Thursday, November 8, 2012

Outlook Certificate Warning With Exchange 2007 or 2010

[Originally posted January 10, 2011]  

After installing a third party certificate in Exchange 2007 or Exchange 2010 (for Outlook Web Access and similar services), some Outlook clients may suddenly start complaining:

"The name of the security certificate is invalid or does not match the name of the site."

Here's the relevant Microsoft article. If you have trouble understanding it on the first read, I'll paraphrase!

The Problem

Exchange '07 and '10 automatically generate a self-signed certificate with the fully qualified internal name of the mail server. Outlook 2007 (and possibly Outlook 2010) clients connect to Exchange using — by default — the server's internal name. When the name the client uses and the certificate match, no problem! There's also no problem for Outlook 2003 clients because they don't bother with the certificate.

But what if you replace the Exchange certificate with one that references the external name of the server? 'mail.contoso.com' instead of 'mail-srv.contoso.local', for example? Well, you get the error above!

Expensive Fix

If the new certificate includes Subject Alternative Names (SANs), you could include the internal name as one of the alternates. Bear in mind that this internal name then becomes visible to anyone who reads the certificate's details, if you care about that.

The Usual Fix...

The other way to make the warning go away is to instruct internal Outlook clients to look for the mail server under its external name (e.g. 'mail.contoso.com') and make sure internal DNS resolves to the internal IP of the mail server.

...And Its Downside

You'll need to run "split DNS." Create a forward lookup zone on the internal DNS server for the external domain name. LAN clients which try to reach anything that ends in '.contoso.com' will receive their answers from the internal DNS server. Be careful! If you forget to add, for example, 'www.contoso.com' to the internal version, LAN clients may lose access to the company website.

Check Current Values

To be on the safe side, make a record of the relevant Exchange settings before changing them. This process will also help familiarize you with what's going on in the next step. Open Exchange Management Shell. Type the following queries, then note the information on the lines specified:

> get-clientaccessserver | fl

Note the value for 'AutoDiscoverServiceInternalUri'

> get-webservicesvirtualdirectory | fl

Note the value for 'InternalURL'

> get-oabvirtualdirectory | fl

Note the value for 'InternalURL'

(Exchange 2007 only)
> get-umvirtualdirectory | fl

Note the value for 'InternalURL'

Hopefully, the values are all the same for these!

Change To the External Name

Assuming...
Internal name is 'mail-srv.contoso.local' and
External name is 'mail.contoso.com'.

> Set-ClientAccessServer -Identity mail-srv.contoso.local -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

> Set-WebServicesVirtualDirectory -Identity "mail-srv.contoso.local\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

> Set-OABVirtualDirectory -Identity "mail-srv.contoso.local\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

(Exchange 2007 only)
> Set-UMVirtualDirectory -Identity "mail-srv.contoso.local\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

Then either reboot the server, or open IIS, browse to application pools, and recycle 'MSExchangeAutodiscoverAppPool'.
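As an added example (not code from the original post or from Microsoft), the following Exchange Management Shell script does the two steps above in one pass: it records the current internal URLs to a file, checks each URL's host against the names on the certificate that IIS presents, and only rewrites the URLs to the external name when $Apply is set to $true. The server and external names are the post's assumed values; the Get-ExchangeCertificate check, the $Apply switch, the Test-NameCovered helper and the backup file path are my additions.

```powershell
# Added example (not the post's own code); assumed values are marked below.
$Server   = 'mail-srv.contoso.local'   # assumed internal FQDN (as in the post)
$External = 'mail.contoso.com'         # assumed external name on the certificate
$Apply    = $false                     # $true = change URLs; default only reports

# 1. Record the current values (the "Check Current Values" step) to a file.
$current = @{
    'Autodiscover' = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    'EWS'          = (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    'OAB'          = (Get-OABVirtualDirectory -Server $Server).InternalUrl
}
$current.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } |
    Out-File -FilePath "$env:TEMP\exchange-urls-before.txt"   # assumed backup path

# 2. Names on the certificate that IIS (Outlook Web Access, EWS, OAB) presents.
$cert  = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-NameCovered($hostName) {
    # True if the host is on the certificate, directly or via a wildcard entry.
    if (-not $hostName) { return $false }
    $h = $hostName.ToLower()
    if ($names -contains $h) { return $true }
    $parent = $h.Substring($h.IndexOf('.') + 1)
    return ($names -contains "*.$parent")
}

# 3. Report each URL whose host is not on the certificate: those are the URLs
#    behind "The name of the security certificate is invalid or does not match".
foreach ($entry in $current.GetEnumerator()) {
    $uriHost = $null
    if ($entry.Value) { $uriHost = ([Uri]$entry.Value).Host }
    if (Test-NameCovered $uriHost) { $state = 'OK' } else { $state = 'MISMATCH' }
    "{0,-12} {1,-9} {2}" -f $entry.Key, $state, $entry.Value
}

# 4. The "Change To the External Name" step, with the post's identities.
if ($Apply) {
    Set-ClientAccessServer -Identity $Server `
        -AutodiscoverServiceInternalUri "https://$External/autodiscover/autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$($Server)\EWS (Default Web Site)" `
        -InternalUrl "https://$External/ews/exchange.asmx"
    Set-OABVirtualDirectory -Identity "$($Server)\oab (Default Web Site)" `
        -InternalUrl "https://$External/oab"
    # Still recycle MSExchangeAutodiscoverAppPool in IIS (or reboot) afterwards.
}
```

Run it once with $Apply left at $false to see which URLs mismatch the certificate; on Exchange 2007 add the UM virtual directory to the hashtable and the Set-UMVirtualDirectory line from the post to step 4.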

4 comments:

  1. This was incredibly helpful. Thank you!

  2. This was the right solution and is always needed after installing an FQDN certificate. Thank you very much!

  3. The other way to make the warning go away is to instruct internal Outlook clients to look for the mail server under its external name (e.g. 'mail.contoso.com') and make sure internal DNS resolves to the internal IP of the mail server.

    Would it not be Set-OABVirtualDirectory -Identity "mail.contoso" instead of Set-OABVirtualDirectory -Identity "mail-srv.contoso" if the external interface has the certificate?

  4. Lots has been written on fixing this issue but clearly yours explains the solution the best, thanks.
