Solved

SSL Certificate Name Mismatch in SBS 2008

Posted on 2010-09-12
Last Modified: 2012-06-21
I did some testing of Exchange 2007 using the website https://www.testexchangeconnectivity.com/Default.aspx

It showed that I had an SSL Certificate Name Mismatch.

My internet domain sends my www.domain.com to a paid hosted website and I use the recommended remote.domain.com to my IP address on my local SBS 2008 server.

I don't seem to have any trouble with OWA, active sync or remote HTTPS.

In the testing I get these 3 errors:
SSL Certificate Name Mismatch
The Host Name Could Not be Resolved in DNS
Could Not Find Autodiscover Service Location (SRV) Record in DNS

My signed certificate is from www.crosslogicdomains.com, which looks like it's the same folks that put out www.godaddy.com.

I do have reverse DNS setup on my local IP address for remote.domain.com.

I am not sure where to look first to fix this issue.



Question by:Alpha4043
43 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 33657387
The 3 errors you are seeing are at 3 different stages:

1. testexchangeconnectivity will try to access using https://domain.com/autodiscover/....

That's probably when you are getting "SSL Certificate Name Mismatch".

2. It tries https://autodiscover.domain.com/autodiscover/...

That's when you are getting "The Host Name Could Not be Resolved in DNS".

3. It also tries to find an SRV record for the autodiscover server, which is probably not present in your case, so you get

"Could Not Find Autodiscover Service Location (SRV) Record in DNS".
0
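The three stages Akhater describes, as an added example that is not part of the thread and not Microsoft's tooling: a small Python model of the lookup order, run against constructed DNS and certificate data. The zone contents, the IP addresses (RFC 5737 documentation ranges), the assumption that the bare domain.com resolves to the hosted web site, and the assumption that the host presents a certificate for www.domain.com only are all assumptions; the poster's real zone is not on the page. The same model shows why the SRV approach suggested later in the thread needs no new certificate while a CNAME does: a client validates the certificate against the name it connected to, and with an SRV record that name is the SRV target, remote.domain.com.

```python
"""Model of the Autodiscover lookup sequence described in the comment, run
against constructed DNS and certificate data (not the poster's real zone)."""

from copy import deepcopy

# Constructed data. RFC 5737 documentation addresses stand in for the real IPs.
HOSTED_WEB_IP = "203.0.113.10"   # paid hosted web site
SBS_IP = "198.51.100.20"         # SBS 2008 box, published as remote.domain.com

ZONE = {
    "A": {
        "domain.com": HOSTED_WEB_IP,        # assumption: apex points at the web host
        "www.domain.com": HOSTED_WEB_IP,
        "remote.domain.com": SBS_IP,
    },
    "CNAME": {},
    "SRV": {},   # "_autodiscover._tcp.<zone>" -> (priority, weight, port, target)
}

# Subject alternative names of the certificate each server presents.
CERTS = {
    HOSTED_WEB_IP: {"www.domain.com"},   # assumption: the web host's cert covers www only
    SBS_IP: {"remote.domain.com"},       # the single-name cert the poster bought
}


def name_matches(cert_names, hostname):
    """RFC 6125-style check: exact match, or a wildcard covering exactly one label."""
    hostname = hostname.lower().rstrip(".")
    for pattern in cert_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == hostname:
            return True
        if pattern.startswith("*.") and "." in hostname:
            # '*' may replace only the leftmost label, never the apex itself
            if hostname.split(".", 1)[1] == pattern[2:]:
                return True
    return False


def resolve(zone, name, depth=0):
    """Follow CNAMEs to an A record; None when the name does not exist."""
    name = name.lower().rstrip(".")
    if depth > 8:
        return None
    if name in zone["A"]:
        return zone["A"][name]
    if name in zone["CNAME"]:
        return resolve(zone, zone["CNAME"][name], depth + 1)
    return None


def https_probe(zone, hostname):
    """Resolve the host and validate the presented cert against the name asked for."""
    ip = resolve(zone, hostname)
    if ip is None:
        return "The Host Name Could Not be Resolved in DNS"
    if not name_matches(CERTS.get(ip, set()), hostname):
        return "SSL Certificate Name Mismatch"
    return "OK"


def autodiscover(zone, domain):
    """Outcome of each lookup stage, in the order the comment lists them."""
    results = [
        ("https://%s/autodiscover/autodiscover.xml" % domain,
         https_probe(zone, domain)),
        ("https://autodiscover.%s/autodiscover/autodiscover.xml" % domain,
         https_probe(zone, "autodiscover." + domain)),
    ]
    srv = zone["SRV"].get("_autodiscover._tcp." + domain)
    if srv is None:
        results.append(("SRV _autodiscover._tcp." + domain,
                        "Could Not Find Autodiscover Service Location (SRV) Record in DNS"))
    else:
        _prio, _weight, port, target = srv
        # The client connects to the SRV target and validates the cert against *that* name.
        results.append(("SRV -> https://%s:%d/autodiscover/autodiscover.xml" % (target, port),
                        https_probe(zone, target)))
    return results


def with_srv(zone):
    """The fix proposed in the thread: an SRV record pointing at the existing cert name."""
    z = deepcopy(zone)
    z["SRV"]["_autodiscover._tcp.domain.com"] = (0, 0, 443, "remote.domain.com")
    return z


def with_cname(zone):
    """The DNS provider's suggestion: a CNAME, which makes the client ask for a new name."""
    z = deepcopy(zone)
    z["CNAME"]["autodiscover.domain.com"] = "remote.domain.com"
    return z


if __name__ == "__main__":
    for label, z in (("as posted", ZONE), ("with SRV", with_srv(ZONE)), ("with CNAME", with_cname(ZONE))):
        print(label)
        for stage, outcome in autodiscover(z, "domain.com"):
            print("  %-68s %s" % (stage, outcome))
```

Run as posted, the model reproduces all three messages from the test site. With the SRV record the first two stages still fail (which is harmless, the client moves on) and the third succeeds without touching the certificate; with the CNAME, stage two resolves but the name the client validates is autodiscover.domain.com, which the single-name certificate does not carry.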
 

Author Comment

by:Alpha4043
ID: 33657409
That seems to be the case.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33657411
All the above means that you cannot use autodiscover, but not that you can't use ActiveSync/RPC or OWA.
0
 

Author Comment

by:Alpha4043
ID: 33657424
So are you saying that there is no problem?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33657434
When in testexchangeconnectivity, do not pick the "use autodiscover" option; instead enter the URL manually:

https://remote.domain.com. If it passes then you have no problem, other than not being able to use autodiscover.
0
 

Author Comment

by:Alpha4043
ID: 33657481
Ok, and this is because the domain name is split to two different places?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33657845
No, this is because

1. you don't have autodiscover.yourdomain.com in your DNS
2. you don't have autodiscover.yourdomain.com in your certificate
0
 

Author Comment

by:Alpha4043
ID: 33658249
Ok, Do I need to do that? What do I need to do to make all that happen?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658266
You don't NEED to do that as long as you are OK without autodiscover...

If your DNS provider supports SRV records, just add

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.domain.com
0
 

Author Comment

by:Alpha4043
ID: 33658297
Yes it does.

I see the following blanks to fill in:

Service:                              Protocol:
Name:
Priority:                Weight:              Port:

Target:                                  TTL: 1 Hour

So service would be "autodiscover"
Protocol would be "TCP"
Name: I have no idea or does it matter?
Priority:  ?
Weight: ?
Port 443
Target: "remote.domain.com"??
0
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 33658326
service _autodiscover
protocol _tcp
priority, weight = 0
target remote.domain.com
port 443

Right...

For the name, can you leave it empty?
0
 

Author Comment

by:Alpha4043
ID: 33658344
So nothing in the name. OK. Do I test with:  https://autodiscover.domain.com/autodiscover/  ?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658350
No, it is remote.domain.com, nothing has changed. You will need to wait for DNS replication to happen.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658354
And in name enter @

0
 

Author Comment

by:Alpha4043
ID: 33658371
Is the _ necessary in the _autodiscover and _tcp  ?

When I look at the SRV is shows

Service: _      Protocol: _
Name:
Priority: 0                Weight: 0             Port: 0

Target: remote.domain.com     TTL: 1 Hour

0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658374
If the _ already exists there is no need to add it.

For the name, let it be @.
0
 

Author Comment

by:Alpha4043
ID: 33658391
It looks like it took it but when I look on the The DNS control page it shows up as listed below after I save it.

Service: _      
Protocol: _
Name: @
Priority: 1
Weight: 0
Target: remote.domain.com
TTL: 1 Hour

0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658396
You mean there is no autodiscover in service and no tcp in protocol? Also, where is the port?
0
 

Author Comment

by:Alpha4043
ID: 33658620
I put the information in the blanks but when it is saved it shows what I list above.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33658626
I think you should contact your DNS provider in that case.
0
 

Author Comment

by:Alpha4043
ID: 33658633
I agree.
0

 

Author Comment

by:Alpha4043
ID: 33661097
I just talked to the people that have our DNS. They said all I need was a CNAME set up with autodiscover in the HOST and remote.domain.com in the POINTS TO fields.

What do I need to do with the certificate for autodiscover.yourdomain.com?

0
 
LVL 49

Expert Comment

by:Akhater
ID: 33662215
I told you to create it as an SRV record, not a CNAME, so you won't have to get another certificate.
0
 

Author Comment

by:Alpha4043
ID: 33664443

Well, I tried to get the guy to help me set up SRV and he said that the CNAME was the way they recommended, because he thought only hosting sites needed that setup.

I have attached copies of what the SRV section looks like. I am pretty sure this is just like Godaddy.com.

When you look at the after that is how the information shows up in the record.
When-entering-Info.PNG
example-after.PNG
SRV-Descriptions.PNG
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33664488
If you want to do it as a CNAME it would also work; however, you will need another certificate.

0
 

Author Comment

by:Alpha4043
ID: 33664513
I don't really want another certificate if I can make this work.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33664632
Well, that's why I started with SRV records in the first place. The config you are doing is correct; you just need to nag your DNS provider to fix the SRV issue.
0
 

Author Comment

by:Alpha4043
ID: 33664673
I will do that. Does what I am putting in the fields look correct to you? Is this what you are used to dealing with, or is it totally different?

Thanks for your patience and expertise.
0
 
LVL 49

Assisted Solution

by:Akhater
Akhater earned 500 total points
ID: 33664726
Wait one sec.

From a computer on the internet please run

nslookup
set type=srv
_autodiscover._tcp.domain.com


What does it give you?

If you want to share your domain name with me I will do it for you.
0
 

Author Comment

by:Alpha4043
ID: 33664750
Well it looks like SRV is finally listed correctly. Everything is in the correct location.

I am deleting the CNAME record.

 
0
 

Author Comment

by:Alpha4043
ID: 33664768
It shows me my domain name server with its private IP address.
0
 

Author Comment

by:Alpha4043
ID: 33664828
My email address is djh27521@ncrrbiz.com.  I will send you the report I get from the test.
It is looking better.
0
 

Author Comment

by:Alpha4043
ID: 33672855
Would it be better for me to open another question to continue with this?
0
 

Author Closing Comment

by:Alpha4043
ID: 33673728
Good to work with. Answer got too involved. I think there is still some issue with the certificate.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33674617
Thank you for the points; however, if the question is not done yet for you, I can finish helping you here or in another question.

If you decide to open another question, just update me with its number. I will carry it over till it is done.
0
 

Author Comment

by:Alpha4043
ID: 33675154
That would be great. I don't have any other source to turn to on this but I also didn't want for you to feel like this was a never ending question.

It looks like the SRV is setup correctly in the DNS but I still think I have issues with the certificate not matching. Not sure how to check or test that.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33677347
No, the SRV record is not correct. We are left with 3 options:

1. call your DNS provider and nag till they fix DNS for you
2. create it as a CNAME record and rekey your certificate
3. live without autodiscover, since all is working
0
 

Author Comment

by:Alpha4043
ID: 33677441
I sent you what my DNS looked like.

What do I need to do if I need to rekey my certificate?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33677476
You will need to get a new CSR from Exchange with the names

remote.domain.com and autodiscover.domain.com

Go to your SSL provider and rekey it; it should be free of charge.
0
 

Author Comment

by:Alpha4043
ID: 33677504
Didn't my SRV look right in the DNS settings?  
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33677593
In the screenshot it does look right; however, the query is not returning anything, so there is an issue with the DNS provider.
0
 

Author Comment

by:Alpha4043
ID: 33685519
Here is the second response from the tech support.  What does this mean?  


Thank you for your reply.  At this time the DNS record is setup as a recursive record which is not supported in our system.  You will need to remove the domain name from the target and simply use remote.  You will need to make sure that the domain name is never used in the records created.

Please let us know if we can assist you in any other way.

Best Regards,
Thad P.
Online Support Representative

0
 
LVL 49

Expert Comment

by:Akhater
ID: 33686593
Well, this is rather good news.

It means in the target just put remote instead of remote.domain.com.


I'd say delete the record and create a new one.
0
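The provider's "recursive record" reply, together with the priority and weight fields the poster was unsure about, as an added example that is not part of the thread: zone-editor name rules and the RFC 2782 target-selection order, run on constructed records. That the provider's form appends the zone origin to any target lacking a trailing dot is an assumption drawn from the support message; domain.com and remote are the placeholders the thread uses, and the multi-record set at the end is constructed to show how priority and weight interact.

```python
"""Added example: how an SRV target typed into a zone editor becomes a host name,
and how a client picks among SRV records (RFC 2782). Constructed data only."""

import ipaddress
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def to_fqdn(target, origin):
    """Zone-file rule (assumed to be what the provider's form applies): a target
    ending in '.' is absolute; anything else has the zone origin appended."""
    origin = origin.strip(".").lower()
    if target.endswith("."):
        return target[:-1].lower()
    return "%s.%s" % (target.lower(), origin)


def check_srv_target(fqdn, origin):
    """Problems a client would hit with this Autodiscover SRV target (list of strings)."""
    origin = origin.strip(".").lower()
    problems = []
    if fqdn in ("", "."):
        # RFC 2782: a target of '.' means the service is not offered in this zone.
        problems.append("target '.' declares the service unavailable")
        return problems
    try:
        ipaddress.ip_address(fqdn)
        problems.append("target must be a host name, not an IP address")
    except ValueError:
        pass
    if fqdn.endswith("." + origin + "." + origin):
        # What the provider called a 'recursive record': the origin was appended twice.
        problems.append("zone origin appears twice; enter the target relative to the zone")
    return problems


def select_target(records, pick):
    """RFC 2782 ordering: the lowest priority value wins; within that priority,
    weight-0 records are listed first, then `pick(total)` supplies an int in
    [0, total] and the first record whose running weight reaches it is chosen.
    `pick` is injected so the choice is reproducible; a client would use a RNG."""
    if not records:
        return None
    lowest = min(r.priority for r in records)
    group = [r for r in records if r.priority == lowest]
    group.sort(key=lambda r: r.weight != 0)   # stable: weight-0 entries first
    total = sum(r.weight for r in group)
    n = pick(total)
    running = 0
    for r in group:
        running += r.weight
        if running >= n:
            return r
    return group[-1]


if __name__ == "__main__":
    import random
    origin = "domain.com"
    # The two ways the poster filled in the form; the second is the 'recursive record'.
    for typed in ("remote", "remote.domain.com", "remote.domain.com."):
        fqdn = to_fqdn(typed, origin)
        print("%-20s -> %-30s %s" % (typed, fqdn, check_srv_target(fqdn, origin) or "ok"))
    # Constructed multi-record set: two equal-priority hosts and a lower-ranked backup.
    recs = [SRV(10, 0, 443, "backup.domain.com"),
            SRV(0, 60, 443, "a.domain.com"),
            SRV(0, 40, 443, "b.domain.com")]
    rng = random.Random(0)
    print("chosen:", select_target(recs, lambda total: rng.randint(0, total)).target)
```

With a single record of priority 0 and weight 0, as the poster ended up with, the selection is trivial and the values do not matter; the `to_fqdn` check is the part that catches the provider's complaint before the record goes live.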
