ger2111
asked on
The name on the security certificate is invalid or does not match the name of the site
Hi ,
I recently renewed our Thawte certificate for OWA. We use ISA 2004 and Exchange 2007, and installed the new cert in the personal store on both the ISA and IIS (Exchange) servers. Now when I load the email application, Outlook 2003/07, all clients are seeing a security alert.
The name on the security certificate is invalid or does not match the name of the site.
The Exchange server is called mailserver; the cert refers to webmail.mydomain.com.
The following is shown in the Exchange shell:
CB7E52C6C845B1893C21848656FE91E4CDA1CD07  IP.W.  CN=webmail.mydomain.com..
EF8259C29DE61E59B8D38BA144C43ED2FD96E6F8  .....  CN=www.thawte.com, OU=I..
79AC2AFE0B5D4819124815C2012FC5FE514E7F0E  .....  CN=mailserver
C3FA1BABA0BDFA04600A8260A718F0609603E0DE  .....  CN=mailserver
Webmail and OMA are up and running; I want to get rid of this security alert for clients.
Any suggestions appreciated,
Thanks,
We also had the same problem a few days back, after renewing the Exchange certificate. The reason is a mismatch between the NetBIOS name of the server and the FQDN, so we recreated the certificate with the FQDN and the problem was resolved.
Reason(Source MS):
-------------------------
By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:
https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml
This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:
mail.contoso.com
Here is the article from Microsoft for details:
http://support.microsoft.com/kb/940726
Thanks
Saugata
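The mismatch described in the answer above can be checked mechanically by comparing the host in each stored service URL with the names on the certificate. The following is an added example, not part of the original thread or of Microsoft's article; the function names and the `mailserver.mydomain.com` URLs are constructed for illustration, and the wildcard handling goes beyond the single-name certificate in the question.

```powershell
# Added example: flag service URLs whose host is not covered by the certificate.
# Function names are hypothetical; all sample data below is constructed.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        # -eq on strings is case-insensitive, which is what host names need
        if ($name -eq $HostName) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.mydomain.com matches webmail.mydomain.com, not a.b.mydomain.com
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)          # ".mydomain.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Find-UrlCertMismatch {
    param([hashtable]$ServiceUrls, [string[]]$CertNames)
    foreach ($service in $ServiceUrls.Keys) {
        $uri = [System.Uri]$ServiceUrls[$service]
        if (-not (Test-CertNameMatch -HostName $uri.Host -CertNames $CertNames)) {
            # One record per URL that would trigger the name-mismatch alert
            New-Object PSObject -Property @{
                Service = $service
                UrlHost = $uri.Host
                Url     = $uri.AbsoluteUri
            }
        }
    }
}

# Constructed sample: the renewed certificate carries only the public name,
# and only the Autodiscover URL has been repointed so far.
# On a server these values would come from Get-ExchangeCertificate,
# Get-ClientAccessServer, Get-OabVirtualDirectory and Get-UMVirtualDirectory.
$certNames = @('webmail.mydomain.com')
$serviceUrls = @{
    Autodiscover = 'https://webmail.mydomain.com/autodiscover/autodiscover.xml'
    OAB          = 'https://mailserver.mydomain.com/oab'
    UM           = 'https://mailserver.mydomain.com/unifiedmessaging/service.asmx'
}

# Lists OAB and UM (still on the server name); Autodiscover is not reported
Find-UrlCertMismatch -ServiceUrls $serviceUrls -CertNames $certNames |
    Format-Table Service, UrlHost, Url -AutoSize
```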
You can see the link below to check the certificate configuration and fix it.
https://www.experts-exchange.com/questions/26299866/Lose-all-ability-to-access-OWA-and-Blackberry-access-with-new-SSL-certificate.html?sfQueryTermInfo=1+10+30+certif+firojkhan
ASKER
Hi,
Thanks for the quick reply. I had a look at the MS article and this looks like it will fix the issues we are seeing without impacting on OWA or OMA. Can you guide me through the correct syntax to be used within the Exchange shell?
The article suggests
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
Our mailserver is called mailserver and the webmail URL is https://webmail.mydomain.com/owa - do I substitute these in the above command, and if so, where?
Also
Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
and
command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
Thanks, appreciate the 'hand holding'
You can also follow the following article for the configuration part; you will get everything with screenshots.
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
Thanks
Saugata
ASKER
Hi, I have followed the article http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
At this stage we should re-configure the AutoDiscoverServiceInternalURI by using the following command:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
I enter the correct syntax and am prompted
cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity:
What do I do here????
Thanks,
Ger.
After -Identity you must enter the name of the CAS server, in quotes: "CASServer"
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
Replace CASServer with the NETBIOS/HOSTNAME name of that server,
Eg, if your server HOSTNAME = SHUDNMBX02 then do this,
Set-ClientAccessServer -Identity SHUDNMBX02 -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
ASKER
Typo on my part - everything working now - have to award full points to MinoDC - excellent article. One question - CB7E52C6C845B1893C21848656FE91E4CDA1CD07 IP.W. CN=webmail.mydomain.com..
IP and W are the associated services; having followed the article, IPW and S are now associated services - should I remove the SMTP service? And if so - how?
ASKER
The article I followed was posted by TechnoChat: apologies for any confusion. Points awarded accordingly.
If you solve, you can do the same via GPO.