Exchange 2007 SSL
		
We have an Exchange Server 2007 that has bad SSL cert information. We have a hosted web server that hosts a web application at a 3rd-party host, and that server has a certificate for *.publicdomain.com.
Our Exchange server is hosted on our local server and is not at all connected to the public hosted web server; it has the domain pdc.localdomain.local and a public MX record of mail.localdomain.net. The problem is that when our Outlook clients try to connect, we get a certificate mismatch warning because the cert is for autodiscover.localdomain.net and, when viewing the details, it is issued for/by *.publicdomain.com, which is our public hosted web server.
Somehow the SSL cert we purchased was installed locally by the previous admin and is causing a mismatch with our Exchange server locally and publicly. How can this purchased SSL cert be removed from our local server so we can operate normally?
				September 10th, 2011 4:30am
You need to change your web services URL from the default autodiscover.localdomain.net to autodiscover.publicdomain.com.
Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726
Also since you're using a wildcard cert you need to do the fix afterwards.
Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere
http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
					September 10th, 2011 4:39am
I don't want to use the public cert; I want to use the local self-signed cert. The hosting company doesn't handle our Exchange server.
				September 10th, 2011 5:06am
Then just use the self-signed cert instead of the public cert. The self-signed cert should still exist unless it was deleted. You can run Get-ExchangeCertificate | fl and see if you see the default self-signed cert and whether the date is still valid. If so, just bind the self-signed cert using the Enable-ExchangeCertificate command. Also keep in mind that if you don't use a public cert, your users will get cert warnings when using OWA, and Outlook Anywhere will not work.
How to renew a self signed certificate in Exchange Server 2007
http://msexchangegeek.com/2009/04/24/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/
 
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com		
					September 10th, 2011 5:11am
How do I use the self-signed cert instead? I have re-created the self-signed certificate, and it is the only one that shows up when running Get-ExchangeCertificate; only the default is listed. Somehow it keeps referring to the public cert.
I am aware of the public cert not working for Outlook Anywhere; the problem is that that public cert is for a completely separate domain.
				September 10th, 2011 5:14am
			What does autodiscover.publicdomain.com resolve to? Is that defined?		
					September 10th, 2011 5:17am
When you do Get-ExchangeCertificate | fl, get the thumbprint of the self-signed cert. Then run
Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS,SMTP,POP,IMAP
(use whatever services you need). Bounce IIS after.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
				September 10th, 2011 5:17am
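The bind step above, written out as an added example (not code from the thread): it runs in the Exchange Management Shell on the CAS server, picks the self-signed certificate by its IsSelfSigned flag rather than by a hard-coded thumbprint, regenerates it if it is missing or expired, and binds it to IIS and SMTP. The host names used for the regenerated certificate (pdc.localdomain.local, mail.localdomain.net, autodiscover.localdomain.net) are the placeholders from the question; substitute the real ones.

```powershell
# Added example (not from the thread): in the Exchange Management Shell on the
# CAS server, find the default self-signed certificate and bind it to IIS and
# SMTP, replacing whatever is bound now. Host names are the thread's placeholders.

# Everything Exchange knows about, with the fields that matter for the mismatch.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, NotAfter, Services, CertificateDomains

# The newest self-signed certificate that has not expired. IsSelfSigned is what
# separates the Exchange default from a purchased one such as *.publicdomain.com.
$selfSigned = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($selfSigned -eq $null) {
    # Deleted or expired: create a new self-signed certificate that names every
    # host the clients connect to, so Outlook's name check passes for all of them.
    New-ExchangeCertificate -DomainName "pdc.localdomain.local", "mail.localdomain.net", "autodiscover.localdomain.net" `
        -FriendlyName "Exchange self-signed" -PrivateKeyExportable $true
    $selfSigned = Get-ExchangeCertificate |
        Where-Object { $_.IsSelfSigned } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

"Binding " + $selfSigned.Thumbprint + " (" + $selfSigned.Subject + ")"

# Bind to the services the server actually offers; add POP, IMAP only if used.
Enable-ExchangeCertificate -Thumbprint $selfSigned.Thumbprint -Services IIS, SMTP

# IIS only picks up the new binding after a restart.
iisreset /noforce

# Confirm: the Services column should now show IIS and SMTP on this thumbprint.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
```

As the reply above notes, a self-signed certificate is not trusted by clients, so Outlook Anywhere and OWA will still warn unless the certificate is imported into each client's Trusted Root store; the example only makes the server present a certificate whose names match.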
> I don't want to use the public cert, I want to use the local self-signed cert. The hosting company doesn't handle our Exchange server.

Do you have external clients connecting to your Exchange Server? If so, using the self-signed cert is a bad idea.
					September 10th, 2011 5:50am
			I don't think you understand - think of it as 2 completely different organizations		
				September 10th, 2011 5:51am
			What I don't understand is, how and/or where is that public cert located on this private domain?  How can I remove it from this local private domain?		
					September 10th, 2011 5:52am
Is this Windows 2003? Launch IIS Manager: Start menu, Run, type inetmgr. Web Sites, Default Web Site, Properties, Directory Security, View Certificate.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
				September 10th, 2011 5:56am
			I've done that but it doesn't show the public certificate anywhere yet the public shows when any client tries to connect.		
					September 10th, 2011 6:10am
Is this an SBS server?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
				September 10th, 2011 6:14am
			No, Windows 2003 Std, Exchange 2007		
					September 10th, 2011 6:21am
Hi,
I assume that your users have a primary SMTP address with @localdomain.net?
I agree with AndyD that using a self-signed cert is really a bad idea.
If you don't want to use a 3rd-party certificate, that's fine, but you really need a certificate the clients will trust.
Issue a certificate with the names needed from a local Certificate Authority if you have one.
Can you run the following commands and post the output?
Get-WebServicesVirtualDirectory | fl Name,*url*
Get-ExchangeCertificate | fl

Martina Miskovic
				September 10th, 2011 8:36am
This is not a question of what kind of certificate is better; obviously using a self-signed cert is not ideal. The problem is that somehow there is a cert for a domain that has nothing to do with this domain installed on and being used by this server, and I can't find where to get rid of it. Think of it this way: this organization is www.abc.net, yet there is a certificate for *.notmydomain.com installed here.
When I run Get-ExchangeCertificate | fl, it only shows a self-signed certificate for www.abc.net, but somehow in the details of the cert error on the Outlook client it shows that it's a cert for www.abc.net issued by *.notmydomain.com, therefore causing a mismatch.
					September 10th, 2011 5:07pm
Check the Certificate store MMC and see if it's listed there.
Are the Outlook clients actually accessing an external cert?
Run Test E-mail AutoConfiguration
http://www.addictivetips.com/microsoft-office/outlook-2010-test-email-auto-configuration/
and check the URLs Outlook is contacting. Are all of them local and valid?
				September 10th, 2011 5:21pm
			On Sat, 10 Sep 2011 14:21:07 +0000, AndyD_ wrote:
 
>Check the Certificate store MMC and see if its listed there under. 
 
And be sure to check the Local Machine's certificate store!
 
Another place to look might be on an ISA server or load-balancer or
SSL offloading device. Many of those have certificates installed on
them, too.
 
---
Rich Matheisen
MCSE+I, Exchange MVP
					September 10th, 2011 7:24pm
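The store check the two replies above ask for, as an added example that is not part of the thread: it searches every Local Machine and Current User certificate store for anything naming the public domain, lists what Exchange has bound to IIS, and reads the IIS 6 metabase through WMI to get the thumbprint the Default Web Site is actually configured to serve. "publicdomain.com" is the thread's placeholder; the WMI step assumes the IIS 6 WMI provider (root\MicrosoftIISv2) that ships with Windows 2003.

```powershell
# Added example (not from the thread): find where a certificate for the public
# domain is actually installed on this server and what IIS is presenting.
# "publicdomain.com" is the thread's placeholder; substitute the real domain.
$domain = "publicdomain.com"

# 1. Every Local Machine store, not just Personal (My): a certificate can sit in
#    Web Hosting, Trusted Root or an odd store and still be bound by IIS.
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Subject -like "*$domain*" -or $_.Issuer -like "*$domain*" } |
    Select-Object PSParentPath, Thumbprint, Subject, Issuer, NotAfter |
    Format-List

# 2. Same check for the account running the shell (Current User stores).
Get-ChildItem Cert:\CurrentUser -Recurse |
    Where-Object { $_.Subject -like "*$domain*" -or $_.Issuer -like "*$domain*" } |
    Select-Object PSParentPath, Thumbprint, Subject |
    Format-List

# 3. What Exchange has bound to IIS. Services renders as a string such as "IIS, SMTP".
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" } |
    Format-List Thumbprint, Subject, Issuer, CertificateDomains

# 4. On IIS 6 (Windows 2003) the SSL binding lives in the metabase; read it via
#    WMI. SSLCertHash is the thumbprint of the certificate the site serves. If it
#    is not one of the thumbprints from step 3, the site is using a certificate
#    Exchange does not know about.
Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebServerSetting |
    Where-Object { $_.SSLCertHash } |
    ForEach-Object {
        $hash = [BitConverter]::ToString([byte[]]$_.SSLCertHash) -replace "-", ""
        "{0} ({1}) serves thumbprint {2}" -f $_.Name, $_.ServerComment, $hash
    }
```

If none of the four steps turns up a certificate naming the public domain, the Exchange server is not the thing presenting it, and the places to look next are the ones the reply above names: an ISA server, load balancer or SSL offloading device in front of it, plus the DNS answer the clients are getting for the Autodiscover name.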
			Hello,
 
If you have to use the "*.publicdomain.com" wildcard certificate for OWA and your Outlook clients, then you need to make the following changes to avoid certificate mismatch warnings:
 
1. Change the autodiscover SCP to
https://autodiscover.publicdomain.com/autodiscover/autodiscover.xml
2. Point the autodiscover.publicdomain.com to the CAS server.
3. Change the EWS, OAB, and UM internal URLs to:
 
EWS:
https://autodiscover.publicdomain.com/EWS/exchange.asmx
OAB:
https://autodiscover.publicdomain.com/OAB
UM:
https://autodiscover.publicdomain.com/EWS/UMlegacy2007/asmx
 
Set-UMVirtualDirectory
http://technet.microsoft.com/en-us/library/bb124335(EXCHG.80).aspx
 
Set-WebServicesVirtualDirectory
http://technet.microsoft.com/en-us/library/aa997233(EXCHG.80).aspx
 
Set-OABVirtualDirectory
http://technet.microsoft.com/en-us/library/bb124707(EXCHG.80).aspx
 
Thanks,
Simon		
				September 14th, 2011 11:10am
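The three steps above as Exchange Management Shell commands, with a check at the end; this is an added example, not code from the thread. Assumptions: the CAS server is named PDC (the question gives pdc.localdomain.local), the internal DNS A record for autodiscover.publicdomain.com already points at that server (step 2 is a DNS change, not an Exchange one), the UM URL uses Exchange 2007's default /UnifiedMessaging/Service.asmx path (skip that line if Unified Messaging is not deployed), and user@localdomain.net stands for any real mailbox's primary SMTP address.

```powershell
# Added example (not from the thread): point the Autodiscover SCP and the
# virtual directory URLs at one name the certificate covers, then verify.
$cas  = "PDC"                              # CAS server name (assumed)
$name = "autodiscover.publicdomain.com"    # thread's placeholder

# Step 1: the Autodiscover SCP that domain-joined Outlook clients read from AD.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$name/Autodiscover/Autodiscover.xml"

# Step 2 is DNS: create an A record for $name pointing at the CAS server in the
# DNS zone the clients use. Nothing to do in Exchange for it.

# Step 3: URLs handed back by Autodiscover. Both internal and external are set
# so that every client, inside or outside, is told a name the certificate covers.
Get-WebServicesVirtualDirectory -Server $cas |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$name/EWS/Exchange.asmx" `
                                    -ExternalUrl "https://$name/EWS/Exchange.asmx"

Get-OabVirtualDirectory -Server $cas |
    Set-OabVirtualDirectory -InternalUrl "https://$name/OAB" `
                            -ExternalUrl "https://$name/OAB"

# Only if Unified Messaging is deployed; path is the Exchange 2007 default (assumed).
Get-UMVirtualDirectory -Server $cas |
    Set-UMVirtualDirectory -InternalUrl "https://$name/UnifiedMessaging/Service.asmx"

# IIS caches the old values; restart it so the new URLs are served.
iisreset /noforce

# Check what was set...
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Name, *Url*
Get-OabVirtualDirectory -Server $cas | Format-List Name, *Url*

# ...and what Outlook would actually get: Test-OutlookWebServices walks
# Autodiscover for a mailbox and reports each URL it receives and whether the
# certificate at that URL passed. Any Error row here is a warning the user sees.
Test-OutlookWebServices -Identity "user@localdomain.net" | Format-List Id, Type, Message
```

Because every name Outlook is handed now sits under publicdomain.com, the wildcard certificate matches them all; the Outlook Anywhere caveat for wildcard certificates linked earlier in the thread still applies and has to be done separately.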
Okay, I've checked, and I don't get the mismatch when Outlook is used/installed on the Exchange server itself, only on the client workstations. It doesn't matter, however, whether they are domain machines or workgroup computers that connect; they get the mismatch. I set up a new clean machine that was never joined to the domain, and when I connect with Outlook, I still get the mismatch message.
There are no certificates on either of our servers when I searched for the public cert in the MMC for both the current user and the local computer.
					September 20th, 2011 6:41pm
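A way to pin down the difference the last post describes (no warning on the server, a warning on every workstation): run the probe below on a workstation and then on the Exchange server and compare. This is an added example, not code from the thread. For each address the name resolves to, it opens a TLS session, reports the certificate that was actually presented (subject, issuer, thumbprint) and whether the certificate's names cover the host. Certificate validation is deliberately switched off so that an untrusted certificate is still shown. It needs PowerShell 2.0 on the client; autodiscover.localdomain.net and mail.localdomain.net are the thread's placeholders.

```powershell
# Added example (not from the thread): what does this name resolve to from here,
# and which certificate does that address present on 443?
function Test-NameCoversHost {
    param([string]$CertName, [string]$HostName)
    $CertName = $CertName.ToLower(); $HostName = $HostName.ToLower()
    if ($CertName -eq $HostName) { return $true }
    # A wildcard covers exactly one label: *.example.com matches a.example.com
    # but not a.b.example.com and not example.com itself.
    if ($CertName.StartsWith("*.")) {
        $suffix = $CertName.Substring(1)
        return $HostName.EndsWith($suffix) -and
               ($HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch "\.")
    }
    return $false
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    foreach ($addr in [System.Net.Dns]::GetHostAddresses($HostName)) {
        $client = New-Object System.Net.Sockets.TcpClient
        $client.Connect($addr, $Port)
        # Validation callback always returns $true: we want to see the certificate, not trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Names the certificate is valid for: subject CN plus any SAN DNS entries.
        $names = @()
        if ($cert.Subject -match "CN=([^,]+)") { $names += $Matches[1] }
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq "2.5.29.17") {
                foreach ($m in [regex]::Matches($ext.Format($false), "DNS Name=([^,\s]+)")) {
                    $names += $m.Groups[1].Value
                }
            }
        }
        $covered = $false
        foreach ($n in $names) { if (Test-NameCoversHost $n $HostName) { $covered = $true } }

        New-Object PSObject -Property @{
            HostName    = $HostName
            Address     = $addr.IPAddressToString
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Names       = ($names -join ", ")
            NameMatches = $covered
        }
        $ssl.Close()
        $client.Close()
    }
}

# Run on a workstation, then on the Exchange server, and compare the two.
# A different Address or Thumbprint means the clients are reaching a different
# listener than the server itself does; NameMatches $false is the Outlook warning.
Get-ServedCertificate "autodiscover.localdomain.net" | Format-List
Get-ServedCertificate "mail.localdomain.net" | Format-List
```

The thumbprint this prints is the one to look for in the certificate stores; if it is not on the Exchange server at all, the certificate is being served by whatever host the workstation's DNS resolves the name to.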