Exchange 2010 Certificates on Outlook Anywhere

  • Exchange 2010 Certificates on Outlook Anywhere

    Hi,

    I'm wondering if anyone can help me here... and I'm sorry that this is the first post... and wanting help straight away!

    I have built a Windows 2008 R2 DC and a Windows 2008 R2 Exchange 2010.

    I'm having a real problem with creating a certificate to enable Outlook Anywhere to work.

    I have installed Certification Authority so it can sign my certificate off, with web enrollment being installed as well.

    This is what I do; please feel free to say wrong order, etc.

    In Exchange 2010 in the console, I go to Server Configuration and in the middle window below, Exchange Certificates comes up. So I right click and go to New Exchange Certificate, and make sure in the wizard on Exchange Configuration "Client Access server" Outlook Anywhere is ticked with the external host name.
    On the certificate domains I click the external domain as the common name. I finish the wizard off and I get a REQ file which I save on my desktop.

    Then this is where I may go wrong...

    I go to http://localhost/certsrv (on the same machine), go to Request a Certificate, then Advanced, then Create and submit a request to CA, then click on

    Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    I open up Notepad, open the REQ file that I created in the Exchange wizard and paste the contents into Saved Request.

    And press Submit; after a few seconds this comes back and says all successful, please download your CER file, which I do onto the desktop.

    From here I install the CER file into Trusted Root Certification Authorities, install the CER file that I've created and import it.

    Then I go back to Exchange 2010, then complete the certificate from the first paragraph and import the CER that I've created.

    All then is go to the client machines and import the CER file and configure Outlook in Anywhere mode... and it comes up saying

    There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to the proxy server... then the domain (Error Code 18).

    And that's it - I'm really confused as I thought I had cracked it.

    Can someone see what I'm doing wrong? Again I'm really sorry to post this on my first post! Just hoping someone can say that step needs to be done first...

    Many thanks in advance.

    Lil


    (I've tried Google many times, but not sure which one is correct for my problem)
    Last edited by lil8386; 2nd November 2010, 15:41. Reason: spelling

  • #2
    Re: Exchange 2010 Certificates on Outlook Anytime

    You need to install the root certificate on the clients, not the server certificate, as the client PCs must trust the Authority that issued the certificate in order to trust the server certificate.

    Open up an MMC, add the Certificates Snap-In for Local Computer, right click on Trusted Root Certification Authorities and choose import then browse to the exported root certificate. You should then see it in the list of Trusted Root CAs.

    If all your clients are Domain Members I'd strongly recommend doing this through Group Policy Auto-Enrollment.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog
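The root-versus-server distinction in #2 is the whole fix, so here is an added example (not from this thread) that shows it on a client: build the chain for the server certificate before and after the root is put in the Local Computer Trusted Root store. The file names C:\certs\root-ca.cer and C:\certs\mail-server.cer are assumptions.

```powershell
# Added example, not from the thread. Assumed paths: the exported CA root
# certificate and the certificate issued to the Exchange CAS.
param(
    [string]$RootCerPath   = 'C:\certs\root-ca.cer',
    [string]$ServerCerPath = 'C:\certs\mail-server.cer'
)

function Test-ServerCertChain {
    # Builds the chain for a certificate file using the machine's own stores,
    # which is what Outlook does when it talks to the RPC proxy.
    param([string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip the CRL fetch for this lab check; trust is still decided by the stores.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Trusted = $ok
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Before: a fresh client reports Trusted = False with UntrustedRoot or PartialChain.
Test-ServerCertChain -CerPath $ServerCerPath

# The fix from post #2: the ROOT (not the server cert) goes into
# Trusted Root Certification Authorities of the Local Computer store.
certutil -addstore -f Root $RootCerPath

# After: Trusted = True and Status empty.
Test-ServerCertChain -CerPath $ServerCerPath

# Confirm that what landed in Root really is a root (self-issued: Subject = Issuer)
# and not the server certificate that was mistakenly imported there in post #1.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer } |
    Select-Object Subject, Thumbprint, NotAfter
```

For domain-joined clients the same root is pushed by Group Policy under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, which is the route #2 recommends; an Enterprise CA's root is normally already published there via AD, so run the check above on a client before importing anything by hand.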



    • #3
      Re: Exchange 2010 Certificates on Outlook Anytime

      Many thanks for your reply - but this doesn't work - still comes up with an error?

      Is there a step-by-step thing like for Exchange 2010 / Windows 2008 R2 for certificates, because I believe it's a user error and lack of understanding!!

      Anyone got any more ideas? Is what I'm doing right below?
      Last edited by lil8386; 2nd November 2010, 16:01. Reason: spelling again



      • #4
        Re: Exchange 2010 Certificates on Outlook Anytime

        The other thing I don't understand is...

        why do you need a 3rd party person to get involved when producing a certificate?

        Can't we use the certificate authority in Windows 2008 R2 to accept the new certificate... I'm really sorry if these are thick questions - however just trying to get my head around it.

        Thanks



        • #5
          Re: Exchange 2010 Certificates on Outlook Anytime

          Guys, I'm not automatically bumping this message - just keep giving updates....


          I've managed to successfully create a certificate which works over OWA on Internet Explorer and comes up with the padlock.

          However still on Outlook 2010 it comes up with Check whether Outlook is available, not a certificate error now...

          Is there something special I have to do in Exchange 2010 to enable this!

          Sorry to go on, it's driving me around the bend!!!



          • #6
            Re: Exchange 2010 Certificates on Outlook Anywhere

            Why are you even bothering to try and use an internal CA?
            Internal CAs are simply not worth the hassle unless you have complete control over every client that is connecting to the server. That basically means no OWA access.

            When you can get a trusted SSL certificate for US$80/year, trying to generate your own is simply a waste of time that achieves nothing but a loss of hair and confused users.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: Exchange 2010 Certificates on Outlook Anywhere

              Thanks for the feedback - I do have complete control over all clients.

              I've got the internal CA to work in the end, although it was due to my lack of knowledge concerning certificates. A few quiet hours has sorted it...

              Thanks for the suggestions.



              • #8
                Re: Exchange 2010 Certificates on Outlook Anywhere

                Hello Everyone!!!

                Lil, can you please tell me what you did??? Because I am also not very good with certificates... I did create a certificate request... but what about submitting the request... I'll be really glad if you will help with step-by-step guidance...

                Thanks...



                • #9
                  Re: Exchange 2010 Certificates on Outlook Anywhere

                  I would love to help however I can't get the damn thing working again..

                  What I have found out is very important: if you are configuring Exchange 2010 with certificates you must put an entry in your external DNS system, i.e. autodiscover.yourdomain.com / .co.uk

                  Otherwise out of office doesn't work, and other things that come up.



                  • #10
                    Re: Exchange 2010 Certificates on Outlook Anywhere

                    Exchange 2010 has all the tools you need to generate your own self-signed cert without buggering about with CAs or anything like that.

                    Use the Exchange Shell:

                    [PS] C:\Windows\system32>help New-ExchangeCertificate

                    NAME
                    New-ExchangeCertificate

                    SYNOPSIS
                    Use the New-ExchangeCertificate cmdlet to create a self-signed certificate, renew an existing self-signed certificate, or generate a new certificate request for obtaining a certificate from a certification authority (CA).
                    There are many variables that you must consider when configuring certificates for Secure Sockets Layer (SSL) and Transport Layer Security (TLS). You must understand how these variables may affect your overall configuration. For more information and before you continue, see Understanding TLS Certificates.

                    [PS] C:\Windows\system32>help Enable-ExchangeCertificate

                    NAME
                    Enable-ExchangeCertificate

                    SYNOPSIS
                    Use the Enable-ExchangeCertificate cmdlet to enable an existing certificate in the local certificate store for Exchange services such as Internet Information Services (IIS), SMTP, POP, IMAP, and Unified Messaging (UM).
                    There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Understanding TLS Certificates.
                    Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.
                    Don't use the Enable-ExchangeCertificate cmdlet to enable a certificate for federation. Certificates used for federation trusts are managed by using the New-FederationTrust and Set-FederationTrust cmdlets.
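Post #1 walks through the wizard and the /certsrv pages, and #10 shows the cmdlet help; here is an added example (not from the thread, and not Microsoft's documentation) that does the same request / issue / import / enable sequence from the Exchange Management Shell against an internal AD CS CA, so every step is visible and repeatable. The host names mail.example.com, autodiscover.example.com and exch01.corp.example.com, the CA config string "ca01.corp.example.com\Example Issuing CA", the organisation name and the file paths are all assumed values.

```powershell
# Added example, not from the thread. All names below are assumptions;
# replace them with your own external host name, internal FQDN and CA.
$ExternalHost = 'mail.example.com'
$Names        = @('mail.example.com', 'autodiscover.example.com', 'exch01.corp.example.com')
$CaConfig     = 'ca01.corp.example.com\Example Issuing CA'   # "<CA host>\<CA name>"
$ReqFile      = 'C:\certs\exch01.req'
$CerFile      = 'C:\certs\exch01.cer'

# 1. Generate a PKCS #10 request. Every name Outlook will connect to must be
#    in the SAN list (post #9/#11: autodiscover must resolve AND be on the cert),
#    otherwise the name check fails even though the chain is trusted.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$ExternalHost,O=Example Ltd,C=GB" `
    -DomainName $Names `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2010 CAS'
Set-Content -Path $ReqFile -Value $req -Encoding Ascii

# 2. Submit the request to the internal Enterprise CA using the Web Server
#    template. This replaces pasting the .req into the /certsrv page by hand.
#    If the CA is set to hold requests, approve it in the CA console and run:
#      certreq -retrieve -config $CaConfig <RequestId> $CerFile
certreq -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile

# 3. Import the issued certificate. The private key from step 1 is already in
#    the local store, so this completes the pending request.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))

# 4. Bind it to IIS, which is what OWA and the Outlook Anywhere RPC proxy use.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Verify: the certificate bound to IIS is the new one and lists every name.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, Subject, CertificateDomains, NotAfter
```

The root certificate of the CA still has to be trusted by every client, as #2 explains; issuing from an Enterprise CA only makes that automatic for domain-joined machines.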



                    • #11
                      Re: Exchange 2010 Certificates on Outlook Anywhere

                      The self signed certificate that Exchange can generate is not supported for use with Exchange ActiveSync or Outlook Anywhere. It also means users get security prompts which is a very bad idea. It significantly complicates the deployment of remote devices, having to install the certificate everywhere, and is generally a waste of time deploying.

                      The Autodiscover DNS record externally is key, because that is how Exchange works. You either have to use autodiscover.example.com or SRV records. In many cases the DNS host name with a SAN/UC certificate is the best option.

                      Simon.
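Posts #9 and #11 both come down to two checks that are easy to get wrong from the inside: does Autodiscover resolve from the internet (A record or SRV), and does the certificate actually served on 443 cover the name the client will use. Here is an added example (not from the thread) that performs both checks from any internet-connected Windows machine; example.com is an assumed domain, and Resolve-DnsName needs the DnsClient module (Windows 8 / Server 2012 or later; on older clients use nslookup -type=SRV).

```powershell
# Added example, not from the thread. Assumed domain: example.com.
param([string]$Domain = 'example.com')

function Get-AutodiscoverTargets {
    # Returns the host names Outlook will try, in the order the page describes:
    # autodiscover.<domain> if it has an A/CNAME record, then any SRV targets.
    param([string]$Domain)
    $targets = @()
    $a = Resolve-DnsName -Name "autodiscover.$Domain" -Type A -ErrorAction SilentlyContinue
    if ($a) { $targets += "autodiscover.$Domain" }
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
    foreach ($r in $srv) { if ($r.NameTarget) { $targets += $r.NameTarget } }
    return $targets
}

function Get-ServedCertificateNames {
    # Opens a TLS session to the host and returns the CN plus every DNS SAN
    # of the certificate the server presents. The certificate is inspected,
    # not trusted: the validation callback is bypassed on purpose here.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $names = @($cert.GetNameInfo('DnsName', $false))
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        if ($san) {
            # Format($true) yields one "DNS Name=host" entry per line.
            $names += ($san.Format($true) -split "`r?`n" |
                ForEach-Object { ($_ -split '=')[-1].Trim() } |
                Where-Object { $_ })
        }
        return ($names | Select-Object -Unique)
    } finally { $tcp.Close() }
}

function Test-NameCovered {
    # Exact match, or a single-label wildcard match (*.example.com covers
    # mail.example.com but not a.b.example.com), which is how clients match.
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        if ($c.StartsWith('*.') -and
            $Name -like "*.$($c.Substring(2))" -and
            $Name.Split('.').Count -eq $c.Split('.').Count) { return $true }
    }
    return $false
}

$targets = Get-AutodiscoverTargets -Domain $Domain
if (-not $targets) {
    Write-Warning "No autodiscover A or SRV record for $Domain: Outlook will not find the CAS, so Out of Office and the other Autodiscover-driven features fail first."
}
foreach ($t in $targets) {
    $served = Get-ServedCertificateNames -HostName $t
    [pscustomobject]@{
        Host      = $t
        CertNames = ($served -join ', ')
        Covered   = Test-NameCovered -Name $t -CertNames $served
    }
}
```

With the SRV method only the SRV target needs to be on the certificate, which is why #11 calls it an alternative to a SAN/UC certificate that lists autodiscover.example.com explicitly; in both cases the certificate must chain to a root the client trusts, which this script deliberately does not test.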



                      • #12
                        Re: Exchange 2010 Certificates on Outlook Anywhere

                        Originally posted by Sembee
                        The self signed certificate that Exchange can generate is not supported for use with Exchange ActiveSync or Outlook Anywhere. It also means users get security prompts which is a very bad idea. It significantly complicates the deployment of remote devices, having to install the certificate everywhere, and is generally a waste of time deploying.
                        Well we have a number of servers using the cert for both activesync and OWA..

                        It does depend on the number of users though as you say for installing the cert. Blackberries and iPhones don't actually need the cert installing though - only MS phones



                        • #13
                          Re: Exchange 2010 Certificates on Outlook Anywhere

                          Originally posted by beddo
                          Well we have a number of servers using the cert for both activesync and OWA..

                          It does depend on the number of users though as you say for installing the cert. Blackberries and iPhones don't actually need the cert installing though - only MS phones
                          The fact that you are using them for that purpose is immaterial.
                          Microsoft have stated the self signed certificate is not supported for that purpose. Therefore while you can get it to work, if you call for support on the issue then Microsoft will tell you that you are using a configuration that isn't supported.

                          Personally I don't see the point - as you have to install the certificate on every device, then install the replacement when it expires. It doesn't take long for a $80 certificate from GoDaddy to be a much better option than spending the time on getting self signed certificates to work.

                          Simon.



                          • #14
                            Re: Exchange 2010 Certificates on Outlook Anywhere

                            Sometimes the point isn't the technical side of things. We have quite a large support base and I think only two clients have elected to buy any form of cert when asked. They just don't understand why they need to spend money when it already works.

                            I didn't know that Microsoft don't officially support it, especially seeing as SBS comes set up that way out of the box.



                            • #15
                              Re: Exchange 2010 Certificates on Outlook Anywhere

                              It wouldn't be the first time that the SBS product is "allowed" to do something that isn't supported or expected with the full product.

                              The issue of the self signed certificate is covered here:
                              http://technet.microsoft.com/en-us/l...EXCHG.80).aspx
                              While that is for Exchange 2007, I am not aware that it has changed with Exchange 2010.

                              Ironically it is the SBS users where the self-signed certificate issue comes up. The end users want their "free" certificate to work, but it actually creates more work. It doesn't take many devices to make it a headache.

                              I also don't like telling anyone to ignore SSL warnings, even if it is on just one site, as users shouldn't get used to ignoring those warnings.

                              I have one client who eventually woke up to the fact and has deployed the certificates to their clients and seen a much higher end user satisfaction (as things just work) and reduction in support costs. It also looks more professional.

                              One IT support company I know of has just one certificate and has it deployed on all of their clients. It is a wild card certificate. A nice way of keeping clients locked to you, although when the certificate expires it can create a headache.

                              Simon.
