SSL Certificate Name Mismatch in SBS 2008

I did some testing of Exchange 2007 using the website https://www.testexchangeconnectivity.com/Default.aspx

It showed that I had an SSL Certificate Name Mismatch.

My internet domain sends my www.domain.com to a paid hosted website and I use the recommended remote.domain.com to my IP address on my local SBS 2008 server.

I don't seem to have any trouble with OWA, active sync or remote HTTPS.

In the testing I get these 3 errors:
SSL Certificate Name Mismatch
The Host Name Could Not be Resolved in DNS
Could Not Find Autodiscover Service Location (SRV) Record in DNS

My signed certificate is from www.crosslogicdomains.com, which looks like it is the same folks that put out www.godaddy.com.

I do have reverse DNS setup on my local IP address for remote.domain.com.

I am not sure where to look first to fix this issue.

Alpha4043Asked:
 
AkhaterCommented:
service _autodiscover
protocol _tcp
priority weight = 0
target remote.domain.com
port 443

right...

For the name, can you leave it empty?
0
 
AkhaterCommented:
The 3 errors you are seeing are at 3 different stages:

1. testexchangeconnectivity will try to access using https://domain.com/autodiscover/....

That's probably when you are getting "SSL Certificate Name Mismatch".

2. It tries https://autodiscover.domain.com/autodiscover/...

That's when you are getting "The Host Name Could Not be Resolved in DNS".

3. It also tries to find an SRV record for the autodiscover server, which is probably not present in your case, so you have

"Could Not Find Autodiscover Service Location (SRV) Record in DNS"
0
 
Alpha4043Author Commented:
That seems to be the case.
0
 
AkhaterCommented:
All the above means that you cannot use autodiscover, but not that you can't use activesync/rpc or owa.
0
 
Alpha4043Author Commented:
So are you saying that there is no problem?
0
 
AkhaterCommented:
When in testexchangeconnectivity, do not pick the "use autodiscover" option; instead enter the URL manually:

https://remote.domain.com. If it passes, then you have no problem, except that you are not able to use autodiscover.
0
 
Alpha4043Author Commented:
Ok, and this is because the domain name is split to two different places?
0
 
AkhaterCommented:
No, this is because

1. you don't have autodiscover.yourdomain.com in your DNS
2. you don't have autodiscover.yourdomain.com in your certificate
0
 
Alpha4043Author Commented:
Ok, Do I need to do that? What do I need to do to make all that happen?
0
 
AkhaterCommented:
You don't NEED to do that as long as you are OK without autodiscover...

if your DNS provider supports SRV records just add

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.domain.com
0
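As an added illustration (not code from the thread or from either participant), the following Python models the three lookups Akhater lists above and the `_autodiscover._tcp` SRV record he suggests: a constructed zone and a constructed set of certificate names stand in for real DNS and TLS, and the name check follows the usual CN/SAN matching rule with a single-label wildcard. `domain.com`, `remote.domain.com` and the IP addresses are placeholders, and `www.hosted-site.example` is an assumed name for the paid web host's own certificate.

```python
# Constructed model of the three Autodiscover lookups discussed in the thread.
ERR_MISMATCH = "SSL Certificate Name Mismatch"
ERR_NXDOMAIN = "The Host Name Could Not be Resolved in DNS"
ERR_NO_SRV = "Could Not Find Autodiscover Service Location (SRV) Record in DNS"

def hostname_matches(hostname, cert_names):
    """RFC 6125-style name check; a leading '*' matches exactly one DNS label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) == len(host) and labels[1:] == host[1:] and labels[0] in ("*", host[0]):
            return True
    return False

def try_host(hostname, zone, certs):
    """One HTTPS probe: resolve the name, then validate the presented cert against
    the name the client asked for. Returns None on success, else the error text."""
    ip = zone.get(hostname, {}).get("A")
    if ip is None:
        return ERR_NXDOMAIN
    return None if hostname_matches(hostname, certs.get(ip, [])) else ERR_MISMATCH

def autodiscover_probe(domain, zone, certs):
    """Replay the stages: https://<domain>/..., https://autodiscover.<domain>/...,
    then the _autodiscover._tcp SRV record. Returns (found, errors_so_far)."""
    errors = []
    for host in (domain, "autodiscover." + domain):
        err = try_host(host, zone, certs)
        if err is None:
            return True, errors
        errors.append(err)
    srv = zone.get("_autodiscover._tcp." + domain, {}).get("SRV")
    if srv is None:
        return False, errors + [ERR_NO_SRV]
    _priority, _weight, _port, target = srv
    # The client connects to the SRV target and validates the cert against the
    # target name, so a single-name cert for remote.domain.com is sufficient.
    err = try_host(target, zone, certs)
    return (True, errors) if err is None else (False, errors + [err])

# Constructed sample data: the asker's setup before and after adding the SRV record.
CERTS = {"203.0.113.10": ["www.hosted-site.example"],  # paid web host, its own cert
         "198.51.100.20": ["remote.domain.com"]}       # SBS 2008, single-name cert
ZONE_BEFORE = {"domain.com": {"A": "203.0.113.10"},
               "remote.domain.com": {"A": "198.51.100.20"}}
ZONE_AFTER = {**ZONE_BEFORE, "_autodiscover._tcp.domain.com":
              {"SRV": (0, 0, 443, "remote.domain.com")}}
```

Running `autodiscover_probe("domain.com", ZONE_BEFORE, CERTS)` reproduces all three errors from the question, while `ZONE_AFTER` succeeds at the SRV stage without touching the certificate; modelling the CNAME route instead (an `autodiscover.domain.com` record pointing at the SBS address) still fails until the certificate also carries that name.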
 
Alpha4043Author Commented:
Yes it does.

I see the following blanks to fill in:

Service:                              Protocol:
Name:
Priority:                Weight:              Port:

Target:                                  TTL: 1 Hour

So service would be "autodiscover"
Protocol would be "TCP"
Name: I have no idea or does it matter?
Priority:  ?
Weight: ?
Port 443
Target: "remote.domain.com"??
0
 
Alpha4043Author Commented:
So nothing in the name. OK. Do I test with:  https://autodiscover.domain.com/autodiscover/  ?
0
 
AkhaterCommented:
No, it is remote.domain.com; nothing has changed. You will need to wait for DNS replication to happen.
0
 
AkhaterCommented:
And in name enter @

0
 
Alpha4043Author Commented:
Is the _ necessary in the _autodiscover and _tcp  ?

When I look at the SRV is shows

Service: _      Protocol: _
Name:
Priority: 0                Weight: 0             Port: 0

Target: remote.domain.com     TTL: 1 Hour

0
 
AkhaterCommented:
If the _ already exists, no need to add it.

For the name, let it be @
0
 
Alpha4043Author Commented:
It looks like it took it, but when I look on the DNS control page it shows up as listed below after I save it.

Service: _      
Protocol: _
Name: @
Priority: 1
Weight: 0
Target: remote.domain.com
TTL: 1 Hour

0
 
AkhaterCommented:
You mean there is no autodiscover in service and tcp in protocol? Also, where is the port?
0
 
Alpha4043Author Commented:
I put the information in the blanks but when it is saved it shows what I list above.
0
 
AkhaterCommented:
I think you should contact your DNS provider in that case.
0
 
Alpha4043Author Commented:
I agree.
0
 
Alpha4043Author Commented:
I just talked to the people that have our DNS. They said all I need was a CNAME set up with autodiscover in the HOST and remote.domain.com in the POINTS TO fields.

What do I need to do with the certificate for autodiscover.yourdomain.com?

0
 
AkhaterCommented:
I told you to create it as an SRV record, not a CNAME, so you won't have to get another certificate.
0
 
Alpha4043Author Commented:

Well I tried to get the guy to help me set up SRV and he said that the CNAME was the way they recommended because he thought only hosting sites needed that setup.

I have attached copies of what the SRV section looks like. I am pretty sure this is just like Godaddy.com.

When you look at the after that is how the information shows up in the record.
When-entering-Info.PNG
example-after.PNG
SRV-Descriptions.PNG
0
 
AkhaterCommented:
If you want to do it as a CNAME it would also work; however, you will need another certificate.

0
 
Alpha4043Author Commented:
I don't really want another certificate if I can make this work.
0
 
AkhaterCommented:
Well, that's why I started with SRV records in the first place. The config you are doing is correct; you just need to nag your DNS provider to fix the SRV issue.
0
 
Alpha4043Author Commented:
I will do that. Does what I am putting in the fields look correct to you? Is this what you are used to dealing with, or is it totally different?

Thanks for your patience and expertise.
0
 
AkhaterCommented:
Wait one sec.

From a computer on the internet, please run

nslookup
set type=srv
_autodiscover._tcp.domain.com

What does it give you?

If you want to share your domain name with me, I will do it for you.
0
 
Alpha4043Author Commented:
Well it looks like SRV is finally listed correctly. Everything is in the correct location.

I am deleting the CNAME record.

 
0
 
Alpha4043Author Commented:
It shows me my domain name server with its private IP address.
0
 
Alpha4043Author Commented:
My email address is djh27521@ncrrbiz.com.  I will send you the report I get from the test.
It is looking better.
0
 
Alpha4043Author Commented:
Would it be better for me to open another question to continue with this?
0
 
Alpha4043Author Commented:
Good to work with. Answer got too involved. I think there is still some issue with the certificate.
0
 
AkhaterCommented:
Thank you for the points; however, if the question is not done yet for you, I can finish helping you here or in another question.

If you decide to open another question, just update me with its number; I will carry it over till it is done.
0
 
Alpha4043Author Commented:
That would be great. I don't have any other source to turn to on this but I also didn't want for you to feel like this was a never ending question.

It looks like the SRV is setup correctly in the DNS but I still think I have issues with the certificate not matching. Not sure how to check or test that.
0
 
AkhaterCommented:
No, the SRV record is not correct. We are left with 3 options:

1. call your DNS provider and nag till they fix DNS for you
2. create it as a CNAME record and rekey your certificate
3. live without autodiscover, since all is working
0
 
Alpha4043Author Commented:
I sent you what my DNS looked like.

What do I need to do if I need to rekey my certificate?
0
 
AkhaterCommented:
You will need to get a new CSR from Exchange with the names

remote.domain.com and autodiscover.domain.com

Go to your SSL provider and rekey it; it should be free of charge.
0
 
Alpha4043Author Commented:
Didn't my SRV look right in the DNS settings?  
0
 
AkhaterCommented:
In the screenshot it does look right; however, the query is not returning anything, so there is an issue with the DNS provider.
0
 
Alpha4043Author Commented:
Here is the second response from the tech support. What does this mean?

Thank you for your reply. At this time the DNS record is set up as a recursive record, which is not supported in our system. You will need to remove the domain name from the target and simply use remote. You will need to make sure that the domain name is never used in the records created.

Please let us know if we can assist you in any other way.

Best Regards,
Thad P.
Online Support Representative

0
 
AkhaterCommented:
Well, this is rather good news.

It means in the target just put remote instead of remote.domain.com.

I'd say delete the record and create a new one.
0