Solved

Exchange 2010 Autodiscover cerfication error

Posted on 2012-04-05
3
1 solution
520 Views
Last Modified: 2012-04-13
Hello!
I have a problem with my Exchange 2010 server.
When users connect while on the domain they get the autodiscover uri from AD and that works great.
However, when connected outsite the domain - they get a certification error stating "The name on the security certification is invalid or does not match the name of the site."

I have been googling this for a while now and tryed all kinds of soloutions with no success.
I have;
Point DNS from autodiscover.domain.com TO mail.domain.com
My autodiscover Url is set to https://mail.domain.com/autodiscover/autodiscover.xml

The problem is, the cert is for mail.domain.com and this does not match with autodiscover.domain.com !

This is from testexchangeconnectivity.com

Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
 	Testing of this potential Autodiscover URL failed.
 	
	Test Steps
 	
	Attempting to resolve the host name autodiscover.domain.com in DNS.
 	The host name resolved successfully.
 	
	Additional Details
	Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
 	The port was opened successfully.
	Testing the SSL certificate to make sure it's valid.
 	The SSL certificate failed one or more certificate validation checks.
 	
	Test Steps
 	
	ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
 	ExRCA successfully obtained the remote SSL certificate.
 	
	Additional Details
	Validating the certificate name.
 	Certificate name validation failed.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details

Open in new window


Please, anyone who could assist me?
0
Comment
Question by:tigerffs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Join The Community
3 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 500 total points
ID: 37810730
>> My autodiscover Url is set to https://mail.domain.com/autodiscover/autodiscover.xml

I presume you are referring to the autodiscover URL you have set in your Service Connection Point (SCP) for internal purposes? (Set using Set-ClientAccessServer -AutodiscoverServiceInternalUri)

If so, the SCP is valid only for domain-joined machines. If you are connecting externally or from a non-domain machine, the value stored in Active Directory is not available to those computers. In these cases, Outlook automatically infers the URL, trying https://<smtp-domain>/Autodiscover/Autodiscover.xml and then https://autodiscover.<smtp-domain>/Autodiscover/Autodiscover.xml. <smtp-domain> is the part of the @ in the email address Outlook is supplied with.

In this case, the process will fail because your SSL certificate does not mention autodiscover.domain.com as a valid DNS name.

How to resolve the problem?

Purchase a Unified Communications certificate from somewhere like GoDaddy which lists the autodiscover domain in addition to the mail domain. This is the standard practice.
Remove your autodiscover.domain.com record from external DNS and instead use the SRV connection point method to direct Autodiscover to the mail.domain.com record: http://support.microsoft.com/kb/940881 - this method does require your public DNS provider to support SRV records. Many do not.
Use a wildcard certificate - not something I would recommend. I have had issues with wildcard certificates, and they are generally a lot more costly than a multi-name SAN/UC certificate anyway

-Matt
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37812031
generate a new cert request from exchange 2010 and include all your FQDN, then purshace UCC   cert from a public CA.
continue your pending request in exchange 2010 console.
0
 
LVL 3

Author Closing Comment

by:tigerffs
ID: 37841787
I did the SRV though our DNS supplier and got it working, thank you for your assistance.
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Claim Your Free POC
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange 2013: Fix for an Invalid certificate and related issues
Article by: ☠MAS☠
This article will help to fix the below errors for MS Exchange Server 2013 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
Security updates for Microsoft End of Life operating systems..
Article by: Andrew
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Setup SMTP relay to office 365
Video by: Alan
how to add IIS SMTP to handle application/Scanner relays into office 365.
How to change priority of transport agents in Exchange 2007/2010 using Exchange Management Shell
Video by: CodeTwo
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Advertise Here
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Advertise Here