• Status: Solved

Certificate Name Validation Failed - Exchange 2003 SBS

Need your help.  I have a client who has an SBS 2003 server with Exchange 2003.  I am trying to get mail on an iPhone (or any smartphone) via this Exchange server.  This thing is kicking my you know what.  Anyway, I found a neat little routine that you can run that simulates an iPhone with all the email/exchange configurations and tells you why you can NOT connect (get/send email).  So I did it and the results are below.  Basically, the last section says "Certificate Name Validation failed"...so I assume it's a certificate issue...I am looking for steps to solve this so that the users can get their email on their smartphone.  Thanks in advance for your help/comments.

FYI: I went to https://www.testexchangeconnectivity.com  and put in the required user and email configuration information (just like you'd do to configure an iPhone for Exchange).  The following are the results.  See last portion about Certificate Name Validation.

-----------------------------------
ExRCA is testing Exchange ActiveSync.
 The Exchange ActiveSync test failed.
 Test Steps
 Attempting to resolve the host name mail.balmoving.com in DNS.
 The host name resolved successfully.
 Additional Details
 IP addresses returned: xx.xx.xx.xx

Testing TCP port 443 on host mail.balmoving.com to ensure it's listening and open.
 The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
 The SSL certificate failed one or more certificate validation checks.
 Test Steps
 ExRCA is attempting to obtain the SSL certificate from remote server mail.balmoving.com on port 443.
 ExRCA successfully obtained the remote SSL certificate.
 Additional Details
 Remote Certificate Subject: CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local, Issuer: CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.

Validating the certificate name.
 Certificate name validation failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 Host name mail.balmoving.com doesn't match any name found on the server certificate CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
1 Solution
 
Alan Hardisty commented:
My article should help you here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

But for now - just re-run the Connect To The Internet Wizard, change nothing until you get to the Certificate part, then create a new certificate called mail.balmoving.com, then complete the wizard (changing nothing else) and let the wizard complete.

Once completed - re-run the test on the test site (make sure you tick the "ignore trust for SSL" check box) and see what gives, then if you have problems, refer to my article for guidance.

Shout if you are stuck anywhere.

Alan

Alan Hardisty commented:
One problem is the domain you have posted isn't valid, which you have hopefully masked on purpose.

Jarred Power commented:
Your Cert has the Wrong CN=office.balmoving.com.
You either need to change the Cert to reflect your MX record mail.balmoving.com or change the MX record.  Changing the cert would probably be the best route.  See http://www.emailsecuritymatters.com/site/blog/best-practices/how-to-create-self-signed-ssl-certificate-exchange-2003-2007-2010-windows/ to create a new self-signed cert.  Remember to use mail.balmoving.com.
Alan Hardisty commented:
Don't follow the link above - this is SBS - you need to use the Wizard I have mentioned.

infosys3 (author) commented:
Many thanks...I am not at the site now...and will not be until Thursday...  I will let you know...also, Yes, I did mask the domain.  I will contact you Thursday.

Alan Hardisty commented:
No problems - I should be around unless someone's server blows up in the mean-time!

infosys3 (author) commented:
jpower5000---
Your link is quite extensive...and I think I did all configs correctly, but, alas, I am now getting this error...see last couple of lines...any ideas?  Again, many thanks for your help.
============

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server mail.maloneymoving.com on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local, Issuer: CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
 
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.balmoving.com was found in the Certificate Subject Common name.
 
 Validating certificate trust for Windows Mobile devices.
  Certificate trust validation failed.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local.
  A certificate chain couldn't be constructed for the certificate.
   Tell me more about this issue and how to resolve it
   Additional Details
  The certificate chain didn't end in a trusted root. Root = CN=mail.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, CN=sbs.balmoving.local

Alan Hardisty commented:
Did you tick the Ignore Trust for SSL check box?  If you have a self-issued certificate - you need to tick that box on the test.

infosys3 (author) commented:
Alan:
Wooo...you are the man.  No, I didn't tick it, but that was Friday afternoon when I was doing all the testing.   This morning I did make the tick and got all "green" designations.  Moreover, I sent a test email and, alas, the email showed up on my iPhone.  I had made the changes on the Exchange server Fri afternoon as per your link above, and I did some email testing like I did this morning, but no-go, no mail.   I assume that Fri night, Exchange "rectified" something????  Anyway, you have been a tremendous help as I have been banging my head against a brick wall.  Many thanks...I am sending a New Orleans shrimp poor-boy sandwich in the mail to you today.  Plus, you get a gold star for helping me.
Best regards, Bruce

Alan Hardisty commented:
Thanks Bruce - I'll look forward to the sandwich ;)

Glad you are sorted and thanks too for the points.  Sometimes the changes do take a little while to take effect.

Best wishes

Alan
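
The two failures reported in this thread (a host name that matches no CN, then a chain that ends in an untrusted self-issued root) are independent checks. The following is an added example, not code from any post above or from ExRCA: it parses the "Remote Certificate Subject" detail line quoted in the thread and reports which check fails. The names `parse_details`, `name_matches`, `triage` and the parameter `cert_installed_on_device` are hypothetical, and the wildcard handling goes beyond what the thread covers.

```python
import re

# Constructed sample input: the ExRCA detail line quoted in the thread, before
# and after the certificate was reissued with CN=mail.balmoving.com.
BEFORE = ("Remote Certificate Subject: CN=office.balmoving.com, CN=companyweb, "
          "CN=sbs, CN=localhost, CN=sbs.balmoving.local, Issuer: "
          "CN=office.balmoving.com, CN=companyweb, CN=sbs, CN=localhost, "
          "CN=sbs.balmoving.local.")
AFTER = BEFORE.replace("CN=office.", "CN=mail.")


def parse_details(line):
    """Split an ExRCA detail line into (subject CNs, issuer CNs), lower-cased."""
    m = re.search(r"Subject:\s*(.*?),\s*Issuer:\s*(.*?)\.?\s*$", line)
    if not m:
        raise ValueError("not an ExRCA certificate detail line")

    def cns(dn):
        return [v.strip().lower() for v in re.findall(r"CN=([^,]+)", dn)]

    return cns(m.group(1)), cns(m.group(2))


def name_matches(host, pattern):
    """Exact match, or one left-most wildcard label such as '*.example.com'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def triage(line, host, cert_installed_on_device=False):
    """Return the list of failed checks for `host` against the reported names.

    Only subject CNs are compared because that is all the detail line carries;
    a real client also checks subjectAltName entries.
    """
    subject, issuer = parse_details(line)
    findings = []
    if not any(name_matches(host, cn) for cn in subject):
        findings.append("name-mismatch")
    # Subject == Issuer means the certificate is its own root, so the chain is
    # trusted only if the device has this certificate in its trust store.
    if subject == issuer and not cert_installed_on_device:
        findings.append("untrusted-self-issued")
    return findings
```
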