Solved

Server Certificate error on Exchange 2007 after installing a new certificate

Posted on 2009-07-13
Last Modified: 2012-05-07
I have recently installed a purchased external certificate to encrypt pushmail to handheld devices. The good news is that part of the configuration is working. But now when I start Outlook 2007 I get a server certificate error; I click Yes to allow the use of the certificate it has found, then Outlook starts OK. I think this is because I have only associated the external certificate to the IIS site??

Also, when I try to access the Out of Office Assistant I get: the Out of Office Assistant cannot be displayed, the server is unavailable. I think this may be associated with the certificate also.

Thanks in advance for any assistance.
0
Question by:ianrusty
21 Comments
 
LVL 8

Accepted Solution

by:
Npatang earned 250 total points
ID: 24840012
It's because you got the new cert.
You need to make sure that the SCP value should match with the certificate URL and should be resolvable via internal DNS.
Check the article http://support.microsoft.com/kb/940726
0
 
LVL 20

Assisted Solution

by:EndureKona
EndureKona earned 250 total points
ID: 24840468
This is due to your new cert having a different FQDN from your virtual directories:

Run these cmdlets for the fix:

Set-ClientAccessServer -Identity EXCHANGESERVERNAME -AutoDiscoverServiceInternalUri https://exchange.ourcompany.com/Autodiscover/Autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "EXCHANGESERVERNAME\EWS (Default Web Site)" -InternalURL https://exchange.ourcompany.com/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "EXCHANGESERVERNAME\OAB (Default Web Site)" -InternalURL https://exchange.ourcompany.com/OAB

Set-ActiveSyncVirtualDirectory -Identity "EXCHANGESERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://exchange.ourcompany.com/Microsoft-Server-Activesync 

0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24840488
EXCHANGESERVERNAME = as you guess your Exchange 2007 server CAS

And exchange.ourcompany.com = what the public cert is keyed at

more resources:

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
0

 
LVL 8

Expert Comment

by:Npatang
ID: 24840532
EndureKona, the same has been mentioned in the above given article.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24840716
He is correct... I didn't look at his answer first. Sorry about that I have to run this cmdlet about once a week.
0
 
LVL 12

Expert Comment

by:Saakar
ID: 24842880
"The name of the security certificate is invalid or does not match the name of the site"
Is this the same error that you are getting when opening Outlook, or is this something else??
Please post the exact error.
0
 

Author Comment

by:ianrusty
ID: 24847511
All,

Thanks a lot for all your assistance, I'll be continuing with this issue later today. SAAKAR_RAO: yes, it's when opening Outlook, but I also then get an error trying to access the Out of Office Assistant; I get that it is unavailable. At the moment I am unsure whether it is related. As for server names etc., externally we use HTTPS://pushmail.globaltextiles.co.uk for mobile connectivity to Exchange; internally the Exchange server is on an SBS 2008 server with all roles on the one box, with an FQDN of gt2008server.gtdomain.local. Now in IIS, to get the externally sourced certificate to work I had to go into the IIS bindings and select the purchased certificate etc., as in the IIS certificate binding config screenshot attached. Before I did this, although the certificate was installed, it seemed to get ignored and could get access externally using it. Again, thanks to you all for your much appreciated assistance.
Global.bmp
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24847676
Awesome, at least it worked for you.
0
 

Author Comment

by:ianrusty
ID: 24859932
Hello, could you please look over the edited lines below to make sure I have the syntax correct for our setup? Again, the full FQDN server name is gt2008server.gtdomain.local, and the external link that gets used is https://pushmail.globaltextiles.co.uk

thanks

Set-ClientAccessServer -Identity gt2008server.gtdomain.local -AutoDiscoverServiceInternalUri https://exchange.gt2008server.gtdomain.local/Autodiscover/Autodiscover.xml <internal server address>

Set-WebServicesVirtualDirectory -Identity "gt2008server.gtdomain.local\EWS (Default Web Site)" -InternalURL https://exchange.gt2008server.gtdomain.local/EWS/Exchange.asmx -BasicAuthentication:$true <again internal address>

Set-OABVirtualDirectory -Identity "gt2008server.gtdomain.local\OAB (Default Web Site)" -InternalURL https://exchange.gt2008server.gtdomain.local/OAB <internal address>

Set-ActiveSyncVirtualDirectory -Identity "EXCHANGESERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://pushmail.globaltextiles.com/Microsoft-Server-Activesync <external address>
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24859951
Change these:  For -Identity "gt2008server.gtdomain.local\EWS

to -Identity gt2008server\EWS
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24859987
If your certificate enabled on IIS is pushmail.globaltextiles.com then you should use:

Set-ClientAccessServer -Identity gt2008server -AutoDiscoverServiceInternalUri https://pushmail.globaltextiles.com/Autodiscover/Autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "gt2008server\EWS (Default Web Site)" -InternalURL https://pushmail.globaltextiles.com/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "gt2008server\OAB (Default Web Site)" -InternalURL https://pushmail.globaltextiles.com/OAB

Set-ActiveSyncVirtualDirectory -Identity "gt2008server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://pushmail.globaltextiles.com/Microsoft-Server-Activesync 

0
 
LVL 8

Expert Comment

by:Npatang
ID: 24860016
Your certificate is issued to pushmail.globaltextiles.co.uk/ so this URL needs to be published, and also make sure that you are able to resolve this URL internally.

Set-ClientAccessServer -Identity gt2008server.gtdomain.local -AutoDiscoverServiceInternalUri https://pushmail.globaltextiles.co.uk/Autodiscover/Autodiscover.xml   # <internal server address>

Set-WebServicesVirtualDirectory -Identity "gt2008server.gtdomain.local\EWS (Default Web Site)" -InternalURL https://pushmail.globaltextiles.co.uk/EWS/Exchange.asmx -BasicAuthentication:$true   # <again internal address>

Set-OABVirtualDirectory -Identity "gt2008server.gtdomain.local\OAB (Default Web Site)" -InternalURL https://pushmail.globaltextiles.co.uk/OAB   # <internal address>

Set-ActiveSyncVirtualDirectory -Identity "EXCHANGESERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://pushmail.globaltextiles.com/Microsoft-Server-Activesync   # <external address>
0
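
The two conditions the replies above ask for (every published URL uses a host name that is on the certificate, and that name resolves internally) can be checked in one pass. This is an added example, not part of any reply in the thread; it only reads configuration. It assumes the certificate IIS serves is the one `Get-ExchangeCertificate` lists with the IIS service enabled, and the function names `Resolve-HostName` and `Test-PublishedUrl` are made up for this example.

```powershell
# Added example, read-only: run in the Exchange Management Shell on the CAS server.
# Assumption: the certificate IIS serves is the one Get-ExchangeCertificate
# lists with the IIS service enabled. Uses only PowerShell 1.0 syntax.

# Host names covered by the IIS-enabled certificate(s), lower-cased.
$certNames = @()
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
    $_.CertificateDomains | ForEach-Object { $certNames += $_.ToString().ToLower() }
}

# Hypothetical helper: addresses the name resolves to from this machine.
function Resolve-HostName($name) {
    $result = 'DOES NOT RESOLVE'
    trap { continue }    # lookup failed: keep the default text and carry on
    $result = [string]::Join(', ', @([System.Net.Dns]::GetHostAddresses($name) |
        ForEach-Object { $_.ToString() }))
    $result
}

# Hypothetical helper: one report line per configured URL.
function Test-PublishedUrl($setting, $url) {
    if (-not $url) { return ("{0,-32} (not set)" -f $setting) }
    $hostName = ([System.Uri]$url.ToString()).Host.ToLower()
    $dot = $hostName.IndexOf('.')
    $onCert = $false
    foreach ($n in $certNames) {
        # Exact match, or a wildcard entry covering exactly one leading label.
        if ($n -eq $hostName) { $onCert = $true }
        elseif ($n.StartsWith('*.') -and $dot -gt 0 -and
                $hostName.Substring($dot) -eq $n.Substring(1)) { $onCert = $true }
    }
    $verdict = 'NAME NOT ON CERT'
    if ($onCert) { $verdict = 'ok' }
    "{0,-32} {1,-36} {2,-17} {3}" -f $setting, $hostName, $verdict, (Resolve-HostName $hostName)
}

"Names on IIS certificate: " + [string]::Join(', ', $certNames)
Get-ClientAccessServer | ForEach-Object {
    Test-PublishedUrl "Autodiscover SCP ($($_.Name))" $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory | ForEach-Object { Test-PublishedUrl 'EWS InternalUrl' $_.InternalUrl }
Get-OABVirtualDirectory | ForEach-Object { Test-PublishedUrl 'OAB InternalUrl' $_.InternalUrl }
Get-ActiveSyncVirtualDirectory | ForEach-Object { Test-PublishedUrl 'ActiveSync ExternalUrl' $_.ExternalUrl }
```

Any line reporting `NAME NOT ON CERT` is a URL that will raise the certificate name warning in clients; any line reporting `DOES NOT RESOLVE` needs the internal DNS record discussed in this thread.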
 

Author Comment

by:ianrusty
ID: 24860662
OK, thanks for clearing that up for me. I guess I'll need to make some DNS changes also then.
0
 
LVL 8

Expert Comment

by:Npatang
ID: 24860675
Yes, you have to. You need to make sure that the external URL should resolve to the internal IP of the CAS server.
0
 

Author Comment

by:ianrusty
ID: 24860965
OK, again many thanks for everybody's input. I have configured another DNS zone for pushmail.globaltextiles.co.uk to resolve to the internal IP address of the SBS server, then added the lines as advised above. I'll be speaking to the users in the morning, so I'll update then... fingers crossed!!
0
 

Author Comment

by:ianrusty
ID: 24867992
OK, that has got rid of the initial certificate error on startup of Outlook, thanks to you all!!

When I try to open the Out of Office Assistant I get the error

"Your out of office settings cannot be displayed, because the server is currently unavailable"
I have run Get-AutodiscoverVirtualDirectory and found that there is no internal URL; I have then run the set-autodiscover command again and still no internal URL (please see screenshot)

any ideas?
global02.jpg
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24868503
Try:

remove-autodiscovervirtualdirectory "Autodiscover (Default Web Site)"

then

New-Autodiscovervirtualdirectory

then

Set-ClientAccessServer -Identity GT2008SERVER -AutoDiscoverServiceInternalUri https://FQDNOFCERTHERE/Autodiscover/Autodiscover.xml
0
 

Author Comment

by:ianrusty
ID: 24870170
Hi, thanks for the reply. I ran through those commands; they all got accepted OK with no errors, but it still gives me no InternalUrl.
0
 
LVL 20

Expert Comment

by:EndureKona
ID: 24870211
Did this resolve your OOF error?
0
 

Author Comment

by:ianrusty
ID: 24876540
Hello, no, it still gives server not available for the Out of Office Assistant.
0

Question has a verified solution.
