Exchange 2010 Ssl Outlook Error
Outlook 2010 Certificate Alert when connecting to Exchange 2010 Server

Question

Hi, I am receiving the below security alert when launching a domain joined Outlook 2010 client;

The security certificate was issued by a company you have not chosen to trust

This is a self-signed certificate on the CAS server role which is separate to the Hub and Mailbox. Unless something is completely screwed, Outlook 2007 against Exchange 2007 had no issues with domain joined machines and self-signed certificates. The following KB article explains the same issue http://support.microsoft.com/default.aspx/kb/2006728 but this is a native Exchange 2010 environment with no previous versions of CAS roles. Any help appreciated. Cheers

Monday, January 04, 2010 11:33 AM

Answers

Hi, Yes, when an internal user tries to use Outlook to connect to Exchange Server, Outlook will try to find the e-mail address and Exchange server name from AD. After that it will look for the SCP and then find the correct Autodiscover server to connect to and retrieve settings. So during the process of connecting to the Exchange server, it will have to use Autodiscover to connect and retrieve user settings. So the certificate with regard to Autodiscover will cause the issue. I’d like to share the process of how an internal Outlook user connects to the Exchange server.

1. Automatically retrieve e-mail address from Active Directory if domain joined machine.
2. Retrieve Exchange Server name if found and store for later.
3. Look for SCP objects or SCP pointer objects that correspond to user’s e-mail address, and find the correct Autodiscover server to connect to; then connect and retrieve settings.
4. If previous step fails, attempt DNS discovery of Autodiscover XML (allowing for 10 redirects).
   a. HTTPS POST: https://DOMAIN/autodiscover/autodiscover.xml
   b. HTTPS POST: https://autodiscover.DOMAIN/autodiscover
Forum thread: https://social.technet.microsoft.com/Forums/exchange/en-US/6d000de1-4549-4135-946a-4c5abeac4859/outlook-2010-certificate-alert-when-connecting-to-exchange-2010-server?forum=exchange2010

Autodiscover and SSL Warnings during Exchange 2010 Migration

December 29, 2010 by Paul Cunningham
http://exchangeserverpro.com/autodiscover-ssl-warnings-exchange-2010-migration/

This article is an excerpt from the Exchange Server 2003 to 2010 Migration Guide.

When Exchange Server 2010 is first installed, many administrators encounter Outlook clients showing SSL certificate warnings. The warnings relate to the Autodiscover service and to Exchange Server 2010 using SSL by default.

Autodiscover is a service that allows compatible Outlook versions and mobile devices to automatically detect and configure a user’s mailbox settings. When the Exchange Server 2010 Client Access server role is installed into an Exchange organization, it automatically registers the Autodiscover service in Active Directory.

Outlook clients will connect to Autodiscover using SSL (HTTPS), but the new Exchange 2010 Client Access server is only configured with a self-signed SSL certificate when it is first installed. This can lead to certificate warnings for your end users who are running Outlook 2007 or Outlook 2010.

[Figure: Outlook Warning for Untrusted SSL Certificate]

So you may wish to install the first Exchange 2010 server outside of business hours, so that you have time to resolve the SSL certificate warnings without impacting your end users.

There are three ways to quickly resolve the Outlook SSL certificate warnings in Exchange 2010 environments:

- Adding the Exchange Server certificate to the Trusted Root Certification Authorities on all of your end user computers using a Group Policy (not recommended)
- Issuing a new Exchange 2010 SSL certificate from a private Certificate Authority on your network (not ideal, but resolves the issue for computers that are domain members)
- Purchasing a new Exchange 2010 SSL certificate from a commercial Certificate Authority and installing it on the Exchange 2010 server (this is the best solution, but will of course require you to spend money)

About Paul Cunningham: Paul is a Microsoft MVP for Office Servers and Services
Forum thread: https://community.spiceworks.com/topic/148488-exchange-2010-and-outlook-2010-certificate-issue

We've recently built an Exchange 2010 server and at the same time have been upgrading our workstations to Win7 with Office 2010. The new Exchange 2010 server also hosts OWA and we have a Verisign certificate for our external webmail address. As I migrate users from the old Exchange 2003 server to the 2010 server, they're getting certificate errors that the server name doesn't match the certificate. The Verisign cert is for webmail.xxx.com. The Outlook 2010 users get 3 cert errors, one for exm02 (the netbios name), another for the FQDN, and one for mail.xxxx.com. For $800 per name I can add these to the Verisign cert, but trying to avoid that. I set up an internal CA, and issued a cert to the new Exchange server, but Outlook users are STILL getting the certificate errors. Outlook still sees the Verisign cert, but doesn't seem to care about the cert issued from my internal CA. My CA is a trusted authority on the workstations per group policy. I'm new to certs and CA's and even Exchange 2010 so I have no idea what I'm doing wrong here. Can anyone help?

13 Replies

Mark McKinlay, Jul 21, 2011 at 8:54 UTC

Can't swear to this but something in the back of my head is telling me that you can only use one certificate at a time and the certificate needs to be a UC certificate such as http://www.comodo.com/e-commerce/ssl-certificates/exchange-ssl.php

Nick-C, Jul 21, 2011 at 8:55 UTC

Since Exchange 2007 the standard practice for SSL certs has been to require a SAN (Subject Alternative Name) certificate (also known as a Unified Communications cert), that should cover various names:

- computername
- computername.domain.local
- computername.domain.com (if different to the internal domain)
- autodiscover.domain.com
- webmail.domain.com (or whatever you want to use for OWA access)

Whether you use an external CA like verisign or and intern

DigiCert support article: https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
to secure internal domains for your Exchange deployment such as the Client Access Server's internal FQDN (e.g. CASServer01.yourcompanyinternaldomain.com) then you will need to make preparations to not use these internal names in your SSL Certificate. Because of a recent CAB Forum change, Certificate Authorities can no longer issue SSL Certificates that include internal domain names.

Redirecting your Exchange Server to use the External DNS Name

For more detailed Exchange Management Shell instructions, please see our blog - Replace Your Certificates for Internal Names – Part II.

To update your Exchange 2007, Exchange 2010, or Exchange 2013 server you will need to run the following commands from the Exchange Management Shell and replace the Server running the Client Access Role with your external domain name. These commands update the URL for the Autodiscover service, Exchange Web Services (EWS) and the OWA Web-based Offline Address book respectively.

Before running these commands, check to make sure that a DNS record exists mapping the IP Address to the Exchange Client Access (CAS) server.

Note: Each of the commands below should be run on a single line in the Exchange Management Shell (EMS).

Run These Commands:

    Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Depending on Your Configuration, You May Need to Run Some Additional Commands:

    Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync
    Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl https://mail.yourdomain.com/owa
    Set-ECPVirtualDirectory -I
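
To check the result after changing the internal URLs, the following added example (not part of the DigiCert article) reports, for each certificate enabled for IIS, which internal URL host names its certificate names do not cover and whether it is self-signed or expired. It assumes it is run in the Exchange Management Shell on the Client Access server; `$server` and `Test-NameCovered` are names introduced here.

```powershell
# Added example (not DigiCert's code). Run in the Exchange Management Shell.
# Assumption: the shell is running on the Client Access server being checked.
$server = $env:COMPUTERNAME

# True when $HostName equals a certificate name or matches a one-label wildcard.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -ieq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

# Internal URLs that Autodiscover hands to Outlook; unset values are skipped.
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
    (Get-OabVirtualDirectory -Server $server).InternalUrl
    (Get-OwaVirtualDirectory -Server $server).InternalUrl
    (Get-EcpVirtualDirectory -Server $server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl
) | Where-Object { $_ }
$hosts = $urls | ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique

# Certificates enabled for IIS are the ones Outlook sees over HTTPS.
Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $cert = $_
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $missing = @($hosts | Where-Object { -not (Test-NameCovered $_ $names) })
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            SelfSigned   = $cert.IsSelfSigned
            Expired      = ($cert.NotAfter -lt (Get-Date))
            MissingNames = ($missing -join ', ')
        }
    }
```

An empty `MissingNames` value means every internal URL host name is covered by that certificate; any name listed there is one Outlook would report as a name mismatch.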