• Status: Solved

Outlook 2007 The name of the security certificate is invalid or does not match the name of the site

I have found the article for this @   http://support.microsoft.com/kb/940726/en-us
I don't use the exchange management shell that much.
Is there a different way to do this?
In View Certificate I have:
Issued to:  MYSERVER.domain.local
Issued by: domain-MYSERVER-CA

I have just finished installing service pack 1 for exchange 2007 and Exchange 2007 Update Rollout 9.
thanks a lot
aa
0
 
Shabarinath RamadasanInfrastructure ArchitectCommented:
What I feel is the CAS security certificate should be on the name of the CAS address published. Not based on the server name.

Eg: outlook.mydomain.com

Good luck
Shaba
0
 
drilusCommented:
Your certificate has expired. That is why you are getting the error message. You can either issue yourself a new certificate or you could get one from GoDaddy on the cheap.

Here is an article on renewing your self signed certificate:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you want a 3rd party:
https://www.godaddy.com/ssl/ssl-certificates.aspx

Here is a tutorial for setting up a 3rd party certificate:
http://knowthenetwork.com/blog/2008/09/how-to-install-3rd-party-trusted-certificates-to-exchange-2007/
0
 
RoboMunchCommented:
That cert is your local computer cert. You'll need to import one to the Exchange server using Import-ExchangeCertificate.
0
 
GreaumeAuthor Commented:
how can I tell if the certificate has expired?
Plus this was working just fine until the service pack 1 update
0
 
sunnyc7Commented:
run this from exch shell

get-exchangecertificate | fl

copy paste the output here
0
 
GreaumeAuthor Commented:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVERNAME.domain.local
NotAfter           : 03/12/2012 12:00:00 AM
NotBefore          : 04/12/2009 12:00:00 AM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 0FA99168655D05BC4DAF62F106A5D34F
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 92CAED80A1F05704F22D49A99C59E3463AF2B575

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2010 5:44:59 PM
NotBefore          : 13/10/2009 5:44:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6112E677000000000003
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 2E501D0BCA10275DC3D5A3B2303E929E2290EDA1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2011 5:34:28 PM
NotBefore          : 13/10/2009 5:34:28 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610943C3000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 26F476F3CDC40650A103A28021C0FA48A6F70D3C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SERVERNAME-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2014 5:43:55 PM
NotBefore          : 13/10/2009 5:33:56 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 47C55EE35A260A9A444DFD0203E77BCF
Services           : None
Status             : Valid
Subject            : CN=domain-SERVERNAME-CA
Thumbprint         : 4C5799F068CA8DF6E3DACEBBEA20E6F0C176C7CE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-3ZALEM6NNWY}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-3ZALEM6NNWY
NotAfter           : 11/10/2019 12:28:34 PM
NotBefore          : 13/10/2009 12:28:34 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6AE0EEA2DF8C768743D5525DE7F0D0B1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-3ZALEM6NNWY
Thumbprint         : FBBB2EB062E8D03471C7CCEA01A591EF6B9194BE
0
 
GreaumeAuthor Commented:
From the original question
what has changed since service pack 1 and why would outlook 2007 clients be getting the certificate error?
0
 
sunnyc7Commented:
These are the steps you took

Installed Exchange 2007
installed Sp1
Installed RU 9 ?

Correct ?
0
 
GreaumeAuthor Commented:
yes
Exchange 2007 has been running for about 6 months yes
two days ago
installed sp1
then
RU 9 to get rid of constant password pop up for outlook 2007 users
0
 
sunnyc7Commented:
Did you try SP3 ?

SP3 is out.
http://www.microsoft.com/downloads/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en

Also did you /preparead and /prepareschema
and run windows installer 4.5 *before* you installed Exchange 2007 SP1

I hope this is not a SBS :)
0
 
GreaumeAuthor Commented:
There is nothing wrong with the server except the certificate error for outlook clients running 2007
yes it is sbs 2008 std
0
 
sunnyc7Commented:
Thanks for clarifying :)

get-exchangecertificate | fl

please post here.
0
 
GreaumeAuthor Commented:
the microsoft article http://support.microsoft.com/kb/940726/en-us
go through exchange shell commands to fix this problem that outlook 2007 clients are having.
would these apply to this error that I am getting?
0
 
GreaumeAuthor Commented:
I have, it's above
0
 
sunnyc7Commented:
Seriously sorry :(
I have 10+ EE windows open and I end-up reading the last post and replying to that.

will check the article too.
0
 
v_9mhdrfCommented:
Yes! Please follow the article to set the InternalUri as follows:-
Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Hope this helps!
0
 
sunnyc7Commented:
Mohammaed @ you are one cool dude with real cool skills.
I saved your last autodiscover post.
You are the first person who recommended setSPN along with the various -internalurl's.

> That was perfect <
0
 
GreaumeAuthor Commented:
I don't have much experience with exchange command shell!!
When I run these commands do I replace mail.contoso.com with servername.domain.local which would be my server name and domain name for the local network.
Thank you
aa
0
 
sunnyc7Commented:
yes @ servername.domain.local

FQDN (fully qualified domain name) of your local exchange server.
0
 
GreaumeAuthor Commented:
So just to make sure I get this: Sorry to be anal about this :)
1st:
Run the command in this article kb-940726
Set-ClientAccessServer –AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
2nd:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
3rd:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://servername.domain.local/ews/exchange.asmx
4th:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://servername.domain.local/oab

Then:
DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Thank you
aa


0
 
sunnyc7Commented:
yes
You run these commands against the server listed in -IDENTITY field.

Just to be safe, you can run this, and check the identity fields.
get-ClientAccessServer

Replace the identity within " " with CAS_Server_Name

example

Set-ClientAccessServer -Identity "EXCHANGE" -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"
0
 
GreaumeAuthor Commented:
Ok this is what I get : this is for the first command from the article kb-940726

[PS] C:\Windows\System32>get-ClientAccessServer

Name
----
SERVERNAME

[PS] C:\Windows\System32>Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml

cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity: https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
Set-ClientAccessServer : Cannot bind parameter 'Identity'. Cannot convert value "https://SERVERNAME.domain.local/autodiscover/autodiscover.xml" to type "Microsoft.Exchange.Configura
tion.Tasks.ClientAccessServerIdParameter". Error: "'https://SERVERNAME.domain.local/autodi
scover/autodiscover.xml' is not a valid value for the identity.
Parameter name: identity"
At line:1 char:23
+ Set-ClientAccessServer  <<<< -AutodiscoverServiceInternalUri https://SERVERNAME.domain.l
ocal/autodiscover/autodiscover.xml
[PS] C:\Windows\System32>
0
 
sunnyc7Commented:
you have to run this from Exchange management Shell

start > programs > exchange management shell

command is

get-clientaccessserver | fl

thanks
0
 
GreaumeAuthor Commented:
I did type the command
Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
as one line
0
 
sunnyc7Commented:
Yes it's one line.
You can verify if the settings stuck by running a GET

get-clientAccessServer | fl
check if autodiscoverinternalURI field is updated with the value above @

I hope you replaced servername.domain.local with your FQDN :)
0
 
GreaumeAuthor Commented:
Yes, servername.domain.local Replaced with  FQDN

here it is:
[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
 
sunnyc7Commented:
ok that didn't change it.

 try this


Set-ClientAccessServer -identity SERVERNAME -AutodiscoverServiceInternalUri:"https://SERVERNAME.domain.local/autodiscover/autodiscover.xml"

it's U R EYE @ not U R ELL
0
 
GreaumeAuthor Commented:
ok this is what i have now:
I see now where this has changed

[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://SERVERNAME.domain.local/autodiscover/autodiscover
                                 .xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
 
GreaumeAuthor Commented:
For this command: After EWS there is a * should that be there?

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUri "https://servername.domain.local/ews/exchange.asmx"
0
 
sunnyc7Commented:
yes
that way you avoid writing the whole thing :)
0
 
GreaumeAuthor Commented:
it will look like this:
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -Internal
Uri:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 
sunnyc7Commented:
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"

this is internal U R ELL

UR EYE is only for autodiscoverinternalURI
0
 
GreaumeAuthor Commented:
Thanks for all your help, I do appreciate it a lot.
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*"

Should "Exchange" be SERVERNAME?
0
 
sunnyc7Commented:
you're welcome

run this

get-webservicesvirtualdirectory | fl identity

The output of that goes into -identity " "
0
 
GreaumeAuthor Commented:
After this command

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS*" -InternalUrl: "https://SERVERNAME.domain.local/ews/exchange.asmx"

the cursor is sitting @  
>>
0
 
sunnyc7Commented:
press enter twice
0
 
GreaumeAuthor Commented:
>>       still there
0
 
GreaumeAuthor Commented:
I can use the up/down arrow keys, which show what I have done previously
0
 
sunnyc7Commented:
close it and lets try again

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 
GreaumeAuthor Commented:
I should be able to use the same command above with the OABVirtualDirectory
0
 
sunnyc7Commented:
get-oabvirtualdirectory | fl *url*
and set those fields
0
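A read-only check for the mismatch this thread works through, as an added example that is not part of any participant's post: it compares the host name in each internal URL (Autodiscover, EWS, OAB) with the names on every certificate that Get-ExchangeCertificate lists for IIS, and flags expiry. It assumes the Exchange Management Shell on the CAS server and exact name matching only (wildcard certificates are not handled).

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# Uses Get-* cmdlets only, so nothing is changed.

# Internal URLs that Outlook 2007 learns from Autodiscover.
$urls = @{}
Get-ClientAccessServer | ForEach-Object {
    $urls["Autodiscover ($($_.Name))"] = "$($_.AutoDiscoverServiceInternalUri)"
}
Get-WebServicesVirtualDirectory | ForEach-Object {
    $urls["EWS ($($_.Identity))"] = "$($_.InternalUrl)"
}
Get-OabVirtualDirectory | ForEach-Object {
    $urls["OAB ($($_.Identity))"] = "$($_.InternalUrl)"
}

# Certificates that Exchange reports as enabled for IIS.
$now = Get-Date
$iisCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' })

foreach ($cert in $iisCerts) {
    # Names the certificate is valid for (the CertificateDomains field).
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $expired = $cert.NotAfter -lt $now

    "Certificate {0}  NotAfter={1:yyyy-MM-dd}  Expired={2}" -f `
        $cert.Thumbprint, $cert.NotAfter, $expired
    "  Names: {0}" -f ($names -join ', ')

    foreach ($label in $urls.Keys) {
        if (-not $urls[$label]) {
            "  {0,-13} {1} has no internal URL set" -f 'NOT SET', $label
            continue
        }
        # Host part of the URL is what Outlook checks against the certificate.
        $hostName = ([System.Uri]$urls[$label]).Host

        # -contains is case-insensitive for strings; exact names only.
        if ($names -contains $hostName) {
            $result = 'match'
        } else {
            $result = 'NAME MISMATCH'
        }
        "  {0,-13} {1} -> {2}" -f $result, $label, $hostName
    }
}
```

A URL host such as `sites` paired with a certificate issued only to `SERVERNAME.domain.local` shows up as NAME MISMATCH, which is the condition Outlook 2007 reports as the certificate name error.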
 
sunnyc7Commented:
how's it going?
0
 
GreaumeAuthor Commented:
Good Day
Looking Good, outlook 2007 clients do not have this certificate error any more.

The list below I did not use
DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612
At this point since the error is gone.
Should these still be applied or can I hold off.
If you can, briefly: 1. what does the Loopbackcheck setting do, and 2. SPN, can I check if they are correct?
This server is a global catalog server
Again , You have been lots of help , thank you
aa
0
 
sunnyc7Commented:
Loopback check yes - you need to set that.

SetSPN - it should already be set by now.

You can verify the entries and see if the SPNs from this article http://support.microsoft.com/kb/927612
are added in your server.

Download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to c:\adfind
start > run > cmd
cd adfind

adfind -SC C:SERVERNAME
0
 
GreaumeAuthor Commented:
The loopback check as per the article http://support.microsoft.com/kb/896861
does not apply to sbs 2008 it's not listed.

thanks
aa
0
 
GreaumeAuthor Commented:
This is for accessing Ex: http://companyweb from the local server where you get the login screen but still can not login?
0
 
sunnyc7Commented:
yes but disable loopback check is a recommended step for SBS
0
 
GreaumeAuthor Commented:
This has been the best help I got here yet.
Thanks for all the great help
Take care
aa
0
 
sunnyc7Commented:
You are welcome !!
Thanks for the points :)
0
