Correcting SBS2011 Exchange and Outlook certificate names / connectivity

I’ve recently set up an SBS2011 (Small Business Server 2011) server at a company and all went fairly well, especially considering it was a migration from SBS2003!

Other than issues on the old server with failing File Replication Services (FRS) preventing the initial migration attempt (requiring a reinstall of the new server to retry) and some corrupt messages in the old Exchange store, the biggest headache I came across was how to change where Outlook looks for settings and what certificate the server provides.

A few seconds after Outlook loaded on a client computer, the user would be presented with a certificate warning like so:
(Screenshot: certificate warning)

Everything would still work fine whether they clicked Yes or No. It might possibly affect the in-Outlook away message functionality, but I didn’t test that.

When investigating the certificate I found that it was issued to the Common Name (CN) “Sites” and not the name of the server (for example SB2011.mycompany.local or office.mycompany.com). Comparing the setup to a previous trial run I had performed in a virtual environment, the “Sites” certificate should have contained Subject Alternative Names (SANs).


I could find no documentation on how you would correct this other than a few articles on how to use a paid (not self-signed, free) certificate. There doesn’t seem to be much documentation on what you should do if you wanted to change the URL in use by Outlook either. I’d initially set it up similar to the screenshot below, but in fact wanted to use office.thecompany.com.
(Screenshot: the initial setup)

Here is how I solved it.

Log in as an admin-level user and run the “Windows SBS Console”. If you have not already done so, run the “Connect to the internet” step; if you don’t run through this step, you won’t be able to run the next wizard. It is wise to have physical access to the server, as I have found that the server loses network connectivity while running the “Connect to the internet” wizard!

(Screenshot: where to find the initial wizard, if required)

You now want to run the Setup your Internet Address wizard. I chose to manage the domain myself. Then, on the next page, I selected Advanced and typed in “office”, then OK. Then I typed in the company’s external domain, i.e. it was now “office.mycompanydomain.com”.
On both occasions at least one of the three steps failed or had warnings. However, Outlook should now use the new web access site.

In my test setup, the certificate was also corrected and updated to contain the new domain! On the live setup it wasn’t. The Network –> Connectivity –> “Fix my network” function would detect that the SSL certificate was wrong but fail to repair it.
I repaired it manually by going into IIS configuration and adding a “domain” certificate.

Then go to the “Default Web Site” and click on Bindings on the far right-hand side. Edit any of the port 443 bindings to use your newly generated certificate and off you go.
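To confirm which certificate the port 443 bindings are actually serving, and whether it carries the name Outlook connects to, the following check can be run in PowerShell on the server. It is an added example, not part of the original post: the host name in `$ExpectedNames` is a placeholder, the helper function names are made up for this example, and the parsing assumes English-language `netsh` and certificate output.

```powershell
# Added example. Placeholder below: use the host name(s) your Outlook clients connect to.
$ExpectedNames = @('office.mycompanydomain.com')

function Get-CertDnsNames($Cert) {
    $names = @()
    # Subject CN (the broken certificate in the post had CN "Sites")
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension, OID 2.5.29.17
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() text is localized; "DNS Name=" is the English label
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    $dot = $HostName.IndexOf('.')
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry covers exactly one left-most label
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Thumbprints HTTP.SYS (and so IIS) presents on port 443 bindings
$bound = @(); $endpoint = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'IP:port\s*:\s*(\S+)') { $endpoint = $Matches[1] }
    elseif ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' -and
            $endpoint -like '*:443') { $bound += $Matches[1].ToUpper() }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $names = @(Get-CertDnsNames $cert)
    $missing = @($ExpectedNames | Where-Object { -not (Test-NameCovered $_ $names) })
    New-Object PSObject -Property @{
        BoundTo443 = ($bound -contains $cert.Thumbprint)
        Thumbprint = $cert.Thumbprint
        Names      = ($names -join ', ')
        Missing    = ($missing -join ', ')
        NotAfter   = $cert.NotAfter
    }
} | Format-Table BoundTo443, Names, Missing, NotAfter, Thumbprint -AutoSize
```

For the certificate shown with BoundTo443 set to True, the Missing column should be empty once the binding has been corrected.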

If you encounter errors in the SBS setup wizards then take a look at the most recently updated log files in:
C:\Program Files\Windows Small Business Server\Logs

Hope this helps someone!

Other resources:
http://technet.microsoft.com/en-us/library/dd351057%28v=exchg.141%29.aspx#emc

http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=68
