Have you updated the ISA Listener to use the new certificate?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Wednesday, October 29, 2014 2:57 PM
To: '[email protected]'
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2

Being a little more than dense right now. Have added the new SHA2 cert to all Exchange servers, witness and TMG. Have completed my Exchange request then exported to all Exchange servers, witness and TMG. When I open https://mail.imcu.com/exchange I see the new cert. When I test connectivity I see the old cert still. Do I need to recycle the TMG?

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul
Sent: Wednesday, October 29, 2014 11:31 AM
To: '[email protected]'
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2

We use Digicert and none of the mobile device users noticed. My issues were all with desktop and laptop users.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David McSpadden
Sent: Wednesday, October 29, 2014 10:07 AM
To: '[email protected]'
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2

Not wanting to hijack, so I will keep this within the context of the subject. I am going to import my new GoDaddy SSL SAN cert (keyed with new SHA) tonight. Will this require my users that use iPhone to do anything special on their phones? Power cycle them? Delete and re-add mail account? Physically add a new cert once the cert is in place?

Thanks for your input. As always.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 4:43 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2

Did that already - and double-checked.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Knoch, James W
Sent: Wednesday, October 22, 2014 2:56 PM
To: [email protected]
Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2

Make sure to check with your certificate provider and see if there was an intermediate certificate that needs to be installed as well on the servers. They are usually different than the previous ones if they were required before. If it is a Digicert certificate, they provide a utility that will help check for it and install any missing intermediates.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Maglinger, Paul
Sent: Wednesday, October 22, 2014 12:49 PM
To: New Exchange List ([email protected])
Subject: [Exchange] Certificate prompt after upgrading cert to SHA2

Hoping for some help to understand what is going on here. Rekeyed my SHA1 certs to SHA2 and imported them into my certificate store. They showed up in Exchange and I assigned IMAP, POP, IIS and SMTP to it. So much for that.

Exchange 2010 SP2 UR8 - 2 sites, flat domain. Each site has 2 CAS/HUB, 2 MB, and 1 CAS/HUB/MB. The 2 CAS/HUB servers are configured as a CAA.

What I'm seeing is that SOME users that are opening Outlook 2010 in site A are getting a certificate error "The name of the security certificate is invalid or does not match the name of the site" from the CAS/HUB/MB server (ROMAIL3) in site A. All things working correctly they shouldn't even see that server. The CAS/HUB servers have 2 NICs - one of which on each is set up with Windows Load Balancing for the CAA (designated as LB in the name). DNS is set up as the attached diagram shows. The LB IP addresses are not in DNS.

When the problem started showing up the event logs on HQMAIL1 were getting 2601, 2604, and 2501 errors every 15 minutes - all having to do with the MSEXCHANGEADTOPOLOGY service:

2501 - The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server.

2604 - When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object HQMAIL1 - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

2601 - When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E54D37856378B478743286FF00932782,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions.

I checked DNS and the entries for HQMAIL1 and HQMAIL2 were missing. I re-added them and pushed out the changes. I then rebooted HQMAIL1 and the error went away in the event log - but on rebooting Outlook I still got the certificate pop-up.

I left to get supper and figured I'd work from home using VPN. Coming in that way my Outlook didn't throw the cert error.

Going through things on HQMAIL1 I found that if I pinged HQMAIL1 by name from itself it returned with a 123.100.200.31 instead of what DNS should have returned as 123.100.200.1. Searching I found that I could change the priority of the NICs, which I did and it started pinging correctly from itself. I rebooted HQMAIL1 to clear up any lingering effects of the NIC priority and started getting the 2501, 2604, and 2601 errors again. They occurred until I restarted the MS Exchange AD Topology service (which restarted a boat-load of others) and then it cleared up.

I'm still hearing from some users, not all, about getting the certificate pop-up. I'm not getting it myself currently. I'm not understanding where or why people are getting pointed to ROMAIL3. Hopefully this makes sense to you guys.

-Paul

This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed.
If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited. Please consider the environment before printing this email.
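The thread turns on two checks: which certificate a listener (TMG/ISA, CAS, or a proxy) actually hands to clients, and whether the server sends the new intermediate that James Knoch mentions. As an added example that is not from any poster, this POSIX shell script uses the openssl CLI for both; the function names and the host mail.example.test in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: use the openssl CLI to see which
# certificate a TLS listener really presents and whether it sends its
# intermediates. Function names and hosts here are placeholders.

# cert_summary FILE: subject, signature digest, SANs and SHA-256 fingerprint
# of the first certificate in a PEM file (the leaf a client compares against).
cert_summary() {
    f="$1"
    subj=$(openssl x509 -in "$f" -noout -subject)
    sig=$(openssl x509 -in "$f" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    sans=$(openssl x509 -in "$f" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' ')
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
    printf '%s\nsignature=%s\nsans=%s\n%s\n' "$subj" "$sig" "${sans:-none}" "$fp"
}

# is_sha2 FILE: succeed only if the leaf is signed with a SHA-2 digest, i.e. it
# is the rekeyed certificate and not the old SHA-1 one still bound somewhere.
is_sha2() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' \
        | head -n 1 | grep -qiE 'sha(224|256|384|512)'
}

# inspect_endpoint HOST [PORT]: connect with SNI, dump the presented chain and
# report the verify result. "unable to verify the first certificate" (code 21)
# is the usual sign that the server is not sending its intermediate.
inspect_endpoint() {
    host="$1"; port="${2:-443}"
    if ! out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                -showcerts </dev/null 2>&1); then
        echo "connection to $host:$port failed" >&2
        return 1
    fi
    tmp=$(mktemp)
    printf '%s\n' "$out" | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$tmp"
    printf 'certificates sent: %s\n' "$(grep -c 'BEGIN CERTIFICATE' "$tmp")"
    printf '%s\n' "$out" | grep 'Verify return code' || echo 'no verify result'
    cert_summary "$tmp"
    rm -f "$tmp"
}

# Typical use against an OWA/ActiveSync hostname (placeholder), run once from
# inside the network and once from outside to compare what each path serves:
#   inspect_endpoint mail.example.test 443
```

Comparing the fingerprint line from inside and outside the proxy is the quickest way to tell whether the listener, rather than the Exchange servers, is still bound to the old certificate.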
