Solved

Certificate Name Validation Failed - Exchange 2003 SBS

Posted on 2012-04-10
Last Modified: 2012-04-16
Need your help.  I have a client who has a SBS 2003 server with Exchange 2003.  I am trying to get mail on an iPhone (or any smartphone) via this Exchange server.  This thing is kicking my you know what.  Anyway, I found a neat little routine that you can run that simulates an iPhone with all the email/exchange configurations and tells you why you can NOT connect (get/send email).  So I did it and the results are below.  Basically, the last section says "Certificate Name Validation failed"...so I assume it's a certificate issue...I am looking for steps to solve this so that the users can get their email on their smartphone.  Thanks in advance for your help/comments.

FYI: I went to https://www.testexchangeconnectivity.com  and put in the required user and email configuration information (just like you'd do to configure an iPhone for Exchange).  The following are the results.  See last portion about Certificate Name Validation.

-----------------------------------
ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.balmoving.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: xx.xx.xx.xx

Testing TCP port 443 on host mail.balmoving.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The SSL certificate failed one or more certificate validation checks.
 Test Steps
 ExRCA is attempting to obtain the SSL certificate from remote server mail.balmoving.com on port 443.
 ExRCA successfully obtained the remote SSL certificate.
 Additional Details
 Remote Certificate Subject: CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local, Issuer: CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.

Validating the certificate name.
 Certificate name validation failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 Host name mail.balmoving.com doesn't match any name found on the server certificate CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
0
Question by:infosys3
10 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37830548
My article should help you here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

But for now - just re-run the Connect To The Internet Wizard, change nothing until you get to the Certificate part, then create a new certificate called mail.balmoving.com, then complete the wizard (changing nothing else) and let the wizard complete.

Once completed - re-run the test on the test site (make sure you tick the "ignore trust for SSL" check box) and see what gives, then if you have problems, refer to my article for guidance.

Shout if you are stuck anywhere.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830552
One problem is the domain you have posted isn't valid, which you have hopefully masked on purpose.
0
 
LVL 7

Expert Comment

by:Jarred Power
ID: 37830556
Your cert has the wrong CN=office.balmoving.com.
You either need to change the cert to reflect your MX record mail.balmoving.com or change the MX record.  Changing the cert would probably be the best route.  See http://www.emailsecuritymatters.com/site/blog/best-practices/how-to-create-self-signed-ssl-certificate-exchange-2003-2007-2010-windows/ to create a new self-signed cert.  Remember to use mail.balmoving.com.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830565
Don't follow the link above - this is SBS - you need to use the Wizard I have mentioned.
0
 

Author Comment

by:infosys3
ID: 37830651
Many thanks...I am not at the site now...and will not be until Thursday...  I will let you know...also, Yes, I did mask the domain.  I will contact you Thursday.
0

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830661
No problems - I should be around unless someone's server blows up in the mean-time!
0
 

Author Comment

by:infosys3
ID: 37846448
jpower5000---
Your link is quite extensive...and I think I did all configs correctly, but, alas, I am now getting this error..see last couple of lines...any ideas.  Again, many thanks for your help.
============

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server mail.maloneymoving.com on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local, Issuer: CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
 
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.balmoving.com was found in the Certificate Subject Common name.
 
 Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
  A certificate chain couldn't be constructed for the certificate.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37846484
Did you tick the Ignore Trust for SSL check box?  If you have a self-issued certificate - you need to tick that box on the test.
0
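The two ExRCA checks that failed in this thread (name validation, then trust), reproduced as an added example that is not part of any post or of ExRCA itself: it parses the "Remote Certificate Subject" lines quoted above and reports a name mismatch and a self-issued certificate. The function names are hypothetical, and subject equal to issuer is used as a heuristic for "self-issued" because the report shows no signature data.

```python
import re

# Report lines copied from the two ExRCA runs quoted in this thread.
CNS_OLD = "CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local"
CNS_NEW = "CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local"
FIRST_RUN = f" Remote Certificate Subject: {CNS_OLD}, Issuer: {CNS_OLD}."
SECOND_RUN = f"  Remote Certificate Subject: {CNS_NEW}, Issuer: {CNS_NEW}."

LINE_RE = re.compile(r"\s*Remote Certificate Subject:\s*(.*?),\s*Issuer:\s*(.*?)\.?\s*$")


def parse_report_line(line):
    """Return (subject_cns, issuer_cns) from a 'Remote Certificate Subject' line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a 'Remote Certificate Subject' line")
    subject, issuer = (re.findall(r"CN=([^,\s]+)", dn) for dn in m.groups())
    return subject, issuer


def name_matches(host, names):
    """Case-insensitive match of host against certificate names."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name == host:
            return True
        # A leading "*." covers exactly one label (*.example.com matches www.example.com).
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(host, line):
    """List the failures a client would hit for this host and certificate."""
    subject, issuer = parse_report_line(line)
    findings = []
    if not name_matches(host, subject):
        findings.append("name-mismatch")   # ExRCA: "Certificate name validation failed"
    if subject == issuer:
        findings.append("self-issued")     # ExRCA: chain "didn't end in a trusted root"
    return findings


if __name__ == "__main__":
    for label, line in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, diagnose("mail.balmoving.com", line))
```

Reissuing the certificate for mail.balmoving.com clears the `name-mismatch` finding; the `self-issued` finding remains and is what the "Ignore Trust for SSL" check box in the test skips.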
 

Author Closing Comment

by:infosys3
ID: 37851267
Alan:
Wooo...you are the man.  No, I didn't tick it, but that was Friday afternoon when I was doing all the testing.   This morning I did make the tick and got all "green" designations.  Moreover, I sent a test email and, alas, the email showed up on my iPhone.  I had made the changes on the Exchange server Fri afternoon as per your link above. I did some email testing like I did this morning, but no-go, no-mail.   I assume that Fri night, Exchange "rectified" something????  Anyway, you have been a tremendous help as I have been banging my head against a brick wall.  Many thanks...I am sending a New Orleans shrimp poor-boy sandwich in the mail to you today.  Plus, you get a gold star for helping me.
Best regards, Bruce
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37851277
Thanks Bruce - I'll look forward to the sandwich ;)

Glad you are sorted and thanks too for the points.  Sometimes the changes do take a little while to take effect.

Best wishes

Alan
0
