Solved

SSL Certificate Mismatch

Posted on 2011-03-10
8
931 Views
Last Modified: 2013-01-15
I am getting the following error:

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  Certificate name validation failed.
   Tell me more about this issue and how to resolve it
   Additional Details
  Host name mail.domainname.org doesn't match any name found on the server certificate CN=SERVERNAME.
 
 How can I resolve this issue?
 
0
Question by:rsilver24
8 Comments
 
LVL 10

Expert Comment

by:cjrmail2k
ID: 35096368
Is this a new certificate? Did you match it to your domain DNS name? What version of Exchange are you using?
0
 

Author Comment

by:rsilver24
ID: 35097734
No, it is not a new certification. I am running Exchange 2010 and I am not sure how to check to see if it is matched to the DNS name.
0
 
LVL 10

Expert Comment

by:cjrmail2k
ID: 35098370
If you run IIS on the CAS, you should be able to right-click on the default site, click Properties/Security, and check the certificate.
0
 
LVL 8

Accepted Solution

by:
praveenkumare_sp earned 500 total points
ID: 35103133
Hi rsilver24:

Go to EMC and click on server config > in the middle pane you would see a certificate.

If you see many, double-click on the one that lists IIS as one of its services.

Once the certificate opens, click on the Details tab and, under the Subject Alternative Name field, see whether you see the FQDN of the server. If not, follow the steps below to solve your issue.

In the lines below I have explained how to change the internal URL such that you don't need to have the CAS FQDN in the certificate.


Follow the KB below and change the URLs: 940726

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""


In short, this is what you have to do (taken for your reference from the URL):



To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
   Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
  https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Let me know if you have any queries.
0
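
Added example (not part of the original thread or of the Microsoft KB): a PowerShell check that compares the host name in each configured URL against the names on the certificate, which is the comparison the failing test above performs. The function names Test-CertNameMatch and Get-UrlNameMismatch are hypothetical, and the certificate names and URLs are constructed sample data using the KB's contoso.com placeholders.

```powershell
# Added example. Certificate names and URLs are constructed sample data.
# On a live server they would come from Get-ExchangeCertificate (CertificateDomains)
# and from the InternalUrl / AutodiscoverServiceInternalUri values returned by
# Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory.

function Test-CertNameMatch {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertNames
    )
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.Trim().ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.contoso.com matches mail.contoso.com but not a.b.contoso.com.
        if ($n.StartsWith('*.')) {
            $firstDot = $h.IndexOf('.')
            if ($firstDot -gt 0 -and $h.Substring($firstDot) -eq $n.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlNameMismatch {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($setting in ($Urls.Keys | Sort-Object)) {
        # Only the host part of the URL is compared with the certificate names.
        $urlHost = ([Uri]$Urls[$setting]).Host
        $ok = Test-CertNameMatch -HostName $urlHost -CertNames $CertNames
        New-Object PSObject -Property @{
            Setting = $setting; UrlHost = $urlHost; OnCertificate = $ok
        }
    }
}

# Constructed sample: the certificate names only the external host name,
# while the EWS URL still points at the server's internal FQDN.
$certNames = @('mail.contoso.com', 'autodiscover.contoso.com')
$urls = @{
    'Autodiscover SCP' = 'https://mail.contoso.com/autodiscover/autodiscover.xml'
    'EWS InternalUrl'  = 'https://ServerName.contoso.com/ews/exchange.asmx'
    'OAB InternalUrl'  = 'https://mail.contoso.com/oab'
}
Get-UrlNameMismatch -Urls $urls -CertNames $certNames |
    Select-Object Setting, UrlHost, OnCertificate | Format-Table -AutoSize
```

Any row where OnCertificate is False is a URL that clients will be sent to under a name the certificate does not carry, so either the URL or the certificate has to change.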
 

Author Comment

by:rsilver24
ID: 35127943
I went through these steps but it is still not working. But something is not matching up. I uninstalled the CAS from my backend server last week and reinstalled it on my frontend server. When I ran the ActiveSync test, it tells me that the host name mail.hali88.org doesn't match any name found on the server certificate CN=Haliserv2 (this is my backend server) and no longer my CAS.
0
 

Author Comment

by:rsilver24
ID: 35129500
Hi, any update on this issue?
0
 

Author Comment

by:rsilver24
ID: 35148209
Hello, can someone please help with this issue?
0
 
LVL 2

Expert Comment

by:anuragshankar
ID: 37383642
Do you have an internal Host (A) entry in the DNS? Remove it and then check.
0

Question has a verified solution.
