  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 520

Exchange 2010 security certificate error

Hello EE. I am trying to connect my Outlook 2007 users to a newly installed Exchange 2010 server. The Auto Discovery complains about the security certificate:
"The name of the security certificate is invalid or does not match the name of the site"
I found a Microsoft KB article that shows a solution but it is difficult to follow. We are on a dot local domain so it is a little difficult to figure out the correct syntax. Exchange 2010 is totally different from 2003. We initially stayed away from Exchange 2007 because of the hardware requirements. On 2010 I have all the roles on one server. Is there a better "How To" article I could refer to? What a learning curve.
0
Asked by InSearchOf
2 Solutions
 
MegaNuk3 commented:
1.) Do you have a 3rd party certificate or the self-signed one installed on Exchange?

2.) Do your Outlook 2007 clients have the latest patches installed?

3.) What is the output from
Get-ClientAccessServer | fl AutoDiscoverServiceInternalUri

4.) Are your Outlook clients internal?

5.) Are your Outlook clients in the same domain as the Exchange server?
0
 
dexIT commented:
Do you have a third party certificate installed under Server Configuration?
0
 
InSearchOf (Author) commented:
1 - No, I do not have a third party certificate. My Windows 2008 R2 ENT AD server is configured as a CA for use with my wireless network.

2 - Outlook clients are patched.

3 - The above command executes but provides no output.

4 - Clients are internal.

5 - Clients are on the same domain as the Exchange server.
0
 
dexIT commented:
Depending on what you're trying to do, it is practical to use a third party certificate, preferably a Unified Communications Certificate (UCC). What are you trying to accomplish here?
0
 
InSearchOf (Author) commented:
I am just trying to map our Outlook clients to our new Exchange Server.
0
 
MegaNuk3 commented:
Try
Get-ClientAccessServer | fl
and see if the AutoDiscoverServiceInternalUri is blank. If it is, then that is your problem.
0
 
InSearchOf (Author) commented:
I have the dot local FQDN listed.
0
 
MegaNuk3 commented:
Is that name on your cert?

If not, change the AutoDiscoverServiceInternalUri to the name on your cert.

0
 
MegaNuk3 commented:
For example:
Set-ClientAccessServer -Identity <CASServerName> -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml

as long as mail.mydomain.com resolves internally to the INTERNAL IP address of the CAS server.

0
 
InSearchOf (Author) commented:
Well, I have a statement in the firewall for SMTP traffic to route external SMTP traffic to the internal address, as well as MX and A record entries in our zone file at the ISP. Is there a command or setting I can look at to view the name on the cert? I am spending most of my time in the data center until I resolve this problem and do not have access to Outlook.
0
 
MegaNuk3 commented:
Try
Get-ExchangeCertificate | fl
then look at the certs enabled for IIS.

Or hit OWA from IE, click on the lock symbol and you will see the cert; click on Details and then look at the cert subjects.

You also need to allow port 443 from external to your CAS server because Autodiscover is a web service / URL.
0
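The checks MegaNuk3 describes above (URI set, its host name on the IIS-enabled cert, name resolving to the internal CAS address) as one script. This is an added example, not code from the thread; it assumes it runs in the Exchange Management Shell on the CAS itself, so $env:COMPUTERNAME is the Client Access server identity.

```powershell
# Added example: verify the internal Autodiscover configuration on an Exchange 2010 CAS.
# Assumption: run from the Exchange Management Shell on the CAS server itself.
$casName = $env:COMPUTERNAME
$cas     = Get-ClientAccessServer -Identity $casName
$uri     = $cas.AutoDiscoverServiceInternalUri

if (-not $uri) {
    Write-Warning "AutoDiscoverServiceInternalUri is blank on $casName (Outlook cannot find Autodiscover)."
    Write-Warning "Set it with: Set-ClientAccessServer -Identity $casName -AutoDiscoverServiceInternalUri https://<name-on-cert>/Autodiscover/Autodiscover.xml"
} else {
    $adHost = $uri.Host
    Write-Host "AutoDiscoverServiceInternalUri host name: $adHost"

    # Only certificates bound to IIS are presented for Autodiscover and OWA.
    $iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
    if (-not $iisCerts) { Write-Warning "No certificate is enabled for the IIS service." }

    foreach ($cert in $iisCerts) {
        $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
        # The host name must be listed exactly or be covered by a wildcard entry (*.domain).
        $matched = $names | Where-Object {
            $_ -eq $adHost -or ($_.StartsWith('*.') -and $adHost -like $_)
        }
        $status = if ($matched) { 'OK' } else { 'MISMATCH -> Outlook will warn' }
        Write-Host ("Cert {0} (self-signed: {1}, expires {2}) names: {3} -> {4}" -f
            $cert.Thumbprint, $cert.IsSelfSigned, $cert.NotAfter, ($names -join ', '), $status)
    }

    # The name must resolve to this server's internal IP, not the public address at the ISP.
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($adHost)  | ForEach-Object { $_.IPAddressToString }
        $local    = [System.Net.Dns]::GetHostAddresses($casName) | ForEach-Object { $_.IPAddressToString }
        $internal = $resolved | Where-Object { $local -contains $_ }
        if ($internal) {
            Write-Host "$adHost resolves to this CAS ($($internal -join ', ')): OK"
        } else {
            Write-Warning "$adHost resolves to $($resolved -join ', '), none of which is this CAS ($($local -join ', '))."
            Write-Warning "Add an internal DNS A record for $adHost pointing at the CAS's internal IP."
        }
    } catch {
        Write-Warning "$adHost does not resolve at all: $($_.Exception.Message)"
    }
}
```

Run it before and after the Set-ClientAccessServer change to confirm that the name, the certificate and internal DNS all agree.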
 
InSearchOf (Author) commented:
Do you mean allow port 443 through my firewall?
0
 
MegaNuk3 commented:
Yes, port 443 (HTTPS) to your CAS so external Autodiscover (and OWA etc.) will work.
0
 
InSearchOf (Author) commented:
Ok great, I did just that. How would I determine the URL to use to test OWA?
0
 
MegaNuk3 commented:
https://<whateverExternalNameYouHaveOnYourCert>/owa

The external name needs to resolve to the external IP address of your router, which is forwarding port 443 to your CAS server.

You can go to www.canyouseeme.org and put in port 443 to see if it is open.

If it is, you can try the IP listed on canyouseeme:
https://<canyouseeme IP address>/owa
It should give you a cert error, but allow you to access OWA. Try it via an external Internet connection like an iPhone, because a lot of routers do not let internal traffic come back in the external interface.
0
 
InSearchOf (Author) commented:
Yes, port 443 is open and https://<whateverExternalNameYouHaveOnYourCert>/owa works. My DC, which runs Windows 2008 R2 ENT, has the CA role. Any way to use a cert from it, or the cert I exported from IIS on Exchange and imported into "Trusted Root Certification Authorities" in Explorer? I know users being users will complain about seeing the message.
0
 
MegaNuk3 commented:
If those users are using laptops from your domain then they will trust the cert and will not get an error, if the name of the site is on the cert.

Test external Autodiscover now from www.testexchangeconnectivity.com and see if it completes.
0
 
MegaNuk3 commented:
I think we are diverging away from the original question here...
Have you changed the AutoDiscoverServiceInternalUri to a name on your cert? Does that name resolve to the INTERNAL IP address of your CAS server if you ping it?
If all the above is in place then you should be able to open Outlook without certificate warnings, even for new users.
0
 
InSearchOf (Author) commented:
Under which test? The only Autodiscover test I see is for Microsoft Office Outlook.
0
 
MegaNuk3 commented:
Ignore it, your question is about internal Outlook certificate issues.
You can test internal Autodiscover by opening Outlook, then holding down the CTRL key and right-clicking the Outlook icon in the bottom right-hand corner of the screen; select 'Test E-mail AutoConfiguration'. Put in a valid username/email and password. Select 'Use AutoDiscover' only, then test.
0
 
InSearchOf (Author) commented:
Ok. Thanks for the info. You have been a great help.
0
 
MegaNuk3 commented:
Thanks for the points.
Is Outlook now working and configuring itself without certificate errors?
0
