Solved

Outlook 2007 The name of the security certificate is invalid or does not match the name of the site

Posted on 2010-08-26
Last Modified: 2012-06-27
I have found the article for this @   http://support.microsoft.com/kb/940726/en-us
I don't use the exchange management shell that much.
Is there a different way to do this?
In View Certificate I have:
Issued to:  MYSERVER.domain.local
Issued by: domain-MYSERVER-CA

I have just finished installing Service Pack 1 for Exchange 2007 and Exchange 2007 Update Rollup 9.
thanks a lot
aa
Question by:Greaume
51 Comments
 
LVL 14

Expert Comment

by:Shabarinath Ramadasan
ID: 33536327
What I feel is the CAS security certificate should be on the name of the CAS address published. Not based on the server name.

Eg: outlook.mydomain.com

Good luck
Shaba
0
 
LVL 5

Expert Comment

by:drilus
ID: 33536339
Your certificate has expired. That is why you are getting the error message. You can either issue yourself a new certificate or you could get one from GoDaddy on the cheap.

Here is an article on renewing your self signed certificate:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you want a 3rd party:
https://www.godaddy.com/ssl/ssl-certificates.aspx

Here is a tutorial for setting up a 3rd party certificate:
http://knowthenetwork.com/blog/2008/09/how-to-install-3rd-party-trusted-certificates-to-exchange-2007/
0
 
LVL 1

Expert Comment

by:RoboMunch
ID: 33536375
That cert is your local computer cert. You'll need to import one to the Exchange server using Import-ExchangeCertificate.
0
 

Author Comment

by:Greaume
ID: 33536399
how can I tell if the certificate has expired?
Plus this was working just fine until the service pack 1 update
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33536538
run this from exch shell

get-exchangecertificate | fl

copy paste the output here
0
 

Author Comment

by:Greaume
ID: 33536645
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVERNAME.domain.local
NotAfter           : 03/12/2012 12:00:00 AM
NotBefore          : 04/12/2009 12:00:00 AM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 0FA99168655D05BC4DAF62F106A5D34F
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 92CAED80A1F05704F22D49A99C59E3463AF2B575

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2010 5:44:59 PM
NotBefore          : 13/10/2009 5:44:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6112E677000000000003
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 2E501D0BCA10275DC3D5A3B2303E929E2290EDA1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2011 5:34:28 PM
NotBefore          : 13/10/2009 5:34:28 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610943C3000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 26F476F3CDC40650A103A28021C0FA48A6F70D3C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SERVERNAME-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2014 5:43:55 PM
NotBefore          : 13/10/2009 5:33:56 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 47C55EE35A260A9A444DFD0203E77BCF
Services           : None
Status             : Valid
Subject            : CN=domain-SERVERNAME-CA
Thumbprint         : 4C5799F068CA8DF6E3DACEBBEA20E6F0C176C7CE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-3ZALEM6NNWY}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-3ZALEM6NNWY
NotAfter           : 11/10/2019 12:28:34 PM
NotBefore          : 13/10/2009 12:28:34 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6AE0EEA2DF8C768743D5525DE7F0D0B1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-3ZALEM6NNWY
Thumbprint         : FBBB2EB062E8D03471C7CCEA01A591EF6B9194BE
0
 

Author Comment

by:Greaume
ID: 33536666
From the original question
what has changed since service pack 1 and why would outlook 2007 clients be getting the certificate error?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33536690
These are the steps you took

Installed Exchange 2007
installed Sp1
Installed RU 9 ?

Correct ?
0
 

Author Comment

by:Greaume
ID: 33536711
yes
Exchange 2007 has been running for about 6 months yes
two days ago
installed sp1
then
RU 9 to get rid of constant password pop up for outlook 2007 users
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33536729
Did you try SP3 ?

SP3 is out.
http://www.microsoft.com/downloads/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en

Also did you /preparead and /prepareschema
and run windows installer 4.5 *before* you installed Exchange 2007 SP1

I hope this is not a SBS :)
0
 

Author Comment

by:Greaume
ID: 33536772
There is nothing wrong with the server except the certificate error for outlook clients running 2007
yes it is sbs 2008 std
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33536789
Thanks for clarifying :)

get-exchangecertificate | fl

please post here.
0
 

Author Comment

by:Greaume
ID: 33536811
The Microsoft article http://support.microsoft.com/kb/940726/en-us
goes through Exchange shell commands to fix this problem that Outlook 2007 clients are having.
would these apply to this error that I am getting?
0
 

Author Comment

by:Greaume
ID: 33536816
i have it's above
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33536820
Seriously sorry :(
I have 10+ EE windows open and I end-up reading the last post and replying to that.

will check the article too.
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33539068
Yes! Please follow the article to set the InternalUri as follows:-
Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Hope this helps!
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33539091
Mohammaed @ you are one cool dude with real cool skills.
I saved your last autodiscover post.
You are the first person who recommended setSPN along with the various -internalurl's.

> That was perfect <
0
 

Author Comment

by:Greaume
ID: 33541850
I don't have much experience with exchange command shell!!
When I run these commands do I replace mail.contoso.com with servername.domain.local which would be my server name and domain name for the local network.
Thank you
aa
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33542012
yes @ servername.domain.local

FQDN (fully qualified domain name) of your local exchange server.
0
 

Author Comment

by:Greaume
ID: 33542397
So just to make sure I get this: Sorry to be anal about this :)
1st:
Run the command in this article kb-940726
Set-ClientAccessServer –AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml
2nd:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml
3rd:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://servername.domain.local/ews/exchange.asmx
4th:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://servername.domain.local/oab

Then:
DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Thank you
aa


0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33542440
yes
You run these commands against the server listed in -IDENTITY field.

Just to be safe, you can run this, and check the identity fields.
get-ClientAccessServer

Replace the identity within " " with CAS_Server_Name

example

Set-ClientAccessServer -Identity "EXCHANGE" -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"
0
 

Author Comment

by:Greaume
ID: 33542692
Ok this is what I get : this is for the first command from the article kb-940726

[PS] C:\Windows\System32>get-ClientAccessServer

Name
----
SERVERNAME

[PS] C:\Windows\System32>Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml

cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity: https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
Set-ClientAccessServer : Cannot bind parameter 'Identity'. Cannot convert value "https://SERVERNAME.domain.local/autodiscover/autodiscover.xml" to type "Microsoft.Exchange.Configura
tion.Tasks.ClientAccessServerIdParameter". Error: "'https://SERVERNAME.domain.local/autodi
scover/autodiscover.xml' is not a valid value for the identity.
Parameter name: identity"
At line:1 char:23
+ Set-ClientAccessServer  <<<< -AutodiscoverServiceInternalUri https://SERVERNAME.domain.l
ocal/autodiscover/autodiscover.xml
[PS] C:\Windows\System32>
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33542729
you have to run this from Exchange management Shell

start > programs > exchange management shell

command is

get-clientaccessserver | fl

thanks
0
 

Author Comment

by:Greaume
ID: 33542730
I did type the command
Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
as one line
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33542753
Yes it's one line.
You can verify if the settings stuck by running a GET

get-clientAccessServer | fl
check if autodiscoverinternalURI field is updated with the value above @

I hope you replaced servername.domain.local with your FQDN :)
0

Author Comment

by:Greaume
ID: 33542837
Yes, servername.domain.local Replaced with  FQDN

here it is:
[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
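
Added example, not part of the thread or of Microsoft's article: a PowerShell check that compares the host in each internal URL with the names on the certificate the server presents, which is the mismatch behind the Outlook warning discussed here, and also answers whether the certificate has expired. The function name `Test-InternalUrlCertMatch` is hypothetical, and the sample input is constructed from values posted in this thread.

```powershell
# Added illustration. Test-InternalUrlCertMatch is a hypothetical helper,
# not an Exchange cmdlet. Needs PowerShell 3.0 or later; no Exchange required.
function Test-InternalUrlCertMatch {
    param(
        [string[]]  $CertNames,   # CertificateDomains of the certificate IIS presents
        [datetime]  $NotAfter,    # that certificate's NotAfter value
        [hashtable] $Urls,        # setting name -> URL the server hands to Outlook
        [datetime]  $Now = (Get-Date)
    )
    foreach ($setting in $Urls.Keys) {
        $urlHost = ([uri]$Urls[$setting]).Host
        $covered = $false
        foreach ($name in $CertNames) {
            # -eq on strings is case-insensitive, as host names are
            if ($name -eq $urlHost) { $covered = $true; break }
            # A wildcard name covers exactly one left-most label
            if ($name.StartsWith('*.')) {
                $dot = $urlHost.IndexOf('.')
                if ($dot -gt 0 -and $urlHost.Substring($dot) -eq $name.Substring(1)) {
                    $covered = $true; break
                }
            }
        }
        [pscustomobject]@{
            Setting     = $setting
            Host        = $urlHost
            NameOnCert  = $covered                 # False => Outlook shows the name warning
            CertExpired = ($Now -gt $NotAfter)     # True  => Outlook shows an expiry warning
        }
    }
}

# Constructed sample input, using values that appear in this thread.
$names = @('SERVERNAME.domain.local')
$urls = @{
    AutoDiscoverServiceInternalUri = 'https://sites/Autodiscover/Autodiscover.xml'
    EwsInternalUrl                 = 'https://SERVERNAME.domain.local/ews/exchange.asmx'
}
Test-InternalUrlCertMatch -CertNames $names -Urls $urls `
    -NotAfter ([datetime]'2010-10-13T17:44:59') `
    -Now      ([datetime]'2010-08-26') |
    Sort-Object Setting | Format-Table -AutoSize

# On the server, the same inputs come from Get-ExchangeCertificate
# (CertificateDomains, NotAfter), Get-ClientAccessServer
# (AutoDiscoverServiceInternalUri) and the InternalUrl of
# Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory.
```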
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33542868
ok that didn't change it.

 try this


Set-ClientAccessServer -identity SERVERNAME -AutodiscoverServiceInternalUri:"https://SERVERNAME.domain.local/autodiscover/autodiscover.xml"

it's U R EYE @ not U R ELL
0
 

Author Comment

by:Greaume
ID: 33542979
ok this is what i have now:
I see now where this has changed

[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://SERVERNAME.domain.local/autodiscover/autodiscover
                                 .xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
 

Author Comment

by:Greaume
ID: 33543089
For this command: After EWS there is a * should that be there?

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUri "https://servername.domain.local/ews/exchange.asmx"
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543117
yes
that way you avoid writing the whole thing :)
0
 

Author Comment

by:Greaume
ID: 33543246
it will look like this:
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -Internal
Uri:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543307
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"

this is internal U R ELL

UR EYE is only for autodiscoverinternalURI
0
 

Author Comment

by:Greaume
ID: 33543397
Thanks for all your help, I do appreciate it a lot.
Set-WebServicesVirtualDirectory - Identity "Exchange\EWS*"    

Should "Exchange" be SERVERNAME ??
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33543522
you're welcome

run this

get-webservicesvirtualdirectory | fl identity

The output of that goes into -identity " "
0
 

Author Comment

by:Greaume
ID: 33544243
After this command

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS*" -InternalUrl: "https://SERVERNAME.domain.local/ews/exchange.asmx"

the cursor is sitting @  
>>
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544251
press enter twice
0
 

Author Comment

by:Greaume
ID: 33544263
>>       still there
0
 

Author Comment

by:Greaume
ID: 33544303
I can use the up/down arrow keys to show what I have done previously
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544354
close it and lets try again

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 

Author Comment

by:Greaume
ID: 33544457
I should be able to use the same command above with the OABVirtualDirectory
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544494
get-oabvirtualdirectory | fl *url*
and set those fields
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33544505
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33545883
how's it going ?
0
 

Author Comment

by:Greaume
ID: 33559897
Good Day
Looking Good, outlook 2007 clients do not have this certificate error any more.

The list below I did not use
DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612
At this point, since the error is gone, should these still be applied or can I hold off?
If you can, briefly: what does 1. the Loopbackcheck setting do, and 2. the SPN, can I check if they are correct?
This server is a global catalog server
Again , You have been lots of help , thank you
aa
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33559988
Loopback check yes - you need to set that.

SetSPN - it should already be set by now.

You can verify the entries and see if the SPN's from this article http://support.microsoft.com/kb/927612
is added in your server.

Download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to c:\adfind
start > run > cmd
cd adfind

adfind -SC C:SERVERNAME
0
 

Author Comment

by:Greaume
ID: 33562378
The loopback check as per the article http://support.microsoft.com/kb/896861
does not apply to sbs 2008 it's not listed.

thanks
aa
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33562418
0
 

Author Comment

by:Greaume
ID: 33562622
This is for accessing Ex: http://companyweb from the local server where you get the login screen but still can not login?
0
 
LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
ID: 33562692
yes but disable loopback check is a recommended step for SBS
0
 

Author Closing Comment

by:Greaume
ID: 33562742
This has been the best help I got here yet.
Thanks for all the great help
Take care
aa
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33562761
You are welcome !!
Thanks for the points :)
0
