Outlook 2007 security alert - Exchange 2010 CAS + SAN certificate

#1
Just installed my Exchange 2010 CAS servers and applied our new certificate with 3 Subject Alternative Names (mail.domain.com, autodiscover.domain.com, legacy.domain.com). This certificate was applied on Monday.

Now I have 2 users (possibly more, but have only heard from these 2) that report getting a Security Alert when opening Outlook 2007:

-----------------------------
CAS01.corp.domin.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate:

(green check) The security certificate is from a trusted certifying authority.

(green check) The security certificate date is valid.

(red X) The name on the security certificate is invalid or does not match the name of the site.

Do you want to proceed? [Yes] [No] [view certificate]

-----------------------------
Clicking Yes gives same alert from CAS02 server.

Tried installing the certificate, to no avail.

Tried applying Outlook 2007 hotfix (KB968858) which is supposed to let Outlook 2007 recognize SAN certificates; no good.

Tried applying SP2 for Office 2007; no good. (applying the above hotfix after SP2 was installed gives "the update is already installed").

I found a KB article (940726) that seems to describe this perfectly, but I hesitate to modify the URLs for the appropriate Exchange 2010 components when this is only happening with 2 (reported) users. Why wouldn't EVERYONE with Outlook 2007 have this problem if the cause is some mis-named URLs on the servers?

Can anyone explain why this is happening (to only 2 users) and what I need to do to get rid of their Security Alerts?

Thanks in advance.

-RAM
 

Ed Crowley [MVP]

#2
Your certificate doesn't have the server names as SANs. Check all the internal (and external if necessary) virtual directory settings like in Get-OABVirtualDirectory, Get-WebServicesVirtualDirectory, Get-AutodiscoverVirtualDirectory, Get-ActiveSyncVirtualDirectory and Get-ClientAccessServer (AutodiscoverServiceInternalUri property) and verify that all are set to the URL hostnames and not the server hostnames and that should fix it. Or you could add the DNS and NetBIOS names as SANs. Or you could do both. Obviously adding the hostnames as SANs is easier if you're using an internal certificate and you don't have to pay for the additional names.

Ed Crowley MVP

"There are seldom good technological solutions to behavioral problems."

#3
Ok - that's pretty much what the KB article said. So we'll go ahead and change the URLs in Exchange/AD. Thanks.

I just don't understand why only a few users are seeing the security alert and not ALL of us. Any idea or explanation for that?

-RAM
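
The check suggested in reply #2, written out as an added example that is not part of the original thread: it lists the URLs configured on the objects named there and flags each one whose host name is not on the certificate enabled for IIS. It assumes it is run in the Exchange Management Shell on the CAS being checked; `$Server` and `Test-NameCovered` are names introduced for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: $Server is the CAS to check; defaults to the local machine name.
$Server = $env:COMPUTERNAME

# Names on the certificate currently enabled for IIS on that server.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# Hypothetical helper: is this host name one of the certificate's names?
function Test-NameCovered([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard name covers exactly one left-most label.
        $dot = $h.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and $h.Substring($dot) -eq $n.Substring(1)) {
            return $true
        }
    }
    return $false
}

# Gather the URLs configured on the objects named in reply #2.
$sources = @{
    'OAB'          = Get-OabVirtualDirectory -Server $Server
    'WebServices'  = Get-WebServicesVirtualDirectory -Server $Server
    'Autodiscover' = Get-AutodiscoverVirtualDirectory -Server $Server
    'ActiveSync'   = Get-ActiveSyncVirtualDirectory -Server $Server
}
$rows = foreach ($name in $sources.Keys) {
    foreach ($vdir in @($sources[$name])) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vdir.$prop) { New-Object PSObject -Property @{ Source = $name; Property = $prop; Url = "$($vdir.$prop)" } }
        }
    }
}
$scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
if ($scp) { $rows = @($rows) + (New-Object PSObject -Property @{ Source = 'ClientAccessServer'; Property = 'AutoDiscoverServiceInternalUri'; Url = "$scp" }) }

# Flag any URL whose host name the certificate does not cover.
$rows | Select-Object Source, Property, Url,
    @{ Name = 'CoveredByCert'; Expression = { Test-NameCovered ([uri]$_.Url).Host } } |
    Sort-Object CoveredByCert, Source | Format-Table -AutoSize
```

Rows showing `CoveredByCert` as False are the ones to address with either option from reply #2: change the URL to a name on the certificate, or add that host name as a SAN.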
 
