Exchange 2007 Outlook Anywhere SSL Error
I was using a wildcard certificate for my hub/cas servers, however a few employees had old phones and they were not compatible with wildcard certs. I changed the cert to be owa.domain.com and installed it on the server for the IIS services. If you go to https://owa.domain.com the cert shows as working correctly, however I'm getting a cert error when using Outlook anywhere autodiscover. If I switched the cert back to the wildcard cert there is no warning. The intermediaries for both the certs are the same. When using Outlook Anywhere to connect it gives a warning about the certificate, if you then view the cert it shows "the issuer of the certificate could not be found". This strikes me as odd because if you use https://owa.domain.com and view the certificate path you can see the root, intermediary, and cert. Any ideas?
October 20th, 2009 7:52am
Do you have a SAN on your certificate for autodiscover.domain.com? Autodiscover requires this to be there for it to work, which is why it seems it worked when you had the wildcard cert.
October 20th, 2009 11:54am
I don't have a SAN cert, but is there a way to configure the autodiscover service to use the cert's name instead? I could get a cert for autodiscover.domain.com and then have it auto redirect there, but that's such a hack job.
October 21st, 2009 6:28am
Take a look at this: http://support.microsoft.com/kb/940881
You would need to create an autodiscover SRV record to use the same cert, as mentioned in that KB.
October 21st, 2009 8:36am
I created the SRV record in the external zone as suggested in that KB and set the record to point to the name of my external URL, owa.domain.com. I made sure that the Outlook client was patched, and two things happened:
1. I was still prompted that the SSL issuer was invalid for autodiscover.domain.com.
2. It asked me to allow the redirection on the client to the website https://owa.domain.com/Autodiscover/Autodiscover.xml
Bleh.
It looks like this: a "Security Alert" that puts autodiscover.domain.com at the top and has 2 green checks and a red X, and the error shows "The name on the security certificate is invalid or does not match the name of the site", do you wish to proceed? If you look at the view certificate option it shows the cert for owa.domain.com, and if you view the certificate path you see there is no root or intermediary; instead it shows only the owa.domain.com SSL cert and the certificate status is "The issuer of this certificate could not be found".
October 21st, 2009 11:44pm
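An added example, not code from any post in this thread: it checks which hosts contacted during Autodiscover are covered by a certificate's names, showing why the wildcard cert raised no name warning while the owa.domain.com cert does. The function names are hypothetical, the host names are the thread's placeholders, and the lookup order (bare domain, then autodiscover.<domain>, then the SRV target) is an assumption about Outlook's usual behaviour.

```python
# Added example: certificate name coverage for Outlook Autodiscover.
# Host names are the thread's placeholders; function names are hypothetical.

def name_matches(pattern, host):
    """Match one certificate dNSName against a host name.

    A wildcard is honoured only as the whole left-most label and covers
    exactly one label: *.domain.com matches autodiscover.domain.com but
    not domain.com and not a.b.domain.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label (e.g. *.com).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, host):
    """True if any name on the certificate matches the host."""
    return any(name_matches(name, host) for name in san_names)


def autodiscover_hosts(smtp_domain, srv_target=None):
    """Hosts contacted over HTTPS during Autodiscover (assumed order)."""
    hosts = [smtp_domain, "autodiscover." + smtp_domain]
    if srv_target:
        # Target of the _autodiscover._tcp SRV record from KB 940881.
        hosts.append(srv_target)
    return hosts


def report(san_names, smtp_domain, srv_target=None):
    """Map each Autodiscover host to whether the certificate covers it."""
    return {h: cert_covers(san_names, h)
            for h in autodiscover_hosts(smtp_domain, srv_target)}


if __name__ == "__main__":
    certs = {  # constructed name lists for the three cases discussed
        "wildcard": ["*.domain.com"],
        "single name": ["owa.domain.com"],
        "SAN cert": ["owa.domain.com", "autodiscover.domain.com"],
    }
    for label, names in certs.items():
        print(label, report(names, "domain.com", "owa.domain.com"))
```

This checks name coverage only; it does not validate the chain, so it says nothing about the "issuer could not be found" status described in the last post.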