SBS08 + Exchange07 showing wrong certificate for Outlook clients

phoeneous Member Posts: 2,333
Helping out an associate who manages an SBS08 box running Exchange 07. Recently their GoDaddy SSL cert for Exchange expired and they missed the renewal period so they had to create a new cert. A new one has been created and imported into SBS with the instructions found here.

Problem now is that whenever Outlook 2010 users open Outlook, not only are they prompted to enter their credentials, they are also shown a certificate warning for with a completely different certificate than the new GoDaddy one that has been imported. In addition, is not one of the SAN entries in the certificate. However, autodiscover is a host record on their local DNS (also the SBS box) which points to the SBS IP.

I checked IIS and noticed that the Default Website as well as SBS Web Applications both have a binding for port 443 but the Default Website is stopped. When I look at the 443 binding for the SBS Web Applications site it shows the new GoDaddy certificate.


1. Why are users getting prompted for credentials when they open Outlook?

2. Why is the invalid popping up when users open Outlook?

3. How can I make sure that the new GoDaddy cert is being applied to Exchange?

I usually only deal with self-signed certs so any help is appreciated.


  • Claymoore Member Posts: 1,637
    1. This is Outlook's way of generating a certificate error. Outlook doesn't like the certificate so it won't automatically pass the credentials to autodiscover, and prompts for credentials instead.

    2. needs to be in the SAN. Autodiscover is a required service name for Exchange. You could use another name internally, but external connections will try as part of the Autodiscover process.

    3. You will need to enable the new certificate for use with Exchange through the management shell.
    How to Manually Install Certificates in SBS 2008 - The Windows Server Essentials and Small Business Server Blog - Site Home - TechNet Blogs
  • phoeneous Member Posts: 2,333
    Thanks Claymoore. More questions for you if you don't mind.

    1. Does a host record for autodiscover need to be created on the internal LAN or will the AD SCP be enough?
    2. Do they need a 3rd party cert or can they just use self-signed?
    3. I believe their SBS is jacked up because when they try to run the 'Add a trusted certificate' wizard it says 'Cannot find a domain name on your server'. I assume it's because the IAM wizard was never run?
  • Claymoore Member Posts: 1,637
    1. Create an internal record. The autodiscover process has an order of operations and it can fall back to the host record if SCP lookup fails or is not supported by the client.
    2. Third party. Even with an internal PKI you would have difficulty with mobile devices. Self-signed would create issues for every client.
    3. I don't know SBS. I use Exchange to manage the Exchange certificates.
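
The checks discussed in the replies above (the autodiscover name must be in the certificate's SAN list, and the certificate has to be enabled for Exchange from the management shell), as an added example that is not part of the original thread. The host names are constructed placeholders, and the script assumes it is run in the Exchange Management Shell on the Exchange 2007 server.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Constructed placeholder names; replace with the names clients actually connect to.
$requiredNames = @('mail.example.com', 'autodiscover.example.com')

# URL that domain-joined Outlook clients receive from the Autodiscover SCP in AD.
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri

# Every certificate Exchange knows about, and the services each one is enabled for.
$certs = @(Get-ExchangeCertificate)
$certs | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# Keep only unexpired certificates whose SAN list covers all required names.
# Exact-name comparison only: a wildcard entry is not treated as a match here.
$now = Get-Date
$candidates = @($certs | Where-Object {
    $names = @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($requiredNames | Where-Object { $names -notcontains $_.ToLower() })
    ($_.NotAfter -gt $now) -and ($missing.Count -eq 0)
})

if ($candidates.Count -eq 0) {
    # Nothing usable: the certificate has to be reissued with the missing SAN entries.
    Write-Warning "No unexpired certificate covers: $requiredNames"
} else {
    # Pick the candidate that expires last and enable it for IIS, which serves
    # Autodiscover and the other web services Outlook connects to.
    $best = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    Enable-ExchangeCertificate -Thumbprint $best.Thumbprint -Services 'IIS'

    # Confirm the Services column now lists IIS for that thumbprint.
    Get-ExchangeCertificate -Thumbprint $best.Thumbprint |
        Format-List Thumbprint, CertificateDomains, Services
}
```

If the warning branch fires, enabling the existing certificate will not clear the Outlook prompt, because the name Outlook connects to is still absent from the SAN list.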