tolinrome asked:
Exchange 2003 - 2010

In transition mode from 2003 - 2010 Exchange Server.

When 2010 mailbox users use mail.domain.com in their Outlook settings for rpc\http the error message is returned "The certificate common name webmail.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com"

It works fine for 2003 users though, why? How did webmail url become involved?

2. On the 2003 Exchange Server I'm assuming the common name is webmail.domain.com (not sure how to verify) and I know for sure the SANs for this cert has mail.domain.com listed as well. On the 2010 Exchange Server the common name is mail.domain.com (I assume) and for sure has SAN as webmail.domain.com.

Outlook anywhere tab in 2010 is mail.domain.com, Get-OutlookProvider shows nothing for the CertPrincipalName for EXCH, EXPR and WEB, and the firewall is pointing the IP for mail.domain.com to the Exchange 2010 server.

All users need to use mail.domain.com for rpc\http.

So it should work. What do I specifically have to do to get it to work?
Accepted solution, posted by Radweld:
Which server is port 443 pointed to? Exchange 2003 or 2010?
Hi,

You have to double check your exchange configuration and try to find where the webmail.domain.com is configured.

If you cannot find it out, and if you want to save time, simply create an A record (webmail.domain.com) on the DNS using the same IP address as for mail.domain.com.

Best Regards

Salah
Outlook anywhere rpc over http will use autodiscover which is usually an XML file and in that XML I bet you will find the rogue entry.
tolinrome (asker):
autodiscover and webmail are using the same IP, is that the problem? Where do I find the autodiscover XML file that you're talking about? I did go to testexchangeconnectivity.com and that's how I got the error I posted before that says:
"The certificate common name webmail.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com"

443 is pointed to Exchange 2010.
I would start by examining the outlook anywhere service by using the following command

http://technet.microsoft.com/en-us/library/bb124263.aspx

If you find the rogue entry there, use the Set-OutlookAnywhere command to reconfigure it

http://technet.microsoft.com/en-us/library/bb201695.aspx

In the first link what would be the virtual directory name that Outlook Anywhere uses?
Get-OutlookAnywhere [-Identity <VirtualDirectoryIdParameter>] [-ADPropertiesOnly <SwitchParameter>] [-DomainController <Fqdn>]

Also, the second link - I already have mail.domain.com as the external URL.

Does the OAB and EWS virtual directories need to be the same URL as Outlook Anywhere?
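A diagnostic script for the checks suggested in the replies above (Get-OutlookAnywhere, the Outlook Provider CertPrincipalName values, and the certificate bound to IIS). This is an added example, not code from the thread or from Microsoft; it assumes it runs in the Exchange 2010 Management Shell on the Client Access server and uses the host names from the question.

```powershell
# Added example (not from the thread). Assumes the Exchange 2010 Management Shell
# on the Client Access server; mail.domain.com is the name from the question.
$expected = "mail.domain.com"   # host name Outlook users are given for RPC/HTTP

# 1. Outlook Anywhere: the external host name Autodiscover hands to Outlook
$oa = Get-OutlookAnywhere
$oa | Format-List Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# 2. Outlook Providers: EXPR carries the msstd: string Outlook validates against
$providers = Get-OutlookProvider
$providers | Format-List Name, CertPrincipalName

# 3. Certificate bound to the IIS service on this server (subject CN plus SAN list)
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
if (-not $cert) {
    Write-Warning "No certificate is enabled for IIS on this server"
    return
}
$cert | Format-List Subject, CertificateDomains, NotAfter

# The msstd: check is made against the certificate subject CN, so extract it.
$cn = (($cert.Subject.ToString() -split ",")[0] -replace "^\s*CN=", "").Trim()

# Flag any provider whose msstd: value does not match the CN Outlook will see
foreach ($p in $providers) {
    $msstd = $p.CertPrincipalName
    if ($msstd -and ($msstd -ne "msstd:$cn")) {
        Write-Warning ("{0}: CertPrincipalName '{1}' does not match IIS certificate CN '{2}'" -f $p.Name, $msstd, $cn)
    }
}
# Flag the situation in the question: users configured for mail.domain.com, cert CN differs
if ($cn -ne $expected) {
    Write-Warning "IIS certificate CN is '$cn' but users are configured for msstd:$expected"
}
if ($oa.ExternalHostname -and ($oa.ExternalHostname.ToString() -ne $expected)) {
    Write-Warning ("Outlook Anywhere ExternalHostname is '{0}', expected '{1}'" -f $oa.ExternalHostname, $expected)
}

# Remediation once a mismatch is confirmed (Set-OutlookAnywhere is the thread's suggestion;
# the Set-OutlookProvider line is an assumption, run only after reviewing the output above):
# Set-OutlookAnywhere -Identity "<server>\Rpc (Default Web Site)" -ExternalHostname $expected
# Set-OutlookProvider -Identity EXPR -CertPrincipalName "msstd:$cn"
```

Run it on each Client Access server that port 443 can reach, since the warning only applies to the certificate that particular server presents.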
To clarify, you're using two public IP addresses on your firewall, one for mail.domain.com (Exchange 2010) and one for webmail.domain.com (Exchange 2003)? You have public A records for both of those host names (mail and webmail) pointing to the public IP address? How is your firewall set up? Static route, 1-to-1 NAT, NAT pool?
The SSL certificate is a UCC cert? If so on which server is the UCC installed?
In your description you say the 2003 server has a cert with webmail.domain.com installed and the 2010 box has a cert with mail.domain.com and webmail.domain.com installed. If this is true, that is what you should be looking at.
Can you confirm the cert in exchange 2003? Go to IIS manager, right click the default website and click properties. Click the directory security tab and click view certificate. Let us know what you find.
murgroup - I have to do some verifying. I'll respond soon. Thanks a lot.
External DNS for autodiscover, webmail and ActiveSync come in to the firewall all using the same external IP and are NATed to the 2010 Exchange server. There is also the mail.domain.com external IP pointing to the Exchange 2010 server internally. When 2003 mailbox users go to webmail.domain.com they are presented with the 2010 OWA logon and when they log in they are redirected with the legacy URL to the 2003 mail server. 2010 mailbox users can log in to 2010 OWA fine.
Firewall is static and static policy. I don't know how to verify if the SSL is UCC - I'm assuming it is, it has many domain names in the SAN.

On IIS 2003 Server the certificate on general tab says webmail.domain.com
On 2010 Server the certificate on the general tab says mail.domain.com

I need to make sure that all users use mail.domain.com as their rpc\http Outlook settings and webmail.domain.com as their owa settings - this will make everything seamless to the users.
Thanks!

anything?