Outlook client gives security alert after setting up EX2010 OWA on server

Status
Not open for further replies.
McCue

Outlook would connect without a problem to the mail server before I installed OWA and moved it from EX2003. I also enabled Outlook Anywhere only on this server.

I installed CAS on ex2010cas.home.domain.com and the external certificate for webmail.domain.com and no additional certificate on mailbox.home.domain.com. Now Outlook is giving me 2 security alerts when connecting from an internal domain member computer - whether or not I connect by rpc over http or regular rpc.

The first alert is to the CAS server where it says the root is trusted but the server name is not the same (which is correct).
The 2nd one to the Mailbox server where it says the server is fine but the root is not trusted (self-signed - also correct).

support.microsoft.com/kb/2006728 seems to say I need to purchase outside certificates for the actual fqdn for both the ex2010cas.home.domain.com and Mailbox.home.domain.com or create an internal certificate server and hand out my own certificates.

1. Did I make a configuration change that caused this problem and can I change it back?
2. Is this KB the only solution?

BTW: OWA works fine.
thank you for your help
Mac
 
Brian Day MCITP [MVP]

Did you configure the autodiscover and EWS URLs for the CAS server yet to match 'webmail'? It might just be Outlook (What version is it?) trying to perform one of those actions and since the certificate is for "webmail" and Outlook is probably still hitting the hostname of the CAS server, you'll get prompted.

Brian Day, Overall Exchange & AD Geek
MCSA 2000/2003, CCNA
MCTS: Microsoft Exchange Server 2010 Configuration
LMNOP
 
Xiu Zhang

McCue

Hi Brian,
I did not specifically set up autodiscover as I only had the single server name certificate, but I will review the options there.

Outlook 2003 starts to load, then gives the error "Cannot start microsoft office outlook. Unable to open the Outlook window. The set of folders could not be opened." Then it closes.

Outlook 2007 and Outlook 2010 give more information; both open, but display the security alerts mentioned above and allow full mailbox usage even if I select "No" to the question "Do you want to proceed?".

Yes, the certificate is for webmail and the prompt shows the hostname of the CAS server.

thanks
Mac
 
McCue



Xiu,

Below is the output from the two commands you requested.
Mac

get-outlookanywhere|fl

RunspaceId : 0131f987-3696-493f-****-************
ServerName : ex2010cas
SSLOffloading : False
ExternalHostname : webmail.domain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic}
MetabasePath : IIS://ex2010cas.home.domain.com/W3SVC/1/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
Server : ex2010cas
AdminDisplayName :

ExchangeVersion : 0.10 (14.0.100.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=ex2010cas,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : ex2010cas\Rpc (Default Web Site)
Guid : f5e4fde8-4d61-4e67-****-************
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 12/17/2009 2:06:10 PM
WhenCreated : 12/17/2009 2:06:10 PM
WhenChangedUTC : 12/17/2009 10:06:10 PM
WhenCreatedUTC : 12/17/2009 10:06:10 PM
OrganizationId :

OriginatingServer : dc1.home.domain.com
IsValid : True

get-outlookprovider|fl
RunspaceId : 0131f987-3696-493f-****-************
CertPrincipalName :

Server :

TTL : 1
OutlookProviderFlags : None
AdminDisplayName :

ExchangeVersion : 0.1 (8.0.535.0)
Name : EXCH
DistinguishedName : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : EXCH
Guid : f754f3ce-f1a8-4c33-****-************
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/20/2009 4:52:18 PM
WhenCreated : 8/20/2009 4:52:16 PM
WhenChangedUTC : 8/20/2009 11:52:18 PM
WhenCreatedUTC : 8/20/2009 11:52:16 PM
OrganizationId :

OriginatingServer : dc1.home.domain.com
IsValid : True

RunspaceId : 0131f987-3696-493f-****-************
CertPrincipalName :

Server :

TTL : 1
OutlookProviderFlags : None
AdminDisplayName :

ExchangeVersion : 0.1 (8.0.535.0)
Name : EXPR
DistinguishedName : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : EXPR
Guid : 744e0c2c-d251-44a2-****-************
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/20/2009 4:52:18 PM
WhenCreated : 8/20/2009 4:52:16 PM
WhenChangedUTC : 8/20/2009 11:52:18 PM
WhenCreatedUTC : 8/20/2009 11:52:16 PM
OrganizationId :

OriginatingServer : dc1.home.domain.com
IsValid : True

RunspaceId : 0131f987-3696-493f-****-************
CertPrincipalName :

Server :

TTL : 1
OutlookProviderFlags : None
AdminDisplayName :

ExchangeVersion : 0.1 (8.0.535.0)
Name : WEB
DistinguishedName : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Company,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity : WEB
Guid : 54200004-3613-446a-****-************
ObjectCategory : domain.com/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/20/2009 4:52:18 PM
WhenCreated : 8/20/2009 4:52:16 PM
WhenChangedUTC : 8/20/2009 11:52:18 PM
WhenCreatedUTC : 8/20/2009 11:52:16 PM
OrganizationId :

OriginatingServer : dc1.home.domain.com
IsValid : True
 
Xiu Zhang

Hi,

Please check the article below:

Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"

http://support.microsoft.com/kb/940726

If we only have a certificate for the externalhost name, then I think we need to configure the internaluri for EWS, OOF, etc.

Regards,
Xiu
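
An added example, not part of the original thread and not Microsoft's own script: one way to list the internal URLs that Autodiscover hands to Outlook and check each host name against the names on the certificate bound to IIS, which is the name-mismatch condition the KB article above addresses. It assumes the Exchange Management Shell and the CAS name ex2010cas from the output earlier in the thread; the helper Test-CertName is hypothetical, and the untrusted-root alert from the self-signed certificate is outside its scope.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Assumption: $Server is the CAS short name shown in the thread's output.
$Server = 'ex2010cas'

# Names on the certificate(s) enabled for IIS on that server.
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Sort-Object -Unique

# Hypothetical helper: does $HostName appear on the certificate?
function Test-CertName {
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if (-not $n) { continue }
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one leftmost label: *.domain.com matches
        # webmail.domain.com but not ex2010cas.home.domain.com.
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Internal URLs that domain-joined Outlook receives through Autodiscover.
$urls = @()
$urls += Get-ClientAccessServer -Identity $Server | Select-Object `
    @{n='Source';e={'Autodiscover SCP'}}, @{n='Url';e={"$($_.AutoDiscoverServiceInternalUri)"}}
$urls += Get-WebServicesVirtualDirectory -Server $Server | Select-Object `
    @{n='Source';e={'EWS (OOF, free/busy)'}}, @{n='Url';e={"$($_.InternalUrl)"}}
$urls += Get-OabVirtualDirectory -Server $Server | Select-Object `
    @{n='Source';e={'OAB'}}, @{n='Url';e={"$($_.InternalUrl)"}}

# One row per URL; OnCertificate = False is a URL that will raise the alert.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source = $_.Source; Url = $_.Url; Host = $hostName
        OnCertificate = (Test-CertName -HostName $hostName -Names $certNames)
    }
} | Format-Table Source, Host, OnCertificate, Url -AutoSize
```

Rows showing OnCertificate False are the URLs to repoint at a name the certificate carries, or the names to include when ordering a SAN certificate.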
 
McCue

Hi Xiu,
This article is exactly my issue and it looks like modifying my CAS servers (2) will solve it. From what I have read, it seems like purchasing a SAN UCC Certificate will also solve it and would be a better practice.

I have 2 CAS servers, one for OWA clients (currently has the single externalhost name certificate) and the other with the mailbox function for internal Outlook clients.

It looks like I purchase and install the SAN Certificate for these names:
webmail.domain.com
autodiscover.domain.com
ex2010cas.home.domain.com

then add the autodiscover.domain.com host to my DNS server.

On my 2nd cas/mbx server (Mailbox.home.domain.com) do I also need a SSL Certificate and if so, do I need a SAN Certificate?

Lastly, instead of purchasing a 2nd certificate, can I add Mailbox.home.domain.com to the first SAN Certificate above and share it with both CAS servers?

I'm sorry for all the questions, but do appreciate your time.
Best Regards,
Mac
 
DirWig



Thanks, this was helpful for me.

I was beginning to deploy Exchange 2010 and had a lingering certificate error from only some Outlook clients (they seemed to be mostly 2007 clients).

Similar to McCue I had applied our *.domain.com cert to the CAS and the clients were getting the "does not match" warning.
 