Certificate error: Outlook 2007 & Exchange 2007 (Full Version)

All Forums >> [Microsoft Exchange 2007] >> General



Message

flapjack -> Certificate error: Outlook 2007 & Exchange 2007 (10.Jan.2008 2:01:28 PM)

When I connect to my Exchange 2007 server via Outlook 2007 from within the network, I get a certificate error.  This is because of the way I have my DNS set up, but it shouldn't even be happening, as I'm inside the network. 

Basically, the certificate is for domain.net, and the internal network name is obviously not that.  I do have that domain added in DNS, and it resolves internally and externally (which works great for EVERYTHING besides Outlook 2007). 

The mail server has two domain suffixes.  The default network (which doesn't match the certificate), and the external network address domain.net.  If you nslookup/ping mail.domain.net or mail.internal both resolve correctly. 

The issue lies with setting up Outlook, but I don't understand why it's happening in the first place. 

Since I'm internal to the network, I should just be able to type "mail" for the mail server.  However, when I go back to check the account properties (after I've finished), Outlook has automatically appended the internal DNS address.  When I open Outlook, I get the certificate error message.  I've even tried typing "mail.domain.net" as the server address, but checking properties afterwards just shows Outlook to have corrected it to mail.internal-address.

The Outlook 2007 client is running on a Vista machine, if that helps.  The mail server is running Win2k3-64.  Under System Properties > Computer Name, I've tried clicking "Change", then "More" and changing the primary DNS suffix of the server to domain.net, but that just made it just about inaccessible from the world.  It would still receive mail, but you couldn't get to it... even from OWA.

Any ideas on how to fix this?  RPC over HTTPS works fine, obviously, as the PC external to the network and the certificate matches.  Why is Outlook even looking for a certificate inside the network?  Can't I disable that?  Maybe it's some function of Vista??



John Weber -> RE: Certificate error: Outlook 2007 & Exchange 2007 (10.Jan.2008 2:16:20 PM)

Please verify that it does NOT do this with OL2k3.
If that is the case, that this is restricted to OL2k7, then I have various fixes for you.

-jmw



flapjack -> RE: Certificate error: Outlook 2007 & Exchange 2007 (10.Jan.2008 3:19:30 PM)

**EDIT**

I replied to the wrong post... sorry. 

It definitely does not happen in Windows XP/Outlook 2003.  I made now DNS or Exchange changes.  I have not tried Outlook 2007 in XP, or Outlook 2003 in Vista.

I will try both using VMWare sessions tonight.



John Weber -> RE: Certificate error: Outlook 2007 & Exchange 2007 (10.Jan.2008 5:48:15 PM)

OK.
What is going on here (I think) is that the cert was changed from the original installed self-generated cert.  I would have changed it also.  Reduces the client-side remote errors.
However, what gets missed is that the URL's of the various web components may need to change.
OL2k3 does not have any knowledge of these, so you don't see the error using until you use ol2k7.
This is not my material.  I have used it several times with great results.
Read it all before you start.
I suspect that you will just need to change a few URL entries.



Outlook 2007 Certificate Error?
When importing a new certificate into Exchange 2007, you might encounter a certificate error in Outlook 2007. I have included a screenshot of the error I encountered today:
[image]http://forums.msexchange.org/file:///C:/DOCUME~1/JWeber/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg[/image]
When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”
So the million dollar question? Why the error?
Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is till allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here.
So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) of mail.shudnow.net We install this certificate onto our Exchange box with its’ private key. In our case we were migrating so we did not have to request a certificate via IIS. We just exported it with its’ private key and imported onto the new box. We then assigned this certificate to IIS. Now I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:
Get-ExchangeCertificate
Thumbprint Services Subject
———- ——– ——-
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W CN=mail.shudnow.net.com
What I did was go ahead and enable all new services to use every available service by using the following command:
Enable-exchangecertificate -services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9
The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.
Get-ClientAccessServer -Identity CASServer | FL
AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml
See the issue here? We are not using a UC certificate that contains the names, “casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net” Since the Autodiscover directory in IIS will be requring SSL encryption, the url specified in the AutoDiscoverServiceInternalURI must match what is specified in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalURI by using the following command:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
We now need to go configure all the InternalURLs for each web distributed service. Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.
You can run the following commands to fix your internalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.
Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity “CASServer\OAB (Default Web Site)” -InternalURL https://mail.shudnow.net/OAB -BasicAuthentication:$true
Enable-OutlookAnywhere -Server CASServer -ExternalHostname “mail.shudnow.net” -ExternalAuthenticationMethod “Basic”-SSLOffloading:$False
Set-ActiveSyncVirtualDirectory -Identity “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync
Set-UMVirtualDirectory -Identity “CASServer\UnifiedMessaging (Default Web Site)” -InternalURL https://mail.shudnow.net/UnifiedMessaging -BasicAuthentication:$true
Elan Shudnow :: Aug.10.2007 :: Exchange, Microsoft :: No Comments »



flapjack -> RE: Certificate error: Outlook 2007 & Exchange 2007 (1.Feb.2008 9:03:17 PM)

I've been so busy lately, I just now got around to trying the suggestions in John's post. 

They worked!!

I no longer get the cert error when opening Outlook.  Thanks!!!



Page: [1]