
The name on the security certificate is invalid or does not match the name of the site

ger2111
Hi,
I recently renewed our Thawte certificate for OWA. We use ISA 2004 and Exchange 2007, and installed the new cert in the personal store on both the ISA and IIS (Exchange) servers. Now when I load the email application, Outlook 2003/07, all clients are seeing a security alert:
The name on the security certificate is invalid or does not match the name of the site.
The Exchange server is called mailserver; the cert refers to webmail.mydomain.com.
The following is shown in the Exchange shell:
CB7E52C6C845B1893C21848656FE91E4CDA1CD07  IP.W.      CN=webmail.mydomain.com..
EF8259C29DE61E59B8D38BA144C43ED2FD96E6F8  .....      CN=www.thawte.com, OU=I..
79AC2AFE0B5D4819124815C2012FC5FE514E7F0E  .....      CN=mailserver
C3FA1BABA0BDFA04600A8260A718F0609603E0DE  .....      CN=mailserver

Webmail and OMA are up and running; I want to get rid of this security alert for clients.
Any suggestions appreciated.
Thanks,
Mino DC, Solution Consultant

Commented:
Add the certificate, through the Certificates console -> Computer certificate, to the Trusted Root Certification Authorities.

If that solves it, you can do the same via GPO.
TechnoChat, Wintel Administrator / Cloud Computing

Commented:
We also had the same problem a few days back, after renewing the Exchange certificate. The reason was a mismatch between the NetBIOS name of the server and the FQDN, so we recreated the certificate with the FQDN and the problem was resolved.

Reason(Source MS):
-------------------------
By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:
https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:
mail.contoso.com

Here is the article from Microsoft for details:
http://support.microsoft.com/kb/940726

Thanks
Saugata
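
The mismatch described in the answer above, as an added example that is not part of the original thread or the Microsoft article: it compares the host in each configured internal URL with the names on the certificate. The function names, the sample URLs and the wildcard handling are assumptions constructed for illustration; in the Exchange Management Shell the real values would come from the AutoDiscoverServiceInternalUri and InternalUrl properties and from the CertificateDomains of Get-ExchangeCertificate.

```powershell
# Added example; function names and sample values are constructed, not from the thread.

function Test-HostMatchesCertName {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    if ($c.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not example.com or a.b.example.com.
        $suffix = $c.Substring(1)                       # e.g. ".example.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $c)
}

function Find-UrlCertMismatch {
    param([string[]]$CertNames, [hashtable]$ServiceUrls)
    foreach ($service in ($ServiceUrls.Keys | Sort-Object)) {
        # The client validates the certificate against the host it connects to,
        # so only the host part of the stored URL matters here.
        $hostName = ([System.Uri]$ServiceUrls[$service]).Host
        $covered = $false
        foreach ($name in $CertNames) {
            if (Test-HostMatchesCertName $hostName $name) { $covered = $true; break }
        }
        New-Object PSObject -Property @{
            Service = $service; Host = $hostName; CoveredByCert = $covered
        }
    }
}

# Constructed sample: the certificate names the public FQDN, while two of the
# stored internal URLs still point at the server's own name.
$certNames = @('webmail.mydomain.com')
$urls = @{
    Autodiscover = 'https://mailserver.mydomain.com/autodiscover/autodiscover.xml'
    OAB          = 'https://webmail.mydomain.com/oab'
    UM           = 'https://mailserver/unifiedmessaging/service.asmx'
}

# Rows with CoveredByCert = False are the URLs that trigger the name warning.
Find-UrlCertMismatch -CertNames $certNames -ServiceUrls $urls |
    Format-Table Service, Host, CoveredByCert -AutoSize
```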
 

Author

Commented:
Hi,
Thanks for the quick reply. I had a look at the MS article and this looks like it will fix the issues we are seeing without impacting on OWA or OMA. Can you guide me through the correct syntax to be used within the Exchange shell?
The article suggests
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Our mail server is called mailserver and the webmail URL is https://webmail.mydomain.com/owa - do I substitute these in the above command, and if so, where?
Also
Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
and
command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx 

Thanks, appreciate the 'hand holding'
Wintel Administrator / Cloud Computing
Commented:
Hope the following guide will help you out.

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

Thanks
Saugata
TechnoChat, Wintel Administrator / Cloud Computing

Commented:
You can also follow the following article for the configuration part; you will get everything with screenshots.

http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html

Thanks
Saugata

Author

Commented:
Hi, I have followed the article http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
At this stage: "We should re-configure the AutoDiscoverServiceInternalURI by using the following command:"

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

I enter the correct syntax and am prompted:
cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity:


What do I do here????
Thanks,
Ger.
Mino DC, Solution Consultant

Commented:
You must enter, after the -Identity, the name of the CAS server in quotes: "CASServer"
TechnoChat, Wintel Administrator / Cloud Computing

Commented:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

Replace CASServer with the NETBIOS/HOSTNAME name of that server.
E.g., if your server HOSTNAME = SHUDNMBX02, then do this:

Set-ClientAccessServer -Identity SHUDNMBX02 -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

Author

Commented:
Typo on my part - everything working now - have to award full points to MinoDC - excellent article. One question - CB7E52C6C845B1893C21848656FE91E4CDA1CD07  IP.W.      CN=webmail.mydomain.com..
IP and W are the associated services; having followed the article, IPW and S are now associated services - should I remove the SMTP service? And if so - how?

Author

Commented:
The article I followed was posted by TechnoChat: apologies for any confusion. Points awarded accordingly.