Outlook 2010 Certificate Alert when connecting to Exchange 2010 Server

Status
Not open for further replies.

George Khalil

Hi,

I am receiving the below security alert when launching a domain joined Outlook 2010 client;

The security certificate was issued by a company you have not chosen to trust

This is a self-signed certificate on the CAS server role, which is separate from the Hub and Mailbox roles. Unless something is completely screwed, Outlook 2007 against Exchange 2007 had no issues with domain-joined machines and self-signed certificates.

The following KB article explains the same issue http://support.microsoft.com/default.aspx/kb/2006728 but this is a native Exchange 2010 environment with no previous versions of CAS roles.

Any help appreciated.

Cheers
 

Mumin CICEK [MVP]

hi,

please check your SSL status; your internal name must be in your SSL certificate.

just look at here ;

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=TR, s=, l=, o=, cn=mmncicek" -DomainName mail.mumincicek.com, autodiscover.mumincicek.com, exchangesrv.mumincicek.local, exchangesrv -PrivateKeyExportable $True

and here is link to create CSR for your certificate ;

https://www.digicert.com/easy-csr/exchange2010.htm

and here is video about it ;

http://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htm

regards,

Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
 

George Khalil

Hi, thanks for your prompt response. The certificate contains the internal FQDN of the CAS server and the NetBIOS name of the CAS server, i.e. cas.home.domain.com and cas; this was all handled by the CAS role installation, which is separate from the Mailbox role. I would not expect the alert to appear for a domain-joined machine, as was the case with Exchange 2007 and Outlook using internal certificates. The question I'm asking is: do I need to utilize a certificate from a trusted CA for internal domain-joined Outlook clients? Cheers
 

McCue

I'm not sure, but it looks like a self-signed certificate will give an error and you may need to create an internal certificate authority or buy an external certificate. Hopefully someone with more info will be able to give us the specific answer.

regards,

Mac
 

Xiu Zhang

Hi,

Please check if this certificate has been installed under "Trusted Root Certification Authorities" in the Certificates MMC snap-in.

1. Run "MMC" from a command prompt.

2. Click on "File" on the toolbar and select "Add/Remove snap-in...".

3. In the "Standalone" tab, click on "Add" - "Certificates" - "Computer account" - "Local computer".

4. Click "Finish" and "OK".

5. Expand "Certificates" - "Personal" - "Certificate", and "Certificates" - "Trusted Root Certification Authorities" - "Certificate".

More related information to share with you:

Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista

http://blogs.technet.com/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

Regards,

Xiu
 

George Khalil

Hi Xiu,

The certificate is definitely not installed, I know that. The question I am asking is: are there stricter conditions for domain-joined Outlook clients with Exchange 2010? In Exchange 2007, domain-joined Outlook clients did not require the certificate to be installed under the Trusted Root CA. This was only required for "internet" Autodiscover clients.

Can anyone please confirm whether this is also required as part of the CAS and Exchange 2010 for domain joined outlook clients.

Thanks
 

Casper Pieterse

Do you have Outlook Anywhere enabled?

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa
 

George Khalil

Hi Casper,

Outlook Anywhere is not enabled on the CAS Server. Outlook client is connected to the domain.

Cheers
 

Xiu Zhang

Hi,

Yes, when an internal user tries to use Outlook to connect to the Exchange server, Outlook will try to find the e-mail address and Exchange server name from AD. After that it will look for the SCP and then find the correct Autodiscover server to connect to and retrieve settings.

So during the process of connecting to the Exchange server, it has to use Autodiscover to connect and retrieve user settings, so a certificate problem related to Autodiscover will cause the issue.

I'd like to share the process of how an internal Outlook user connects to the Exchange server.

1. Automatically retrieve e-mail address from Active Directory if domain joined machine.

2. Retrieve Exchange Server name if found and store for later.

3. Look for SCP objects or SCP pointer objects that correspond to the user's e-mail address, and find the correct Autodiscover server to connect to; then connect and retrieve settings.

4. If previous step fails, attempt DNS discovery of Autodiscover XML (allowing for 10 redirects).

a. HTTPS POST: https://DOMAIN/autodiscover/autodiscover.xml

b. HTTPS POST: https://autodiscover.DOMAIN/autodiscover/autodiscover.xml

c. HTTP GET: http://autodiscover.DOMAIN/autodiscover/autodiscover.xml (only to follow redirects, not to get settings)

d. DNS SRV lookup: _autodiscover._tcp.DOMAIN (only to follow the redirect the SRV record points to)

5. If previous step fails, attempt local XML discovery and use XML found on the local machine if applicable.

6. If previous step fails but an Exchange Server name is found in step 2, configure Exchange account based on Exchange Server name.

7. If previous step is not applicable, attempt Common Settings Discover, as described in the next section.

More related information to share with you:

Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"

http://support.microsoft.com/kb/940726

Regards,

Xiu
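The lookup and the checks Xiu describes above (read the Autodiscover SCP from AD, then validate the certificate each Autodiscover URL presents), together with the Trusted Root store check from Xiu's earlier MMC steps and Casper's "browse to https://serverFQDN" test, carried out as an added PowerShell example that is not part of the thread. It reports separately whether the certificate name matches the URL's host and whether the chain ends in a root this machine trusts, i.e. which of the two Outlook warnings discussed in this thread a client would get. The SCP keyword GUID is the one Exchange stamps on Autodiscover SCPs; the fallback URL with cas.home.domain.com is assumed from the thread and is only used when no SCP is found.

```powershell
# Added example, not from the thread. Reproduces what a domain-joined Outlook does:
# read the Autodiscover SCPs from AD, then validate each endpoint's certificate.
# Run as a domain user on a domain-joined machine (Windows PowerShell 2.0 or later).

# Keyword Exchange stamps on Autodiscover serviceConnectionPoint objects
$AutodiscoverScpGuid = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'
# Assumed CAS name taken from the thread; used only if no SCP is found
$FallbackUrl = 'https://cas.home.domain.com/Autodiscover/Autodiscover.xml'

function Get-AutodiscoverScpUrl {
    # SCPs live in the configuration partition, which every domain-joined client can read
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [ADSI]"LDAP://$($rootDse.configurationNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($configNc)
    $searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$AutodiscoverScpGuid))"
    [void]$searcher.PropertiesToLoad.Add('serviceBindingInformation')
    foreach ($result in $searcher.FindAll()) {
        foreach ($url in $result.Properties['servicebindinginformation']) {
            if ($url -like 'https://*') { $url }   # skip LDAP:// site-pointer entries
        }
    }
}

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Accept anything during the handshake; the verdict is computed below with X509Chain
    # so the reason for a failure is visible instead of a bare exception.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close(); $tcp.Close()
    }
}

function Test-CertificateName {
    # Outlook's "name of the security certificate is invalid" check: host must equal the
    # subject CN or one of the SAN DNS names (wildcards honoured).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() yields "DNS Name=a, DNS Name=b" on English Windows (label is localised)
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    foreach ($n in $names) {
        if ($HostName -eq $n) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -like $n)) { return $true }
    }
    return $false
}

function Test-CertificateTrust {
    # Outlook's "issued by a company you have not chosen to trust" check: CryptoAPI chain
    # build against the CurrentUser and LocalMachine trusted root stores.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate   # root, or the cert itself if self-signed
    New-Object PSObject -Property @{
        Trusted        = $trusted
        Status         = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        TopThumbprint  = $top.Thumbprint
        TopInRootStore = (Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)")   # the MMC check, scripted
    }
}

function Test-AutodiscoverCertificate {
    param([string[]]$Url)
    foreach ($u in $Url) {
        $hostName = ([Uri]$u).Host
        $cert  = Get-RemoteCertificate -HostName $hostName
        $trust = Test-CertificateTrust -Cert $cert
        New-Object PSObject -Property @{
            Url                    = $u
            Subject                = $cert.Subject
            Issuer                 = $cert.Issuer
            NameMatches            = (Test-CertificateName -Cert $cert -HostName $hostName)
            ChainTrusted           = $trust.Trusted
            ChainStatus            = $trust.Status
            RootThumbprint         = $trust.TopThumbprint
            RootInLocalMachineRoot = $trust.TopInRootStore
        }
    }
}

$urls = @(Get-AutodiscoverScpUrl)
if ($urls.Count -eq 0) {
    Write-Warning "No Autodiscover SCP found in AD; testing assumed URL $FallbackUrl"
    $urls = @($FallbackUrl)
}
Test-AutodiscoverCertificate -Url $urls | Format-List
```

Reading the output: ChainTrusted = False with ChainStatus UntrustedRoot (the self-signed CAS certificate: Issuer equals Subject, RootThumbprint equals the CAS certificate's own thumbprint, RootInLocalMachineRoot = False) is the "company you have not chosen to trust" case from the first post; NameMatches = False is the separate "name does not match" case from KB 940726. Outlook runs as the user, so a root in CurrentUser\Root also satisfies X509Chain.Build even though the Test-Path only inspects the machine store. The script tests only the Autodiscover endpoints; the EWS and OAB internal URLs Autodiscover hands back are validated by Outlook in the same way.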
 

George Khalil

Hi Xiu,

Thanks for your response, however my issue is not related to the name of the security certificate being invalid (that part is fine); mine is all about "The security certificate was issued by a company you have not chosen to trust".

This was never an issue with Outlook connecting to Exchange 2007 utilising a self-signed certificate. The following article confirms the default behaviour in Exchange 2007; read under the heading "Using the Self-Signed Certificate with Domain-Joined Outlook 2007 Clients" (http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx).

I need clarification that this either still holds true for Exchange 2010, or whether this has changed due to MAPI now being closely tied to the CAS role.

I have also read about the following REG key and CAS proxying;

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeOWA\AllowInternalUntrustedCerts

I will check later tonight on whether it's set to True or False.

Thanks
 

atcnf2008

I got the same SSL certificate warning problem with Outlook 2007 internal clients with an Exchange 2010 CAS server. I don't care about anything like Outlook Anywhere, but I always get this warning during connection. The only way I can get rid of this warning is to install the SSL certificate of the CAS server on each computer, which is lots of work; there was never such a problem between Outlook 2007 and Exchange 2007. Can anyone recommend a SERVER solution which won't require installation of the certificate on every PC? Thanks.
 

McCue

You can:

1. purchase an SSL certificate from an external provider for the server's FQDN,
2. install the Certificate Authority service on Windows Server and issue your own certificate (cheapest solution), or
3. check out http://support.microsoft.com/default.aspx/kb/940726 and modify the internal URLs.

From what I have read, the top option seems to be the way Microsoft has designed the system to work.

Regards, Mac
 

Casper Pieterse

Let's take it back to basics. If you browse to the CAS server (https://serverFQDN) do you get an error message? If so and it is the same error you get when using Outlook, we need to figure out why you are not trusting the certificate issuer.

Let me know and I'll try to guide you through the process in getting this sorted.

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
 

Derrald

I'm receiving this error as well. Only on Outlook 2010, my Outlook 2007 clients connect without a problem. When I surf to https://serverFQDN, I do receive a certificate error on all machines, not just the Outlook 2010 machine. The issuer is the name of the server, so of course it is not trusted, but why does it work on Outlook 2007. I have installed Certification Authority on a Windows 2008 R2 and may attempt a self-signed cert. Since this is a test box, I do not want to purchase anything. Ideas?
 

George Khalil

The certificate warning that I had originally posted about earlier this year (first post) is actually considered "by design", i.e. domain-joined Outlook 2007 clients would ignore the validity check. This is not the case with Exchange 2010 and Outlook 2010. The only way around this is to either purchase a 3rd party SAN certificate from a public CA or, if it's for testing purposes only, install a Windows 2008 Active Directory CA and initiate a SAN certificate request from Exchange 2010 which your Windows 2008 CA will issue. This works a charm and I have done it a number of times in a dev environment.

Henrik confirms the certificate warning in his below post

http://blogs.msexchange.org/walther/2010/05/18/certificate-warning-when-using-self-signed-exchange-certficate-and-outlook-2010/

Cheers

Blog: http://sharepointgeorge.com Twitter: http://twitter.com/georgekhalil
 

Casper Pieterse

Agree with George, except on the public CA statement. Use internal PKI certificates for all internal traffic and only public certificates on your reverse proxy platform. Not only does this drive down costs, but it gives you a lot more flexibility and control, apart from every other Microsoft product that will at some stage require a certificate.

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
 

Louis77

So basically, with Exchange 2010 and Outlook 2010, they are forcing us to use 3rd party certificates or do more work and have an internal CA??? What the heck? I shouldn't have to go through this when my system is set up with a simple configuration. I have one Exchange 2010 server, no other Exchange servers, and no external access is allowed. I have upgraded all clients to Outlook 2010 in preparation for this to make it as smooth as possible. Now I have to manually install a certificate on every workstation, or create an internal CA that all my computers trust, or purchase a 3rd party cert? Why does it seem like Microsoft goes backwards on so many of their newer products? I'm really upset that there is no other way around this. Louis
 

Barry Adkins

An internal CA is actually very easy.

Just install the CA from the Windows Server setup. Issue a certificate for your internal Exchange server. What happens fairly quickly after you install the internal CA is that the clients that log in to the network will have the internal CA certificate automatically added to their trusted certificate store, and it will all just work quite easily and well.

-Barry
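The route George and Barry describe (a SAN certificate for the CAS issued by an internal AD CS enterprise CA, which domain-joined clients trust because the enterprise root is published to them through AD), plus McCue's point about making the internal URLs match the certificate, carried out end to end as an added Exchange Management Shell example that is not from the thread. Assumed values: the CAS is named CAS in the AD domain home.domain.com, the CA's config string is dc1.home.domain.com\Home-CA (see the "Config:" line of certutil -dump), the WebServer template is set to issue automatically, and C:\Certs is writable. Run on the CAS as an Exchange Organization Administrator with enrol rights on the template.

```powershell
# Added example, not from the thread. Exchange 2010 CAS: request a SAN cert from an
# internal AD CS CA, bind it to IIS, and align the internal URLs with the SAN names.
# Assumed names below; adjust to your environment.
$Cas      = 'CAS'
$Fqdn     = 'cas.home.domain.com'
$Names    = 'cas.home.domain.com', 'autodiscover.home.domain.com', 'cas'   # SAN entries Outlook will see
$CaConfig = 'dc1.home.domain.com\Home-CA'       # assumed; from: certutil -dump  (Config: line)
$ReqFile  = 'C:\Certs\cas.req'
$CerFile  = 'C:\Certs\cas.cer'

New-Item -ItemType Directory -Path (Split-Path $ReqFile) -Force | Out-Null

# 1. Generate the CSR on the CAS; the private key is created in the machine store and
#    pairs with the issued certificate on import. Exchange 2010 returns the CSR as text.
$csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "cn=$Fqdn" -DomainName $Names
Set-Content -Path $ReqFile -Value $csr

# 2. Submit to the enterprise CA against the built-in WebServer template. If the template
#    is not auto-issuing, certreq reports "pending" and no .cer is written.
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile
if (-not (Test-Path $CerFile)) {
    throw "CA did not issue a certificate; check the pending requests on $CaConfig"
}

# 3. Import the issued certificate and make IIS (Autodiscover, EWS, OAB, OWA, ECP) use it
#    instead of the self-signed certificate created by CAS setup.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS -Confirm:$false

# 4. Every URL Outlook is handed must use a name present in the SAN list, otherwise the
#    trust warning is simply replaced by the "name does not match" warning (KB 940726).
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri "https://autodiscover.home.domain.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" -InternalUrl "https://$Fqdn/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" -InternalUrl "https://$Fqdn/OAB"

# 5. Verify: Issuer should now be the internal CA rather than the CAS's own name, and
#    Services should include IIS.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Issuer, CertificateDomains, Services, NotAfter
```

Domain-joined clients pick up the enterprise CA's root certificate from AD (the NTAuth/Root publication Barry refers to), so no per-workstation certificate install is needed; a client that still warns after this is one that has not yet received the root, which is the Trusted Root Certification Authorities check from Xiu's MMC steps. Leave the self-signed certificate in place for SMTP (Hub transport uses it for opportunistic TLS) and only rebind IIS, as step 3 does.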
 

McCue

Louis, it isn't backwards, it is more secure, so it requires a little more work on your part, just as all security implementations do. You can fight it if you want and even turn off the encryption for OWA, or embrace it, and in an hour or two you will be set. BTW: I recently purchased a SAN certificate from GoDaddy for under $200 and the best part is I can open up the access to my users when they travel or check from home (they love it).

Cheers

Dave
 