Solved

Multiple subdomains giving "The name of the security certificate is invalid or does not match the name of the site" for using Outlook Anywhere

Posted on 2011-03-21
Last Modified: 2012-05-11
Dear experts,

After going over all related questions on this site and others, as well as all related MS support articles I could find, I have no other option than to post the question myself.

Environment is Exchange 2007 (1 CAS and 1 CCR Cluster), AD is mixed 2003/2008
Clients are all Outlook 2007 or higher

We are using a country-specific subdomain for emails so that customers can easily find out to which country/site they are mailing.

Email addresses are @countrycode.company.com, with each of them having @company.com as secondary address.

The certificate is hence registered to mail.company.com

Whenever clients that have @countrycode.company.com connect to Outlook Anywhere they get the annoying popup saying "The name of the security certificate is invalid or does not match the name of the site", since it is looking for autodiscover.COUNTRYCODE.company.com

There are too many countries to include them all in one certificate.

Any resolutions please?

Thanks
0
Question by:ulensr
16 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 2000 total points
ID: 35180994
Yep basically the idea is to

1. add autodiscover.company.com to your SAN certificate
2. delete autodiscover.countrycode.domain.com for all countries
3. in each country create an SRV record so that

Service: _autodiscover
Protocol: _tcp
Name: Keep it empty
Port Number: 443
Host: autodiscover.domain.com
0
 

Author Comment

by:ulensr
ID: 35181196
Hi,

there is only one autodiscover left (company.com), SAN cert does have autodiscover.company.com

The SRV records, do we do them internally or on ISP level?

Kind regards
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181261
SRV records should be created in your external DNS.

However, if there is no autodiscover.COUNTRYCODE.company.com in your external DNS you should not get the error you pointed to above.

Are you sure the error says autodiscover.COUNTRYCODE.company.com?
0
 

Author Comment

by:ulensr
ID: 35181328
Yes, very sure ... :)

We have registered mail. and autodiscover. but no countrycode.

These DO exist for MX records, but that shouldn't be an issue I believe.

However, I have just tried to add that record but the ISP says it needs to be _autodiscover._tcp.something, so we registered _autodiscover._tcp.company.com, but still it pops up.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181386
Are you having the pop-up internally or externally?
0
 

Author Comment

by:ulensr
ID: 35181581
Externally
0
 

Author Comment

by:ulensr
ID: 35181588
And if we put @company.com as primary address this doesn't happen but we need to have countrycode.company.com as reply address

0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181882
Nope, there is something wrong.

From external, if you run

nslookup autodiscover.country.domain.com

what is the answer?
0
 

Author Comment

by:ulensr
ID: 35182033
Non-authoritative answer:
Name:    autodiscover.company.com
Address:  xx.xxx.xx.xx

IP is correct (same as mail.)
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182148
This was autodiscover.company.com; my question was about autodiscover.COUNTRY.company.com
0
 

Author Comment

by:ulensr
ID: 35182293
Non-authoritative answer:
Name:    autodiscover.countrycode.company.com
Address:  xx.xxx.xx.xx

IP is correct (same as mail.)

Same IP as the main one
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182324
That's what I told you first: these should be removed from DNS.
0
 

Author Comment

by:ulensr
ID: 35182397
They do not exist, but MX records exist pointing to mail.company.com
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182445
How do they not exist? The nslookup is saying they do.
0
 

Author Comment

by:ulensr
ID: 35187900
OK, I found the cause for that: there was a *.company.com which we have now removed.

"Non-existing domain" is what we get now when doing nslookup on autodiscover.countrycode.company.com

That did the trick indeed, the popup is now gone, so your first solution is correct :)
0
 

Author Closing Comment

by:ulensr
ID: 35187908
It is important to check that no wildcard DNS entries exist.
0
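
Why the wildcard record caused the pop-up and why the SRV record only took effect once it was gone, as an added example that is not part of the original thread: a simplified Python model of the order in which an external Outlook client looks for Autodiscover (HTTPS host names first, the SRV record last; the HTTP redirect step is left out). The country codes and DNS answers are constructed, and the function names are hypothetical.

```python
# Simplified model of the Autodiscover lookup done by an external Outlook client.
# DNS answers, country codes and certificate names below are constructed samples.
CERT_NAMES = {"mail.company.com", "autodiscover.company.com"}  # SAN list as in the thread
COUNTRIES = ["be", "fr", "de"]  # hypothetical country codes


def cert_matches(host, cert_names=CERT_NAMES):
    """True if host equals a certificate name or matches a one-label wildcard name."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in cert_names)


def autodiscover_result(smtp_domain, a_records, srv_records):
    """Return (host_contacted, found_via, cert_ok) for one SMTP domain.

    a_records: names that answer an A query; srv_records: SRV owner -> target host.
    Assumes every name that resolves also answers on port 443.
    """
    # Host names are tried first; the SRV record is only consulted if they fail.
    for host in (smtp_domain, "autodiscover." + smtp_domain):
        if host in a_records:
            return host, "A record", cert_matches(host)
    target = srv_records.get("_autodiscover._tcp." + smtp_domain)
    if target in a_records:
        return target, "SRV record", cert_matches(target)
    return None, "not found", False


def dns_answers(wildcard):
    """Names that resolve; with *.company.com present, every country host answers too."""
    names = {"mail.company.com", "autodiscover.company.com"}
    if wildcard:
        names |= {"autodiscover.%s.company.com" % c for c in COUNTRIES}
    return names


# One SRV record per country domain, all pointing at the name on the certificate.
SRV = {"_autodiscover._tcp.%s.company.com" % c: "autodiscover.company.com" for c in COUNTRIES}


def report(wildcard):
    return {c: autodiscover_result(c + ".company.com", dns_answers(wildcard), SRV)
            for c in COUNTRIES}


if __name__ == "__main__":
    for label, wildcard in (("wildcard present", True), ("wildcard removed", False)):
        for cc, (host, via, ok) in report(wildcard).items():
            print(label, cc, host, via, "ok" if ok else "NAME MISMATCH")
```

With the wildcard present every country domain stops at autodiscover.<countrycode>.company.com, a name the certificate does not carry; with it removed the lookup falls through to the SRV record and lands on autodiscover.company.com.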

Question has a verified solution.
