Solved

Exchange 2010 security certificate error

Posted on 2011-02-24
500 Views
Last Modified: 2012-05-11
Hello EE. I am trying to connect my Outlook 2007 users to a newly installed Exchange 2010 server. The Auto Discovery complains about the security certificate:
"The name of the security certificate is invalid or does not match the name of the site"
I found a Microsoft KB article that shows a solution but it is difficult to follow. We are on a dot local domain so it is a little difficult to figure out the correct syntax. Exchange 2010 is totally different from 2003. We initially stayed away from Exchange 2007 because of the hardware requirements. On 2010 I have all the roles on one server. Is there a better "How To" article I could refer to? What a learning curve.
Question by:InSearchOf
22 Comments
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34972642
1.) Do you have a 3rd party certificate or the self signed one installed on exchange?

2.) do your outlook 2007 clients have the latest patches installed?

3.) what is the output from
Get-clientaccessserver | fl autodiscoverinternalUri

4.) are your outlook clients internal

5.) are your Outlook clients in the same domain as the Exchange server?
0
 
LVL 9

Expert Comment

by:dexIT
ID: 34972777
Do you have a third party certificate installed under Server Configuration?
0
 

Author Comment

by:InSearchOf
ID: 34973174
1 - No I do not have a third party certificate. My Windows 2008 R2 ENT AD server is configured as a CA for use with my wireless network

2 - Outlook clients are patched

3 - The above command executes but provides no output

4 - Clients are internal

5 - Clients are on the same domain as Exchange Server
0
 
LVL 9

Expert Comment

by:dexIT
ID: 34973300
Depending on what you're trying to do, it is practical to use a third party certificate, preferably a Unified Communications Certificate (UCC). What are you trying to accomplish here?
0
 

Author Comment

by:InSearchOf
ID: 34973445
I am just trying to map our Outlook clients to our new Exchange Server.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34974064
Try
Get-clientaccessserver | fl
And see if the autodiscoverInternalUri is blank, if it is then that is your problem.
0
 

Author Comment

by:InSearchOf
ID: 34974180
I have the dot local FQDN listed
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34974241
Is that name on your cert?

If not, change the autodiscoverInternalUri to the name on your cert.

0
 
LVL 31

Accepted Solution

by:
MegaNuk3 earned 500 total points
ID: 34974268
for example:
Set-ClientAccessServer -Identity <CASServerName> -AutoDiscoverServiceInternalUri https://mail.mydomain.com/Autodiscover/Autodiscover.xml

as long as mail.mydomain.com resolves internally to the INTERNAL IP address of the CAS server

0
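An added example, not from MegaNuk3's answer or from Microsoft: a script for the Exchange 2010 Management Shell that checks the three things this thread turns on before making the change in the accepted solution. It lists the names on the certificate(s) bound to IIS (the answer to "is there a command to view the name on the cert?"), checks that the proposed Autodiscover host is one of those names, checks that the host resolves to the CAS server's internal address rather than the public IP in the ISP zone file, and only then runs Set-ClientAccessServer. The server name and hostname are placeholders; the cmdlets and the CertificateDomains property are the Exchange 2010 ones.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on Exchange 2010.
$CasServer   = "EX2010"              # placeholder: your CAS server name (Get-ClientAccessServer)
$DesiredHost = "mail.mydomain.com"   # placeholder: a name that is on the certificate
$NewUri      = "https://$DesiredHost/Autodiscover/Autodiscover.xml"

# 1. What Outlook is currently told to use.
$cas = Get-ClientAccessServer -Identity $CasServer
Write-Host "Current AutoDiscoverServiceInternalUri: $($cas.AutoDiscoverServiceInternalUri)"

# 2. Names on the certificate(s) enabled for IIS (OWA, EWS, Autodiscover all sit behind IIS).
#    CertificateDomains is the subject CN plus the subject alternative names.
$certNames = @()
foreach ($c in (Get-ExchangeCertificate -Server $CasServer | Where-Object { $_.Services -match "IIS" })) {
    $names = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
    Write-Host ("IIS cert {0} (expires {1}): {2}" -f $c.Thumbprint, $c.NotAfter, ($names -join ", "))
    $certNames += $names
}

# 3. Name check: the URI host must be on the cert, or be covered by a wildcard entry.
#    If it is not, Outlook shows the "name of the security certificate is invalid" error.
function Test-NameOnCert([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A TLS wildcard (*.mydomain.com) covers exactly one extra label, so compare label counts too.
        if ($n.StartsWith("*.") -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# 4. DNS check: the name must resolve to the same address(es) as the CAS server itself.
function Test-ResolvesToCas([string]$HostName, [string]$Cas) {
    $casIps  = @([System.Net.Dns]::GetHostAddresses($Cas)      | ForEach-Object { $_.IPAddressToString })
    $nameIps = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString })
    foreach ($ip in $nameIps) { if ($casIps -contains $ip) { return $true } }
    return $false
}

$uriHost       = ([Uri]$NewUri).Host
$hostOnCert    = Test-NameOnCert $uriHost $certNames
$hostResolves  = Test-ResolvesToCas $uriHost $CasServer

if ($hostOnCert -and $hostResolves) {
    # 5. Safe to point Autodiscover at the name. Remove -WhatIf to apply the change.
    Set-ClientAccessServer -Identity $CasServer -AutoDiscoverServiceInternalUri $NewUri -WhatIf
    # Confirm afterwards with: Get-ClientAccessServer -Identity $CasServer | fl AutoDiscoverServiceInternalUri
} else {
    Write-Warning "Not changing anything. '$uriHost' on IIS cert: $hostOnCert; resolves to $CasServer internally: $hostResolves"
}
```

The script deliberately leaves -WhatIf on the Set-ClientAccessServer call so the first run only reports; clients pick up a changed URI the next time Outlook runs Autodiscover, so an incorrect value is not noticed until then.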
 

Author Comment

by:InSearchOf
ID: 34976040
Well, I have a statement in the firewall for smtp traffic to route external smtp traffic to the internal address as well as MX and A record entries on our zone file at the ISP. Is there a command or setting I can look at to view the name on the cert? I am spending most of my time in the data center till I resolve this problem and do not have access to Outlook.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34977599
Try
Get-exchangecertificate | fl
Then look at the Certs enabled for IIS

Or hit OWA from IE, click on the lock symbol and you will see the cert, click on details and then look at the cert subjects

You also need to allow port 443 from external to your CAS server because autodiscover is a web service / URL
0
 

Author Comment

by:InSearchOf
ID: 34978856
Do you mean allow port 443 through my firewall?
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34978870
Yes port 443 (HTTPS) to your CAS so external autodiscover ( and OWA etc) will work.
0
 

Author Comment

by:InSearchOf
ID: 34980881
Ok great I did just that. How would I determine the url to use to test OWA?
0
 
LVL 31

Assisted Solution

by:MegaNuk3
MegaNuk3 earned 500 total points
ID: 34981869
Https://<whateverexternalNameYouHaveOnYourCert>/owa

The external name needs to resolve to the external ip address of your router which is forwarding port 443 to your CAS server.

You can go to www.canyouseeme.org and put in port 443 to see if it is open

If it is you can try the IP listed on canyouseeme:
Https://<canyouseeme IP address>/owa
It should give you a cert error, but allow you to access OWA. Try it via an external Internet connection like an iPhone because a lot of routers do not let internal traffic come back in the external interface.
0
 

Author Comment

by:InSearchOf
ID: 34982372
Yes port 443 is open and https://<whateverexternalNameYouHaveOnYourCert>/owa works. My DC which runs Windows 2008 R2 ENT has the CA role. Any way to use a cert from it, or the cert I exported from IIS on Exchange and imported to "The Trusted Root Certification Authorities" in Explorer? I know users being users will complain about seeing the message.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34982423
If those users are using laptops from your domain then they will trust the cert and will not get an error if the name of the site is on the cert.

Test external autodiscover now from www.testexchangeconnectivity.com and see if it completes.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34982555
I think we are diverging away from the original question here...
Have you changed the autodiscoverInternalUri to a name on your cert? Does that name resolve to the INTERNAL IP address of your CAS server if you ping it?
If all the above is in place then you should be able to open Outlook without certificate warnings even for new users.
0
 

Author Comment

by:InSearchOf
ID: 34982559
Under which test? The only autodiscover I see is for Microsoft Office Outlook.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34982844
Ignore it, your question is about internal outlook certificate issues.
You can test internal autodiscover by opening outlook, then hold down CTRL key and right click on the outlook icon in the bottom right hand corner of the screen, select 'Test Autoconfiguration'. Put in a valid username/email and password. Select 'AutoDiscover' only, then test.
0
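An added example, not from MegaNuk3's answer: the 'Test Autoconfiguration' check above needs an Outlook client, which the asker does not have in the data center. This PowerShell 2.0+ script connects to the Autodiscover URL over TLS from any machine and reports the same two things Windows checks on Outlook's behalf: whether the certificate chain is trusted by this machine and whether the hostname in the URL matches a name on the certificate. The URL is a placeholder; the machine needs TCP 443 to the CAS server's internal name.

```powershell
# Added example (not from the thread). Reproduces the certificate name/trust check
# against the Autodiscover endpoint without Outlook.
$AutodiscoverUri = "https://mail.mydomain.com/Autodiscover/Autodiscover.xml"   # placeholder

function Get-AutodiscoverCertStatus([string]$Uri) {
    $hostName = ([Uri]$Uri).Host
    $result = New-Object PSObject -Property @{
        Host = $hostName; Subject = $null; DnsNames = @(); NotAfter = $null
        NameMatches = $false; ChainTrusted = $false; Errors = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient($hostName, 443)
    try {
        # .NET hands the callback the server certificate plus its own validation verdict
        # (SslPolicyErrors), which is the same kind of check SChannel/Outlook performs.
        $cb = {
            param($sender, $certificate, $chain, $policyErrors)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
            $result.Subject  = $cert.Subject
            $result.NotAfter = $cert.NotAfter
            # Subject Alternative Name extension (OID 2.5.29.17); Format() renders
            # "DNS Name=mail.mydomain.com, DNS Name=autodiscover.mydomain.com"
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
            if ($san) {
                $result.DnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                                     ForEach-Object { $_.Groups[1].Value })
            }
            $result.Errors       = $policyErrors
            $result.NameMatches  = ([int]($policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) -eq 0
            $result.ChainTrusted = ([int]($policyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)) -eq 0
            return $true   # diagnostic only: let the handshake finish so the details can be read
        }.GetNewClosure()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]$cb
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($hostName)
        $ssl.Close()
    } finally {
        $client.Close()
    }
    return $result
}

$status = Get-AutodiscoverCertStatus $AutodiscoverUri
$status | Format-List Host, Subject, DnsNames, NotAfter, NameMatches, ChainTrusted, Errors

if (-not $status.NameMatches) {
    Write-Warning ("Outlook will report the certificate name as invalid: '{0}' is not among [{1}]" -f $status.Host, ($status.DnsNames -join ", "))
}
if (-not $status.ChainTrusted) {
    Write-Warning "This machine does not trust the issuing CA. Domain-joined clients trust an enterprise CA automatically; others need the root cert installed."
}
```

Run it on a domain-joined workstation to mirror what the users see, and on a non-domain machine to see the chain-trust warning that an internal CA produces for outsiders; the NameMatches result is independent of who issued the certificate, which is why changing the Autodiscover URI to a name on the certificate is the fix for the error in the question.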
 

Author Comment

by:InSearchOf
ID: 34983495
Ok. Thanks for the info. You have been a great help.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 34983860
Thanks for the points.
Is Outlook now working and configuring itself without certificate errors?
0
