Exchange OWA Certificate Question
Hello All
I just have a question regarding exchange owa certificate which is about to expire. (owa.domain.com, autodiscover.domain.com, mail.domain.com )
I have
Site one
Mailbox 2013 Server1
CAS 2013 Server1
Edge 2013
Site 2
Mailbox 2013 Server2
Cas 2013 Server2
Edge 2007
Exchange high availability configured. On ECP I am seeing my OWA certificate about to expire on both CAS on the same day (same cert).
I would like to create a new certificate, not renew as I have some old domains to remove from the cert.
My question is, when I create the new request from ECP - CAS Server1, send it to the CA and then install it, how will this reflect for the certificate that is expired on CAS server2?
Thanks
Hi nricki,
Agree with Hinte, you can export the new certificate which was created in CAS1 server and then import it to CAS2 server.
The following article for your reference:
How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers
Best regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Niko Cheng
TechNet Community Support
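The export and import suggested in the reply above can be done from the Exchange Management Shell. This is an added example, not part of the original thread or the linked article; the server names, thumbprint and file path are placeholders.

```powershell
# Added example: every value below is a placeholder, not taken from the thread.
$SourceServer = 'CAS1'                      # hypothetical: server where the CA response was installed
$TargetServer = 'CAS2'                      # hypothetical: second CAS that still holds the old cert
$Thumbprint   = '<THUMBPRINT-OF-NEW-CERT>'  # placeholder: copy it from Get-ExchangeCertificate
$PfxPath      = 'C:\Temp\owa-new.pfx'       # hypothetical temporary path on the admin machine

# The PFX contains the private key, so protect it with a password that is
# typed at the prompt and never stored in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'

# 1. Confirm the new certificate carries only the names you still want
#    (the old domains should be gone) before copying it anywhere.
Get-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, Services, Status

# 2. Export the certificate together with its private key from the first server.
$export = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint `
    -BinaryEncoded:$true -Password $PfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 3. Import it on the second server. Marking the key non-exportable there
#    means a later copy has to come from the first server again.
$pfxBytes = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server $TargetServer -FileData $pfxBytes `
    -Password $PfxPassword -PrivateKeyExportable:$false

# 4. Bind the imported certificate to IIS (OWA, ECP, Autodiscover, ...).
#    Run the same command against $SourceServer if it is not enabled there yet.
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint -Services IIS

# 5. Check that both servers now list the same thumbprint for IIS and that
#    the expiring certificate no longer holds the service.
foreach ($server in $SourceServer, $TargetServer) {
    Get-ExchangeCertificate -Server $server |
        Sort-Object NotAfter |
        Format-Table @{n='Server';e={$server}}, Thumbprint, Services, NotAfter, Status -AutoSize
}

# 6. Remove the temporary PFX so the private key is not left on disk.
Remove-Item -Path $PfxPath -Force
```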
Similar Messages
-
Can't install exchange OWA certificate?
I have a 3GS on 3.1 and have tried to email myself our OWA certificate to my gmail account. When I try to open the attachment I get a message that says "Invalid Profile Profile format not recognized" If I go to the Gmail site and view it that way Safari tries to open it a new window and I get a similar message. I see lots of people have easily got the cert installed on the phone without problem and haven't really found anyone that can't even get the attachment to open. Much appreciated in advance.
Message was edited by: klutch14u
How are you exporting the certificate? Also, you should be sending yourself (exporting) the root certificate that signed your OWA cert, not the server cert itself - unless this server is also the cert-issuing server.
The easiest way I have found to do it is to open OWA in IE. Click on the lock to view certificate. Click on certification path, double click on the top level certificate (it should not be Verisign, Thawte, or any other already installed CA), View certificate, details, copy to file. Follow the wizard to create the export. I believe the DER binary works fine.
Let us know how you make out. -
Exchange 2013 Certificate Question
Hi,
I have an Exchange 2013 and AD servers running on server 2008 R2. When you go to create an outlook account you are prompted that a certificate for mydomain.com.au has expired. When you click to view this certificate, it is referring to "www.mydomain.com.au".
Once you accept the message it goes away, the outlook account sets up OK and the message does not show again unless you set up another account.
The internal domain name is internal.mydomain.com.au. The Exchange server has a valid purchased SSL certificate that applies to autodiscover.mydomain.com.au, mail.mydomain.com.au, mydomain.com.au and the exchange servers internal name until 2015. The "www." cert and website for this domain is separate to the internal servers and mail. The cert for the website has indeed expired but my question is even though it is the same domain why would this internal exchange server be querying the www. certificate when creating an outlook account.
Bit of a tricky question hope I have explained it OK.
Thanks Robbie
Hi Robbie,
Your certificate expired issue may occur when using the Autodiscover service and Outlook Anywhere service. Please follow these steps to have a check:
1. Verify the FQDN that the client uses to access the resource from Outlook:
a. Start Microsoft Outlook.
b. Click File > Account Settings, click Account Settings.
c. Click the E-mail tab, click the Exchange account, and then click Change.
d. Click More Settings, and then click the Connection tab.
e. “Connect to Microsoft Exchange using HTTP” should be checked, then click Exchange Proxy Settings.
f. Note the FQDN that is listed in the Only connect to proxy servers that have this principal name in their certificate box. For example, mail.contoso.com.
2. Run the following command in Exchange to determine the value for the CertPrincipalName attribute for EXPR name:
Get-OutlookProvider
For example, the command returns the following:
msstd:server1.contoso.com
3. Modify the CertPrincipalName attribute to match the FQDN that Outlook uses to access the resource:
Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"
For the Autodiscover service checking, please open outlook - press CTRL key - right click on the Outlook icon from right bottom corner taskbar - Test Email AutoConfiguration. Put your email address - uncheck use guessmart and secure guessmart authentication - click Test to check your Autodiscover service. If possible, please post the Results tab here for more troubleshooting.
Thanks,
Winnie Liang
TechNet Community Support -
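The name comparison behind steps 1 to 3 of the reply above can be scripted. This is an added example, not part of the original thread: the function name and the sample values are constructed, and it goes slightly beyond the reply by also handling wildcard entries on the certificate.

```powershell
# Added example with constructed sample values; not taken from a real deployment.
function Test-CertificateNameCoverage {
    param(
        [Parameter(Mandatory)][string[]]$CertificateDomains,  # names on the certificate (subject and SANs)
        [Parameter(Mandatory)][string[]]$ClientNames          # names clients actually connect to
    )
    foreach ($name in $ClientNames) {
        # CertPrincipalName values carry an "msstd:" prefix; strip it before comparing.
        $fqdn  = ($name -replace '^msstd:', '').Trim().ToLowerInvariant()
        $match = $null
        foreach ($entry in $CertificateDomains) {
            $pattern = $entry.Trim().ToLowerInvariant()
            if ($pattern -eq $fqdn) { $match = $entry; break }
            # A wildcard covers exactly one left-most label: *.contoso.com matches
            # mail.contoso.com, but not contoso.com and not a.b.contoso.com.
            if ($pattern.StartsWith('*.')) {
                $suffix = $pattern.Substring(1)               # ".contoso.com"
                if ($fqdn.EndsWith($suffix)) {
                    $label = $fqdn.Substring(0, $fqdn.Length - $suffix.Length)
                    if ($label.Length -gt 0 -and -not $label.Contains('.')) {
                        $match = $entry; break
                    }
                }
            }
        }
        [pscustomobject]@{
            ClientName = $name
            Fqdn       = $fqdn
            Covered    = [bool]$match
            MatchedBy  = $match
        }
    }
}

# Constructed input: the certificate names and the names Outlook is told to expect.
# On a server these would come from Get-ExchangeCertificate (CertificateDomains)
# and Get-OutlookProvider (CertPrincipalName).
$certNames   = 'mail.contoso.com', 'autodiscover.contoso.com'
$clientNames = 'mail.contoso.com', 'msstd:server1.contoso.com', 'autodiscover.contoso.com'

Test-CertificateNameCoverage -CertificateDomains $certNames -ClientNames $clientNames |
    Format-Table -AutoSize
```

Any row with Covered set to False is a name that will produce a certificate warning, here the msstd:server1.contoso.com value that step 3 tells you to change.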
How to export an exchange 2007 owa certificate from production to lab environment
I'm setting up an Exchange 2007 Lab but I have a trouble regarding exchange's certificate
Note: My lab environment is not connected to internet
I've followed the next link but it doesn't work
https://www.digicert.com/ssl-support/pfx-import-export-exchange-2007.htm
Once I finished all the steps if I run the next powershell command Get-ExchangeCertificate I see that my exchange certificate has the status as unknown
I'm not sure if the problem is related with the server is not connected to internet, so exchange is not be able to check the status of the certificate.
I've tried to turn off the Check for publisher’s certificate revocation option on the server
To do this, follow these steps.
Start Internet Explorer.
On the Tools menu, click Internet Options.
Click the Advanced tab, and then locate the Security section.
Click to clear the Check for publisher’s certificate revocation check box, and then click OK.
After the update rollup installation is complete, turn on the Check for publisher’s certificate revocation option.
But it is still not working
Could anyone help me?
Thanks in advance
Hi Pardo,
According to your description, I understand that the exchange certificate cannot work and display unknown status after import it.
If I misunderstand your concern, please do not hesitate to let me know.
Depending on the results of “Get-ExchangeCertificate | FL”, please pay attention to following points:
1. RootCAType: Registry
“An internal, private PKI root CA that has been manually installed in the certificate store.”
2. Status: Unknown
“This status generally indicates that the status of the certificate cannot be verified because the certificate revocation list (CRL) is unavailable or this server cannot connect to it.”
The reason why it failed is that internal Exchange server cannot connect to CRL. As you mentioned, Exchange is not able to check the status of the certificate.
More information about Certificate Use in Exchange Server 2007, please refer to Certificate Fields and Configuring Access to the Certificate Revocation List section in below link:
http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
However, we can renew a certificate from local CA:
http://technet.microsoft.com/en-us/library/bb310781(v=exchg.80).aspx
Best Regards,
Allen Wang -
Changing Exchange OWA URL, and MX record
Hi all,
We are planning to change our Exchange OWA URL from "https://webmail.saigon.com" to "https://webmail.city.saigon.com"
My question is Do I need to do anything to the MX record? The Exchange server name and IP remain the same. Only the URL get changed for the internal, and external.
Thanks
Hi Brichardi,
Thank you for your question.
If we want to change Exchange OWA URL from https://webmail.saigon.com into https://webmail.city.saigon.com for internal and external, we must modify the following items:
1. MX record
We could ask to our ISP for help.
2. Exchange certificates
We could remove the old exchange certificate and resign a new certificate for Exchange server.
3. Re-configure virtual directory URL (OWA, OAB, ECP, EWS, ActiveSync, Autodiscover)
We could refer to the following link:
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Jim Xu
TechNet Community Support -
Exchange (OWA) access with Nokia Messaging
Thank you for enabling corporate mail (Exchange / OWA) is now working under Nokia Messaging.
I summarize a few items that could be improved:
1 In order to install this, you first need to log into the service with an online web account and only then can you install your corporate account. You can later delete the online web account. This is awkward.
2 Within Nokia Messaging I cannot set the email address I wish to show when I send someone an email. I use in my corporate email an alias which is slightly different from the main domain: for example if my corporate email address would be [email protected], then my alias would be [email protected]
3 Within Nokia Messaging I cannot set the reply_to address
4 Within Nokia Messaging I cannot accept calendar invitations.
5 MFE used to work fine with the 3G Portal (WAP based) access point and this saved me from using the 3G/Internet connection (payable). However, Nokia Messaging does not work on the 3G Portal access point and has to be set to 3G/Internet. This means that using Nokia Messaging will cost me more than MFE.
Message Edited by rrrr123456 on 05-Mar-2009 01:01 PM
Can you please tell us how did you configure OWA on Nokia messaging, because as from Nokia support team , OWA is not supported in Nokia messaging !
Please advice.
Thanks
Haikal -
User http access after OWA certificate expired
we are facing problem with owa certificate, we need enduser to access OWA using http not https
Ahmed
Hi Ahmed,
Please use following article to simplify the OWA URL.
Simplify the Outlook Web App URL
https://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx
Thanks
Mavis Huang
TechNet Community Support -
Hi!
I have a problem. My exchange server at work doesn't support IMAP or POP connections, so I'm stuck with OWA. Now with Mail, I can connect to an exchange server using OWA, but why do I have to put an 'incoming mail server in'? I am just thinking that it's pretty useless since you need an IMAP server anyways.
Is there something that I'm missing? Is there possibly anything else that exists out there (besides Evolution) that can handle Exchange/OWA?
Thanks!
I'm not 100% positive, but I believe the OWA spot in the Mail config is for Address Book syncing. As far as using Mail to connect to Exchange though, you need IMAP turned on. Your other alternatives are Entourage, and as you already mentioned, Evolution.
-
Server essentials 2012 uses wrong certificate for Exchange OWA
I have two servers (Essentials 2012 and Exchange 2013) behind a firewall. port 443 is routed to essentials.
I have set up arrconfig following TechNet jj200172 (in fact I followed this link closely for the entire setup).
Our client has a single external static ip & two certificates (godaddy) . I’ll call them arr.help.ca and mail.help.ca
On the LAN, I have split DNS so that Outlook trying to reach "http mail.help.ca" gets the local ip. In fact all is working fine on the LAN.
From the WAN "https arr.help.ca" present the essentials web page, with desktop and shared folders working fine, but...
From the Wan "https mail.help.ca/owa" presents the owa logon page, but also the browser warning that the cert is incorrect.
The problem is the cert presented is arr.help.ca, not mail.help.ca
The cert chain is fine (i.e. the godaddy intermediate cert is trusted),
both certs are not expired,
the cert subjects are correct.
Any ideas on how to troubleshoot this?
Hi Rick,
Did you use the Microsoft Remote Connectivity Analyzer Tool to check if there has any connectivity issue firstly? Meanwhile, please refer to following Robert’s article and check if can help you.
On Premises Exchange Integration Windows Server 2012 Essentials
If any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu
-
SSL client certificate problem with exchange owa
Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
When I try to log on to the server, I now get a Safari warning telling me that the website requests a client certificate and prompts me to choose one.
Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what mobileme has to do with this exchange server at all.
What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
Can anybody point in the right direction please ?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definitely not on all 4 at the same time....
Another strange bit, when setting up the exchange server inside mail.app, it works perfectly... -
Treo 800w / Exchange / invalid certificate
Cannot get e-mail nor sync contacts, etc. using ActiveSync. Get "security certificate on this server is not valid" Support code 80072f06.
There are two issues:
1. The certificate is my SBS2003 self-issued certificate & works fine with Outlook Web Access, etc.
2. Six weeks ago, the local Sprint store somehow configured this so it worked without any problem and without installing the certificate.
I install the certificate using the native Windows Mobile 6.1 cert installer, but it does not work. I have tried editing the phone's registry using a variety of registry-editing tools to bypass cert-checking, but each attempt to edit the reg is met with "Access denied".
Already deleted Exchange account & ActiveSync partnership & recreated - to no avail.
Stuck.
Post relates to: Treo 800w (Sprint)
This question was solved.
Actually, you nailed it a couple of posts back. I finally deleted & recreated the cert, and it worked. Here was the problem: the SBS cert-creation wizard suggests this format for the server name:
ServerName.Subdomain.Domain.com (FQDN of the server)
However, from outside, the path is just Subdomain.Domain.com (no server name - the server name is relevant only inside the LAN).
There were two red herrings here.
1. The cert worked just fine with the server name in there for OWA.
2. Someone at the Sprint store had gotten this working without the cert for a period of about three weeks. They did something six weeks ago that got it working without even having the cert installed; when that quit working, even they could not remember what they had done. I know there is a registry hack that can tell the Treo to bypass cert-checking, but neither of the mobile registry-editing tools I tried to do that would work - both gave me Access denied errors.
All's well that ends well, though, I guess. Now I know to not take the SBS wizard's word for it on the path.
Thank you very much. We appreciate the help.
Post relates to: Treo 800w (Sprint) -
Exchange 2013 Certificates for Hybrid Deployment Clarification
I have an Exchange 2013 servers (CAS and Mailbox on separate server) which I wanted to setup for Hybrid deployment. I already have a certificate acquired from 3rd party with 3 names (mail, autodiscover and owa). The certificate was installed in the CAS server. As per the hybrid deployment documentation I need also to install a certificate in the mailbox server, questions:
1. Can I use the same certificate for installation in the mailbox server?
2. Can I also use the same certificate in the Hybrid Configuration wizard for the "certificate to use with securing the hybrid mail transport"?
3. Do I need to include the primary smtp domain (xxxxx.com) in the certificate since current configuration points to the mail.xxx.com as the certificate common name?
Hi,
Here are my answers you can refer to:
1. It depends.
The certificate used for hybrid secure mail transport must be installed on all on-premises Exchange 2013 Mailbox and Client Access servers.
If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.
2. Yes. But we recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services for your hybrid deployment, and if needed, another certificate on your Exchange servers for other needed services or features.
3. Yes. Here are the minimum suggested FQDNs that should be included on certificates: domain.com, autodiscover.domain.com, edge.domain.com
For more information, you can refer to the following article:
http://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Exchange Mail Certificate Expired
Since our certificate expired this past weekend no one outside the firewall can connect to the Exchange server via Outlook or OWA.
Our IT Director created a new certificate on the Exchange Server, but users trying to get mail on mobile phones or from home computers cannot connect to the exchange server. What could be the cause? Does the new certificate have to be installed on each client computer? Reason I ask is that we have people all over the country.
Hi,
Before we go further, I'd like to confirm if the certificate is self-signed certificate or internal CA certificate.
If yes, I'd like to say, to confirm users trust the certificate, we need to install the certificate on every clients.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Exchange OWA 2010 is not showing events on calendar correctly.
I have Exchange 2010 setup on 2 servers running Windows 2008 R2 Standard. Some users' OWA accounts, (mine included) are working just fine. Other users, are showing just a blank gray box on the calendar. Even if there are multiple events that day, there is just one blank gray box. You can read the event in the reading pane on the side but you cannot edit it, or delete it. Clicking on the box brings up the create new event pop-up box instead. If I click on the monthly view, all the events are garbled up in the upper left hand corner of the calendar. I am up to date on all of my security updates and this issue is intermittent between users. Some users work fine, others don't. I've tried Firefox, IE 11, and Google Chrome on the same computer and the same thing happens in all 3 where my account works just fine and this particular user's account does not. I might also mention that our company uses a portal where users log into one form and are then rerouted to a page with several apps, OWA being one of them. If I login to OWA using the default website address (it uses forms based authentication) everything works fine for every user. This problem only occurs on certain users when using the single sign on through the portal. Any help would be appreciated! Thanks in advance!
Hi ,
Thank you for your question.
By my understanding, if we logon OWA using default website address without any problems, it mean OWA on Exchange is fine. We could contact application developer for solution.
If there are any questions regarding this issue, please be free to let me know.
Best Regard,
Jim
Jim Xu
TechNet Community Support -
Accepted domains in Exchange SAN certificate
Hi All,
I am having few queries please clarify me .
In my environment ,i having the accepted domains list like below
xyz.com
abc.com
All the users in my organisation is having the primary smtp address as [email protected] and secondary smtp address as [email protected]
In my san certificate i am not having any of the above mentioned accepted domains.
Do i need to have all the accepted domains on the SAN certificate or else only primary smtp address domain suffix is enough ?
In case if don't have any of my accepted domains suffixes in SAN certificate what will happen ? Because why i am asking is i am not getting any certificate related errors ?
As an additional info , we are using the single namespace for exchange services like owa ,activesync ,pop/imap and outlook anywhere (both internal & external ) and that name is available in my SAN certificate.
Autodiscover namespace is also included in my SAN certificate .
Thanks S.Nithyanandham
Hi Imkottees,
Thanks a lot for your immediate response.
But still i am having some queries please explain me what you are trying to explain on this below line ?
"But you need this for all Primary domains used in your environment"
Regards
S.Nithyanandham
Thanks S.Nithyanandham