  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 935

When using Outlook 2010 Client Cert domain name not valid error

Exchange 2010 SP1
Outlook 2010

Hi - I created a GoDaddy cert for my external domain for OWA. Imported the cert, OWA works OK.
When I did the cert request I checked the Outlook web app on the intranet and added the internal FQDN of the Exchange server (red.mydomain.com)

But the cert only lists the external domain (owa.mydomain.com)

I get the attached error when launching or configuring the Outlook client
What am I missing?
Default MS Exchange cert exists with CN=Red
Snap1.jpg
Asked by: BigBadWolf_000

Akhater Commented:
if the certificate doesn't contain red.mydomain.com then it is normal you get this error

what you can do is

1. change the Exchange URLs to give owa.domain.com instead of red.domain.com
2. in your internal DNS add a record owa.domain.com pointing to the internal IP of your exchange server

BigBadWolf_000 (Author) Commented:
I want to keep internal as RED why does the default cert not work ....is it because I assigned SMTP Services to the external owa.mydomain.com cert.

does the external cert need both IIS and SMTP services assigned to it?

sunnyc7 Commented:
The cert has to match the domain name

Your cert is issued to OWA.domain.com
Your domain is - red.domain.com

You can change the internal to owa.domain.com
and then create a DNS entry where you add an A-record for owa.domain.com to point to the LAN IP of Exchange 2010

 
Akhater Commented:
No, it is because you can only assign one certificate for IIS; you have assigned the one from GoDaddy, so the default one was removed.

you can just rekey your certificate to include red.domain.com

sunnyc7 Commented:
That's another possibility :)

BigBadWolf_000 (Author) Commented:
Akhater: Thanks...when I submitted the req to godaddy it included red. I selected their Exc 2007 cert download.

sunnyc7: yes I have that already...which works for accessing the webmail access internally.

I am talking about Outlook Client which finds RED (even if I type in OWA it resolves to RED)

I am guessing rekeying may be my only option...Akhater: any additional thoughts

 
Akhater Commented:
Yes, Outlook clients take the configuration from autodiscovery services, so as long as Exchange is configured to use RED it will switch back to RED

BigBadWolf_000 (Author) Commented:
Akhater: Why is MAPI looking for an SSL cert...does not make sense...I can turn off the encryption in the profile ...but then I get an address book error

---------------------------
The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
---------------------------
There must be a simple solution to this....why would I need an SSL cert for internal mapi

Akhater Commented:
You don't need SSL for MAPI, you need SSL for autodiscover to work; this is the way Exchange 2010/2007 works

Outlook will connect through HTTPS to the autodiscover service to pull all needed URLs

OWA/OAB/EWS etc..

BigBadWolf_000 (Author) Commented:
How can I change the url that autodiscover looks for internally???


sunnyc7 Commented:
get-clientaccessserver | fl InternalUrl
get-autodiscovervirtualdirectory | fl InternalUrl

post the results of both

thanks

BigBadWolf_000 (Author) Commented:
Too expensive to setup cert with multiple subdomains....what can I do to work around...besides having internal and external FQDN being the same name
 
Akhater Commented:
you don't have a lot of options it is either have both the same or get a SAN certificate

a SAN certificate is for $80/year not exactly expensive

BigBadWolf_000 (Author) Commented:
sunnyc7:
get-clientaccessserver | fl InternalUrl
returns...nothing...blank space

get-clientaccessserver
returns.....
NAME
--------
RED

get-autodiscovervirtualdirectory | fl InternalUrl
returns...
InternalUrl:

Akhater Commented:
if you want to make them both the same you will need to

1. open EMC -> server config ->Client access
2. go to each tab and change the name from RED to mail....


then go to EMS

get-webservicesvirtualdirectory | fl *url*

then
get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -externalURL https://mail....../...... (copied from step before)


finally, issue

get-clientaccessserver | fl *uri*

get-clientaccessserver | set-clientaccessserver -AutoDiscoverServiceInternalUri https://mail.....

sunnyc7 Commented:
This is your problem http:#33667204
Blank space - that means SCPs and URLs are not configured and Akhater gave the answer above.

Along with externalURL - you need to set internalURL for completeness

Was out of action for a while.

BigBadWolf_000 (Author) Commented:
Thanks all...It was easier to just put in a UC certificate (that can contain internal and external domains - required by MS)...all works fine now. FYI..it was strange that the EMS did not show the InternalUrl when they show in the EMC
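
Added example (not part of the original thread and not any poster's code): a PowerShell check that lists which client-facing URLs use a host name the certificate does not cover, which is the mismatch behind the Outlook warning discussed above. The function names and sample values are hypothetical, built from the names used in the thread; wildcard handling goes beyond the single-name case in the thread.

```powershell
# Returns $true when the certificate's domain list covers the host name.
function Test-CertCoversName {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one left-most label (*.mydomain.com).
        if ($d.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -ieq $d.Substring(2)) { return $true }
        }
    }
    return $false
}

# Emits one object per URL whose host is missing from the certificate.
function Get-UncoveredUrl {
    param([string[]]$Urls, [string[]]$CertDomains)
    foreach ($u in $Urls) {
        if ([string]::IsNullOrEmpty($u)) { continue }   # blank URL: not configured
        $name = ([uri]$u).Host
        if (-not (Test-CertCoversName -HostName $name -CertDomains $CertDomains)) {
            [pscustomobject]@{ Url = $u; Host = $name }
        }
    }
}

# Constructed sample: the certificate lists only the external name,
# while Autodiscover and EWS hand out the internal name RED.
$certDomains = @('owa.mydomain.com')
$urls = @(
    'https://red.mydomain.com/Autodiscover/Autodiscover.xml',
    'https://red.mydomain.com/EWS/Exchange.asmx',
    'https://owa.mydomain.com/owa'
)
Get-UncoveredUrl -Urls $urls -CertDomains $certDomains

# Assumption: in the Exchange Management Shell the real inputs would come from
#   (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }).CertificateDomains
#   (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
# each converted to a string before being passed in.
```

Any URL it reports needs either its host name added to the certificate (a SAN/UC certificate) or the Exchange URL changed to a name the certificate already lists.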