Solved

The name on the security certificate is invalid or does not match the name of the site

Posted on 2010-11-25
4,491 Views
Last Modified: 2012-05-10
I have an Exchange 2010 server with the domain of www.mydomain.com.  I have clients on this server, using email addresses such as user@notmydomain.com, and otheruser@someotherdomain.com.

I have an SSL certificate installed from GoDaddy for mail.mydomain.com.  It's not a UCC certificate.  Just the single domain.  OWA works fine, no error messages and clients connect to it via https://mail.mydomain.com/owa

Issue is within Outlook 2007 or 2010.  When offsite clients (not connected to the domain system) connect to Outlook using Outlook anywhere, they receive the "Security Alert" about the certificate not matching the name of the site, for the domain autodiscover.notmydomain.com.  

The message makes sense, because the name doesn't match...because their email addresses are on a different domain (user@notmydomain.com), but the certificate is for mail.mydomain.com

If the client clicks "YES" at the "do you want to proceed" everything works fine...

I tried installing the certificate to the client machines into the trusted root certification authority but the error still persists for these clients.

I would change to a UCC certificate to include autodiscover.mydomain.com, however I don't think this will solve the issue...?

Tips?



Question by:mikeshaver
24 Comments
 
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 34215474
Hi,

Refer this article:
http://support.microsoft.com/kb/940726

and verify your settings.

Note: Better to have a UCC certificate.

Hope this helps,
Shree
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215487
If I get the UCC certificate, can I add ALL the domains to it, like this:

mail.mydomain.com
autodiscover.mydomain.com
autodiscover.otherdomain.com
autodiscover.differentdomain.com
autodiscover.yetanotherone.com

Etc?

And will this prevent the error on all clients?  Or would I still have to setup something else?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215488
the domain name you have removed is it @mydomain.com or @notmydomain.com ?

 
LVL 1

Author Comment

by:mikeshaver
ID: 34215495
Its @notmydomain.com  (but it does the same thing for autodiscover.mydomain.com as well).
 
LVL 49

Expert Comment

by:Akhater
ID: 34215505
the ucc certificate will solve the @mydomain.com not the @myotherdomain.com

are autodiscover.mydomain.com and autodiscover.notmydomain.com resolvable in DNS?
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215513
Damn on the UCC thing.  Thought I could throw some money at this and make it go away.  

Yes, autodiscover.notmydomain.com can be resolved in DNS.  I created an A record for it.  It resolves to the IP of my mail server at mail.mydomain.com
 
LVL 49

Expert Comment

by:Akhater
ID: 34215519
well remove it from DNS and it will go away....
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215525
Yes, but then I assume the autodiscover services won't work for myotherdomain.com, and thus I won't be able to use Out of office replies?  (I was getting a "server not found" from Out of Office before I went down the configuration of autodiscover path...)

?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215537
it is not working now anyway :)
it won't work if it is not trusted

here is what you can do to solve your problem without putting money on the UCC certificate

replace both A records for autodiscover with SRV records pointing to mail.mydomain.com

 
LVL 1

Author Comment

by:mikeshaver
ID: 34215559
OK, so just so I am clear...I should:

At my DNS provider (GoDaddy):

1 - Erase the A record for autodiscover.mydomain.com which is currently pointing to the IP of the mail server.

2 - I already have an SRV record with the following which I will leave intact?:
service: _autodiscover
Protocol: _tcp
Name:  mail (this is the netbios name of my server)
Priority and weight: 0
Port: 443
Target:  mail.mydomain.com
TTL:  1 hour

3 - In the DNS manager for otherdomain.com, remove the A record for autodiscover which points at the IP of the mail server for mail.mydomain.com

4 - I already have an SRV record for myotherdomain.com with these settings, I leave this intact as well?
service: _autodiscover
Protocol: _tcp
Name:  mail (this is the netbios name of my server)
Priority and weight: 0
Port: 443
Target:  mail.mydomain.com
TTL:  1 hour

I would repeat step 4 for every otherdomain such as myotherdomain.com, differentdomain.com etc?

Yes/No/Maybe so?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215562
1- ok

2-
service: _autodiscover
Protocol: _tcp
Name: @
Priority and weight: 0
Port: 443
Target:  mail.mydomain.com
TTL:  1 hour

3. create the same record that in 2
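To make the record layout above concrete, here is an added example (written for this page, not code from the thread, from Exchange or from any Microsoft tool) that models in Python what a non-domain-joined Outlook client does with the two DNS layouts discussed: A records for autodiscover.<domain> pointing at the server, versus _autodiscover._tcp SRV records whose target is mail.mydomain.com. The DNS table, the IP address 203.0.113.10 and the certificate name list are constructed to mirror the thread; the lookup order is the simplified public one (bare domain, then autodiscover.<domain>, then the SRV record), with the SCP and HTTP-redirect steps left out because they do not apply here.

```python
"""Model of the Autodiscover lookup order and the certificate name check
behind the "name on the security certificate is invalid" alert.

Constructed example: the zone data, IP address and certificate names
below are made up to mirror the thread (single-name certificate for
mail.mydomain.com, mailboxes at notmydomain.com).  Nothing is queried
over the network.
"""

# Constructed zone data, {name: (record_type, value)}.
# "before": autodiscover.<domain> has an A record pointing at the server.
DNS_BEFORE = {
    "mail.mydomain.com": ("A", "203.0.113.10"),
    "autodiscover.mydomain.com": ("A", "203.0.113.10"),
    "autodiscover.notmydomain.com": ("A", "203.0.113.10"),
}

# "after": the autodiscover A records are removed and replaced by
# _autodiscover._tcp.<domain> SRV records (priority, weight, port, target).
DNS_AFTER = {
    "mail.mydomain.com": ("A", "203.0.113.10"),
    "_autodiscover._tcp.mydomain.com": ("SRV", (0, 0, 443, "mail.mydomain.com")),
    "_autodiscover._tcp.notmydomain.com": ("SRV", (0, 0, 443, "mail.mydomain.com")),
}

# Names on the single-name certificate from the thread.
CERT_NAMES = ["mail.mydomain.com"]


def autodiscover_endpoint(smtp_domain, dns):
    """Return (hostname, url) the client will contact for smtp_domain.

    Simplified lookup order: https://<domain>/..., then
    https://autodiscover.<domain>/..., then the _autodiscover._tcp SRV
    record.  The SCP lookup (domain-joined only) and the HTTP redirect
    step are omitted.
    """
    for host in (smtp_domain, "autodiscover." + smtp_domain):
        rec = dns.get(host)
        if rec and rec[0] in ("A", "CNAME"):
            return host, f"https://{host}/autodiscover/autodiscover.xml"
    rec = dns.get(f"_autodiscover._tcp.{smtp_domain}")
    if rec and rec[0] == "SRV":
        _priority, _weight, port, target = rec[1]
        return target, f"https://{target}:{port}/autodiscover/autodiscover.xml"
    return None, None


def cert_name_matches(hostname, cert_names):
    """Hostname-vs-certificate check in the RFC 6125 style.

    A wildcard is honoured only in the left-most label and matches
    exactly one label, so *.mydomain.com covers mail.mydomain.com but
    not a.b.mydomain.com.  Trust of the issuing CA is a separate matter:
    importing the server certificate as a trusted root (as tried in the
    question) cannot fix a name mismatch.
    """
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            h_labels = hostname.split(".")
            n_labels = name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
        elif name == hostname:
            return True
    return False


def check(smtp_domain, dns, cert_names=CERT_NAMES):
    """Simulate the client: which host it connects to, and whether the
    name on the certificate matches that host."""
    host, url = autodiscover_endpoint(smtp_domain, dns)
    if host is None:
        return {"host": None, "url": None, "cert_ok": False}
    return {"host": host, "url": url, "cert_ok": cert_name_matches(host, cert_names)}


if __name__ == "__main__":
    for label, zone in (("before", DNS_BEFORE), ("after", DNS_AFTER)):
        for domain in ("mydomain.com", "notmydomain.com"):
            print(label, domain, check(domain, zone))
```

With the "before" zone the client connects to autodiscover.notmydomain.com, a name the certificate does not carry, so the alert is correct and clicking Yes simply trains users to accept a mismatched certificate. With the "after" zone the SRV target makes the client connect to mail.mydomain.com, the name on the certificate, so the check passes without any client-side trust changes. The model also tries the bare domain first, as Outlook does; if notmydomain.com itself hosts a website on port 443 with a different certificate, that probe can produce a warning of its own, which is a separate issue from the autodiscover A record.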
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215567
Kinda makes sense...

Your point 1 is clear obviously, delete the A record for autodiscover.mydomain.com

On Point 2, we are still talking about the SRV record for mydomain.com, correct?

As for point 3, that is referring to otherdomain.com, where I change the SRV record to be identical to the SRV record for mydomain.com

Yes?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215570
yes but in your SRV record the name is @ not netbios name of computer

 
LVL 1

Author Comment

by:mikeshaver
ID: 34215572
Got that.  Thanks.

And I still remove the A record for autodiscover in ALL domains, including mydomain.com and otherdomain.com

If so...I'm going to try it...?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215573
yes remove all the A records and replace them with SRV records

the easiest way is to test with a domain that has no A record to avoid dns replication time
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215574
Great, will try it now and post back!
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215577
Once DNS settings are updated/propagated, should a ping to autodiscover.myotherdomain.com and autodiscover.mydomain.com resolve and reply?  I would assume so?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215579
no :) it is an SRV record not a cname record

nslookup _autodiscover._tcp.otherdomain.com

should give back some info with mail.mydomain.com at the end
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215584
I added the SRV to a domain that didn't have the autodiscover A record in place before. As well as removing the A record for autodiscover.mydomain.com  

NSlookup that you gave above gives back:  
Name:  _autodiscover._tcp.otherdomain.com  (nothing more?)
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215587
Just reran the nslookup and got this:

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
 for _autodiscover._tcp.myotherdomain.com

Maybe I just need some patience?
 
LVL 49

Expert Comment

by:Akhater
ID: 34215590
ok try

nslookup
set type=srv
_autodiscover._tcp.myotherdomain.com
 
LVL 1

Author Comment

by:mikeshaver
ID: 34215597
That worked!

Just remoted into my client machine at myotherdomain.com, and there was an outlook popup asking to allow the server to configure the client.  Clicked OK and checked the box to not ask again.

No cert errors!  

Awesome!  Thanks for the huge help!
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 34215599
;o) you're welcome
 
LVL 1

Author Closing Comment

by:mikeshaver
ID: 34215615
Awesome!!!!