From: RAM on 29 Apr 2010 14:55

Just installed my Exchange 2010 CAS servers and applied our new certificate with 3 Subject Alternative Names (mail.domain.com, autodiscover.domain.com, legacy.domain.com). This certificate was applied on Monday.

Now I have 2 users (possibly more, but have only heard from these 2) that report getting a Security Alert when opening Outlook 2007:

-------------------------------
CAS01.corp.domin.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate:

(green check) The security certificate is from a trusted certifying authority.
(green check) The security certificate date is valid.
(red X) The name on the security certificate is invalid or does not match the name of the site.

Do you want to proceed? [Yes] [No] [view certificate]
-------------------------------

Clicking Yes gives same alert from CAS02 server.

Tried installing the certificate, to no avail.

Tried applying Outlook 2007 hotfix (KB968858) which is supposed to let Outlook 2007 recognize SAN certificates; no good.

Tried applying SP2 for Office 2007; no good. (applying the above hotfix after SP2 was installed gives "the update is already installed").

I found a KB article (940726) that seems to describe this perfectly, but I hesitate to modify the URLs for the appropriate Exchange 2010 components when this is only happening with 2 (reported) users. Why wouldn't EVERYONE with Outlook 2007 have this problem if the cause is some mis-named URLs on the servers?

Can anyone explain why this is happening (to only 2 users) and what I need to do to get rid of their Security Alerts?

Thanks in advance.

-RAM

From: Ed Crowley [MVP] on 30 Apr 2010 14:21

Your certificate doesn't have the server names as SANs. Check all the internal (and external if necessary) virtual directory settings like in Get-OABVirtualDirectory, Get-WebServicesVirtualDirectory, Get-AutodiscoverVirtualDirectory, Get-ActiveSyncVirtualDirectory and Get-ClientAccessServer (AutodiscoverServiceInternalUri property) and verify that all are set to the URL hostnames and not the server hostnames and that should fix it. Or you could add the DNS and NetBIOS names as SANs. Or you could do both. Obviously adding the hostnames as SANs is easier if you're using an internal certificate and you don't have to pay for the additional names.

--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"RAM" <rmilbrand(a)gfnet.com> wrote in message news:cc1a982d-9768-473a-ba8e-3c89339dbf3b(a)o15g2000vbb.googlegroups.com...
> Just installed my Exchange 2010 CAS servers and applied our new
> certificate with 3 Subject Alternative Names (mail.domain.com,
> autodiscover.domain.com, legacy.domain.com). This certificate was
> applied on Monday.
>
> Now I have 2 users (possibly more, but have only heard from these 2)
> that report getting a Security Alert when opening Outlook 2007:
> -------------------------------
> CAS01.corp.domin.com
>
> Information you exchange with this site cannot be viewed or changed by
> others. However, there is a problem with the site's security
> certificate:
>
> (green check) The security certificate is from a trusted certifying
> authority.
> (green check) The security certificate date is valid.
> (red X) The name on the security certificate is invalid
> or does not match the name of the site.
>
> Do you want to proceed? [Yes] [No] [view certificate]
> -------------------------------
>
> Clicking Yes gives same alert from CAS02 server.
>
> Tried installing the certificate, to no avail.
>
> Tried applying Outlook 2007 hotfix (KB968858) which is supposed to let
> Outlook 2007 recognize SAN certificates; no good.
>
> Tried applying SP2 for Office 2007; no good. (applying the above
> hotfix after SP2 was installed gives "the update is already
> installed").
>
> I found a KB article (940726) that seems to describe this perfectly,
> but I hesitate to modify the URLs for the appropriate Exchange 2010
> components when this is only happening with 2 (reported) users. Why
> wouldn't EVERYONE with Outlook 2007 have this problem if the cause is
> some mis-named URLs on the servers?
>
> Can anyone explain why this is happening (to only 2 users) and what I
> need to do to get rid of their Security Alerts?
>
> Thanks in advance.
>
> -RAM
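
One way to carry out the check described in the reply above, as an added example that is not part of the thread: it compares the hostname in each configured service URL against the certificate's SAN list. The function names, the cas01.corp.domain.com host and the URL values are constructed for illustration.

```powershell
# Added example: flag Exchange URL hostnames that the certificate's SANs do not cover.
function Test-HostCoveredBySan {
    param([string]$HostName, [string[]]$SanNames)
    foreach ($san in $SanNames) {
        if ($san -ieq $HostName) { return $true }
        # A wildcard SAN such as *.domain.com covers exactly one left-most label.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -and $left -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Find-UrlNameMismatch {
    param([hashtable]$ServiceUrls, [string[]]$SanNames)
    foreach ($entry in ($ServiceUrls.GetEnumerator() | Sort-Object Key)) {
        if (-not $entry.Value) { continue }   # settings with no URL are skipped
        $hostName = ([Uri]$entry.Value).Host
        New-Object PSObject -Property @{
            Setting = $entry.Key
            Host    = $hostName
            Covered = Test-HostCoveredBySan -HostName $hostName -SanNames $SanNames
        } | Select-Object Setting, Host, Covered
    }
}

# Constructed sample data. On a real server the SAN list comes from
# (Get-ExchangeCertificate).CertificateDomains (converted to strings) and the
# URLs from the cmdlets named in the reply, e.g. the AutoDiscoverServiceInternalUri
# of Get-ClientAccessServer and the InternalUrl of Get-WebServicesVirtualDirectory.
$sanNames = 'mail.domain.com', 'autodiscover.domain.com', 'legacy.domain.com'
$serviceUrls = @{
    'CAS01 AutoDiscoverServiceInternalUri' = 'https://cas01.corp.domain.com/Autodiscover/Autodiscover.xml'
    'CAS01 EWS InternalUrl'                = 'https://cas01.corp.domain.com/EWS/Exchange.asmx'
    'CAS01 OAB InternalUrl'                = 'https://mail.domain.com/OAB'
    'CAS01 ActiveSync InternalUrl'         = 'https://mail.domain.com/Microsoft-Server-ActiveSync'
}

# Rows with Covered = False are the names a client will flag as a name mismatch.
Find-UrlNameMismatch -ServiceUrls $serviceUrls -SanNames $sanNames |
    Where-Object { -not $_.Covered } | Format-Table -AutoSize
```

With the sample data, the two settings that still point at the server hostname are listed; the two that use mail.domain.com are not.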

From: RAM on 3 May 2010 11:04

Ok - that's pretty much what the KB article said. So we'll go ahead and change the URLs in Exchange/AD. Thanks.

I just don't understand why only a few users are seeing the security alert and not ALL of us. Any idea or explanation for that?

-RAM