Solved

Exchange 2010 SSL Certificate - Name mismatch across VPN connection.

Posted on 2011-03-10
Last Modified: 2013-02-18
Recently added a branch office to connect to the main office with a hardware VPN.  Joined the local server to the domain and all networking works fine.

The Exchange 2010 server is located in the main office.  Outlook clients locally connect fine.  Outlook clients externally can connect from the outside using the certificate.

Outlook clients across the VPN get "The name on the security certificate is invalid or does not match the name of the site".  Press OK and all works OK.  At the top of the Security Alert it does show the correct Exchange server, but when you view the GoDaddy certificate it lists the external.domain.com address.

I know it has something to do with the branch office being on a different network across the VPN.  Suggestions?

Question by:xsawkins
11 Comments
 
Expert Comment by: Auric1983 (LVL 16)
At your main office do you have it configured so "External.domain.com" resolves to the internal IP (Split DNS) for your local outlook clients?

It sounds to me as if the SAN certificate on the Exchange server does not include the FQDN of the exchange server (ex. exchange.domain.local)

If you have it all set up correctly at your main office then it's probably just DNS. I'd make sure the remote site is either running its own DNS as part of the domain OR referencing a domain controller / DNS server at the main office.

 
Expert Comment by: Auric1983 (LVL 16)
I should also mention,

Not including the server name will cause that SAN / Certificate name mismatch, but it's not a big deal, hence the question about split DNS.  There are a few steps that you need to do and a few EMS commands that need to be executed if this hasn't already been done.

Let me know if you need more info on that and I'll get the commands and reference for you.
 
Expert Comment by: pcchiu (LVL 9)
For Exchange 2010 you can get the UCC certificate, which will fix the name mismatch issue.  Especially if you plan to use Outlook 2010, you will encounter more of those naming errors if you only use the regular certificate.

You can use the following tool to generate the necessary CSR:
https://www.digicert.com/easy-csr/exchange2010.htm

and then purchase the UCC certificate from GoDaddy (which is cheaper).
 
Accepted Solution by: praveenkumare_sp (LVL 8), earned 500 total points
In the paragraph below I have explained how to change the internal URL so that you don't need to have the CAS FQDN in the certificate.

Follow the KB below and change the URLs: 940726

http://support.microsoft.com/kb/940726
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""

In short, this is what you have to do (taken from the URL for your reference):

To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
https://ServerName.contoso.com/ews/exchange.asmx
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

This should fix your issue.

Let me know if you need more info.
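An added example, not from this thread or the KB article: a script that audits the internal URLs the steps above change against the names actually present on the IIS-bound certificate, repoints them only when run with -Fix, and shows what the certificate name resolves to (the split-DNS half of the fix). $CasName, $CertName and the helper Test-NameOnCert are this example's own assumptions; mail.contoso.com is the KB's placeholder name.

```powershell
# Added example (not the thread's or Microsoft's code). Run in the Exchange
# Management Shell on the CAS. $CertName is the name Outlook must see on the cert.
param(
    [string]$CasName  = $env:COMPUTERNAME,   # assumption: run on the CAS itself
    [string]$CertName = 'mail.contoso.com',  # name on the cert (KB placeholder)
    [switch]$Fix                             # report only unless -Fix is given
)

# True if $name is covered by the cert's subject/SAN list, wildcards included.
function Test-NameOnCert([string]$name, [string[]]$certNames) {
    foreach ($c in $certNames) {
        if ($c -eq $name) { return $true }
        if ($c.StartsWith('*.') -and $name -like $c) { return $true }
    }
    return $false
}

# 1. Names carried by the certificate that IIS (EWS, OAB, OWA, Autodiscover) presents.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
Write-Host "Certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"
if (-not (Test-NameOnCert $CertName.ToLower() $certNames)) {
    throw "'$CertName' is not on the certificate; use a name that is, or reissue it as a UCC/SAN cert."
}

# 2. Each internal URL Outlook discovers, paired with the Set-* call that repoints it.
$targets = @(
    @{ Label = 'Autodiscover SCP'; Uri = (Get-ClientAccessServer -Identity $CasName).AutoDiscoverServiceInternalUri
       Apply = { Set-ClientAccessServer -Identity $CasName -AutoDiscoverServiceInternalUri "https://$CertName/autodiscover/autodiscover.xml" } },
    @{ Label = 'EWS InternalUrl';  Uri = (Get-WebServicesVirtualDirectory -Server $CasName).InternalUrl
       Apply = { Get-WebServicesVirtualDirectory -Server $CasName | Set-WebServicesVirtualDirectory -InternalUrl "https://$CertName/ews/exchange.asmx" } },
    @{ Label = 'OAB InternalUrl';  Uri = (Get-OABVirtualDirectory -Server $CasName).InternalUrl
       Apply = { Get-OABVirtualDirectory -Server $CasName | Set-OABVirtualDirectory -InternalUrl "https://$CertName/oab" } }
)
foreach ($t in $targets) {
    $urlHost = if ($t.Uri) { ([uri]"$($t.Uri)").Host.ToLower() } else { '<not set>' }
    $ok = Test-NameOnCert $urlHost $certNames
    Write-Host ('{0,-17} {1,-40} {2}' -f $t.Label, $urlHost, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
    if (-not $ok -and $Fix) { & $t.Apply; Write-Host "  -> repointed to https://$CertName/..." }
}
if ($Fix) { Write-Host 'Now recycle MSExchangeAutodiscoverAppPool in IIS Manager (KB step 8).' }

# 3. Split DNS check: from the internal networks (main office and VPN branch) the
#    cert name must resolve to the CAS's private IP, not the public address.
$ips = [System.Net.Dns]::GetHostAddresses($CertName) | ForEach-Object { $_.IPAddressToString }
Write-Host "$CertName resolves from this host to: $($ips -join ', ')"
```

Run it once without -Fix from the main office and once from a branch-office client (step 3 only needs a regular PowerShell prompt) to confirm both sites resolve the certificate name to the internal address before repointing anything.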
 

Author Comment by: xsawkins
The branch office is on the same domain with a local domain controller and DNS running on it.  Most of the clients in the branch office do run Office 2010, with just a few Office 2007 clients.

Currently the Exchange server does have a cert from GoDaddy on it.

Thanks for all the references to look at.  I will be looking at it shortly and update everyone.
 

Author Comment by: xsawkins
Regarding the DNS question:

From both local networks the address https://servername.domain.local/owa resolves to Outlook Web App.

From the main office (Exchange server location) the address https://mail.ExternalDomain.com/owa does not resolve.  From the branch office it does.

The error from the branch office refers to only showing the external address on the cert.  When you view the cert, the "issued to" is: mail.ExternalDomain.com
 
Expert Comment by: pcchiu (LVL 9)
I think if you go for the UCC it will be much easier; you can have up to 5 domain names on the same certificate (so it will cover all the Autodiscover internal and external names, and one extra for something else).

 
Expert Comment by: Auric1983 (LVL 16)
Do you get a cert error at the main site when you go to server.domain.local/owa?

Just thinking: if it works at the main site and OWA works outside, it may not be a cert issue.
 

Author Comment by: xsawkins
Outlook clients at the main site do not get a cert error.  From both sites you can go to server.domain.local/owa with no problems.

Internal clients are set up directly to Exchange - no proxy settings as if coming in from the outside.  External clients use the external address of mail.domainname.com/owa in their HTTP proxy settings with no cert error.

I did add a new DNS zone for the domainname.com address with host A records for mail & www, just in case it was a DNS issue, but that did not resolve the problem.
 

Author Comment by: xsawkins
RE:
I think if you go for the UCC which will be much easier; you can have up to 5 domain name for the same certificate(so it will cover all the autodiscover internal and external and one extra for something else).

-----------------

I guess I do not understand how this can help with fixing a certificate already in existence?  Can you be more specific than pointing me to a site and suggesting a UCC?  Is the problem related to not having the proper alternative names in the certificate?

The certificate works fine for external OWA/WebApp users going to mail.domainname.com/owa

How does this affect users that are using Outlook across a VPN?
 

Author Comment by: xsawkins
Thanks for the help.  Changing the InternalUrl to the ExternalUrl of the certificate and adding DNS entries for the external address on the internal side did the trick.