Correct SSL cert for Outlook Anywhere

  • Correct SSL cert for Outlook Anywhere

    I have Exchange 2003 running on Server 2003 standard. Up until now all the clients were XP Pro/Outlook 2003. Several remote clients were connecting via RPC/HTTP and I've been using a self-signed cert with no problems.

    Now I have 2 clients who are using Outlook 2007 and I cannot for the life of me get it to connect. I've tried every MS KB article and piece of information I could find, all to no avail. The only thing I haven't done yet is try using a purchased certificate - which, it seems, is pretty much mandatory for Outlook Anywhere to work.

    My question is - which certificate do I need to purchase? I already use GoDaddy for some other things - but is their standard SSL certificate ($31.67 CAD/year) the correct one? Or do I need something specific?

    Sembee refers to SAN/UC certificates... but GoDaddy doesn't say anything about it.
    Sorry if I am asking a stupid question - really don't have much experience with SSL stuff. I've tried searching, but all I find is a plethora of information as to how to use the certificate... but I want to be sure which one I need to buy in the first place.

  • #2
    Re: Correct SSL cert for Outlook Anywhere

    I'm well aware that the general consensus of the forum is against me, but I've always used self-signed certs for Outlook Anywhere and just about everything else. We've got it working in the office with a similar setup to yours: Exchange 2003 with Outlook 2007 clients, everything is published externally via ISA Server.

    Before spending money I'd try it internally using an Outlook 2007 client and try to get it to connect via RPC over HTTPS rather than MAPI. Daniel's guides for troubleshooting RPC over HTTPS are also well worth looking at if you haven't already, they're in the knowledge base on the main Petri site.

    Are the clients domain members, could they connect previously and do they have the root CA in the machine's store of trusted Root CAs are the first questions that spring to mind though.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog


    • #3
      Re: Correct SSL cert for Outlook Anywhere

      Self signed will work fine, if you are prepared for the extra management of distributing the certificate.

      Commercial certificates are so cheap, it is often more economical to just buy one and be done with it.

      In any case, you should be able to use Outlook Anywhere with either. As stated, I'd look towards fixing the issue first and then deciding if you wish to use a commercial certificate.

      One key thing is that you can access OWA with the URL and not get any certificate warnings. If you get warnings, Outlook Anywhere (RPC over HTTPS) will most likely not work.



      • #4
        Re: Correct SSL cert for Outlook Anywhere

        I got mine here (working with OWA/Activesync):

        $69 for 5 years.


        • #5
          Re: Correct SSL cert for Outlook Anywhere

          Outlook Anywhere is the Exchange 2007 term for RPC over HTTPS. Therefore you will see SAN/UC certificates referred to with that name because Exchange 2007 requires them.

          On Exchange 2003 a standard SSL certificate will be fine.
          While you can get it to work on self signed certificate, personally I don't think it is worth the hassle when a trusted certificate costs $30/year from GoDaddy.

          When I first did RPC over HTTPS I tried to use a self generated certificate - and tried to get it to work for hours. Put a commercial certificate on I had it working in an hour. I can now do it in less than 30 minutes.

          Outlook 2007 is no different to Outlook 2003 in its requirements. It is fully backwards compatible with Exchange 2003 for this feature. Where you can get problems is with autodiscover trying to do its thing, which is not supported on Exchange 2003. You need to ensure that does not resolve to anywhere.

          Simon Butler
          Exchange MVP


          Sembee is a registered trademark, used here with permission.


          • #6
            Re: Correct SSL cert for Outlook Anywhere

            Originally posted by cruachan:
            Are the clients domain members, could they connect previously and do they have the root CA in the machine's store of trusted Root CAs are the first questions that spring to mind though.
            The clients I am trying to connect are domain users but not using domain computers. I have sporadically been able to get it to work internally (with domain user logon on non-domain computer) but I'm trying to get these 2 remote clients to set up the Outlook connection from a remote location.

            I'm going to try to get it set up tomorrow internally, then take the laptop home and see if it still connects externally. If so - then perhaps I can force the clients to wait until the annual Christmas party when I can get their laptops and set them up internally. It's worthwhile to note that the laptops connect to OWA without errors. Also, on my test laptop (internal scenario) I have the certificate in the computer's Trusted Root store (not user Trusted Root store), and still, if I create a new profile, set up Outlook, and try to set up the RPC/HTTP parameters before resolving the name, it refuses to work.

            What buggers me is that even if I have them connect via VPN, they still cannot connect (always get the message "Outlook must be cannot be resolved"...etc) when trying to connect to the mailbox. I would have thought that via VPN they would have had no problem resolving the server name.

            If all else fails, I will try the GoDaddy route. Thanks to all for the feedback.


            • #7
              Re: Correct SSL cert for Outlook Anywhere

              Update: I connected a test mailbox internally (without setting up RPC/HTTP) in cached mode. Then I set up RPC/HTTP with the same settings as my Outlook 2003 clients. When I go back into Outlook, I continually get prompted for my password, and no matter how I enter the username (with the correct password), it won't authenticate. Choosing NTLM or Basic as authentication doesn't make a difference. The correct certificate is installed in the machine's Trusted Root store. I'm using a non-domain computer with a domain user account. Connecting with VPN doesn't help either.

              Is there any fix?

              *I realize this is now the same topic as this thread: If a mod wants to move/merge this one, please do so...


              • #8
                Re: Correct SSL cert for Outlook Anywhere

                I'm confused, cos I have SBS 2003 with Outlook 2007 at home, and Exchange 2003 with Outlook 2007 in the Office. Both work fine with RPC over HTTPS. I've also got a non-member machine in the office for remote support that has Outlook Anywhere working on 2007.

                Settings as I recall are username in the form domain\username and authentication set to Basic.

                Have you checked this MS KB referenced in the other thread? Also for testing on the LAN only you can try using the internal rather than external FQDN of the server to see if that makes any difference (Shouldn't!). Daniel's article from the KB is written for Outlook 2003, but the steps to troubleshoot the issue are pretty much the same for 2007.
                BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
                Cruachan's Blog


                • #9
                  Re: Correct SSL cert for Outlook Anywhere

                  Believe me, I've tried that and every other MS KB I came across that would remotely apply to this case. Internal and external FQDNs are the same, so no chance of confusion.

                  However, it is now least, internally. In this thread someone posted this solution:

                  I have also experienced this issue with Office 2007 & Exchange 2003. The solution for me involved the Microsoft Article 913843 but required another DWORD to be added under the same RPC sub key (in the registry):

                  HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\RPC\

                  DWORD Value DefConnectOpts with a value of 0 (as per the Microsoft Article) PLUS:
                  DWORD Value EnableRPCtunnel with a value of 1

                  Hope this helps...
                  I added the EnableRPCtunnel key and BAM! Connected. It is interesting to note that it connects fine for me with NTLM authentication (many others have said only basic authentication works for them), and also, in the Outlook Anywhere settings, I have to leave "Only connect to proxy servers..." unchecked - if it's checked, I will get continuously prompted for my password, and it won't authenticate.

                  Now to take the test laptop home and try it's to a successful test...
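
The two client-side checks this thread turns on, as an added example that is not part of any post: whether the RPC proxy's certificate validates cleanly against the machine's trust store (the "no warnings in OWA" test from post #3), and whether the two registry values quoted in post #9 are present. The host name `mail.example.com`, the `-Apply` switch and the function name are assumptions made for illustration; the registry path and values are the ones quoted in the thread.

```powershell
# Added example, not from the thread. mail.example.com is a placeholder for the
# proxy name entered in Outlook's Exchange Proxy Settings dialog.
param([string]$ProxyHost = 'mail.example.com', [switch]$Apply)

function Test-ProxyCertificate([string]$HostName, [int]$Port = 443) {
    $script:policyErrors = $null
    # Diagnostic only: record the validation result instead of aborting the
    # handshake, so name mismatches and untrusted chains can be reported.
    # No application data is sent over this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # RemoteCertificateNameMismatch = name differs from $HostName;
            # RemoteCertificateChainErrors  = root not trusted, expired, etc.
            PolicyErrors = $script:policyErrors
            Trusted      = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    } finally { $tcp.Close() }
}

# Registry values quoted in post #9 (per-user, Outlook 2007 = Office 12.0).
$rpcKey   = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\RPC'
$expected = @{ DefConnectOpts = 0; EnableRPCtunnel = 1 }
foreach ($name in $expected.Keys) {
    $current = (Get-ItemProperty -Path $rpcKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($Apply -and $current -ne $expected[$name]) {
        if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
        New-ItemProperty -Path $rpcKey -Name $name -PropertyType DWord `
            -Value $expected[$name] -Force | Out-Null
        $current = $expected[$name]
    }
    '{0} = {1} (value from the thread: {2})' -f $name, $current, $expected[$name]
}

Test-ProxyCertificate $ProxyHost
```

Without `-Apply` the script only reports; a `Trusted` result of `False` on a machine using a self-signed certificate means the issuing root is missing from that machine's Trusted Root store or the name on the certificate does not match the proxy name.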