Solved

When using Outlook 2010 Client Cert domain name not valid error

Posted on 2010-09-13
18
905 Views
Last Modified: 2012-05-10
Exchange 2010 SP1
Outlook 2010

Hi - I created a GoDaddy cert for my external domain for OWA. Imported the cert, OWA works ok.
When I did the cert request I checked the Outlook Web App on the intranet option and added the internal FQDN of the Exchange server (red.mydomain.com).

But the cert only lists the external domain (owa.mydomain.com).

I get the attached error when launching or configuring the Outlook client.
What am I missing?
The default MS Exchange cert exists with CN=Red.
Snap1.jpg
0
Question by:BigBadWolf_000
18 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 33666108
If the certificate doesn't contain red.mydomain.com then it is normal that you get this error.

What you can do is:

1. change the Exchange URLs to give owa.domain.com instead of red.domain.com
2. in your internal DNS add a record owa.domain.com pointing to the internal IP of your Exchange server
0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33666156
I want to keep internal as RED. Why does the default cert not work? Is it because I assigned SMTP services to the external owa.mydomain.com cert?

Does the external cert need both IIS and SMTP services assigned to it?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33666172
The cert has to match the domain name.

Your cert is issued to owa.domain.com
Your domain is red.domain.com

You can change the internal to owa.domain.com
and then create a DNS entry where you add an A record for owa.domain.com pointing to the LAN IP of Exchange 2010.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 33666196
No, it is because you can only assign one certificate to IIS. You have assigned the GoDaddy one, so the default one was removed.

You can just rekey your certificate to include red.domain.com.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33666256
That's another possibility :)
0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33666387
Akhater: Thanks... when I submitted the request to GoDaddy it included red. I selected their Exc 2007 cert download.

sunnyc7: yes, I have that already... which works for accessing webmail internally.

I am talking about the Outlook client, which finds RED (even if I type in OWA it resolves to RED).

I am guessing rekeying may be my only option... Akhater: any additional thoughts?

 
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33666420
Yes, Outlook clients take the configuration from the Autodiscover service, so as long as Exchange is configured to use RED it will switch back to RED.
0
 
LVL 19

Expert Comment

by:R--R
ID: 33666622
0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33667076
Akhater: Why is MAPI looking for an SSL cert? Does not make sense... I can turn off the encryption in the profile, but then I get an address book error:

---------------------------
The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
---------------------------
There must be a simple solution to this... why would I need an SSL cert for internal MAPI?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33667090
You don't need SSL for MAPI, you need SSL for Autodiscover to work; this is the way Exchange 2010/2007 works.

Outlook will connect through HTTPS to the Autodiscover service to pull all needed URLs:

OWA/OAB/EWS etc.

0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33667128
How can I change the URL that Autodiscover looks for internally?


0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33667137
get-clientaccessserver | fl InternalUrl
get-autodiscovervirtualdirectory | fl InternalUrl

Post the results of both.

Thanks
0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33667142
Too expensive to set up a cert with multiple subdomains... what can I do to work around it, besides having the internal and external FQDN be the same name?
 
0
 
LVL 49

Expert Comment

by:Akhater
ID: 33667194
You don't have a lot of options: either have both the same or get a SAN certificate.

A SAN certificate is $80/year, not exactly expensive.
0
 
LVL 14

Author Comment

by:BigBadWolf_000
ID: 33667204
sunnyc7:
get-clientaccessserver | fl InternalUrl
returns... nothing... blank space

get-clientaccessserver
returns...
NAME
--------
RED

get-autodiscovervirtualdirectory | fl InternalUrl
returns...
InternalUrl:

0
 
LVL 49

Expert Comment

by:Akhater
ID: 33667238
If you want to make them both the same you will need to:

1. open EMC -> Server Configuration -> Client Access
2. go to each tab and change the name from RED to mail....

Then go to EMS:

get-webservicesvirtualdirectory | fl *url*

then
get-webservicesvirtualdirectory | set-webservicesvirtualdirectory -ExternalUrl https://mail....../...... (copied from the step before)

Finally issue:

get-clientaccessserver | fl *uri*

get-clientaccessserver | set-clientaccessserver -AutoDiscoverServiceInternalUri https://mail.....
0
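The procedure above changes the Web Services directory and the Autodiscover SCP by hand; the same idea applied to every Client Access virtual directory at once looks like this. This is an added example written for this thread, not a script from any of the posters: it assumes the Client Access server is named RED (as in the thread) and uses mail.mydomain.com as a placeholder for the single hostname that the certificate carries. Run it in the Exchange Management Shell on Exchange 2010.

```powershell
# Added example (not from the thread): give every Client Access URL the same
# hostname so one certificate name satisfies both internal and external Outlook.
# Assumptions: server "RED"; "mail.mydomain.com" is a placeholder hostname that
# must appear on the certificate enabled for IIS and resolve internally (split DNS).
$Server   = "RED"
$HostName = "mail.mydomain.com"
$Base     = "https://$HostName"

# Outlook Web App and Exchange Control Panel
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"

# Exchange Web Services (free/busy, Out of Office) and the Offline Address Book
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" `
                                    -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"

# Exchange ActiveSync
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" `
                                   -ExternalUrl "$Base/Microsoft-Server-ActiveSync"

# The Autodiscover service connection point (SCP) in Active Directory is what a
# domain-joined Outlook queries first; this is where the thread's client was
# handed "RED" and then complained that the certificate name did not match.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# Verify: every URL the server hands out should now carry the same host.
Get-OwaVirtualDirectory -Server $Server          | fl Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Server  | fl Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server          | fl Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory -Server $Server   | fl Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server         | fl Name, AutoDiscoverServiceInternalUri
```

Two things the script does not do for you: the internal DNS zone still needs an A record for the chosen hostname pointing at the server's LAN address, and Outlook only picks up the new URLs once it re-reads Autodiscover, so an existing profile may keep the old name until it is restarted.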
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33667722
This is your problem: http:#33667204
Blank space means the SCPs and URLs are not configured, and Akhater gave the answer above.

Along with ExternalUrl, you need to set InternalUrl for completeness.

Was out of action for a while.
0
 
LVL 14

Author Closing Comment

by:BigBadWolf_000
ID: 33674700
Thanks all... It was easier to just put in a UC certificate (that can contain internal and external domains, as required by MS)... all works fine now. FYI, it was strange that the EMS did not show the InternalUrl when it shows in the EMC.
0
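The closing comment resolves the thread by installing a UC (SAN) certificate that lists both names. Whichever route is taken, the check that matters is that the certificate bound to IIS lists every hostname Exchange advertises to clients; the following is an added example (not from any poster) that performs that comparison. It assumes the server is named RED and that the IIS-enabled certificate is the one Outlook will be shown; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread): compare the hostnames in every configured
# client URL against the names on the certificate enabled for IIS. Any "MISSING"
# line is a hostname for which clients will see a certificate name mismatch.
# Assumption: Client Access server "RED".
$Server = "RED"

# Collect every URL the Client Access server hands out (internal and external).
$urls = @()
$urls += Get-OwaVirtualDirectory -Server $Server         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory -Server $Server         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OabVirtualDirectory -Server $Server         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory -Server $Server  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri

# Reduce to the distinct hostnames (blank URLs, like the thread's empty InternalUrl, are skipped).
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([Uri]$_).Host.ToLower() } |
         Sort-Object -Unique

# Only one certificate can serve IIS (as Akhater noted); that is the one Outlook sees.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match "IIS" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for the IIS service on $Server" }

$certNames = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
"Certificate $($cert.Thumbprint), expires $($cert.NotAfter)"
"Names on certificate: $($certNames -join ', ')"
""

foreach ($h in $hosts) {
    # Exact match, or a wildcard entry (*.mydomain.com) that covers exactly one label.
    $exact    = $certNames -contains $h
    $wildcard = [bool]($certNames | Where-Object {
        $_.StartsWith("*.") -and ($h -like $_) -and
        ($h.Split(".").Count -eq $_.Split(".").Count) })
    if ($exact -or $wildcard) {
        "OK       $h"
    } else {
        "MISSING  $h   (clients using this URL will get a certificate name error)"
    }
}
```

If the Autodiscover SCP hostname is reported as MISSING, that is precisely the situation the original question describes: the cert is fine for OWA, but the name Outlook is redirected to internally is not on it.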
