to guide you.

Dave Shackelford
ThirdTier.net
 
Hello again

I don't think the domain is the same internally and externally, but I'm not sure what you mean.
Externally the name is mail.xxsitename.be.
Internally it is the domain name (BEBBEA in this case).

It's possible I accidentally imported the certificate into the local store. I tried a lot of things.

But if I understand this, I should use the Equifax cert for the external site (like OWA) and I can use a certificate from my server for the internal network. Or am I mixing things up now?

grt and tx again

 
Don't worry about the "mail" or "remote" part of the name. Let's pretend your external domain name is BELGIAN.BE. Is your internal name BELGIAN with no suffix (.local or .com)?

You are right: the Equifax cert should be used for external, and when you run the Internet wizard, you should not accept the "remote.BELGIAN.be" name, but instead should use the name that matches your cert. Your server should have automatically generated a cert for your internal name.

Dave Shackelford
ThirdTier.net
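The mismatch grobbu's connection test shows (Autodiscover handing Outlook the name remote.xxxsite.be while the purchased certificate says mail.xxxsite.be) can be checked mechanically. The script below is an added example, not code from the thread or from Microsoft: it parses an Autodiscover response, collects every host name Outlook would connect to over HTTPS (the EXPR `Server`, any `CertPrincipalName`, and every https:// URL such as EwsUrl, OABUrl and OWAUrl), and reports the ones not covered by the DNS names on the certificate bound to the web site, which is exactly the condition Dave's advice (use the name that matches your cert) removes. The sample response and the host names in it are constructed; the two Autodiscover namespace URIs are assumed, since the thread's copy lost them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample (not the thread's real output): a trimmed Autodiscover
# response in which every HTTPS endpoint still carries the SBS default name
# remote.xxxsite.be, while the purchased certificate was issued for
# mail.xxxsite.be. The namespace URIs are assumed (the thread's copy lost them).
SAMPLE_AUTODISCOVER = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>SERVER.xxxdomain.local</Server>
        <EwsUrl>https://remote.xxxsite.be/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://remote.xxxsite.be/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>remote.xxxsite.be</Server>
        <SSL>On</SSL>
        <CertPrincipalName>msstd:remote.xxxsite.be</CertPrincipalName>
        <EwsUrl>https://remote.xxxsite.be/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://remote.xxxsite.be/owa</OWAUrl>
        </External>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def hostname_matches(host, cert_dns_names):
    """True if host is covered by one of the certificate's DNS names.
    A wildcard such as *.xxxsite.be matches exactly one label, as browsers
    and Outlook apply it; it does not match a.b.xxxsite.be or xxxsite.be."""
    host = host.lower().rstrip(".")
    for name in cert_dns_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".xxxsite.be"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == name:
            return True
    return False


def endpoint_hostnames(autodiscover_xml):
    """Map each host name Outlook would contact over HTTPS to the elements
    of the Autodiscover response that named it."""
    root = ET.fromstring(autodiscover_xml)
    found = {}

    def add(host, origin):
        if host:
            found.setdefault(host.lower().rstrip("."), []).append(origin)

    for elem in root.iter():
        tag = local(elem.tag)
        text = (elem.text or "").strip()
        if text.lower().startswith("https://"):
            add(urlparse(text).hostname, tag)  # EwsUrl, OABUrl, OWAUrl, ...
        elif tag == "CertPrincipalName" and text.lower().startswith("msstd:"):
            add(text[len("msstd:"):], tag)  # name Outlook expects in the cert
        elif tag == "Protocol":
            kids = {local(c.tag): (c.text or "").strip() for c in elem}
            # Only the EXPR (Outlook Anywhere) Server is an HTTPS endpoint;
            # the EXCH Server is reached over RPC and is not checked here.
            if kids.get("Type") == "EXPR" and kids.get("Server"):
                add(kids["Server"], "EXPR/Server")
    return found


def certificate_mismatches(autodiscover_xml, cert_dns_names):
    """Host names from the response that the bound certificate does not cover;
    an empty dict means Outlook will not raise a name-mismatch warning."""
    return {
        host: origins
        for host, origins in endpoint_hostnames(autodiscover_xml).items()
        if not hostname_matches(host, cert_dns_names)
    }


if __name__ == "__main__":
    bound_cert = {"mail.xxxsite.be"}  # constructed: names on the Equifax cert
    for host, origins in certificate_mismatches(SAMPLE_AUTODISCOVER, bound_cert).items():
        print(f"MISMATCH {host} (from {', '.join(origins)}) not covered by {sorted(bound_cert)}")
```

Run it against a real response by pasting the XML from Outlook's "Test E-mail AutoConfiguration" dialog in place of the sample and the certificate's subject and SAN entries in place of `bound_cert`; the same check passes once the wizard is rerun with the prefix that matches the certificate, or with a wildcard certificate for the domain, which covers both remote and mail names.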
 
Hello, and thanks again for the fast reply.

If I log on to the server, check the advanced properties of my computer and look at the domain, I see BELGIAN.local
and the computer name is SERVER.Belgian.local.

I already looked at the connection wizard.
It asks me for my domain name (Belgian.be),
but I can click Advanced and choose a prefix. By default it is "remote", so I guess I have to replace this with "mail", and next time I purchase a certificate I'll choose "remote" or a wildcard instead of "mail" to make my life easier.

Do I have to remove the equifax certificate from the personal store before running the wizard?

grt
bazz
 
It finally worked :) !

I had to remove my current bindings, run the Fix Network wizard, then run the Setup Internet wizard and the Add Certificate wizard.

Tx for all help Dave

grt
Bazz
 