
Exchange 2013: Fix for an Invalid certificate and related issues

MAS
Exchange Server, Windows Server, Active Directory, Virtualization Expert.
This article will help to fix the below errors for MS Exchange Server 2013:
I. Certificate error "name on the security certificate is invalid or does not match the name of the site"
II. Out of Office not working
III. Make Internal URLs and External URLs the same.
IV. Address book download issue.

Most administrators don't check the complete set of URLs that Exchange uses to serve MAPI clients, or they miss the URLs that must be set and the names that must be added to the certificate after installing Exchange Server. Below are fixes for those errors.


Note: Replace "exchange.online" with your domain name in all the examples below.

1. First make sure you have a Forward lookup zone for your domain in your internal DNS server, e.g. Exchange.online (like mine in the screenshot).



2. Then create the below A records in the newly created zone, pointing to the Exchange CAS/HUB server IP, or to the load balancer IP if you have one (as in the screenshot):
     a) autodiscover.exchange.online
     b) mail.exchange.online (common name)





3. Then make sure you have all the required names added as SANs in your SSL Certificate. The below names should be present for a single domain exchange:
     a) mail.exchange.online (common name)
     b) autodiscover.exchange.online


The following command will list your SANs/names in the certificate: 

Get-ExchangeCertificate | fl Issuer,CertificateDomains



3.1 If you have multiple domains, you have to add the below SANs to your SSL Certificate:
     a) mail.exchange.online (common name1)
     b) autodiscover.exchange.online
     c) mail.exchange2.online (common name2)
     d) autodiscover.exchange2.online


OR


3.2 You can have one common name and one autodiscover name in the certificate, redirect all the common names to commonname.exchange.online, and redirect all autodiscover names to autodiscover.exchange.online, as below:
     a) mail.exchange.online (common name1) ----> A record points to Exchange server IP
     b) autodiscover.exchange.online ------> A record points to Exchange server IP
     c) mail.exchange2.online (common name2)  ------> CNAME points to mail.domain1.com
     d) autodiscover.exchange2.online ------> CNAME points to autodiscover.domain1.com


4. Make sure IIS is enabled and the third party certificate is installed.
Type "Get-ExchangeCertificate" in Exchange Management Shell to see if IIS is enabled.


Exchange 2013 Shell
Before services enabled


Use the command shown below to enable the services. You can change the services according to your requirement, but IIS is mandatory.

Enable-ExchangeCertificate -Services IMAP, IIS, SMTP -thumbprint 896B74B25F7EBF330C93E56DA2A76CFC6A7


After services enabled


Exchange 2013 EAC
You can assign and enable service certificates in Exchange 2013 from the EAC. Below are the steps with screenshots showing how to enable and assign services:

 a) Click on the imported third party certificate and click the "Edit" button



b) Click on Services


c) Select SMTP and IIS.  If you're also using POP and IMAP, select them as well.


You can read this TechNet article for more information on how to assign services to certificates in Exchange 2013.


5. Enter the below command in Exchange Management Shell to see if the Autodiscover URLs are set.

Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri

If you see the default URLs set by the Exchange installation (as above), use the below command to set it to the same as the external.

Set-ClientAccessServer -Identity server1 -AutoDiscoverServiceInternalUri "https://mail.exchange.online/autodiscover/autodiscover.xml"

You should see the following after running the command.



6. Enter the below command in Exchange Management Shell and see if the offline address book URLs are set. 

Get-OabVirtualDirectory |  fl Server,Identity,internalurl,externalurl

If you see the default URLs set by the Exchange installation (as above), use the below command to set it to the same as the external.

Set-OabVirtualDirectory -Identity "server1\oab (default web site)" -InternalUrl "https://mail.exchange.online/oab" -ExternalUrl "https://mail.exchange.online/oab"

You should see the following after running the command.


a) In Exchange 2013 OAB URLs can be set from the EAC. Click on "OAB (Default Web site)" and click the "Edit"  button.


b) Enter the external and internal URLs with the same value (i.e. external name) and click "Save".




7. Enter the below command in Exchange Management Shell to see if the Exchange Web Services' URLs are set.

Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl

If you see the default URLs set by the Exchange installation (as above), use the below command to set it to the same as the external.   

Set-WebServicesVirtualDirectory -Identity "server1\EWS (default web site)" -InternalUrl "https://mail.exchange.online/EWS/Exchange.asmx" -ExternalUrl "https://mail.exchange.online/EWS/Exchange.asmx"

You should see the following result:

a) In Exchange 2013, the EWS URLs can be set from the EAC.  Click on "EWS (Default Web site)" and click the "Edit"  button.



b) Enter the external and internal URLs with the same value (i.e. external name) and click "Save".




8. On a client workstation, check that the Out of Office URL is correct in the client's Outlook.

Press Ctrl and right-click on the Outlook icon located in your system tray, then select "Test E-mail AutoConfiguration".


Enter the email address and password for the mailbox you have opened. Since we are not using POP3 or IMAP, there is no reason to leave the Guessmart checkboxes checked.




After clicking Test, look for the URL used to configure OOF (as indicated below).

Now you should have all your errors cleared.
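
The checks in steps 3 to 7 can be combined into one audit: every URL handed out to clients should be an absolute https URL whose host name appears in the certificate's names. The script below is an added example, not part of the original article; the function names, the wildcard handling, and the sample host server1.exchange.local are assumptions made for illustration.

```powershell
# Added example: flag Exchange URLs whose host name is not covered by the
# certificate's SAN list (exact match or single-label wildcard match).
function Test-NameCoveredBySan {
    param([string]$HostName, [string[]]$SanList)
    foreach ($san in $SanList) {
        if ($san -ieq $HostName) { return $true }
        # A wildcard such as *.exchange.online covers exactly one extra label.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)    # e.g. ".exchange.online"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left.Length -gt 0 -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Find-UncoveredUrl {
    param([string[]]$Urls, [string[]]$SanList)
    foreach ($u in $Urls) {
        if ([string]::IsNullOrWhiteSpace($u)) { continue }   # URL not set at all
        $uri = $null
        if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$uri)) {
            [pscustomobject]@{ Url = $u; Problem = 'not an absolute URL (missing https://?)' }
        } elseif ($uri.Scheme -ne 'https') {
            [pscustomobject]@{ Url = $u; Problem = 'not https' }
        } elseif (-not (Test-NameCoveredBySan $uri.Host $SanList)) {
            [pscustomobject]@{ Url = $u; Problem = "host $($uri.Host) not in certificate SANs" }
        }
    }
}

# Constructed sample input: the SANs from step 3, one good URL, one URL on a
# hypothetical server FQDN, and one URL missing its scheme.
$sans = 'mail.exchange.online', 'autodiscover.exchange.online'
$urls = 'https://mail.exchange.online/oab',
        'https://server1.exchange.local/EWS/Exchange.asmx',
        'mail.exchange.online/EWS/Exchange.asmx'
Find-UncoveredUrl -Urls $urls -SanList $sans | Format-Table -AutoSize

# In the Exchange Management Shell, feed it live values instead (assumed usage):
# $sans = (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }).CertificateDomains | ForEach-Object { "$_" }
# $urls = @((Get-ClientAccessServer).AutoDiscoverServiceInternalUri) +
#         (Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }) +
#         (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }) | ForEach-Object { "$_" }
```

With the sample input, the first URL passes and the other two are reported: one for a host name outside the SAN list, one for the missing scheme.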


To clear the certificate error in Exchange 2007, please follow this.

To clear the certificate error in Exchange 2010, please follow this.




1 Comment
 
Expert Comment

by:Senior IT System Engineer
This is a very helpful post, thanks for sharing this great article.