Solved

Multiple subdomains giving "The name of the security certificate is invalid or does not match the name of the site"  for using Outlook Anywhere

Posted on 2011-03-21
Last Modified: 2012-05-11
Dear experts,

After going over all related questions on this site and others, as well as all related MS support articles I could find, I have no other option than to post the question myself.

Environment is Exchange 2007 (1 CAS and 1 CCR Cluster), AD is mixed 2003/2008
Clients are all Outlook 2007 or higher

We are using a country-specific subdomain for emails so that customers can easily find out to which country/site they are mailing.

Email addresses are @countrycode.company.com, with each of them having @company.com as a secondary address.

The certificate is hence registered to mail.company.com

Whenever clients that have @countrycode.company.com connect to Outlook Anywhere, they get the annoying popup saying "The name of the security certificate is invalid or does not match the name of the site", since it is looking for autodiscover.COUNTRYCODE.company.com

There are too many countries to include them all in one certificate.

Any resolutions, please?

Thanks
Question by:ulensr
16 Comments
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 35180994
Yep basically the idea is to

1. add autodiscover.company.com to your SAN certificate
2. delete autodiscover.countrycode.domain.com for all countries
3. in each country create an SRV record so that

Service: _autodiscover
Protocol: _tcp
Name: Keep it empty
Port Number: 443
Host: autodiscover.domain.com
0
 

Author Comment

by:ulensr
ID: 35181196
Hi,

there is only one autodiscover left (company.com), SAN cert does have autodiscover.company.com

The SRV records, do we do them internally or at ISP level?

Kind regards
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181261
SRV records should be created in your external DNS.

However, if there is no autodiscover.COUNTRYCODE.company.com in your external DNS, you should not get the error you pointed to above.

Are you sure the error says autodiscover.COUNTRYCODE.company.com?
0
 

Author Comment

by:ulensr
ID: 35181328
Yes, very sure ... :)

We have registered mail. autodiscover. but no countrycode.

These DO exist for MX records but that shouldn't be an issue I believe

However, I have just tried to add that record, but the ISP says it needs to be _autodiscover._tcp.something, so we registered _autodiscover._tcp.company.com, but still it pops up.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181386
Are you having the pop-up internally or externally?
0
 

Author Comment

by:ulensr
ID: 35181581
Externally
0
 

Author Comment

by:ulensr
ID: 35181588
And if we put @company.com as primary address this doesn't happen but we need to have countrycode.company.com as reply address

0
 
LVL 49

Expert Comment

by:Akhater
ID: 35181882
Nope, there is something wrong.

From external, if you run

nslookup autodiscover.country.domain.com

what is the answer?
0

 

Author Comment

by:ulensr
ID: 35182033
Non-authoritative answer:
Name:    autodiscover.company.com
Address:  xx.xxx.xx.xx

IP is correct (same as mail.)
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182148
This was autodiscover.company.com; my question was about autodiscover.COUNTRY.company.com
0
 

Author Comment

by:ulensr
ID: 35182293
Non-authoritative answer:
Name:    autodiscover.countrycode.company.com
Address:  xx.xxx.xx.xx

IP is correct (same as mail.)

Same IP as the main one
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182324
That's what I told you first: these should be removed from DNS.
0
 

Author Comment

by:ulensr
ID: 35182397
They do not exist, but MX records exist pointing to mail.company.com
0
 
LVL 49

Expert Comment

by:Akhater
ID: 35182445
How do they not exist? The nslookup is saying they do.
0
 

Author Comment

by:ulensr
ID: 35187900
OK, I found the cause for that: there was a *.company.com, which we have now removed.

non-existing domain is what we get now when doing nslookup on autodiscover.countrycode.company.com

That did the trick indeed, the popup is now gone so your first solution is correct :)
0
 

Author Closing Comment

by:ulensr
ID: 35187908
It is important to check that no wildcard DNS entries exist.
0
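
The outcome this thread converged on, as an added example that is not part of any participant's post: a small Python model of the order in which an external Outlook client tries Autodiscover endpoints, showing why a name that resolves through a wildcard is reached before the SRV record and triggers the certificate name warning. The function names, the constructed DNS answers (using the thread's placeholder names) and the assumption that any resolving name answers on port 443 are illustrative.

```python
# Added example: models the external Autodiscover lookup order discussed above.
# All DNS answers and certificate names are constructed from the thread's
# placeholders (company.com, countrycode); nothing is queried live.

def san_matches(host, sans):
    """True if host matches a SAN entry exactly or via a single-label wildcard."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def autodiscover_outcome(email, a_records, srv_records, cert_sans):
    """Return (method, host, cert_ok) for the first endpoint the client reaches.

    Simplification (assumption): any name that resolves also answers on 443
    with the certificate whose names are listed in cert_sans.
    """
    domain = email.rsplit("@", 1)[1].lower()
    # The HTTPS candidates are tried before the SRV record is ever consulted.
    for method, host in (("https-root", domain),
                         ("https-autodiscover", "autodiscover." + domain)):
        if host in a_records:
            return method, host, san_matches(host, cert_sans)
    # The HTTP-redirect step also needs autodiscover.<domain> to resolve,
    # so it cannot succeed once that name returns NXDOMAIN; go to SRV.
    srv = srv_records.get("_autodiscover._tcp." + domain)
    if srv:
        target, _port = srv
        return "srv", target, san_matches(target, cert_sans)
    return "none", None, False


CERT_SANS = ["mail.company.com", "autodiscover.company.com"]
# The SRV record is looked up under the SMTP domain of the primary address.
SRV = {"_autodiscover._tcp.countrycode.company.com": ("autodiscover.company.com", 443)}
BASE_A = {"mail.company.com", "autodiscover.company.com"}
# Before the fix: the wildcard entry made the per-country name resolve.
BEFORE_A = BASE_A | {"autodiscover.countrycode.company.com"}

if __name__ == "__main__":
    user = "user@countrycode.company.com"
    for label, names in (("wildcard present", BEFORE_A), ("wildcard removed", BASE_A)):
        print(label, autodiscover_outcome(user, names, SRV, CERT_SANS))
```
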
