Outlook 2007 Certificate Error?

Published: 19th September 2008

When importing a new certificate into Exchange 2007, you might encounter a certificate error in Outlook 2007. I have included a screenshot of the error I encountered today:







When you choose the View Certificate button, it brings up another window that shows you which certificate is in error. In this case, the certificate name is "mail.shudnow.net."







So, the million-dollar question: why the error?



Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here.







So let's say we have a simple regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS. We just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Now I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:







Get-ExchangeCertificate

Thumbprint                                 Services  Subject
----------                                 --------  -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9  SIP.W     CN=mail.shudnow.net.com







What I did was go ahead and enable the certificate for every available service by using the following command:







Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9







The next step would be to ensure the AutoDiscoverServiceInternalUri is pointed to the CAS that will be your primary CAS for Autodiscover servicing.







Get-ClientAccessServer -Identity CASServer | FL







AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml







See the issue here? We are not using a UC certificate that contains the names "casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net". Since the Autodiscover directory in IIS will require SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match the name specified in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalUri by using the following command:







Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml







We now need to configure the InternalURL for each web distribution service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain-joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.







Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL, which will fail since this is not the CN of your simple certificate.







You can run the following commands to fix your InternalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.







Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true







Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB







Note: You must ensure that you enable SSL on the OAB directory in IIS, which is not on by default. The same goes for Basic Authentication on the OAB directory. The above command will only enable SSL, but will not ensure 128-bit SSL is required.







Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False







Note: The above Enable-OutlookAnywhere command works on RTM. For SP1, substitute -ExternalAuthenticationMethod with -ClientAuthenticationMethod.







Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync







Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true
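
A quick way to check the result, as an added example that is not part of the original article: the PowerShell below compares the host in each service URL against the names on the certificate. The function names and the sample hashtable are assumptions built from the host names used above; it goes beyond the single-CN case by accepting a list of names (as on a UC certificate) and a left-most wildcard.

```powershell
# Added example: flag service URLs whose host is not covered by the certificate.
# Function names are hypothetical; sample data is constructed from this article.

function Test-HostAgainstCertName {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        # -eq on strings is case-insensitive, as host name matching should be
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.shudnow.net matches mail.shudnow.net but not a.b.shudnow.net
        if ($name.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlCertMismatch {
    param([hashtable]$ServiceUrls, [string[]]$CertNames)
    foreach ($service in $ServiceUrls.Keys) {
        $uri = [Uri]$ServiceUrls[$service]
        New-Object PSObject -Property @{
            Service = $service
            UrlHost = $uri.Host
            Matches = (Test-HostAgainstCertName $uri.Host $CertNames)
        }
    }
}

# Constructed sample: the single-name certificate and the URLs discussed above
$certNames = @('mail.shudnow.net')
$urls = @{
    'Autodiscover (before)' = 'https://casnetbiosname/Autodiscover/Autodiscover.xml'
    'Autodiscover (after)'  = 'https://mail.shudnow.net/Autodiscover/Autodiscover.xml'
    'EWS'                   = 'https://mail.shudnow.net/EWS/Exchange.asmx'
    'OAB'                   = 'https://mail.shudnow.net/OAB'
}

Get-UrlCertMismatch $urls $certNames |
    Sort-Object Service |
    Format-Table Service, UrlHost, Matches -AutoSize
```

On a CAS, the names can be taken from the CertificateDomains property of Get-ExchangeCertificate and the URLs from the InternalUrl values returned by the Get-*VirtualDirectory cmdlets.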






