Exchange Certificate Security Alert

by Vince
in Blog
Hits: 2653

It seems lately we've been doing a number of Exchange migrations and we're seeing the dreaded "Security Alert".  In a nutshell, the server has an internal name which does not match the external name to which the certificate was assigned.  When the Outlook client is remote to the server, everything works as it should.  But when the Outlook client is internal, the user receives the following error:

 

Certificate Warning

There are several ways to solve this problem and I think a UCC certificate is one approach but I prefer the option with zero expense.

This is a little trickier than my typical post and I want to spell out what I'm trying to accomplish.

My internal server name is:  Microsoft

Internally, the Fully Qualified Domain Name (FQDN) for my server is:  Microsoft.HateMe.local

Externally, the FQDN for my server with matching certificate is:  Microsoft.HatesMe.com

With elevated privileges, launch the Exchange Management Shell.

With the following commands, we are changing the identity from the mismatched internal name to the matched external name.  In the forth command, we are enabling Outlook Anywhere which may or may not already be enabled.  It won't hurt anything if it's enabled.  In one instance, I seem to recall seeing a prompt regarding SSL Offloading, select or enter No.  It should finish and allow you to move to the final command.

Set-ClientAccessServer -Identity "Microsoft" –AutodiscoverServiceInternalURI https://Microsoft.HatesMe.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Microsoft\EWS (Default Web Site)" –InternalUrl  https://Microsoft.HatesMe.com/EWS/Exchange.asmx
 
Set-OABVirtualDirectory -Identity “Microsoft\OAB (Default Web Site)” -InternalURL https://Microsoft.HatesMe.com/OAB

Enable-OutlookAnywhere -Server Microsoft -ExternalHostname “Microsoft.HatesMe.com” -ClientAuthenticationMethod “NTLM”

Set-ActiveSyncVirtualDirectory -Identity “Microsoft\Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://Microsoft.HatesMe.com/Microsoft-Server-Activesync

This is definitely one of the more sophisticated tasks I've written and you definitely want to test this out in a controlled environment prior to executing it on your production server.

An SSL certificate is cheap and you can easily setup on a test machine.  I've double checked my work but it comes with no warranty -- you've been warned.  ;)