
Security Alert-outlook 2010

Status
Not open for further replies.

Encino40

MIS
Apr 6, 2012
19
CA
I purchased an SSL cert and it works fine. My only issue is when you open Outlook 2010 I get a security Alert:
Encino-W2k8.mydomain.com
The security certificate is from a trusted certifying authority (Checked)

The security Certificate date is valid (checked)

The name on the security certificate is invalid or does not match the name of the site (Red X).

When I did the cert I only did it for mail.mydomain.com
I can go to mail.mydomain.com and it's fine. When I need to renew do I need a SAN cert that has the name of my server?

I can click Yes to proceed but just curious how to fix this so the error doesn't come up every time Outlook opens.
 
You purchased a single-name cert when technically you should have purchased a SAN cert. It's still possible to use a single-name cert (SBS 2011 uses a single-name cert with Exchange 2010), but it's more complicated to set up.

At this point you need to use PowerShell to change the Internal/ExternalURL values for the WebServicesVirtualDirectory and several other virtual directories (although the others can be set in the GUI--you may have already done so). The URLs all need to match your cert, but right now the internal URLs still match your internal server name.

You will also need to change the AutodiscoverURI seen when you do a Get-ClientAccessServer so that that URL matches the cert too.

Lastly, you'll want to create a new forward lookup zone in your internal DNS that matches the name on your cert. So if your domain is monkeybrains.com and your cert is poo.monkeybrains.com, then you will NOT create a new forward lookup zone for MonkeyBrains.com and add an A-record for "poo". Instead you will create a new forward lookup zone for "poo.monkeybrains.com" and then create a blank (or @) A-record that points to the internal IP of your mail server. That will allow the name on your cert to be resolved internally as well as externally without disrupting your users' ability to reach other monkeybrains.com websites.

Cheers!

Dave Shackelford
ThirdTier.net
TrainSignal.com
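
The steps in the reply above, sketched as an added example for the Exchange Management Shell; it is not part of the original posts. The cert name is taken from the question, the internal IP is a placeholder, and the EWS identity assumes the default web site name.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
$CertName = 'mail.mydomain.com'   # the single name on the certificate (from the question)
$Server   = $env:COMPUTERNAME     # assumption: this box is the Client Access server
$MailIP   = '192.0.2.10'          # placeholder: internal IP of the mail server

# 1. List every client-facing URL whose host does not match the cert name.
#    Anything printed here is a URL that makes Outlook raise the name-mismatch alert.
$getters = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
           'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
           'Get-OabVirtualDirectory'
function Show-UrlMismatch {
    foreach ($g in $getters) {
        foreach ($vd in (& $g -Server $Server)) {
            foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
                # Cast through a string so this works on live and deserialized objects.
                if ($u -and ([uri]"$u").Host -ne $CertName) {
                    '{0,-34} {1}' -f $g, $u
                }
            }
        }
    }
    $scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    if ($scp -and ([uri]"$scp").Host -ne $CertName) {
        '{0,-34} {1}' -f 'AutoDiscoverServiceInternalUri', $scp
    }
}
Show-UrlMismatch

# 2. Point EWS and the Autodiscover service connection point at the cert name.
#    The other virtual directories reported above can be changed in the GUI.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$CertName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$CertName/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$CertName/Autodiscover/Autodiscover.xml"

# 3. Run these two lines on the internal DNS server instead (AD-integrated DNS assumed).
#    The zone is named after the cert host itself, so only that one name is overridden
#    internally and every other mydomain.com name still resolves as before.
dnscmd . /ZoneAdd $CertName /DsPrimary
dnscmd . /RecordAdd $CertName '@' A $MailIP

# 4. Re-check: no output means every URL now matches the certificate.
Show-UrlMismatch
```

Outlook caches Autodiscover results, so restart it after the change before judging whether the alert is gone.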
 