EX2K7 - Internal Outlook 2K7 clients getting cert error on startup

Status
Not open for further replies.

Adam

Hello all. We are experiencing a problem where our internal Outlook 2007 clients are reporting a certificate error on startup/connection to our Exchange 2007 server. Here is a brief overview of our setup:

Domain: Windows Server 2003 AD domain with 2 DCs running Server 2008 (64)

Exchange setup: 1 member server running Server 2008 (64) w/ 1 HUB Server and 1 Mailbox Server - 1 member server running Server 2008 (64) w/ 1 CAS server.

On the CAS server, we've implemented 1 UCC cert containing all necessary names for external access. We've also enabled the default simple cert that ships with Ex2K7 strictly for internal clients.

Now for the issue at hand - when an internal client w/ Outlook 2K7 opens Outlook, they receive a cert error stating that the name on the cert doesn't match the name of the site. When you view the cert, it is showing the name of the external site name, not the internal name of the CAS server. I've checked the certs on the CAS server: both are correct and valid and the internal cert does list both the NETBIOS and FQDN name of the CAS server. I've also checked the SCP and it too is listing the correct internal names for the CAS server. The services that are currently enabled for the internal cert are IMAP4 and POP.

I've gone through numerous blogs and posts and have checked all the settings they recommend and can't find the issue. Anyone have any ideas? Do we need to enable the IIS service for the internal cert (can't see why we would)? Any help would be greatly appreciated.

Adam
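
A check that fits the setup described in this post, as an added example that is not part of the original thread: Outlook 2007 reaches Autodiscover, the web services and the OAB over HTTPS, where IIS presents only the certificate enabled for the IIS service, so the host names in the internal URLs can be compared with the names on that certificate. The inventory and host names below are constructed placeholders, and the UCC being the IIS certificate is an assumption; on a live CAS the same fields come from `Get-ExchangeCertificate`, `Get-ClientAccessServer`, `Get-WebServicesVirtualDirectory` and `Get-OabVirtualDirectory`.

```powershell
# Added example. Requires PowerShell 3.0+ ([pscustomobject], [ordered]).
# Constructed inventory shaped like Get-ExchangeCertificate output
# (Services, CertificateDomains). Every host name is a placeholder.
$certs = @(
    [pscustomobject]@{
        Label              = 'Third-party UCC'
        Services           = 'IIS'          # assumption: not stated in the thread
        CertificateDomains = @('mail.example.com', 'autodiscover.example.com')
    },
    [pscustomobject]@{
        Label              = 'Default self-signed'
        Services           = 'IMAP, POP'    # as described in the post
        CertificateDomains = @('CAS01', 'cas01.corp.example.local')
    }
)

# Constructed internal URLs of the kind Outlook 2007 is handed.
$internalUrls = [ordered]@{
    'Autodiscover SCP URI'    = 'https://cas01.corp.example.local/Autodiscover/Autodiscover.xml'
    'WebServices InternalUrl' = 'https://cas01.corp.example.local/EWS/Exchange.asmx'
    'OAB InternalUrl'         = 'https://mail.example.com/OAB'
}

function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # -eq ignores case for strings
        # A wildcard entry covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

function Get-InternalUrlCertMismatch($Certs, $Urls) {
    # Only the certificate enabled for IIS is presented on the HTTPS endpoints.
    $iisCert = $Certs | Where-Object { $_.Services -match '\bIIS\b' } | Select-Object -First 1
    if (-not $iisCert) { throw 'No certificate is enabled for the IIS service.' }
    foreach ($key in $Urls.Keys) {
        $hostName = ([uri]$Urls[$key]).Host
        [pscustomobject]@{
            Setting       = $key
            Host          = $hostName
            PresentedCert = $iisCert.Label
            NameMatches   = (Test-NameOnCert $hostName $iisCert.CertificateDomains)
        }
    }
}

Get-InternalUrlCertMismatch $certs $internalUrls | Format-Table -AutoSize
```

Rows with `NameMatches` set to `False` are the URLs for which a client would see a name mismatch against the certificate IIS presents.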
 

Adam

I should also point out that we went with the above configuration because our external domain name is different from our internal domain name. The external 3rd party cert only lists the external names for our CAS along with the MX record listings. I read several posts on the "You had me at EHLO" blog which said that this should work fine (and it saved us quite a bit of money on the 3rd party cert what with not having to add the internal NETBIOS and FQDN names to the cert). Were they wrong?
 

Ed Crowley [MVP]

Please post the complete error message you are receiving.

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."

 

Adam

Re: EX2K7 - Internal Outlook 2K7 clients getting cert error on sta

Ed,

Thanks for your reply. Sorry I wasn't able to get back to you. Have been going round the houses with this one and things have progressed and changed, though we are no closer to a resolution. I will abandon this post and re-open a new one with all the new relevant details. Thanks again,

Adam
 