Exchange certificate issue - internal domain name != external

5 replies to this topic

#1 bastille
Posted 29 June 2016 - 05:48 AM

So I have a situation where I have taken over a network support project where the internal domain name is set to server.somedomain.com.

The Exchange server's full computer name is hence companymail.server.somedomain.com.

 

Now the problem is the company does not own somedomain.com. So when trying to issue an SSL certificate to the Exchange server, GoDaddy tries to verify ownership of somedomain.com, which obviously can't be done. I have tried to issue the certificate instead to the domain they do own, as outlook.ourdomain.com, but then Outlook and mobile mail clients get the annoying certificate warning every time Outlook is opened or mobile devices are set up, saying that the name on the certificate does not match the server name.

 

I believe there is a workaround for this so that autodiscover can use outlook.ourdomain.com and get the autodiscover info. Both of those are working. But when it gets the server info from autodiscover it gets the server.somedomain.com info and we're back to square one. I either end up not being able to connect to the server externally because of the unowned domain, or I get the annoying certificate error pop-ups when the users connect. Any idea how to properly band-aid this? Changing the domain and server name, from what I have read, is not worth the headache. Thanks.


Edited by bastille, 29 June 2016 - 05:50 AM.


#2 androbourne
Posted 29 June 2016 - 09:28 AM

Well, the internal domain name shouldn't matter. This is why you are able to still apply SSL certs to Exchange when the internal domain is a .local (2 years ago they stopped allowing .locals to be registered for certs).

But this is also why split-horizon DNS is a thing.

What I would recommend you do is purchase an external domain you want to use, then purchase the SSL cert for that new domain name. Then in DNS create another zone for the .com (and edit both DNS zones so they can resolve to each other) and install the Exchange cert as normal.

You will also need to update the Exchange virtual directories to reflect the new domain name.



#3 bastille
Posted 29 June 2016 - 10:36 AM

OK, so we have most of that done. There is an external domain which is a live website with OWA and all that good stuff. Email is working fine on it. The only matter is the annoyance of the certificate warning. Some users have 3 different emails on 3 different domains, so they are getting 3 pop-ups every time they open Outlook because of the cert not matching.

There is a zone for each external domain as well. So I guess what I need to know is the part about pointing the zones to the internal as you said. Exactly how is that accomplished? I thought it would be by way of an SRV record in internal DNS, but that didn't seem to work, or I didn't enter the parameters correctly?

The other thought I had was that it's something in the autodiscover XML? Because autodiscover works and is able to grab the internal server name, then auto-configure Outlook to use HTTP through outlook.ourdomain.com for the connection. Is editing the autodiscover XML file manually a thing?


Edited by bastille, 29 June 2016 - 10:38 AM.


#4 JohnnyJammer
Posted 30 June 2016 - 06:48 PM

Couldn't you use an SPN for this, like split DNS?



#5 androbourne
Posted 05 December 2017 - 09:53 AM

OK, so we have most of that done. There is an external domain which is a live website with OWA and all that good stuff. Email is working fine on it. The only matter is the annoyance of the certificate warning. Some users have 3 different emails on 3 different domains, so they are getting 3 pop-ups every time they open Outlook because of the cert not matching.

There is a zone for each external domain as well. So I guess what I need to know is the part about pointing the zones to the internal as you said. Exactly how is that accomplished? I thought it would be by way of an SRV record in internal DNS, but that didn't seem to work, or I didn't enter the parameters correctly?

The other thought I had was that it's something in the autodiscover XML? Because autodiscover works and is able to grab the internal server name, then auto-configure Outlook to use HTTP through outlook.ourdomain.com for the connection. Is editing the autodiscover XML file manually a thing?

Did you configure Exchange virtual directories?

Normally I would recommend you make external and internal virtual directories the same and make sure you have a DNS zone for the .com.

i.e.

Internal: xyzdomain.com/ecp
External: xyzdomain.com/ecp

Do the same for all directories. As for autodiscover, you will need to use Exchange commands in order to properly set both internal and external autodiscover entries. You can Google how to set external and internal autodiscover for Exchange for the command. But here are some comments on the subject.

https://social.technet.microsoft.com/Forums/office/en-US/11e43dc4-3a20-4bfe-a2c7-4d7f2daf59a0/setting-autodiscover-internalurl-and-externalurl?forum=exchangesvrclients



#6 MasterNe0
Posted 22 December 2017 - 02:20 PM

You can do two things here, as I ran into this:

1 - Set all your autodiscovery to the external name (like mail.domain.com) and the certificate to just use an external name only (cheaper too). This one works using the conversion from the .local to the .com domain, from when they were stopping the selling of SSL certificates with .local. My domain still sees itself as MAIL.DOMAIN.LOCAL but my SSL just has MAIL.DOMAIN.COM, and I am using a single SSL certificate. This one is a cheap option as well for GoDaddy SSL certificate options, since I just needed MAIL.DOMAIN.COM only.

OR

2 - Use a wildcard SSL certificate. It covers both as long as the internal/external name has DOMAIN.COM in it. This one works for a client that has mail.domain and SERVERNAME.domain. This one is quite expensive though, as it is around $300 from GoDaddy for 1 year.
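As an added example (not posted by anyone in this thread), here is what the fix described in posts #5 and #6 looks like in the Exchange Management Shell and the DnsServer module: every client-facing URL and the Autodiscover URI are pointed at the owned, certificate-covered name, and an internal split-horizon zone makes that name resolve inside the network. The server name EX01, the name outlook.ourdomain.com and the address 10.0.0.5 are placeholders; the cmdlets are Exchange 2013 names (Set-ClientAccessServer is Set-ClientAccessService on 2016 and later).

```powershell
# Added example, not from the thread. Placeholders: Exchange 2013 server EX01,
# owned public name outlook.ourdomain.com, internal address 10.0.0.5.
$Server = "EX01"
$Fqdn   = "outlook.ourdomain.com"
$Url    = "https://$Fqdn"

# 1. Client-facing virtual directories: InternalUrl and ExternalUrl identical,
#    both on the name the certificate actually covers, so no client is ever
#    handed companymail.server.somedomain.com.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$Url/EWS/Exchange.asmx" -ExternalUrl "$Url/EWS/Exchange.asmx"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$Url/owa" -ExternalUrl "$Url/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$Url/ecp" -ExternalUrl "$Url/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$Url/Microsoft-Server-ActiveSync" -ExternalUrl "$Url/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$Url/OAB" -ExternalUrl "$Url/OAB"
# Outlook Anywhere is what internal Outlook uses to talk to the server after
# Autodiscover; its hostnames must match the certificate as well.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Fqdn -ExternalHostname $Fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# 2. Autodiscover SCP: this is the URI domain-joined Outlook reads from AD and
#    where the poster's clients were picking up the unowned internal name.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Url/Autodiscover/Autodiscover.xml"

# 3. Split-horizon DNS on the internal DNS server: the public name resolves to
#    the internal address inside, so internal and external clients use one name.
Add-DnsServerPrimaryZone -Name "ourdomain.com" -ReplicationScope "Domain"
Add-DnsServerResourceRecordA -ZoneName "ourdomain.com" -Name "outlook" -IPv4Address "10.0.0.5"
Add-DnsServerResourceRecordCName -ZoneName "ourdomain.com" -Name "autodiscover" -HostNameAlias $Fqdn

# 4. Check: every URL below must appear in the certificate's CertificateDomains
#    (or be covered by a wildcard, option 2 above), and that certificate must
#    have IIS in its Services; otherwise the name-mismatch warning remains.
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere -Server $Server | Format-List InternalHostname, ExternalHostname
Get-ClientAccessServer $Server | Format-List AutoDiscoverServiceInternalUri
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services
```

An internal zone for ourdomain.com shadows the entire public zone, so www, MX and any other public records must be re-created in it; if that is unwanted, create the zone for just the host name (outlook.ourdomain.com) instead.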