Outlook 2007 The name of the security certificate is invalid or does not match the name of the site

I have found the article for this @   http://support.microsoft.com/kb/940726/en-us
I don't use the exchange management shell that much.
Is there a different way to do this?
In View Certificate I have:
Issued to:  MYSERVER.domain.local
Issued by: domain-MYSERVER-CA

I have just finished installing service pack 1 for exchange 2007 and Exchange 2007 Update Rollout 9.
thanks a lot
aa
GreaumeAsked:
 
sunnyc7Commented:
yes but disable loopback check is a recommended step for SBS
0
 
Shabarinath Ramadasan, Infrastructure Architect Commented:
What I feel is the CAS security certificate should be on the name of the CAS address published. Not based on the server name.

Eg: outlook.mydomain.com

Good luck
Shaba
0
 
drilusCommented:
Your certificate has expired. That is why you are getting the error message. You can either issue yourself a new certificate or you could get one from GoDaddy on the cheap.

Here is an article on renewing your self signed certificate:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you want a 3rd party:
https://www.godaddy.com/ssl/ssl-certificates.aspx

Here is a tutorial for setting up a 3rd party certificate:
http://knowthenetwork.com/blog/2008/09/how-to-install-3rd-party-trusted-certificates-to-exchange-2007/
0
 
RoboMunchCommented:
That cert is your local computer cert. You'll need to import one to the Exchange server using Import-ExchangeCertificate.
0
 
GreaumeAuthor Commented:
how can I tell if the certificate has expired?
Plus this was working just fine until the service pack 1 update
0
 
sunnyc7Commented:
run this from exch shell

get-exchangecertificate | fl

copy paste the output here
0
 
GreaumeAuthor Commented:
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVERNAME.domain.local
NotAfter           : 03/12/2012 12:00:00 AM
NotBefore          : 04/12/2009 12:00:00 AM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 0FA99168655D05BC4DAF62F106A5D34F
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 92CAED80A1F05704F22D49A99C59E3463AF2B575

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2010 5:44:59 PM
NotBefore          : 13/10/2009 5:44:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6112E677000000000003
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 2E501D0BCA10275DC3D5A3B2303E929E2290EDA1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2011 5:34:28 PM
NotBefore          : 13/10/2009 5:34:28 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610943C3000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 26F476F3CDC40650A103A28021C0FA48A6F70D3C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SERVERNAME-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2014 5:43:55 PM
NotBefore          : 13/10/2009 5:33:56 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 47C55EE35A260A9A444DFD0203E77BCF
Services           : None
Status             : Valid
Subject            : CN=domain-SERVERNAME-CA
Thumbprint         : 4C5799F068CA8DF6E3DACEBBEA20E6F0C176C7CE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-3ZALEM6NNWY}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-3ZALEM6NNWY
NotAfter           : 11/10/2019 12:28:34 PM
NotBefore          : 13/10/2009 12:28:34 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6AE0EEA2DF8C768743D5525DE7F0D0B1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-3ZALEM6NNWY
Thumbprint         : FBBB2EB062E8D03471C7CCEA01A591EF6B9194BE
0
 
GreaumeAuthor Commented:
From the original question:
What has changed since service pack 1 and why would Outlook 2007 clients be getting the certificate error?
0
 
sunnyc7Commented:
These are the steps you took

Installed Exchange 2007
installed Sp1
Installed RU 9 ?

Correct ?
0
 
GreaumeAuthor Commented:
yes
Exchange 2007 has been running for about 6 months yes
two days ago
installed sp1
then
RU 9 to get rid of constant password pop up for outlook 2007 users
0
 
sunnyc7Commented:
Did you try SP3 ?

SP3 is out.
http://www.microsoft.com/downloads/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en

Also did you /preparead and /prepareschema
and run windows installer 4.5 *before* you installed Exchange 2007 SP1

I hope this is not a SBS :)
0
 
GreaumeAuthor Commented:
There is nothing wrong with the server except the certificate error for outlook clients running 2007
yes it is sbs 2008 std
0
 
sunnyc7Commented:
Thanks for clarifying :)

get-exchangecertificate | fl

please post here.
0
 
GreaumeAuthor Commented:
The Microsoft article http://support.microsoft.com/kb/940726/en-us
goes through Exchange shell commands to fix this problem that Outlook 2007 clients are having.
Would these apply to this error that I am getting?
0
 
GreaumeAuthor Commented:
I have, it's above
0
 
sunnyc7Commented:
Seriously sorry :(
I have 10+ EE windows open and I end up reading the last post and replying to that.

will check the article too.
0
 
v_9mhdrfCommented:
Yes! Please follow the article to set the InternalUri as follows:-
Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Hope this helps!
0
 
sunnyc7Commented:
Mohammaed @ you are one cool dude with real cool skills.
I saved your last autodiscover post.
You are the first person who recommended setSPN along with the various -internalurl's.

> That was perfect <
0
 
GreaumeAuthor Commented:
I don't have much experience with exchange command shell!!
When I run these commands, do I replace mail.contoso.com with servername.domain.local, which would be my server name and domain name for the local network?
Thank you
aa
0
 
sunnyc7Commented:
yes @ servername.domain.local

FQDN (fully qualified domain name) of your local exchange server.
0
 
GreaumeAuthor Commented:
So just to make sure I get this: Sorry to be anal about this :)
1st:
Run the command in this article kb-940726
Set-ClientAccessServer –AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
2nd:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
3rd:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://servername.domain.local/ews/exchange.asmx
4th:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://servername.domain.local/oab

Then:
DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Thank you
aa


0
 
sunnyc7Commented:
yes
You run these commands against the server listed in -IDENTITY field.

Just to be safe, you can run this, and check the identity fields.
get-ClientAccessServer

Replace the identity within " " with CAS_Server_Name

example

Set-ClientAccessServer -Identity "EXCHANGE" -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"
0
 
GreaumeAuthor Commented:
Ok this is what I get : this is for the first command from the article kb-940726

[PS] C:\Windows\System32>get-ClientAccessServer

Name
----
SERVERNAME

[PS] C:\Windows\System32>Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml

cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity: https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
Set-ClientAccessServer : Cannot bind parameter 'Identity'. Cannot convert value "https://SERVERNAME.domain.local/autodiscover/autodiscover.xml" to type "Microsoft.Exchange.Configura
tion.Tasks.ClientAccessServerIdParameter". Error: "'https://SERVERNAME.domain.local/autodi
scover/autodiscover.xml' is not a valid value for the identity.
Parameter name: identity"
At line:1 char:23
+ Set-ClientAccessServer  <<<< -AutodiscoverServiceInternalUri https://SERVERNAME.domain.l
ocal/autodiscover/autodiscover.xml
[PS] C:\Windows\System32>
0
 
sunnyc7Commented:
you have to run this from Exchange management Shell

start > programs > exchange management shell

command is

get-clientaccessserver | fl

thanks
0
 
GreaumeAuthor Commented:
I did type the command
Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
as one line
0
 
sunnyc7Commented:
Yes it's one line.
You can verify if the settings stuck by running a GET

get-clientAccessServer | fl
check if autodiscoverinternalURI field is updated with the value above @

I hope you replaced servername.domain.local with your FQDN :)
0
 
GreaumeAuthor Commented:
Yes, servername.domain.local Replaced with  FQDN

here it is:
[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
 
sunnyc7Commented:
OK, that didn't change it.

Try this


Set-ClientAccessServer -identity SERVERNAME -AutodiscoverServiceInternalUri:"https://SERVERNAME.domain.local/autodiscover/autodiscover.xml"

it's U R EYE @ not U R ELL
0
 
GreaumeAuthor Commented:
ok this is what i have now:
I see now where this has changed

[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://SERVERNAME.domain.local/autodiscover/autodiscover
                                 .xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
0
 
GreaumeAuthor Commented:
For this command: After EWS there is a * should that be there?

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUri "https://servername.domain.local/ews/exchange.asmx"
0
 
sunnyc7Commented:
yes
that way you avoid writing the whole thing :)
0
 
GreaumeAuthor Commented:
it will look like this:
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -Internal
Uri:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 
sunnyc7Commented:
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"

this is internal U R ELL

UR EYE is only for autodiscoverinternalURI
0
 
GreaumeAuthor Commented:
Thanks for all your help, I do appreciate it a lot.
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*"

Should "Exchange" be SERVERNAME?
0
 
sunnyc7Commented:
you're welcome

run this

get-webservicesvirtualdirectory | fl identity

The output of that goes into -identity " "
0
 
GreaumeAuthor Commented:
After this command

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS*" -InternalUrl: "https://SERVERNAME.domain.local/ews/exchange.asmx"

the cursor is sitting @  
>>
0
 
sunnyc7Commented:
press enter twice
0
 
GreaumeAuthor Commented:
>>       still there
0
 
GreaumeAuthor Commented:
I can use the up/down arrow keys, which show what I have done previously
0
 
sunnyc7Commented:
close it and lets try again

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://SERVERNAME.domain.local/ews/exchange.asmx"
0
 
GreaumeAuthor Commented:
I should be able to use the same command above with the OABVirtualDirectory
0
 
sunnyc7Commented:
get-oabvirtualdirectory | fl *url*
and set those fields
0
 
sunnyc7Commented:
How's it going?
0
 
GreaumeAuthor Commented:
Good Day
Looking Good, outlook 2007 clients do not have this certificate error any more.

The list below I did not use:
DisableLoopbackcheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612
At this point, since the error is gone, should these still be applied or can I hold off?
If you can, briefly: what does 1. the Loopbackcheck setting do, and 2nd SPN, can I check if they are correct?
This server is a global catalog server
Again , You have been lots of help , thank you
aa
0
 
sunnyc7Commented:
Loopback check yes - you need to set that.

SetSPN - it should already be set by now.

You can verify the entries and see if the SPNs from this article http://support.microsoft.com/kb/927612
are added in your server.

Download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to c:\adfind
start > run > cmd
cd adfind

adfind -SC C:SERVERNAME
0
 
GreaumeAuthor Commented:
The loopback check as per the article http://support.microsoft.com/kb/896861
does not apply to SBS 2008; it's not listed.

thanks
aa
0
 
GreaumeAuthor Commented:
This is for accessing Ex: http://companyweb from the local server where you get the login screen but still can not login?
0
 
GreaumeAuthor Commented:
This has been the best help I got here yet.
Thanks for all the great help
Take care
aa
0
 
sunnyc7Commented:
You are welcome !!
Thanks for the points :)
0
Question has a verified solution.
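
The check behind the fix in this thread, as an added example that is not part of any participant's post: for each internal URL handed to Outlook, compare its host name with the names on the certificates enabled for IIS and with their validity dates. The function names are hypothetical and the sample data is constructed using the thread's placeholder names; it assumes PowerShell 3.0 or later and runs without an Exchange server.

```powershell
# Added example: constructed data, hypothetical function names.
# Field names mirror the "Get-ExchangeCertificate | fl" output posted above.

function Test-HostAgainstCert {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($d in $CertificateDomains) {
        if ($d -eq $HostName) { return $true }      # -eq ignores case for strings
        # Wildcard entry: "*.domain.local" covers exactly one left-most label
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)               # ".domain.local"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Get-InternalUrlCertReport {
    param([string[]]$Urls, [object[]]$Certificates, [datetime]$Now = (Get-Date))
    # Only certificates enabled for IIS are presented to Outlook over HTTPS
    $iis = @($Certificates | Where-Object { "$($_.Services)" -match '\bIIS\b' })
    foreach ($u in $Urls) {
        $hostName = ([uri]$u).Host
        $named = @($iis | Where-Object {
            Test-HostAgainstCert -HostName $hostName -CertificateDomains $_.CertificateDomains })
        $valid = @($named | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -ge $Now })
        $result = if ($valid.Count) { 'OK' }
                  elseif ($named.Count) { 'EXPIRED OR NOT YET VALID' }
                  else { 'NAME MISMATCH' }
        [pscustomobject]@{ Url = $u; Host = $hostName; Result = $result }
    }
}

# Constructed sample: one CA-issued certificate and two internal URLs,
# one using a short host name and one using the server FQDN.
$certs = @(
    [pscustomobject]@{
        CertificateDomains = @('SERVERNAME.domain.local')
        Services           = 'IMAP, POP, IIS, SMTP'
        NotBefore          = [datetime]'2009-10-13'
        NotAfter           = [datetime]'2010-10-13'
    }
)
$urls = @(
    'https://sites/Autodiscover/Autodiscover.xml',
    'https://SERVERNAME.domain.local/ews/exchange.asmx'
)

Get-InternalUrlCertReport -Urls $urls -Certificates $certs -Now ([datetime]'2010-01-20') |
    Format-Table -AutoSize
```

On a live server the same comparison would take its inputs from the Get-ExchangeCertificate, Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory cmdlets used in the thread.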