Autodiscover in Exchange 2010 and Outlook 2010 - Certification Warning

Discussion in 'Exchange Server Questions' started by WBO, May 29, 2010.

  1. WBO

    Hello,

    I've got an Autodiscover error that is being difficult to sort out. Here is the scenario: I have Exchange 2010 Enterprise edition servers deployed on Windows 2008 R2 Enterprise. I got 2 CAS servers with only the CAS role installed on them in Windows NLB with a CAS Array configuration. No certificates installed. All ports are open on NLB. NLB name is "nlbcas.smpn.net". CAS array name is "casarraysitea", FQDN is "casarraysitea.smpn.net". Site name is "SiteA". CAS server names are SRPAPXCH03 and SRPAPXCH04. There are 2 Mailbox servers in a DAG configuration, installed on 2 separate servers with roles Mailbox, HUB and UM.

    When I open Outlook 2010 I get this message: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority". Then the user has to click on the "OK" button to proceed and then access his mailbox.

    The name that was being shown was the NLB name. I changed that name to the CAS Array name and the same error happened. Then I used the following commands to set the autodiscover to the individual CAS server names:

    Set-ClientAccessServer -Identity srpapxch03 -AutodiscoverServiceInternalUri "https://srpapxch03.smpn.net/Autodiscover/Autodiscover.xml"

    Set-ClientAccessServer -Identity srpapxch04 -AutodiscoverServiceInternalUri "https://srpapxch04.smpn.net/Autodiscover/Autodiscover.xml"

    EWS and OAB were configured the same way, to their respective CAS server names. Am I missing an internal CA authority, or is there a PowerShell command that gets rid of this error?

    I really need help with this.

    Thanks!

    WBO
     
  2. AndyD_ [MVP]

    Are these domain-joined workstations that are getting the certificate error? The self-signed Exchange certificate is installed by default. Is that the cert it's referring to?
     
  3. Em0

    Please attach the information from the certificate warning in Outlook.

    From what you describe it seems like you are using the self-signed certificate that is installed by default. Either install a CA in your domain and issue a certificate to your client access servers OR buy a certificate from an online authority.
     
  4. Ramy Messiha

    Hello

    Even with a self-signed certificate, Outlook should not prompt the user for certificate trust; this is hard-coded in Outlook with self-signed certificates. Also, changing the names will not resolve your problem because it is a trust error. If you have a standalone certification authority, you have to import the certificate of your CA to all your users, or consider purchasing a commercial certificate that is trusted by all computers by default.

    Thanks,
     
  5. Brian Desmond -MVP-

    "Even with a self-signed certificate, Outlook should not prompt the user for certificate trust; this is hard-coded in Outlook with self-signed certificates."

    No, I don't think so...

    Active Directory, 4th Edition - www.briandesmond.com/ad4/
     
  6. AndyD_ [MVP]

    Yep, Outlook should trust the Exchange self-signed cert. However, I have heard of people claiming that Outlook 2010 sometimes throws this error when accessing the Exchange self-signed cert. Haven't seen or tested it, however.
     
  7. AndyD_ [MVP]

  8. Ramy Messiha

    According to this article, beginning with Outlook 2010, users get warnings about self-signed certificates. This was not the case with Exchange 2007 & Outlook 2007.

    Reference is the Autodiscover whitepaper on TechNet.
     
  9. AndyD_ [MVP]

    Yep, that's what the article says. Since the poster is using Outlook 2010, it may apply.
     
  10. WBO

    Thanks Andy,

    Yeah, the article clarifies the whole thing: the MS Outlook team decided that from now on we have to either set up an internal CA or buy a SAN certificate from a trusted, public CA.

    Thanks for your help. Now we know we need to include a CA design in our projects to avoid this warning pop-up, as it is really frustrating.

    Thanks again,

    WBO.
     
  11. WBO

    All,

    It seems that the problem is with Exchange 2010, not Outlook 2010, as this certificate warning will happen with either Outlook 2007 or 2010 when they connect to Exchange 2010 CAS servers. You see, I got Outlook 2010 to connect to Exchange 2007 without any errors. To me it proves that the issue is with Exchange 2010 CAS servers, which will prompt the end user, no matter whether they are using Outlook 2007 or 2010, that they need to install a certificate, either from an internal CA or a public CA.

    Cheers,

    WBO
     
  12. Brian Desmond -MVP-

    "Yeah, the article clarifies the whole thing: the MS Outlook team decided that from now on we have to either set up an internal CA or buy a SAN certificate from a trusted, public CA.

    Thanks for your help. Now we know we need to include a CA design in our projects to avoid this warning pop-up, as it is really frustrating."

    So go to www.digicert.com and buy a SAN cert - they're like $300 or something. I've done a lot of these projects as a consultant and I've *never* included any sort of PKI deployment in the project. That's a significant project in itself.

    Active Directory, 4th Edition - www.briandesmond.com/ad4/
     
  13. Allen Song

    Hi,

    You should create an internal CA or buy a third-party certificate to rectify the issue.

    Thanks

    Allen
     
  14. mhRabie

    Hi,

    You can export the certificate ".cer" file, and configure a group policy to trust the Root Certification Authority, and then apply the group policy to the clients:

    1. From the "Security Alert" window click "View Certificate", then go to the "Details" tab, and copy the .cer file

    2. Import the .cer file to the group policy object "Computer Configuration\Policies\Windows Setting\Public Key Policies\Trusted Root Certification Authorities"

    Regards

    Mohammad Rabie
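
Added example, not part of any post in the thread: a PowerShell check, run from an Outlook client machine, that separates the two possible causes discussed above (an untrusted issuer versus a host name the certificate does not cover) for each name mentioned in the thread. The function names are hypothetical, and the script assumes port 443 and an English-language Windows install (the SAN extension is parsed from its "DNS Name=" text form).

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumptions: HTTPS on port 443; English Windows, so SAN entries format as "DNS Name=...".
function Get-EndpointCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be examined; trust is evaluated separately below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

function Test-CertificateForHost {
    param($Certificate, [string]$HostName)
    # Build the chain against this machine's certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: report trust only, skip revocation
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # Names the certificate is issued for: SAN DNS entries if present, otherwise the subject name.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    } else {
        $names = @($Certificate.GetNameInfo('SimpleName', $false))
    }

    New-Object PSObject -Property @{
        Host         = $HostName
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        SelfSigned   = ($Certificate.Subject -eq $Certificate.Issuer)
        ChainTrusted = $trusted          # False with UntrustedRoot means a trust problem
        ChainStatus  = $status
        CertNames    = ($names -join ', ')
        # Simple wildcard comparison; a name problem shows up here, independent of trust.
        NameCovered  = [bool]($names | Where-Object { $HostName -like $_ })
    } | Select-Object Host, Subject, Issuer, SelfSigned, ChainTrusted, ChainStatus, CertNames, NameCovered
}

# Host names as quoted in the thread.
'nlbcas.smpn.net', 'casarraysitea.smpn.net', 'srpapxch03.smpn.net', 'srpapxch04.smpn.net' |
    ForEach-Object { Test-CertificateForHost (Get-EndpointCertificate $_) $_ } | Format-List
```

Running it again after a root certificate has been distributed to clients shows whether `ChainTrusted` has changed on that machine. `Test-CertificateForHost` can also be given an `X509Certificate2` loaded from an exported .cer file instead of one fetched from the endpoint.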
     