Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: wbs316 on August 08, 2013, 12:30:15 AM
-
I have been trying to configure a couple of Windows XP workstations running Outlook 2007 with SME V8. I found the detail at http://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 which helped but as much as the email sends and receives OK when the Certificate Information window is displayed the option "Install Certificate" is not present. The fully qualified server name is correct. Is there something else I need to do or have I missed something?
-
If you're running Windows 7/8 try running Outlook as administrator.
Nicola
-
Hi,
I usually open https://your_server_name in IE
then accept untrusted certificate
On red label with certificate error click right mouse button --> details --> install certificate
Then manually choose where certificate should be stored (main trusted root certificate)
Btw name of container where to store certificate might slight differend. Name I post above is straight translation from my native language
-
Thank you both for your input. I did also notice that I could produce the certificate window with the "Install Certificate" option via Internet Explorer but unfortunately this gets a little messy when you get to Internet Explorer 10.
At the client where I was trying to install this system they had various versions of Internet Explorer on the PC's and laptops and I found in some instances in Internet Explorer 10 the PC may produce a message at the bottom of the screen "Intranet settings are turned off by default" and if I clicked on the option "Turn on Intranet settings" I could produce the window with the "Install Certificate" option. But this Intranet settings message did not appear on all Internet Explorer 10 PC's so it got a bit hard and I think I will need to somehow import the certificate to each PC or laptop via a file.
I also noticed (and the documentation at http://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 also mentioned it) that the certificate has an expiry date in my instance of July 2014. I'm not surely going to have to visit all of the users again in 12 months time to effect this again!
I also noticed on one Windows XP PC which can successfully access the server manager of a version 6 SME system via Internet Explorer that when I try to access the server manager of the version 8 system Internet Explorer responds with "The page cannot be displayed" suggesting that there is some sort of DNS error but the same PC can browse the iBays OK. I did try logging on to the PC via a couple of other user names and got the same result. So getting the certificate on this PC via Internet Explorer also didn't work.
Is there any way around this email configuration issue to perhaps make it a more simple task like it has been with version 6 for instance?
-
Thank you both for your input. I did also notice that I could produce the certificate window with the "Install Certificate" option via Internet Explorer but unfortunately this gets a little messy when you get to Internet Explorer 10.
At the client where I was trying to install this system they had various versions of Internet Explorer on the PC's and laptops and I found in some instances in Internet Explorer 10 the PC may produce a message at the bottom of the screen "Intranet settings are turned off by default" and if I clicked on the option "Turn on Intranet settings" I could produce the window with the "Install Certificate" option. But this Intranet settings message did not appear on all Internet Explorer 10 PC's so it got a bit hard and I think I will need to somehow import the certificate to each PC or laptop via a file.
I also noticed (and the documentation at http://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 also mentioned it) that the certificate has an expiry date in my instance of July 2014. I'm not surely going to have to visit all of the users again in 12 months time to effect this again!
I also noticed on one Windows XP PC which can successfully access the server manager of a version 6 SME system via Internet Explorer that when I try to access the server manager of the version 8 system Internet Explorer responds with "The page cannot be displayed" suggesting that there is some sort of DNS error but the same PC can browse the iBays OK. I did try logging on to the PC via a couple of other user names and got the same result. So getting the certificate on this PC via Internet Explorer also didn't work.
Is there any way around this email configuration issue to perhaps make it a more simple task like it has been with version 6 for instance?
May I suggest you open a bug at Bugzilla, this should be investigated fully and documented. Please summarize your experience and remedial action taken so far, also provide a link to this topic.
Thanks.
-
wbs316
I also noticed (and the documentation at http://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 also mentioned it) that the certificate has an expiry date in my instance of July 2014. I'm not surely going to have to visit all of the users again in 12 months time to effect this again!
You can set a longer validity time (eg 5 years) for your sme server self signed certificate, see
http://wiki.contribs.org/Certificates_Concepts#Expiration_time_of_the_self_signed_certificate
This will create a new certificate so users will need to reinstall that the first time they access using https.
-
This will create a new certificate so users will need to reinstall that the first time they access using https.
So will a few other changes made to the server and it is real pain because all the email certs need to be re-done.
-
p-jones
Life is not free of pain !
-
p-jones
Life is not free of pain !
Obviously, nor particularly practical, with maybe 100 or more clients and maybe a few hundred miles as well.....
-
p-jones
Just create one set of written instructions, email it to your 100 users & let them install the new certificate. No driving needed.
-
You can set a longer validity time (eg 5 years) for your sme server self signed certificate, [...]
I would even suggest setting it to 10 years or even longer so that the certificate expires long after the pc/laptop itself is replaced by a new one (unless others on this forum securitywise disagree with this?). When replacing the laptop (say after 6 years) you can install the certificate while you're configuring the new laptop/pc.
And regarding the users' manual (as janet suggests): for those users who don't RTFM you can always use a utility such as teamviewer (www.teamviewer.com) to take over their desktop and install the certificate for them. You can put a client module of Teamviewer on your intranet/website where users can download it and execute it (no admin rights needed!). On your computer it is advisable to install teamviewer on a virtual Windows machine (e.g. Virtualbox). Thus you can reset the environment every time teamviewer starts complaining that you've been using it too many times. It's been a while since I last used it but IIRC the program will (if used too frequently) disconnect after only a few minutes, which is annoying.
-
I was hoping I could still make a reply to this topic that I started back around 4 months ago as I have just got back to doing some testing again with the certificates!
I managed to run the process to have the certificate expire in 5 years instead of 12 months. I also mentioned that the client I was working with had various flavours of IE and the certificate presented differently on various PC's and I thought of exporting the installed certificate from one of the PC's using certmgr.msc and then installing on any of the other PC's also using certmgr.msc
This process works OK but I am quite surprised in that when I go to the server manager using IE I continue to get the certificate error despite the fact that the certificate is installed. This als happens on one of the XP laptops that allows me to install the certificate via the "Certificate Error" tab in IE.
I did presume that once the certificate was installed that this message would not be received accessing the server manager via IE.
-
wbs316
Is the URL you are using to access the mail server, the same as the URL you enter when accessing https://yourserverURL in IE, & are these URLs the same as the actual certificate ?
Typically the self signed/generated certificate from sme server is in the name of servername.yourdomain.com
If you access mail servers using https://yourdomain.com you will still get an error, so you should access it using https://servername.yourdomain.com
Alternatively there is a db setting you can use to change the server common name, so the certificate matches the main domain name, then everything can use https://yourdomain.com supposedly then without errors.
You may also have to remove old certificates from your browser & reinstall them, in stubborn cases.
-
In this particular instance I was referring to the instance of accessing the server manager via IE https://servername/server-manager. IE indicates a certificate error with details issued to "servername.domainname.com.au", issued by "servername.domainname.com.au", valid from 1/12/2013 to 1/12/2018.
If I then take the option to install this I expected that when I returned to the address https://servername/server-manager that the certificate error would not appear.
-
I should add that access to the link https://servername.domainname.com.au/webmail does not produce the certificate error after I import the certificate from a file using certmgr.msc so I gather this should hopefully overcome the issue with Outlook.
-
wbs316
https://servername
&
https://servername.domainname.com.au
are not the same !
If you want to avoid self signed certificate errors, you have to use the URL that matches the certificate installed in your browser.
Your second recent post demonstrates that.
If you do not want to maintain hundreds of workstation browsers & install/upgrade your self signed certificate whenever it changes (due to domain name reconfiguration on the server etc), then the answer is to buy a commercial certificate & install that on your sme server. They are relatively cheap these days.
The commercial cettificate provider will be included in root certificates issued to web browsers, & as long as users update their browsers periodically, then your certificate provider will be included in the root certificate, thus they will not receive errors.