Friday, June 08, 2012

Outlook 2010 Certificate Error After Migration

I recently did a migration from Exchange 2003 to Exchange 2010.  The new environment uses a CAS/HT server and a mailbox only server.  Everything went great until the first user opened up Outlook 2010 and there was the dreaded SECURITY ALERT stating that the certificate is invalid or does not match the name of the site.

Here's the fix for that little issue.

Assuming you have already installed the UCC certificate on the Exchange server you will need to enable the cert.  You can run the following command to enable the certificate.

Enable-ExchangeCertificate -Thumbprint 595ea47cf04e66da3d6b2995f7c4b172ca0f82 -Services "SMTP, IIS"

Note: The thumbprint needs to match the certificate you installed.  You can get it either with the Get-ExchangeCertificate cmdlet or from the MMC: select the certificate, click Details, and then click Thumbprint.  The MMC shows the thumbprint with a space between each byte; remove the spaces before pasting it into the command, otherwise PowerShell treats each byte as a separate argument.

For each CAS server that is installed, a Service Connection Point (SCP) record is created in Active Directory for the Autodiscover service, and internal clients use it to find Autodiscover.

When I go into Outlook I get the following error:

[Screenshot: Outlook security alert for the certificate]

This happens because the connection is using the NetBIOS name of mbx1, which does not match the name on the certificate.  If you run Get-ClientAccessServer -Identity mbx1 | FL you will see that AutoDiscoverServiceInternalUri is https://MBX1/Autodiscover/Autodiscover.xml, which does not match the certificate.  If you check the other services you will get the same result for OAB, EWS, Outlook Anywhere (OA) and Exchange ActiveSync (EAS).  The fix is to update all of these internal URLs to match the name on the cert (in Exchange 2010, Enable-OutlookAnywhere also requires the -SSLOffloading parameter; set it to $false unless a load balancer terminates SSL in front of the CAS):
  • Set-ClientAccessServer -Identity "mbx1" -AutodiscoverServiceInternalUri https://nlb.nwtraders.msft/autodiscover/autodiscover.xml
  • Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx
  • Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/OAB
  • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod NTLM -SSLOffloading $false
  • Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/Microsoft-Server-ActiveSync
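Before and after running the Set-* commands above it helps to audit every client-facing URL against the names the certificate actually carries, rather than fixing one service at a time as the alerts come in.  The script below is an added example for this post, not code from the original article or from Microsoft; it is read-only and changes nothing.  It assumes it is run in the Exchange Management Shell on the CAS, that "mbx1" and the thumbprint are placeholders from the post to be replaced with your own values, and that the cmdlets it reads from (Get-ExchangeCertificate, Get-ClientAccessServer, Get-WebServicesVirtualDirectory, Get-OabVirtualDirectory, Get-ActiveSyncVirtualDirectory, Get-OutlookAnywhere) expose the properties named here.

```powershell
# Added audit script, not from the original post: lists every client-facing URL
# on a CAS server and reports which host names are not covered by the enabled
# certificate. Run it in the Exchange Management Shell on the CAS. "mbx1" and
# the thumbprint are placeholder values from the post. Read-only.
param(
    [string]$Server = "mbx1",
    # Thumbprint pasted straight from the MMC Details tab, spaces included.
    [string]$Thumbprint = "59 5e a4 7c f0 4e 66 da 3d 6b 29 95 f7 c4 b1 72 ca 0f 82"
)

# The MMC inserts a space between bytes; Exchange wants the bare hex string.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint on this server." }
if ($cert.Services.ToString() -notmatch 'IIS') {
    Write-Warning "Certificate $Thumbprint is not enabled for IIS; Outlook will not be offered it."
}

# Names the certificate is valid for (CN plus every SAN entry), lower-cased.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# True when $HostName is listed on the certificate. A single-label wildcard is
# honoured: "*.nwtraders.msft" covers "nlb.nwtraders.msft", not "a.b.nwtraders.msft".
function Test-NameOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    $HostName = $HostName.ToLower()
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                      # ".nwtraders.msft"
            if ($HostName.EndsWith($suffix)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -ne '' -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# New-Object PSObject (rather than [pscustomobject]) keeps this running under
# the PowerShell 2.0 shell that Exchange 2010 ships with.
function New-Entry($Service, $Url) {
    New-Object PSObject -Property @{ Service = $Service; Url = $Url }
}
$entries = @()
$cas = Get-ClientAccessServer -Identity $Server
$entries += New-Entry 'Autodiscover SCP (AutoDiscoverServiceInternalUri)' $cas.AutoDiscoverServiceInternalUri
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Server) {
    $entries += New-Entry 'EWS InternalUrl' $vd.InternalUrl
    $entries += New-Entry 'EWS ExternalUrl' $vd.ExternalUrl
}
foreach ($vd in Get-OabVirtualDirectory -Server $Server) {
    $entries += New-Entry 'OAB InternalUrl' $vd.InternalUrl
    $entries += New-Entry 'OAB ExternalUrl' $vd.ExternalUrl
}
foreach ($vd in Get-ActiveSyncVirtualDirectory -Server $Server) {
    $entries += New-Entry 'EAS InternalUrl' $vd.InternalUrl
    $entries += New-Entry 'EAS ExternalUrl' $vd.ExternalUrl
}
# Outlook Anywhere stores a bare host name rather than a URL; it is absent when
# OA has not been enabled on this server.
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) {
    $entries += New-Entry 'Outlook Anywhere ExternalHostname' ("https://" + $oa.ExternalHostname)
}

$report = foreach ($e in $entries) {
    if (-not $e.Url) { continue }          # unset ExternalUrl values are skipped
    $hostName = ([System.Uri]$e.Url).Host
    New-Object PSObject -Property @{
        Service       = $e.Service
        Host          = $hostName
        OnCertificate = Test-NameOnCertificate -HostName $hostName -CertNames $certNames
    }
}
$report | Sort-Object OnCertificate, Service | Format-Table Service, Host, OnCertificate -AutoSize

$bad = @($report | Where-Object { -not $_.OnCertificate })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} URL(s) use a host name that is not on the certificate; Outlook will raise the security alert for these." -f $bad.Count)
}
```

Any row with OnCertificate set to False is a URL that still points at a NetBIOS or other name the certificate does not cover, which is exactly the condition that produces the alert in the screenshot; the service column tells you which Set-* command from the list above to run.  Re-run the script after the changes and every row should read True.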

Note: If you decide to enable OA externally, the external host name configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate presented to clients, and it must also match the endpoint (msstd:) value in the client profile.

For a Subject Alternative Name (SAN) certificate to work for clients connecting to the OA service when the CPN does not match the msstd value configured in the Outlook client profile (but the host name is listed in the SAN part of the certificate), the following conditions need to be met:
  • Outlook 2007 or higher
  • Vista SP1

After this is completed, when you open Outlook 2010 you will no longer get the certificate error.
