In some cases, your system may display an error indicating an OWA 2010 certificate problem. There are several possible causes.
The fault lies in the internal naming settings and the local / self-signed / internal CA certificate.
Follow the instructions below to ensure that split DNS is configured and that your Exchange server settings are in line with best practice.
Make sure your OutlookAnywhere, Autodiscover and split DNS settings are correct. OutlookAnywhere and split DNS are essential to the future of Exchange and must be configured to function properly whether you are running Exchange 2007, 2010, or 2013. For Exchange 2013, OutlookAnywhere is a requirement, and split DNS is the best practice. If you are using Exchange 2007 or 2010 but don't have OutlookAnywhere enabled, enable it and follow this guide.
You want to use NTLM rather than Basic authentication, because Basic authentication sends the username and password in clear text, whereas NTLM is Windows authentication. In Exchange 2013, you also have a newer option called Negotiate. If you follow these instructions, ClientAuthenticationMethod (internal and external if on Exchange 2013) is set to NTLM and IISAuthenticationMethods is set to Basic, NTLM (and Basic, NTLM, Negotiate for Exchange 2013). SSLOffloading is set as well.
Since DNS is the most important component on any network, make sure you have split DNS configured before doing anything else. To confirm that split DNS is working, check how the OWA URL and the Autodiscover URL resolve (for example, mail.domain.com and autodiscover.domain.com). From an internal computer, both should resolve to the internal IP address of your Exchange server (for example 192.168.1.55). Then check the OWA URL and the Autodiscover URL from an external source (for example, mail.domain.com and autodiscover.domain.com). From outside, both should resolve to the external IP address of your mail server (for example, 184.108.40.206). To make sure split DNS is being used correctly:
- Internally, the names must resolve to the internal IP address of your mail server (for example, 192.168.1.55).
- Externally, the names should resolve to the external IP address of your mail server (e.g. 220.127.116.11).
To fix the external records (autodiscover is most likely the one that does not exist and needs to be created), create an A record on your domain's name servers for autodiscover.domain.com and point it to the external IP of your mail server (for example 18.104.22.168).
To fix the internal records, the easiest way is to create an Active Directory integrated DNS zone for mail.domain.com (assuming this is your OWA URL), then create a blank A record in it that points to the internal IP address of your mail server (e.g. 192.168.1.55). Then create another Active Directory integrated DNS zone for autodiscover.domain.com and create a blank A record that points to the internal IP address of your mail server (for example, 192.168.1.55).
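The split DNS check described above can be scripted, as in this added example (not part of the original guide). The hostnames and the internal IP are the article's sample values; `$ExternalIP`, `$InternalDns` and `$PublicResolver` are placeholder assumptions to replace with your own, and `Resolve-DnsName` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: compare what internal and public DNS return for the Exchange names.
# Hostnames and the internal IP are the article's samples; the rest are assumptions.
$Names          = 'mail.domain.com', 'autodiscover.domain.com'
$InternalIP     = '192.168.1.55'   # internal IP of the mail server (article's sample)
$ExternalIP     = '203.0.113.10'   # assumption: placeholder for your public mail IP
$InternalDns    = '192.168.1.10'   # assumption: your AD-integrated DNS server
$PublicResolver = '8.8.8.8'        # assumption: any public recursive resolver

function Test-SplitDnsRecord {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ExpectedIP,
        [Parameter(Mandatory)][string]$View
    )
    try {
        # -DnsOnly: use only the DNS protocol (no LLMNR or NetBIOS fallback).
        $answers = @(Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress)
        $err = $null
    } catch {
        $answers = @()
        $err = $_.Exception.Message
    }
    # Any answer other than the expected address means this view is wrong.
    $unexpected = @($answers | Where-Object { $_ -ne $ExpectedIP })
    [pscustomobject]@{
        View     = $View
        Name     = $Name
        Answers  = $answers -join ', '
        Expected = $ExpectedIP
        Ok       = ($answers.Count -gt 0) -and ($unexpected.Count -eq 0)
        Error    = $err
    }
}

$results = @(foreach ($n in $Names) {
    Test-SplitDnsRecord -Name $n -Server $InternalDns    -ExpectedIP $InternalIP -View 'internal'
    Test-SplitDnsRecord -Name $n -Server $PublicResolver -ExpectedIP $ExternalIP -View 'external'
})
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Split DNS is not consistent; fix the failing records first.'
}
```

The external check only works if the workstation is allowed to query a public resolver directly; otherwise run that half from a machine outside the network.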
Now that split DNS has been confirmed, the next step is to check the virtual directories and the Autodiscover URI of the Client Access server and fix them accordingly. All internal and external URLs must use the hostname mail.domain.com (assuming mail.domain.com is the OWA URL of your choice).
If any of these Exchange PowerShell commands fail, don't worry; some of them apply only to certain versions, since the list covers everything from Exchange 2007 to 2013. Run the Get commands and save their output to a text file as a backup of your current configuration settings, in case you need to refer back to what was there before.
Now that you've made a backup of that output, follow the steps to fix your environment. Change ExternalClientAuthenticationMethod (ClientAuthenticationMethod in Exchange 2010) to NTLM and enable SSLOffloading. If you are on Exchange 2013 and all clients are Outlook 2013 or later, I would suggest setting ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod, and IISAuthenticationMethods to Negotiate; NTLM is there for compatibility with Outlook 2010 and Outlook 2007 clients.
Set all virtual directories to the OWA hostname, except AutodiscoverVirtualDirectory, whose InternalURL and ExternalURL are left blank.
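To find which URLs still point at a name the certificate does not cover, the virtual directories can be audited before and after the change. This is an added example, not the original author's code; it assumes the Exchange Management Shell and uses the article's sample hostname, and `Test-ExchangeUrl` is a hypothetical helper name.

```powershell
# Added example: list every Exchange URL whose host is not the OWA hostname.
# Run in the Exchange Management Shell. $OwaHost is the article's sample name.
$OwaHost = 'mail.domain.com'

# Cmdlets named in this article; some do not exist on every Exchange version.
$VdirCmdlets = 'Get-ActiveSyncVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-PowerShellVirtualDirectory', 'Get-WebServicesVirtualDirectory'

# Hypothetical helper: classify one URL property of one object.
function Test-ExchangeUrl {
    param([string]$Source, [string]$Property, $Value)
    if (-not $Value) {
        $status = 'BLANK'
    } else {
        $uri = [uri]"$Value"
        if ($uri.Host -ne $OwaHost)      { $status = 'HOST MISMATCH' }
        elseif ($uri.Scheme -ne 'https') { $status = 'NOT HTTPS' }
        else                             { $status = 'OK' }
    }
    [pscustomobject]@{
        Source   = $Source
        Property = $Property
        Url      = "$Value"
        Status   = $status
    }
}

$report = @(foreach ($name in $VdirCmdlets) {
    # Skip cmdlets this Exchange version does not provide.
    if (-not (Get-Command $name -ErrorAction SilentlyContinue)) { continue }
    foreach ($vdir in (& $name)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            Test-ExchangeUrl -Source $vdir.Identity -Property $prop -Value $vdir.$prop
        }
    }
})

# The Autodiscover URI lives on the Client Access server object, not on a virtual directory.
$report += @(foreach ($cas in Get-ClientAccessServer) {
    Test-ExchangeUrl -Source $cas.Identity -Property 'AutoDiscoverServiceInternalUri' `
        -Value $cas.AutoDiscoverServiceInternalUri
})

$report | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

AutodiscoverVirtualDirectory is deliberately not in the list, because its URLs are left blank in this guide.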
Another very handy thing is to make OWA available by redirecting http to https, so that your users don't have to type https. The easiest and best way I have found is to change the Default Web Site error pages and set the 403 error to redirect to https://mail.domain.com/owa. You will need to reapply this after every cumulative update (CU) you install, as the CUs reset these settings to their defaults.
- Open IIS.
- Go to the Default Web Site on the left.
- Double-click Error Pages on the right.
- Double-click the 403 status code.
- Change the response action to “Respond with a 302 redirect” and enter the absolute URL: https://mail.domain.com/owa.
- Click OK and close IIS.
- Make sure your firewall forwards port 80 traffic to your mail server.
- In a browser, go to mail.domain.com and press Enter. It should redirect you to the OWA login.
If you don’t have a suitable third-party certificate yet, I suggest you take the plunge for $29.88.
NameCheap has PositiveSSL multi-domain certificates which include 3 hostnames.
You need a minimum of 2: mail.domain.com (the OWA URL and the certificate subject) and autodiscover.domain.com (as a subject alternative name, or SAN). A wildcard certificate will work, but a SAN certificate is by far the better course of action: if a wildcard certificate is compromised, every name under the domain is exposed, whereas if a SAN certificate is compromised, only the specified hostnames can be used …
The time it takes to troubleshoot a self-signed certificate or an internal certification authority certificate (if applicable) … will cost your business more than just investing in the certificate from the link I gave you above. Oh, and I don’t get any commission or anything from this link; it is just a direct link to the SSL certificate you need.
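Once a certificate is installed, it is worth confirming what the server actually presents on port 443. The following is an added example, not part of the original guide: it reads the served certificate and reports whether it is self-signed, whether it relies on a wildcard, and which of the two required names are missing from the SAN list. The hostnames are the article's samples, the function names are hypothetical, and the SAN text parsing assumes an English-language Windows.

```powershell
# Added example: inspect the certificate served on 443 and check the required names.
# Hostnames are the article's samples; SAN parsing assumes English-language Windows.
$Required = 'mail.domain.com', 'autodiscover.domain.com'

function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        # Accept whatever is presented: the goal is to read the certificate, not to trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $raw = $ssl.RemoteCertificate
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $raw
    } finally {
        $client.Close()
    }
}

function Test-ExchangeCertificate {
    param([Parameter(Mandatory)][string]$HostName, [string[]]$RequiredNames = $Required)
    $cert = Get-ServedCertificate -HostName $HostName
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    $dnsNames = @()
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # A name is covered by an exact SAN entry or by a wildcard for its parent domain.
    $missing = @($RequiredNames | Where-Object {
        $name   = $_
        $parent = '*.' + ($name -split '\.', 2)[1]
        -not ($dnsNames -contains $name -or $dnsNames -contains $parent)
    })
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
        DnsNames     = $dnsNames -join ', '
        UsesWildcard = (@($dnsNames -like '[*].*').Count -gt 0)
        MissingNames = $missing -join ', '
    }
}

Test-ExchangeCertificate -HostName 'mail.domain.com' | Format-List
```

Run it from both an internal and an external machine, since split DNS sends each to a different IP address and the two paths can present different certificates.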
You can also use the Microsoft TestConnectivity website to test Exchange (Autodiscover plus connectivity) to troubleshoot these issues.
```powershell
# Back up the current configuration: run these and save the output to a text file.
Get-OutlookProvider | fl
Get-OutlookAnywhere | fl
Get-ClientAccessServer | fl
Get-ActiveSyncVirtualDirectory | fl
Get-AutodiscoverVirtualDirectory | fl
Get-EcpVirtualDirectory | fl
Get-OabVirtualDirectory | fl
Get-OwaVirtualDirectory | fl
Get-PowerShellVirtualDirectory | fl
Get-WebServicesVirtualDirectory | fl
Get-SendConnector | Where-Object { $_.Enabled -eq $true } | fl

# OutlookAnywhere on Exchange 2010 (ClientAuthenticationMethod):
Set-OutlookAnywhere -Identity "SERVER\Rpc (Default Web Site)" -SSLOffloading $true -ClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM
# OutlookAnywhere on Exchange 2013 (separate internal and external methods):
Set-OutlookAnywhere -Identity "SERVER\Rpc (Default Web Site)" -SSLOffloading $true -ExternalClientAuthenticationMethod NTLM -InternalClientAuthenticationMethod NTLM -IISAuthenticationMethods Basic,NTLM,Negotiate

# Replace "(certificate subject name)" with the subject name of your certificate.
Set-OutlookProvider -Identity EXCH -CertPrincipalName "msstd:(certificate subject name)"
Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:(certificate subject name)"
Set-OutlookProvider -Identity WEB -CertPrincipalName "msstd:(certificate subject name)"

# Replace SERVER with the server name and OWAHOSTNAME with the OWA hostname.
Set-ClientAccessServer -Identity "SERVER" -AutoDiscoverServiceInternalUri "https://OWAHOSTNAME/Autodiscover/Autodiscover.xml"
Set-ActiveSyncVirtualDirectory -Identity "SERVER\Microsoft-Server-ActiveSync (Default Web Site)" -ActiveSyncServer "https://OWAHOSTNAME/Microsoft-Server-ActiveSync" -InternalUrl "https://OWAHOSTNAME/Microsoft-Server-ActiveSync" -ExternalUrl "https://OWAHOSTNAME/Microsoft-Server-ActiveSync"
Set-EcpVirtualDirectory -Identity "SERVER\ecp (Default Web Site)" -InternalUrl "https://OWAHOSTNAME/ecp" -ExternalUrl "https://OWAHOSTNAME/ecp"
Set-OabVirtualDirectory -Identity "SERVER\OAB (Default Web Site)" -InternalUrl "https://OWAHOSTNAME/OAB" -ExternalUrl "https://OWAHOSTNAME/OAB" -RequireSSL $true
Set-OwaVirtualDirectory -Identity "SERVER\owa (Default Web Site)" -InternalUrl "https://OWAHOSTNAME/owa" -ExternalUrl "https://OWAHOSTNAME/owa"
Set-PowerShellVirtualDirectory -Identity "SERVER\PowerShell (Default Web Site)" -InternalUrl "https://OWAHOSTNAME/powershell" -ExternalUrl "https://OWAHOSTNAME/powershell"
Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl "https://OWAHOSTNAME/ews/exchange.asmx" -ExternalUrl "https://OWAHOSTNAME/ews/exchange.asmx" -InternalNLBBypassUrl $null

# Make enabled send connectors announce the OWA hostname.
Get-SendConnector | Where-Object { $_.Enabled -eq $true } | Set-SendConnector -Fqdn OWAHOSTNAME
```
This error is usually caused by a mismatch between the SSL setting and the port number configured for your account. Open Account Settings in Outlook and go to the Advanced tab. If you need more help opening your account settings, see our guide on accessing account settings in Outlook 2010.
When the Outlook security certificate error is displayed, click View Certificate. Select the Issued by name option and check whether the name on the certificate matches the name of the mail server. If they don’t match, expand them further and then restart Outlook.
Open Start and select Programs > Microsoft Exchange 2010 > Exchange Management Console. Click Database Management. Click “Renew Exchange Certificate …” on the right. Click Browse and select a folder in which to save the CSR file, for example your_domain_cer. Click, you can do it.