Exchange 2003 - 2010

tolinrome asked:
I have all inbound email pointing to my 2010 server and activesync and owa are working fine. rpc\http (Outlook anywhere) is not working for my clients.

When I use the Exchange connectivity test I receive "The certificate common name webmail.domain.com doesn't validate against the mutual authentication string that was provided: msstd:mail.domain.com."

How can I fix this error?

On Exchange 2010 I have mail.domain.com on the Outlook Anywhere tab, I have mail.domain.com for the Outlook 2007 client proxy settings. I'm stressing...


Akhater (Solutions Architect)

Commented:
You have mail.domain.com on the Outlook Anywhere tab and in the Outlook configuration, but your certificate is issued to webmail.domain.com.

So what is webmail.domain.com pointing to?

Commented:
Hi,

In the Exchange Management Shell:
Set-OutlookProvider EXPR -CertPrincipalName msstd:webmail.domain.com
Set-OutlookProvider EXPR -Server webmail.domain.com

Then you must wait a little bit; this is important, the config must replicate to Outlook.
And webmail.domain.com must be reachable.

Does that resolve the issue?

Author

Commented:
webmail.domain.com is a certificate on my 2003 Exchange server which still has mailboxes on it.
Akhater (Solutions Architect)

Commented:
No offence puschkin, but at the moment changing the Outlook provider might do more harm than good, since we don't know the topology well enough yet.

In the end chances are you will be right and the OP will use it, but let's just make sure it is the correct step to take.

tolinrome, are the certificates on 2003 and 2010 the same?

Are the users having this error on 2003 or 2010?

Author

Commented:
puschkin, if I do what you suggest, then what about all the Outlook clients that have mail.domain.com in their RPC/HTTP settings? Does mail.domain.com stay in the settings? I can't tell all users to change their Outlook proxy settings to webmail.domain.com.
When we only had the Exchange 2003 server it worked fine with webmail.domain.com on the server and mail.domain.com in Outlook.

Author

Commented:
The cert on 2003 is named webmail.domain.com and on 2010 mail.domain.com, and both of these have all the other domains included (SAN).
Users having this error are on both.

Commented:

Your Outlook is connecting to msstd:mail.domain.com, then it receives a certificate that contains webmail.domain.com; that is the problem.
The change on the console in Exchange 2007 or 2010 sets the settings of Outlook 2007 or 2010 via autodiscover; your Outlook setting changes automatically. You can check this:
change the entry manually in Outlook, then close and reopen Outlook; the setting is the old one, because Outlook autodiscovers from Exchange.
Akhater (Solutions Architect)

Commented:
You obviously have an issue here: the certificate on 2010 looks like it has webmail as its common name (following the error). Can you confirm that?

At the moment I wouldn't recommend changing the Outlook provider yet.

Author

Commented:
puschkin, I didn't know that the settings in Autodiscover will actually overwrite (or fill in) what is needed in the Outlook client; thank you for letting me know that.

For the common name on 2010 I did the following:

Get-exchangecertificate | fl

Subject: CN=mail.domain.com
Akhater (Solutions Architect)
Commented:
You say the certificate assigned to your 2010 server has a CN of mail.domain.com, when the error from Exchange claims it to be webmail.domain.com.

Can you confirm that the real IPs in the DNS records of mail.domain.com are pointing to 2010 and webmail.domain.com is pointing to 2003?

Commented:
Can you please check this:
Get-ExchangeCertificate -DomainName mail.domain.com
What is the answer?

Commented:
From the beginning:
Autodiscover is linked to the external address. When your mail domain (external) is
username@maildomain.com, then autodiscover goes to autodiscover.maildomain.com.
This address must go through your router/firewall NAT to one of the 2 servers. Which server is linked from external?

Author

Commented:
I think that's where the mess is.

I need webmail.domain.com to point to 2010; then the legacy URL redirects the 2003 users to their mailboxes. Users have webmail.domain.com in their IE favorite URLs.

mail.domain.com IP is still going to the 2003 box in the firewall.

This weekend I will point the mail.domain.com IP to the 2010 and only the legacy URL to the 2003 server; then everything should be OK, correct?

Commented:
That is possible...
Akhater: is it exactly as the first time?
We will see what the situation is after changing.

Commented:
Sorry for my bad English; I'm German... :-)

Commented:
Other question: why do you have 2 Exchange servers?
Akhater (Solutions Architect)

Commented:
So you have them mixed up!

Yes, mail.domain.com should point to 2010.

The legacy URL should be webmail.domain.com and point to 2003.

If you want them the other way around you need to change your configuration and change the certificates.

Author

Commented:
Get-ExchangeCertificate -DomainName mail.domain.com

The bottom entry is the legacy URL.
[attachment: ExchangeCertificate.JPG]

Author

Commented:
So, in my current situation, if I point the mail.domain.com IP to Exchange 2010 and point the legacy URL to the 2003 server, then everything should be OK?
Akhater (Solutions Architect)

Commented:
Yes, in your config, if you point mail.domain.com to 2010 and the legacy URL webmail to 2003, all will work fine.

Author

Commented:

Legacy URL is not webmail.domain.com but mail1.domain.com. This will point to 2
Akhater (Solutions Architect)

Commented:
OK, let's go over this once again:

1. 2010 has a certificate with CN mail.domain.com and is configured to use mail.domain.com in outlook anywhere
2. in the public DNS mail.domain.com points to IP of 2010
3. in public DNS autodiscover.domain.com points to IP of 2010
4. on 2010 legacyurl is configured to use mail1.domain.com
5. in public DNS mail1.domain.com points to 2003
6. you have NOT made any change to the outlook provider


If all 6 points above are met, all will work fine.
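The six points above (and puschkin's earlier EXPR provider suggestion) all come down to three server-side values agreeing with each other: the Outlook Anywhere external hostname, the EXPR Outlook provider's CertPrincipalName, and the subject CN of the certificate bound to IIS. The script below is an added example, not code from this thread; it runs in the Exchange 2010 Management Shell on the Client Access Server and reports those values side by side. It assumes the local machine is the CAS being checked (`$Server` default), that the legacy URL is read from the owa virtual directory's `Exchange2003Url`, and that DNS answers seen from the server may come from internal (split) DNS rather than the public zone.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell on the CAS.
# Reports the values that must agree for Outlook Anywhere mutual authentication to pass.
function Test-OutlookAnywhereNames {
    param([string]$Server = $env:COMPUTERNAME)   # assumption: we are on the CAS

    $oa = Get-OutlookAnywhere -Server $Server
    if (-not $oa) { Write-Warning "Outlook Anywhere is not enabled on $Server"; return }
    $externalHost = "$($oa.ExternalHostname)"

    # With a blank EXPR CertPrincipalName, Outlook expects msstd:<ExternalHostname>
    $expr = Get-OutlookProvider EXPR
    $principal = "$($expr.CertPrincipalName)"
    if ($principal -eq '') { $principal = "msstd:$externalHost" }
    $expectedCn = $principal -replace '^msstd:', ''

    # Certificate that IIS presents to Outlook Anywhere clients
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        Select-Object -First 1
    if (-not $cert) { Write-Warning "No certificate with the IIS service on $Server"; return }
    $cn = ($cert.Subject -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })

    # Legacy (Exchange 2003) redirect URL configured on the owa virtual directory
    $owa = Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' } |
        Select-Object -First 1
    $legacyHost = if ($owa -and $owa.Exchange2003Url) { $owa.Exchange2003Url.Host } else { '' }

    # DNS as seen from this server; from inside the LAN this may be the internal zone,
    # so compare with what public DNS returns before trusting it for points 2, 3 and 5.
    $dns = @{}
    foreach ($name in @($externalHost, $legacyHost) | Where-Object { $_ -ne '' }) {
        try { $dns[$name] = ([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { "$_" }) -join ', ' }
        catch { $dns[$name] = "unresolved: $($_.Exception.Message)" }
    }

    New-Object PSObject -Property @{
        Server                = $Server
        OutlookAnywhereHost   = $externalHost
        ExprCertPrincipalName = "$($expr.CertPrincipalName)"   # blank = not changed (point 6)
        MutualAuthString      = $principal
        CertificateCN         = $cn
        CertificateSANs       = ($sans -join ', ')
        Thumbprint            = $cert.Thumbprint
        LegacyUrlHost         = $legacyHost
        DnsFromThisServer     = ($dns.Keys | ForEach-Object { "$_ -> $($dns[$_])" }) -join '; '
        # Outlook compares the msstd: string with the subject CN only (exact match; a
        # wildcard cert needs msstd:*.domain.com). SAN entries do not satisfy it.
        CnMatchesMutualAuth   = ($cn -eq $expectedCn)
        HostInCertificate     = (($sans -contains $externalHost) -or ($cn -eq $externalHost))
    }
}

Test-OutlookAnywhereNames | Format-List
```

`CnMatchesMutualAuth` is the check behind the "doesn't validate against the mutual authentication string" error in the question: if it is false, either the wrong server is answering for the Outlook Anywhere hostname (the DNS/NAT mix-up found later in this thread) or the certificate and the hostname were changed independently. Fix the name that is actually wrong rather than pointing the EXPR provider at whatever certificate happens to be presented.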

Author

Commented:
1. 2010 has a certificate with CN mail.domain.com and is configured to use mail.domain.com in outlook anywhere
Yes
2. in the public DNS mail.domain.com points to IP of 2010
Yes (this weekend)
3. in public DNS autodiscover.domain.com points to IP of 2010
Yes
4. on 2010 legacyurl is configured to use mail1.domain.com
Yes
5. in public DNS mail1.domain.com points to 2003
Yes
6. you have NOT made any change to the outlook provider
Not knowingly

Akhater (Solutions Architect)

Commented:
Run Get-OutlookProvider; it should return blank values for CertPrincipalName.

Author

Commented:
That's correct, it's all blank.

So, let me ask about autodiscover. When connecting for Outlook Anywhere from the client, it doesn't matter which actual URL they go to (in my case webmail.domain.com); it only matters what the URL is in the proxy settings in Outlook (in my case mail.domain.com), and that mail.domain.com matches the certificate name in Exchange 2010?

Thanks.
Akhater (Solutions Architect)

Commented:
Yes

Author

Commented:
I need your help...
Everything is working fine except I can't get 2003 mailbox users to use RPC/HTTP.

[attachments: autodiscover1, autodiscover2 (screenshots)]

Author

Commented:
Why must client mailboxes be on 2010, as shown in the error message?

[attachment: autodiscover (screenshot)]

Author

Commented:
When testing an Exchange 2003 user for RPC/HTTP I get:

RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime
Akhater (Solutions Architect)

Commented:
Was RPC over HTTP ever working on your 2003?

What happens if you manually specify the URL of the 2003 instead of letting autodiscover handle it?

Author

Commented:
Yes, it was working on 2003.

I had to put the changes back to what was there before because of this error. MS should have had a fix for this. Will let you know soon. Maybe the autodiscover website needs to be recreated?

Author

Commented:
testexchangeconnectivity results for a user mailbox on the Exchange 2003 server:

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user joe2003@domain.com.
  ExRCA failed to obtain an Autodiscover XML response.
But for user mailboxes on 2010 all is OK.
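The ExRCA step that fails above is an authenticated HTTPS POST of a small XML document to the Autodiscover URL. Reproducing that POST yourself, once for a 2003-mailbox user and once for a 2010-mailbox user, shows whether the Client Access Server returns settings, an error block, or a redirect for each. The script below is an added example, not code from this thread or from ExRCA; it uses .NET HttpWebRequest so it works on the PowerShell 2.0 that ships with the Exchange 2010 era. `autodiscover.domain.com` is a placeholder for your public Autodiscover name, and the request/response element names follow the published Autodiscover request and response schemas.

```powershell
# Added example (not from the thread). Sends the same Autodiscover POST that ExRCA and
# Outlook send, and summarises what came back. Credentials are prompted for; use the
# account of the mailbox you are testing.
function Test-AutodiscoverPost {
    param(
        [Parameter(Mandatory = $true)][string]$EmailAddress,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential,
        [string]$AutodiscoverHost = 'autodiscover.domain.com'   # placeholder, replace with yours
    )
    $url  = "https://$AutodiscoverHost/AutoDiscover/AutoDiscover.xml"
    $body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($body)
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method = 'POST'
    $req.ContentType = 'text/xml; charset=utf-8'
    $req.ContentLength = $bytes.Length
    $req.Credentials = $Credential.GetNetworkCredential()   # Basic or NTLM, as the server offers
    $req.UserAgent = 'AutodiscoverProbe'
    $stream = $req.GetRequestStream(); $stream.Write($bytes, 0, $bytes.Length); $stream.Close()

    try {
        $resp = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $xml = [xml]$reader.ReadToEnd()
        $resp.Close()
    } catch [System.Net.WebException] {
        # A TLS name mismatch or an HTTP 401/404 surfaces here, which is itself the finding
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
        return New-Object PSObject -Property @{ User = $EmailAddress; Outcome = 'WebException'; Detail = "$status $($_.Exception.Message)" }
    }

    # PowerShell's XML dot-navigation ignores namespaces, so these paths work for both
    # the settings response and the error response.
    $response = $xml.Autodiscover.Response
    if ($response.Error) {
        return New-Object PSObject -Property @{ User = $EmailAddress; Outcome = 'Error'; Detail = "$($response.Error.ErrorCode) $($response.Error.Message)" }
    }
    if ($response.Account.Action -eq 'redirectAddr' -or $response.Account.Action -eq 'redirectUrl') {
        return New-Object PSObject -Property @{ User = $EmailAddress; Outcome = 'Redirect'; Detail = "$($response.Account.RedirectAddr)$($response.Account.RedirectUrl)" }
    }
    # Settings response: list each protocol; EXPR carries the Outlook Anywhere server and
    # the CertPrincipalName that Outlook will enforce against the certificate CN.
    $detail = foreach ($p in @($response.Account.Protocol)) {
        "$($p.Type): Server=$($p.Server) CertPrincipalName=$($p.CertPrincipalName)"
    }
    New-Object PSObject -Property @{ User = $EmailAddress; Outcome = 'Settings'; Detail = ($detail -join '; ') }
}

$cred = Get-Credential
Test-AutodiscoverPost -EmailAddress 'joe2003@domain.com' -Credential $cred | Format-List
```

Run it for a 2003-mailbox user and a 2010-mailbox user with the same `$AutodiscoverHost`: a `Settings` outcome for the 2010 user and an `Error` or `WebException` outcome for the 2003 user reproduces the ExRCA result above on your own terms and tells you whether the failure is an authentication, name-mismatch, or Autodiscover-response problem before you touch the virtual directory.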

Akhater (Solutions Architect)

Commented:
Do not use autodiscover; just input the URL of Exchange 2003.

Author

Commented:
Outlook 2007 for 2003 mailbox users uses mail.domain.com and it works, but when I had all email traffic pointing to the Exchange 2010 server it didn't work.

Also, for the 2010 Outlook Anywhere tab that is mail.domain.com, someone said to put the legacy URL there?

Author

Commented:
Internal DNS A records are:

mail - exchange2010
legacymail - exchange2003

For OWA, users go to webmail.domain.com: 2010 mailbox users log in with no problem, and 2003 mailbox users upon login are redirected with the legacy URL to 2003, and all works well.

ActiveSync works fine for both 2003 and 2010 mailbox users.
