Pig_Trough

Exchange 2010 Cert issue

Hello IT friends,
I recently renewed an SSL certificate from thawte.com for our webmail server (cert was for webmail.domainname.com). Outlook Web Access and Exchange 2010 reside on the same server. I followed the steps at thawte.com for renewing, and the support fellow from Thawte said everything looks good on their end for webmail. Now the problem is that all of my local staff NOT using webmail, but using Outlook to connect to Exchange locally, are getting error messages stating "the name on the security certificate is invalid or does not match the name of the site".

  User generated image
The part I scratched off was referring to the xxxxx.local address, NOT the webmail.domainname.org that I renewed the cert for. I renewed this cert 2 years back and do not recall having these issues. If there is any more info I need to send, let me know. Thanks.
Miguel Angel Perez Muñoz
Outlook uses the same cert as OWA. I suggest you use split DNS in this case to resolve your problem. Simply create the public zone on your internal DNS and create the public records with the internal IP address: http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html
Pig_Trough

ASKER

This is an excellent article, and I will try the suggested items. One question first, though: do you think I could set this up during business hours without making email unavailable while I am working on it?
I think so, yes: you can set up the DNS settings first and then change the CAS config.
Here is the solution to convert from .local to FQDN for Exchange 2010. I literally just performed this process last night.

Use your own internal Exchange Server name in place of CAS1 in the below commands:

Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://webmail.mycompany.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS1EWS (Default Web Site)" -InternalUrl https://webmail.mycompany.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS1oab (Default Web Site)" -InternalUrl https://webmail.mycompany.com/oab

Set-UMVirtualDirectory -Identity "CAS1unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx

When done running these commands, restart IIS -OR- recycle the MSExchangeAutodiscoverAppPool

Do this off-hours as it will interrupt service briefly.
@Machienet Thank you, sir. Did you need to do anything with Split DNS or PinPoint DNS as mentioned in the above article? Assume my local name for the mail server is "mail": on the lines where it says -Identity "CAS1oab" or "CAS1unifiedmessaging", will I need to type "mailoab" and "Mailunifiedmessaging" or simply just "mail"? Thanks again, man.
No, I avoided split DNS like the plague - maint. nightmare in my opinion.
No PinPoint DNS either. Never even heard about that until this post, actually.

Yes, you are correct. Assuming the internal name is 'mail', you would type 'mailoab'.

Let us know how it goes!
OK, I am trying the above and I type:
Set-WebServicesVirtualDirectory -Identity “(SERVER NAME)EWS (Default Web Site)” - InternalUrl https://webmail.mycompany.com/ews/exchange.asmx

I keep getting "operation cannot be performed because it cannot find the object". How would I look up the current identity?
get-webservicesvirtualdirectory | FL

In the list of displayed info you will see 'Identity'. This is the identity, and you may have a \ between the CAS server name and EWS.
[servername]\EWS (Default Web Site)

If that is the case, you may need to use the \ in the command too.
Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://webmail.mycompany.com/ews/exchange.asmx
It was. Right after I typed that comment I found an article with the \ in it, and it worked! I have not seen the Outlook error message pop up yet, so allow me the end of the day and I will close this out. Much thanks, man!
ASKER CERTIFIED SOLUTION
Michael Machie
Thanks for the quick responses!
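
A check to run after changing the internal URLs as described in this thread (an added example, not posted by any participant): it lists the internal URLs whose host name is not covered by the certificate bound to IIS, which is the condition behind Outlook's name-mismatch warning. `Test-CertCoversHost` and `Get-UncoveredUrl` are helper names made up here, the fallback values are constructed, and it is assumed that each `CertificateDomains` entry stringifies to a DNS name.

```powershell
# Added example; intended for the Exchange Management Shell (PowerShell 2.0 compatible).
# True when $HostName is covered by one of the certificate's DNS names.
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one label to the left of its suffix.
            $pattern = '^[^.]+' + [regex]::Escape($name.Substring(1)) + '$'
            if ($HostName -match $pattern) { return $true }
        } elseif ($HostName -ieq $name) { return $true }
    }
    return $false
}

# Emits one object per entry of $Urls (setting name -> URL) whose host the certificate does not cover.
function Get-UncoveredUrl {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($key in $Urls.Keys) {
        if (-not $Urls[$key]) { continue }   # unset URL: nothing to check
        $urlHost = ([uri]"$($Urls[$key])").Host
        if (-not (Test-CertCoversHost $urlHost $CertNames)) {
            New-Object PSObject -Property @{ Setting = $key; Host = $urlHost }
        }
    }
}

if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    # Live values: names on the IIS-bound certificate and the internal URLs set in the thread.
    $certNames = @(Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
    $urls = @{}
    Get-ClientAccessServer | ForEach-Object {
        $urls["$($_.Name) Autodiscover"] = $_.AutoDiscoverServiceInternalUri }
    @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-UMVirtualDirectory) |
        ForEach-Object { $urls["$($_.Identity)"] = $_.InternalUrl }
} else {
    # Constructed sample values so the check can be tried outside Exchange.
    $certNames = @('webmail.mycompany.com')
    $urls = @{
        'CAS1 Autodiscover'           = 'https://cas1.mycompany.local/autodiscover/autodiscover.xml'
        'CAS1\EWS (Default Web Site)' = 'https://webmail.mycompany.com/ews/exchange.asmx'
    }
}
Get-UncoveredUrl -Urls $urls -CertNames $certNames | Format-Table Setting, Host -AutoSize
```

An empty result means every checked internal URL uses a name on the certificate; with the constructed values only the `.local` Autodiscover entry is listed.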