Internal Certificate Error

Hi Everyone,

Recently our Exchange certificate expired and I renewed it with our third-party SSL provider. My problem is that when I renewed the certificate I could no longer have internal names on it and could only use external domain names, e.g. *.kilmore.vic.edu.au, mail.kilmore.vic.edu.au, etc. The old cert had mail.kilmore.local and all was fine. Now that I have installed the new certificate, which no longer holds mail.kilmore.local, all my internal clients are receiving:

"Security Alert"

"mail.kilmore.local"

"Information you exchange with this site....."

How can I fix this? 



August 2nd, 2015 8:11pm

You need to have split DNS so that the external names (*.au) are resolved to internal IPs on your internal network.

Change the hostname part of the following items to the public names:

  • AutoDiscoverServiceInternalUri of all CAS
  • DNS record (A or SRV or both) for autodiscover service
  • InternalUrl and ExternalUrl of all OAB, EWS virtual directory
  • Outlook Anywhere internal and external hostname

Alternatively, you can set up your own CA to issue a cert with .local names, provided all your Outlook clients are running on managed machines.

August 2nd, 2015 11:04pm

Hi,

I suggest you deploy split-brain DNS and use the same URLs internally and externally.

We use split DNS to host an internal DNS zone for mail.kilmore.vic.edu.au. Then we can change all VDs, autodiscover, etc. to mail.kilmore.vic.edu.au.

Here's a similar thread about your question, for your reference:

https://social.technet.microsoft.com/Forums/office/en-US/80055b41-9bb4-4f33-9693-41a16230b243/reconfigure-exchange-2010-to-use-the-fqdn?forum=exchangesvrunifiedmessaging

Regards,

David 



August 3rd, 2015 1:11am

Thank you both for your replies,

Li Zhen & David Wang

I checked DNS (as I already have split DNS) and made sure all the hostnames resolved to an internal IP, and made sure that autodiscover had a CNAME set to the public name.

I then set all internal URLs to point to the public one.

Using the Exchange Management Console I went to

EMC > Server Configuration > Client Access > Outlook Web App Tab > OWA > Properties

and changed the internal URLs, then repeated this for the Exchange Control Panel, Exchange ActiveSync and Offline Address Book.

Opened IIS on the Exchange server and clicked Application Pools.

Right clicked on MSExchangeAutodiscoverAppPool and clicked Recycle.

Then, rather than repeat the same tasks by hand, I opened the Exchange Management Shell and ran these commands to make sure everything had the internal URL set to the public one:

Set-ClientAccessServer -Identity mail -AutodiscoverServiceInternalUri https://mail.kilmore.vic.edu.au/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "mail\EWS (Default Web Site)" -InternalUrl https://mail.kilmore.vic.edu.au/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "mail\oab (Default Web Site)" -InternalUrl https://mail.kilmore.vic.edu.au/oab

Set-ActiveSyncVirtualDirectory -Identity "mail\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.kilmore.vic.edu.au/Microsoft-Server-ActiveSync

Set-OWAVirtualDirectory -Identity "mail\owa (Default Web Site)" -InternalUrl https://mail.kilmore.vic.edu.au/owa

Set-ECPVirtualDirectory -Identity "mail\ecp (Default Web Site)" -InternalUrl https://mail.kilmore.vic.edu.au/ecp

And recycled the MSExchangeAutodiscoverAppPool again.

Restarted the client computer and Outlook, and NO certificate issue!

I did not change Outlook Anywhere as external outlook clients have had no issues.

Thanks for pointing me in the right direction.

  • Marked as answer by TKIS Admin 4 hours 58 minutes ago
August 3rd, 2015 10:28pm
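An added verification script (example code, not from any post in this thread) that checks the outcome of the checklist in the first reply and of the Set-* commands in the final post: it collects every URL and hostname that Autodiscover hands to Outlook, confirms each hostname is covered by the certificate bound to IIS (including one-label wildcard matching), confirms it is HTTPS, and confirms it resolves to an RFC 1918 address from inside the network, which is what split DNS should produce. It is meant to be run in the Exchange Management Shell on the CAS. The public name mail.kilmore.vic.edu.au and the server name "mail" are taken from the thread and are the only assumptions; InternalHostname for Outlook Anywhere only exists on Exchange 2013 and later, so it is checked only when present.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the CAS
# after changing the URLs. Assumptions: the public name and server name from the thread.
$PublicHost = 'mail.kilmore.vic.edu.au'
$ServerName = 'mail'

# Names on the IIS-bound certificate, i.e. what OWA/EWS/Autodiscover present to Outlook.
$cert = Get-ExchangeCertificate -Server $ServerName |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on $ServerName." }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-NameOnCert([string]$Name) {
    # Exact SAN match, or a wildcard covering exactly one label:
    # *.kilmore.vic.edu.au matches mail.kilmore.vic.edu.au, not a.mail.kilmore.vic.edu.au.
    $n = $Name.ToLower()
    foreach ($san in $certNames) {
        if ($san -eq $n) { return $true }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)                      # '.kilmore.vic.edu.au'
            if ($n.EndsWith($suffix)) {
                $label = $n.Substring(0, $n.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-ResolvesPrivately([string]$Name) {
    # $true only if the name resolves and every IPv4 answer is RFC 1918,
    # which is what the internal (split DNS) zone should return.
    try { $addrs = [System.Net.Dns]::GetHostAddresses($Name) } catch { return $false }
    $v4 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    if ($v4.Count -eq 0) { return $false }
    foreach ($a in $v4) {
        $b = $a.GetAddressBytes()
        $private = ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168)
        if (-not $private) { return $false }
    }
    return $true
}

# Every URL or hostname Autodiscover publishes, following the checklist in the first reply.
$targets = @()
$cas = Get-ClientAccessServer -Identity $ServerName
$targets += ,@('AutoDiscoverServiceInternalUri', $cas.AutoDiscoverServiceInternalUri)
$vdirs = @(Get-WebServicesVirtualDirectory -Server $ServerName) +
         @(Get-OabVirtualDirectory -Server $ServerName) +
         @(Get-ActiveSyncVirtualDirectory -Server $ServerName) +
         @(Get-OwaVirtualDirectory -Server $ServerName) +
         @(Get-EcpVirtualDirectory -Server $ServerName)
foreach ($vd in $vdirs) {
    $targets += ,@("$($vd.Identity) InternalUrl", $vd.InternalUrl)
    $targets += ,@("$($vd.Identity) ExternalUrl", $vd.ExternalUrl)
}
foreach ($oa in @(Get-OutlookAnywhere -Server $ServerName)) {
    # Exchange 2010 has only ExternalHostname; InternalHostname arrived in 2013.
    foreach ($p in 'ExternalHostname', 'InternalHostname') {
        if ($oa.PSObject.Properties[$p]) { $targets += ,@("Outlook Anywhere $p", "$($oa.$p)") }
    }
}

$report = foreach ($t in $targets) {
    $item, $value = $t
    $row = New-Object PSObject -Property @{ Item = $item; Host = '(not set)'; Https = ''; OnCert = ''; PrivateIP = ''; IsPublicName = '' }
    if ("$value" -ne '') {
        if ($value -is [System.Uri]) { $row.Host = $value.Host; $row.Https = ($value.Scheme -eq 'https') }
        else { $row.Host = "$value"; $row.Https = 'n/a' }   # Outlook Anywhere stores a bare hostname
        $row.OnCert       = Test-NameOnCert $row.Host
        $row.PrivateIP    = Test-ResolvesPrivately $row.Host
        $row.IsPublicName = ($row.Host -eq $PublicHost)
    }
    $row
}
$report | Format-Table Item, Host, Https, OnCert, PrivateIP, IsPublicName -AutoSize

$bad = @($report | Where-Object { $_.Host -ne '(not set)' -and
         ($_.OnCert -eq $false -or $_.PrivateIP -eq $false -or $_.Https -eq $false) })
if ($bad.Count) { Write-Warning "$($bad.Count) entries will still produce the certificate alert or are not resolved by the internal zone." }
else            { Write-Host    "Every published name is on the certificate and resolves to an internal address." }
```

A row with OnCert False is a name Outlook will show in the "Security Alert" dialog; a row with PrivateIP False means the internal DNS zone does not override that public name, so internal clients would be sent out through the firewall to reach their own server. Once the table is clean, the existing Test-OutlookWebServices cmdlet exercises Autodiscover end to end from the server and is a good final check before restarting clients.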
