  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 388

Exchange 2003 - 2010

In transition mode from 2003 - 2010 Exchange Server.

When 2010 mailbox users use mail.domain.com in their Outlook settings for rpc\http the error message is returned "The certificate common name webmail.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com"

It works fine for 2003 users though, why? How did webmail url become involved?

2. On the 2003 Exchange Server I'm assuming the common name is webmail.domain.com (not sure how to verify) and I know for sure the SANs for this cert has mail.domain.com listed as well. On the 2010 Exchange Server the common name is mail.domain.com (I assume) and for sure has SAN as webmail.domain.com.

Outlook anywhere tab in 2010 is mail.domain.com, Get-OutlookProvider shows nothing for the CertPrincipalName for EXCH, EXPR and WEB, and the firewall is pointing the IP for mail.domain.com to the Exchange 2010 server.

All users need to use mail.domain.com for rpc\http.

So it should work. What do I specifically have to do to get it to work?
0
tolinrome
Asked:
tolinrome
1 Solution
 
RadweldCommented:
Hi there, go to https://www.testexchangeconnectivity.com/ and run some of the tests there. It could be the autodiscover address has been configured to use webmail and of course this subject is not part of the certificate. You can't use a SAN cert when using autodiscover; in this case you would need a UC cert.
0
 
murgroupCommented:
Which server is port 443 pointed to? Exchange 2003 or 2010?
0
 
Salah Eddine ELMRABETTechnical Lead Manager (Owner)Commented:
Hi,

You have to double check your exchange configuration and try to find where the webmail.domain.com is configured.

If you cannot find it out, and if you want to save time, simply create an A record (webmail.domain.com) on the DNS using the same IP @ as mail.domain.com.

Best Regards

Salah
0
 
RadweldCommented:
Outlook anywhere rpc over http will use autodiscover which is usually an XML file and in that XML I bet you will find the rogue entry.
0
 
tolinromeAuthor Commented:
autodiscover and webmail are using the same IP, is that the problem? Where do I find the autodiscover XML file that you're talking about? I did go to testexchangeconnectivity.com and that's how I got the error I posted before that says:
"The certificate common name webmail.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com"


443 is pointed to Exchange 2010.
0
 
RadweldCommented:
I would start by examining the outlook anywhere service by using the following command

http://technet.microsoft.com/en-us/library/bb124263.aspx

If you find the rogue entry there, use the Set-OutlookAnywhere command to reconfigure it

http://technet.microsoft.com/en-us/library/bb201695.aspx

0
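The check Radweld describes, written out as an added example (not code from the thread, and not Microsoft's documentation): run in the Exchange Management Shell on an Exchange 2010 Client Access Server. It lists the Outlook Anywhere settings, the Outlook providers that Autodiscover hands out, and the certificate bound to IIS, then flags a certificate whose common name does not match the msstd: string Outlook will demand. The hostnames, the server name CAS01 and the "expected host" variable are placeholders taken from the question; the Outlook Anywhere identity form `<server>\Rpc (Default Web Site)` answers the later question about the virtual directory name.

```powershell
# Added example, not from the thread. Exchange Management Shell, Exchange 2010 CAS.
# Hostnames and CAS01 are placeholders from the question.
$expectedHost  = "mail.domain.com"        # what every user types for RPC over HTTP
$expectedMsstd = "msstd:$expectedHost"    # the mutual-auth string Outlook will send

# 1. Outlook Anywhere as published by each CAS. Identity is "<server>\Rpc (Default Web Site)".
Get-OutlookAnywhere |
    Format-List Identity, Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# 2. Outlook providers returned by Autodiscover. With CertPrincipalName empty, Outlook
#    derives the expected principal from ExternalHostname (here msstd:mail.domain.com).
Get-OutlookProvider | Format-List Name, Server, CertPrincipalName

# 3. Certificates enabled for IIS on this server. The error text in the question shows
#    that the msstd: string is checked against the certificate's common name (Subject CN),
#    so a SAN entry for mail.domain.com on a CN=webmail.domain.com certificate is not enough.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$iisCerts | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 4. Flag a mismatch between what Outlook expects and what IIS presents.
foreach ($cert in $iisCerts) {
    # Subject looks like "CN=mail.domain.com, O=Example, C=US"; pull out the CN only.
    $cn = ($cert.Subject -split ",\s*" | Where-Object { $_ -like "CN=*" }) -replace "^CN=", ""
    if ($cn -ne $expectedHost) {
        Write-Warning "IIS cert $($cert.Thumbprint) has CN '$cn' but Outlook expects '$expectedMsstd'"
    } else {
        Write-Host "IIS cert $($cert.Thumbprint) CN '$cn' matches '$expectedMsstd'"
    }
}

# Remediation options once the mismatch is found (both are standard cmdlets; choose one):
#   a) Publish the hostname that the IIS certificate's CN already carries:
#      Set-OutlookAnywhere -Identity "CAS01\Rpc (Default Web Site)" -ExternalHostname $expectedHost
#   b) Tell Outlook explicitly which CN to expect on the external (EXPR) provider, e.g. when
#      the endpoint on 443 presents CN=webmail.domain.com:
#      Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:webmail.domain.com"
```

After either change, Outlook clients pick up the new provider data on their next Autodiscover refresh, so re-run the Outlook Anywhere test on testexchangeconnectivity.com rather than judging from a client that is still holding cached settings.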
 
tolinromeAuthor Commented:
In the first link what would be the virtual directory name that Outlook Anywhere uses?
Get-OutlookAnywhere [-Identity <VirtualDirectoryIdParameter>] [-ADPropertiesOnly <SwitchParameter>] [-DomainController <Fqdn>]

Also, the second link - I already have mail.domain.com as the external URL.

Does the OAB and EWS virtual directories need to be the same URL as Outlook Anywhere?
0
 
murgroupCommented:
To clarify, you're using two public IP addresses on your firewall, one for mail.domain.com (Exchange 2010) and one for webmail.domain.com (Exchange 2003)? You have public A records for both of those host names (mail and webmail) pointing to the public IP address? How is your firewall set up? Static route, 1-to-1 NAT, NAT pool?
The SSL certificate is a UCC cert? If so on which server is the UCC installed?
In your description you say the 2003 server has a cert with webmail.domain.com installed and the 2010 box has a cert with mail.domain.com and webmail.domain.com installed. If this is true, that is what you should be looking at.
Can you confirm the cert in exchange 2003? Go to IIS manager, right click the default website and click properties. Click the directory security tab and click view certificate. Let us know what you find.
0
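murgroup's suggestion is to read the certificate in IIS Manager on the 2003 box. An added example (not from the thread) that gets the same answer from the outside, which also shows which server each public name actually lands on after the firewall NAT: it opens a TLS connection to each published hostname on 443 and prints the common name and Subject Alternative Names of the certificate the server presents. Plain Windows PowerShell with .NET, no Exchange cmdlets needed; the hostnames are placeholders from the question, and the validation callback deliberately accepts any certificate because the goal is to read it, not to trust it.

```powershell
# Added example, not from the thread. Retrieves the certificate a host presents on 443
# and reports its CN and SANs. Hostnames below are placeholders from the question.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Callback returns $true so an untrusted or mismatched cert is still returned for inspection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # SimpleName gives the Subject CN, which is what an msstd: mutual-auth string is matched against.
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders it on one line.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $sans = if ($sanExt) { $sanExt.Format($false) } else { "(none)" }

        New-Object PSObject -Property @{
            HostName   = $HostName
            CommonName = $cn
            SANs       = $sans
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
    finally {
        $client.Close()
    }
}

# Check every public name involved in the question and the msstd: string Outlook uses.
$expectedCN = "mail.domain.com"
"mail.domain.com", "webmail.domain.com", "autodiscover.domain.com" | ForEach-Object {
    $result = Get-ServedCertificate -HostName $_
    $result | Format-List HostName, CommonName, SANs, Thumbprint, NotAfter
    if ($_ -eq $expectedCN -and $result.CommonName -ne $expectedCN) {
        Write-Warning "$_ presents CN '$($result.CommonName)'; Outlook Anywhere clients sending msstd:$expectedCN will fail mutual auth"
    }
}
```

If the CN reported for mail.domain.com is webmail.domain.com, the 443 endpoint is presenting the certificate the question attributes to the 2003 server, whatever the firewall rules are intended to do, and that is where to look before changing any Outlook provider settings.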
 
tolinromeAuthor Commented:
murgroup - I have to do some verifying. I'll respond soon. Thanks a lot.
0
 
tolinromeAuthor Commented:
External DNS for autodiscover, webmail and ActiveSync come in to the firewall all using the same external IP and are NATed to the 2010 Exchange server. There is also the mail.domain.com external IP pointing to the Exchange 2010 server internally. When 2003 mailbox users go to webmail.domain.com they are presented with the 2010 OWA logon and when they log in they are redirected with the legacy URL to the 2003 mail server. 2010 mailbox users can log in to 2010 OWA fine.
Firewall is static and static policy. I don't know how to verify if the SSL is UCC - I'm assuming it is, it has many domain names in the SAN.

On IIS 2003 Server the certificate on general tab says webmail.domain.com
On 2010 Server the certificate on the general tab says mail.domain.com

I need to make sure that all users use mail.domain.com as their rpc\http Outlook settings and webmail.domain.com as their owa settings - this will make everything seamless to the users.
Thanks!

0
 
tolinromeAuthor Commented:
anything?
0
