Exchange 2013 and Digital Certificates
#1
Let’s start off with a few basic things to note about Outlook and Exchange. I have had the misfortune of finding out the hard way so lucky for you, now you know the secrets.

The semi-good news first
1) Outlook 2003 can connect to Exchange 2013 using POP or IMAP
2) Outlook 2013 can connect to Exchange 2003 using POP or IMAP
3) This is only semi-good news because as you know, both POP and IMAP have their shortcomings

Now for the bad news
1) Outlook 2003 cannot connect to Exchange 2013 using SMTP
2) Outlook 2013 cannot connect to Exchange 2003 using SMTP
3) The solution? Upgrade your Outlook client or upgrade your Exchange server (or ideally both)

Exchange 2013 works very well with Outlook 2007, 2010, and 2013 - providing you are using a signed digital certificate from a trusted 3rd party Certification Authority and providing your internal domain name matches your external domain name on your certificate (I’ll make another post about that on the forum later). However, if you choose to use the self-signed digital certificate, you will find a few extra steps are involved to get your Outlook clients to talk to your Exchange server.

Here is a quick pointer on certificates and Exchange:
1) If you use Exchange with the self-signed digital certificate, nothing special needs to be done on the Exchange server out of the box but you do need to play around with Outlook to get it to connect
2) Using Exchange with a signed digital certificate is the other way around, where you do nothing special with Outlook, but you do need to play around (quite a bit actually) with Exchange to get the certificate installed and working
3) The exception to number 1 above is if you are running Outlook on Windows XP, that is a situation that requires you to make some minor adjustments to the Exchange server, as will be explained further on

Setting up Outlook 2007/2010/2013 based on the following configuration:
- Connecting to Exchange Server 2013 using OutlookAnywhere
- Using the self-signed digital certificate
- Using Windows 7 or 8 on the client PC

1) Install the self-signed digital certificate
a. Open OWA on the PC using Internet Explorer
b. Click on the red “Certificate error” button on the top right of the browser
c. In the drop down window, click on View certificates
d. In the pop-up window, click on the Install Certificate button
e. Click on Next
f. Click on the Place all certificates in the following store radio button
g. Click on Browse
h. Select the Trusted Root Certification Authorities and click on OK
i. Click on Next and click on Finish
j. Click on Yes on the next pop-up window
k. Click on OK twice

2) Open Outlook 2007
a. Click Next multiple times and Outlook will AutoDiscover the Exchange server settings

Setting up Outlook 2007/2010 based on the following configuration:
- Connecting to Exchange Server 2013 using OutlookAnywhere
- Using the self-signed digital certificate
- Using Windows XP on the client PC

When setting up Outlook 2007 on Windows XP you will find that when you open Outlook it will constantly prompt you to enter a username and password. No matter what you type in, it will constantly reject the credentials you give it.

1) Make sure Office 2007 is fully patched with Service Pack 3 and all applicable Office updates

2) Install the self-signed digital certificate
a. Open OWA on the PC using Internet Explorer
b. Click on the red “Certificate error” button on the top right of the browser
c. In the drop down window, click on View certificates
d. In the pop-up window, click on the Install Certificate button
e. Click on Next
f. Click on the Place all certificates in the following store radio button
g. Click on Browse
h. Select the Trusted Root Certification Authorities and click on OK
i. Click on Next and click on Finish
j. Click on Yes on the next pop-up window
k. Click on OK twice

3) Open the Exchange Management Shell and perform the following commands

Set-OutlookAnywhere -Identity "servername\rpc (Default Web Site)" -InternalClientAuthenticationMethod Negotiate
Set-OutlookAnywhere -Identity "servername\rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate

Note: Replace “servername” with the name of the server hosting Exchange

After the above changes, open a command prompt with administrative privileges and enter the command below :

IISReset

4) Open the Registry Editor on the XP computer and perform the following

Go to HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover

Add the following 6 DWORDs below. The Value data for each DWORD will be 1. The Base for each DWORD will be Hexadecimal

ExcludeScpLookup
ExcludeHttpRedirect
ExcludeHttpsAutoDiscoverDomain
ExcludeHttpsRootDomain
PreferLocalXML
ExcludeSrvRecord

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\

Double-click lmcompatibilitylevel
In the Value data box, type a value of 3
Quit Registry Editor
Restart the computer

5) Open Outlook 2007
1. Select the tick box that says Manually configure server settings or additional server types
2. Click Next
3. Select the Microsoft Exchange radio button and click on Next
4. Type in the name or IP address of the server running Exchange
5. At your discretion, select or deselect the Cached Mode option
6. Type in the user’s login name and click on the Check name button
7. Once both the server name and username are underlined, click on the More settings button
8. In the pop up window, select the Connection tab
9. Select the tick box at the bottom and click on the Exchange Proxy Settings button
10. In the URL field, type in the FQDN of the exchange server
11. Check the tick box that says Use SSL, but do not check the tick box below it
12. Click on OK, Next and Finish
13. With any luck, Outlook should open and start downloading your email

I have found that some users have had to go a step further and make changes to the name of the digital certificate. However I think those changes only apply if you are using a signed 3rd party certificate.

Open Exchange Management Shell and run the following commands

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:mail.domain.com
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:mail.domain.com

Replace "mail.domain.com" with name of your public domain name (usually your MX record). This needs to match what is on your digital certificate.

Then open a command prompt with administrative privileges and enter the command below:

IISReset

If your signed digital certificate is using a wildcard, use the commands below instead of the ones above (you will still need to run IISReset afterwards):

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com

Replace "mail.domain.com" with the domain name that is listed on your digital certificate

A note about the above commands:
EXCH is for internal users
EXPR is for external users

A note on using POP with Exchange 2013

Microsoft Exchange 2013 uses TLS encryption by default. When you connect a POP account in Outlook to your Exchange server, you will likely get a prompt that will persistently ask you to enter a username and password. To fix that, open the Exchange Management Shell and enter the following command:

Set-PopSettings -LoginType PlainTextLogin
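As an added example (not part of the original post), the following PowerShell script applies step 4 of the Windows XP procedure above: it creates the six AutoDiscover DWORDs with a value of 1 and sets LmCompatibilityLevel to 3, reporting what it changed so you can confirm the client state before restarting. It assumes PowerShell 2.0 or later is installed on the XP client and that it is run from an elevated prompt, since the HKLM write requires administrative rights.

```powershell
# Added example, not from the original post: applies the Outlook 2007
# AutoDiscover registry values and the LSA LmCompatibilityLevel value
# described in step 4. Run from an elevated PowerShell prompt on the XP client.

$autodiscoverKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\AutoDiscover'
$lsaKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# The six DWORD values named in the post; each is set to 1. Together they
# turn off every Autodiscover lookup except a local XML file, which is why
# the server settings then have to be entered manually in step 5.
$autodiscoverValues = @(
    'ExcludeScpLookup',
    'ExcludeHttpRedirect',
    'ExcludeHttpsAutoDiscoverDomain',
    'ExcludeHttpsRootDomain',
    'PreferLocalXML',
    'ExcludeSrvRecord'
)

if (-not (Test-Path $autodiscoverKey)) {
    New-Item -Path $autodiscoverKey -Force | Out-Null
}

foreach ($name in $autodiscoverValues) {
    $current = (Get-ItemProperty -Path $autodiscoverKey -Name $name `
                -ErrorAction SilentlyContinue).$name
    if ($current -ne 1) {
        # -PropertyType DWord creates the hexadecimal-base DWORD the post asks for
        New-ItemProperty -Path $autodiscoverKey -Name $name -Value 1 `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Set $name = 1 (previous value: '$current')"
    } else {
        Write-Output "$name is already 1"
    }
}

# LmCompatibilityLevel 3 means the client sends NTLMv2 responses only,
# which is the value the post specifies for the Outlook Anywhere logon.
$lmBefore = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
             -ErrorAction SilentlyContinue).LmCompatibilityLevel
Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 3 -Type DWord
Write-Output "LmCompatibilityLevel: '$lmBefore' -> 3 (restart the computer to apply)"
```

The registry changes take effect for Outlook only after the restart the post calls for, so run the script before the reboot in step 4 rather than after.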
#2
I can personally vouch for http://certificatesforexchange.com/ for cheap SSL certs. US$60 for a UCC cert (this is what you need for Exchange to make the funky stuff like autodiscover work nicely) - the website isn't the best to navigate but I haven't suffered any problems and the service is quick.