SSL Certificate to workgroup PC and other domain

Hello

Some of the clients are not joined to the domain and are on workgroup PCs.

Whenever they access Exchange Server 2013 OWA in a browser, they get a certificate error.

They can log in to their accounts without any issue, but I want to get rid of the SSL certificate error in their browser.

Clients which are on the domain do not get the SSL certificate error, but workgroup PCs always do.

Also, in the same organization I have a different domain controller with a different domain.

For example, the Exchange server is installed on the domain2.local network.

While many clients are on domain1.local. I do not want to join them to the domain1.local network.

Clients on the domain1.local network also get the same SSL certificate error while accessing their mailbox via browser (OWA).

How can I resolve the SSL certificate error for both workgroup clients and other-domain clients (all are on the same LAN)?

June 1st, 2015 10:35am

What's the certificate error exactly?

Ensure the certs are trusted by all the clients.

June 1st, 2015 10:38am

It's not an error, I would say a warning. Same as everyone gets for an invalid SSL certificate on HTTPS.

How would I make the client trust the certificate? Those are workgroup PCs or on a different domain, but on the same LAN.

On Firefox:

192.168.2.56 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The certificate is only valid for the following names: s-mail.mydomain.local, 192.168.2.56, AutoDiscover.mydomain.local, AutoDiscover.realdomain.com, AutoDiscover.realdomain2.com, s-mail, mydomain.local, realdomain.com, realdomain2.com (Error code: sec_error_unknown_issuer)

On Chrome it says:

This server could not prove that it is 192.168.2.56; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

NET::ERR_CERT_AUTHORITY_INVALID

Users (clients) can ignore this warning and log in to their mailbox, but I want to solve the certificate error.


June 1st, 2015 12:24pm



If using internal CA certs or self-signed ones, then you would need to distribute the certificates (and their chains) to each client somehow (shared drive, email, link, download and install directly from the OWA page, etc.).

If using 3rd party certs, most clients would already trust them.

June 1st, 2015 1:02pm

Yes, I am using internal CA certs.

For distribution, how can I download that certificate?

I have two servers:

dc1.mydomain.local (domain controller for mydomain.local) (192.168.2.50)

mail1.mydomain.local (Exchange server installed) (192.168.2.51)

I went to http://192.168.2.50/certsrv (to dc1; I typed the IP because the client cannot resolve dc1 by name)

and it asked me for a password; I entered the administrator username and password of dc1.

I clicked on "Download a CA certificate, certificate chain, or CRL"

then "Download CA certificate chain".

I saved that certificate. On the client PC I went to MMC and, under "Trusted Root Certification Authorities", I imported this certificate.

But on the same PC, when I go to https://192.168.2.51/owa, it still gives me the same error for an invalid security certificate.

Please let me know if I am doing anything wrong here. Am I downloading the certificate from the right place? Am I importing the right certificate to the client PC?

June 1st, 2015 1:22pm

The issue now (at least from your description) is that you are not accessing the website using a name that is on the certificate. Try https://mail1.domain.local/owa and see if you get a cert error.

Since you can't put an IP on the cert (at least to my knowledge), the message you are getting is expected.

June 1st, 2015 1:37pm

I cannot use https://mail1.domain.local/owa because the workgroup client does not find such a host by name.

The client cannot resolve mail1.mydomain.local,

so I am using the IP instead of the name.

June 1st, 2015 1:47pm


Then you need to add it to the workgroup's DNS so they can resolve it, or each PC in the workgroup needs an entry for it in its local hosts file.
June 1st, 2015 1:50pm

Thanks a lot, Andy.

Perfect. Wooooohh..

I got it solved.

One more last thing, which I said in the first question also:

This worked well for workgroup clients.

How can I solve the same for clients which are on the same LAN but on a different domain and DC?

Do I need to install the same certificate on that other DC also, with the same procedure?

E.g.: on the domain controller of the other domain, go to MMC and then import.

Please let me know.

Thanks a lot.

June 1st, 2015 2:04pm


Yeah, for them I would mimic what you did for these users. Of course, this could all be avoided with DNS and 3rd party certs :)

June 1st, 2015 2:38pm

Okay, so installing the same certificate on dc1 would resolve this issue for all clients connected to this 2nd domain. And I do not have to install certs on each PC, since they are connected to this 2nd domain and the 2nd domain has certs for the 1st domain (Exchange server domain). No need for Group Policy.

Just add certs on the 2nd DC via MMC and entries in the DNS server of the 2nd domain.

Correct me if I am wrong.

>>>>

3rd party, I understand, but it would be expensive, and since this is just the beginning, I would try for a few more weeks and then could buy 3rd party certs.

How can I resolve it via DNS? Or is it that DNS and 3rd party go together?

June 1st, 2015 2:49pm


Ok, I will take your word for it that a GPO isn't needed. Bottom line: the certs need to be trusted, and however you make that happen is what needs to be done.

For the DNS issue, I was referring strictly to the part where you said the workstations could not resolve the FQDN of the Exchange servers.

Certs are not very expensive, actually, especially compared to the admin costs of having to push untrusted certs out to clients. Looked at that way, 3rd party certs are a bargain!

June 1st, 2015 2:56pm
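Added example, not from the thread: a PowerShell check to run on one of the affected clients. Trust is decided against that client's own certificate store (the point of the "certs need to be trusted" reply above and of the earlier advice to distribute the internal CA chain), and the URL host must be one of the names on the certificate. The OWA host name and the .p7b path are assumed placeholders; `Import-Certificate` is the standard PKI module cmdlet on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread): show why OWA's certificate is rejected on this client,
# and optionally import the internal CA chain into the machine-wide Trusted Root store.
# Assumed values: the OWA host name and the .p7b saved from "Download CA certificate chain" on certsrv.
param(
    [string]$OwaHost   = 'mail1.mydomain.local',   # must be a name listed in the cert's SAN
    [int]$Port         = 443,
    [string]$ChainFile = 'C:\certs\certnew.p7b'    # placeholder path of the downloaded chain
)

# 1. Fetch the server certificate; the callback returns $true so validation failure does not abort.
$tcp = New-Object System.Net.Sockets.TcpClient($OwaHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($OwaHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 2. Name check: browsers compare the URL host against the Subject Alternative Name list,
#    so https://192.168.2.51/owa only works if that IP literal itself is in the list.
$san = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '(no SAN extension)' }
Write-Host "Subject : $($serverCert.Subject)"
Write-Host "SANs    : $sanText"
Write-Host "Issuer  : $($serverCert.Issuer)"
if ($sanText -notmatch [regex]::Escape($OwaHost)) {
    Write-Warning "'$OwaHost' is not in the SAN list; use a listed name and make it resolvable (DNS or hosts file)."
}

# 3. Trust check: build the chain against this machine's stores, as the OS (and Chrome/IE) does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate problem
if ($chain.Build($serverCert)) {
    Write-Host "Chain builds to a trusted root on this machine: OK"
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Chain NOT trusted on this machine: $status"
    if (Test-Path $ChainFile) {
        # Put the CA chain in the machine Trusted Root store (needs an elevated prompt).
        # For a multi-tier CA, import the issuing CA certs into Cert:\LocalMachine\CA instead.
        Import-Certificate -FilePath $ChainFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
        Write-Host "Imported $ChainFile into LocalMachine\Root; re-run to confirm the chain now builds."
    }
}
```

Current Firefox versions keep their own trust store and only honour the Windows one when security.enterprise_roots.enabled is set to true, so the Firefox warning needs that preference or a separate import into Firefox.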



One issue remains open.

I did install the security certificate on the DC of domain2 (from MMC).

I added "domain1 dns" as a secondary DNS zone on the domain2 DC.

All clients behind this domain2 can resolve the FQDN of all clients of domain1.

This means clients of domain2.local can resolve mail1.domain1.local,

but still all clients on domain2 get the certificate error. Do all clients on domain2 need to install the certificate?

Why are domain2 clients not able to trust the certificate issued by domain1 and installed only on the domain2 DC?

Let me know if I am missing anything.

Thanks

June 2nd, 2015 9:39am
