Hi,
I've got the following problem.
I'm currently migrating to an Exchange 2007 server. Whenever one of my Outlook 2007 clients connect to their mailbox on the Exchange 2007 server he gets the following message:
"Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".
I've done some searching and I found the following article:
http://www.sembee.co.uk/ar
In this article they recommend creating a new website with new virtual directories and assign it to a second IP-adress which you assign to your Exchange server. On this new website you can assign a certificate with the correct name and route your internal clients to it.
Now the following problem occurs: My Exchange 2007 server is also a domain controller. And you know what they say! Don't use a multihomed domain controller in your domain, because this means trouble!
So, does anybody have any idea how I can make my Outlook 2007 clients connect to their Exchange 2007 mailboxes without breaking down my Outlook web access and Mobile Access clients?
Kind regards,
Aico
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Well,
I disagree with Sembee because you can use the following cmdlet to change the internal SCP and external SCP using the following cmdlet:
Set-WebServicesVirtualDire
we used commercial Certificates and internal O12 and xternal O12 and IE users were able to connect with noe warning
if you are worry about the autodiscovery service only you can use the following cmdlet:
Set-ClientAccessServer -Identity <ClientAccessServerIdParam
If you are using the same URL inside and outside then it is fine.
However the problem is that Outlook 2007 tries to connect to https://servername/
where servername is the real name of the server. You then get the error.
The blog posting was heavily researched and discussed with some of my other MVP peers. If your domain uses .local then the solution I have outlined is the only way I have found to get round all the issues with SSL, as I have not found anyone who will issue a certificate with a subject alternative name that contains a .local domain name.
Simon.
I know that this issue raised and i discussed it also with some MS consultants and MVP as well, and this drags us to the point, how O12 client locate the service point it is from AD?.
i will refer to the autodiscovery architecture in the following link:
http://msdn2.microsoft.com
So if i updated the SCP in the AD to the external name and used properly managed split DNS infrastructure then i will be able to solve the problem because internal clients will be able to connect to the auto-discovery SCP using the external FQDN and will use the certificate bound to IIS (which contains external FQDN which users connect to it).
i used instructions and concepts explained in the following links:
·How to Configure the Availability Service for Network Load Balanced Computers
http://technet.microsoft.c
·Deployment Considerations for the Autodiscover Service
http://technet.microsoft.c
unless you want to use 2 certificates (1 for internal names and 1 for external names)
i used this configuration in my test and production environment and works great under Microsoft supervision unless there is something missing and i can't see it so i will kindly ask from you to explain it further from me.
Regards...
Thank you very much for all your input. Due to some time limitations I've chosen to follow Sembee's article (great article by the way!), despite of the fact that Exchange is running on a DC.
I've configured a second IP-address on the NIC and created the second website as described in your article and everything seems to be working fine uptill now. Even after a few reboots. Let's hope it stays that way.
Sembee, thank you for helping. The points will come your way!
Ok, guys. I did some more research and found that the following article solved all my problems, without having to assign a second IP-address or create a second website:
http://technet.microsoft.c
It discusses how to assign multiple Host Names to 1 certificate. It works like a charm!
We almost had it working this way, except we ran into the problem that the server would keep re-registering itself to our DNS. This server was a DC, not the PDC, but we have 4 DC in our org.
Anyways, it would keep registering the second IP address into dns. So we would have 2 entries in our DNS for the same IP address. And when Outlook 2007 would query the name of the server, it would randomly get one of the 2 IPs. If it got the wrong one, we got an SSL error as the second IP has a certificate with a different name than the host.
So now we're going the real way and getting a SAN certificate.
you present some smarts solutions here.
I got the same problem and i found this solution more easy to apply:
First you create a new DNS zone in your DNS server using the address configured in your commercial certificate, lets say: mail.supermail.com
Then you create a Host (A) type to point to your mail server´s IP : mail.supermail.com 192.168.0.5
Then you just change the following values thru the Exchange shell console:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceIntern
Set-WebServicesVirtualDire
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.supermail.com
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedme
*please note that you must change: "CAS_Server_Name" to your exchange server name and mail.supermail.com with the correct address.
I hope this helps.
Rimba's solution looks pretty straight forward and matches MS's KB on the matter. My one big question, though, is how will these changes affect Outlook clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.
Thanks,
Gabe
I found this worked great.
http://support.microsoft.c
Business Accounts
Answer for Membership
by: SembeePosted on 2007-03-05 at 07:30:38ID: 18654866
That is my article.
You are aware that it is not best practises to run Exchange on a domain controller? It should be run on a member server.
The method I have outlined is not dual homing. It is a second IP address on the server. Dual homing a DC is where there are two network cards connected to two different subnets. Running two IP addresses on the same domain controller when they are connected to the same LAN is not a problem, I have been doing it for years.
Simon.