Exchange 07 & Outlook 07

Joined
Mar 15, 2002
Messages
782
I installed Exchange 07 several months back at both of our locations here. I installed an SSL cert to work with OWA and that has worked fine since. We never had any Office 07 installs until just now and I've found that a certificate warning pops up when Outlook is opened up. I tried to simply install the cert but that didn't work right, so looked over the MS KB article on the work around but I would rather not do that if I don't have to.

Question: Did you guys buy an SSL cert with unlimted sub domains? The error in Outlook 07 is coming from the fact that the NETBIOS name of the server is different than that on the actual GoDaddy cert (owa.domain.com). That is why Outlook complains from what I can tell.

What method did you guys use to resolve this issue?
 
I installed Exchange 07 several months back at both of our locations here. I installed an SSL cert to work with OWA and that has worked fine since. We never had any Office 07 installs until just now and I've found that a certificate warning pops up when Outlook is opened up. I tried to simply install the cert but that didn't work right, so looked over the MS KB article on the work around but I would rather not do that if I don't have to.

Question: Did you guys buy an SSL cert with unlimted sub domains? The error in Outlook 07 is coming from the fact that the NETBIOS name of the server is different than that on the actual GoDaddy cert (owa.domain.com). That is why Outlook complains from what I can tell.

What method did you guys use to resolve this issue?
We needed to get one of these when we went from 03 to 07: http://www.digicert.com/unified-communications-ssl-tls.htm

That way you can set the SAN so it covers autodiscover, OWA domain, etc.
 
Any other way? I suppose these aren't the same certs as the certs with unlimted subdomains?

That price is steep but I'll do it if needed.
 
we use a multi-domain cert (cheaper than a wildcard) for autodiscover to work correctly.
 
We also found Digicert to be the best deal on a UC (SAN) cert. Depending on exactly how many alternate names you need, other sources may be cheaper or more expensive. Digicert has some nice features though. For example, if you find you need to add one more name to the cert, they'll redo it for you for only the cost of the additional name (as opposed to forcing you to rebuy the whole thing from scratch).
 
have you tried to set the internal URL tobe the same as the external URL for everything on the exchange server? try that and then setup another forward lookup zone and a record for your CAS server and you should be okay. Also, you mentioned GoDadyy, they'll probably let you return the standard ssl certain and upgrade it to a multi-domain UCC cert. I've had to do that a few times and they never complained
Posted via [H] Mobile Device
 
You need the UCC cert... Godaddy is good to work with.. let them know you chose the wrong one.

I tried a 'self-cert' but it would either work in-house or on the internet... not both without throwing up the error you mention.
 
Yeah UCC cert from GoDaddy is the way to go. Make the cert for your primary external hostname like mail.mydomain.com and then add alternate names for the others like exchsrvr, exchsrvr.mylocaldomain.local, autodiscover.mydomain.com, autodiscover.mylocaldomain.local. Then make sure to add the autodiscover a record in both internal and external DNS and you should be good.
 
My way of fixing this issue was to reconfigure auto discovery to use the same FQDN as my SSL OWA cert.

i.e. mail.mycompany.com

Then just created the corresponding DNS entry in my network.

Really was a pain in the ass though lol
 
This issue arises because Outlook 2007 attempts to validate the SSL cert on your Exchange 2007 server, but your SSL cert does not include the internal NetBIOS or FQDN of the server. When requesting a cert for Exchange 2007 you should get a "multi-domain" cert and you should request names for:

ex1 (Internal NetBIOS)
ex1.domain.local (Internal FQDN)
mail.domain.com (External FQDN)
webmail.domain.com (External FQDN of your webmail if it differs)
autodiscover.domain.com (External FQDN used for Outlook 2007 auto discover)

Assuming:
- Your internal exchange hostname is ex1
- Your external hostname is mail
- Your internal domain name is domain.local
- Your external domain name is domain.com

Riley
 
OK. Thanks for the replies everyone. I'll contact Godaddy and see if I can get a multi domain cert. Hopefully they will let me trade in my two regular SSL certs.
 
It's really simple...

Instead of having the clients connecting to internal.domain.local, have them connect to the exchange.public.com.....
On your DNS server just make an entry for exchange.public.com to redirect to the local port (that way anyone internally stays internal, and it won't try to resolve outside the network).

Outlook sees exchange.public.com, it matches the exchange.public.com on the cert.
 
FYI Exchange 2K7 can generate its own certs, you have to do it yearly via commandlets. Don't need to go out and purchase them....but granted they're cheap enough anyways.
 
FYI Exchange 2K7 can generate its own certs, you have to do it yearly via commandlets. Don't need to go out and purchase them....but granted they're cheap enough anyways.

Shoot for the $30 or whatever it cost... It was worth it to not have to install the certificate on everyone's machine.
 
Shoot for the $30 or whatever it cost... It was worth it to not have to install the certificate on everyone's machine.

For local domain users you don not have to go to everyones machine and import certs. Only for remote "Outlook Anywhere" users. So for ZERO dollars it was still worth it not to have to go install it on everyones machine. The self generated cert doesn't come with extra complications save for the annual regeneration.
 
For local domain users you don not have to go to everyones machine and import certs. Only for remote "Outlook Anywhere" users. So for ZERO dollars it was still worth it not to have to go install it on everyones machine. The self generated cert doesn't come with extra complications save for the annual regeneration.

Yep, but spending the extra couple minutes on every new client configuration remotely, versus twenty or thirty bucks...

It's worth it to be done with it.
 
Yep, but spending the extra couple minutes on every new client configuration remotely, versus twenty or thirty bucks...

It's worth it to be done with it.

How many of these have you done? I import the certificates anyways on remote machines that aren't joined to the domain (for Outlook Anywhere or even OWA)..doesn't matter where/who the certificate is from. About 15.5 seconds to run through the cert import wizard either way..be it a self generated cert from the Exchange server, or a GoDaddy or Comodo or Pair cert or wherever you get it from, it does not change the import steps.
 
How many of these have you done? I import the certificates anyways on remote machines that aren't joined to the domain (for Outlook Anywhere or even OWA)..doesn't matter where/who the certificate is from. About 15.5 seconds to run through the cert import wizard either way..be it a self generated cert from the Exchange server, or a GoDaddy or Comodo or Pair cert or wherever you get it from, it does not change the import steps.

If you use a trusted cert you don't have to import anything.
 
If you use a trusted cert you don't have to import anything.

+1.. Just spend the small amount on the multi-domain cert and you don't have to worry about importing certificates, internal/external server names, etc.

In fact, there are so many benefits to getting a trusted SSL cert:

- SSL on ActiveSync enabled phones
- Opportunistic TLS on your send/receive connectors let you secure mail between you and other organizations.
- Don't have to renew the self-signed cert every year (if you get a multi-year cert of course)
- Secured webmail without SSL warnings


Riley
 
How many of these have you done?
Used to do it that way before Exchange 2007 made it a major PITA to not use a trusted certification authority.

Spent the bucks on it, and I'll never screw with manually importing those certs again.

As CC said, you use a trusted root authority and you don't have to import anything. Install the certificate to the server, and profit.

- SSL on ActiveSync enabled phones
- Secured webmail without SSL warnings

While I don't use AS anymore, these were the main reasons.

Get tired of clients and customers asking what to do on those warnings, or having to type out "make sure you just click through the warning" or whatnot. I mean, the thirty bucks to do away with that stuff is well worth it.
 
Back
Top