Exchange 2010 certificate error

Posted on 2012-08-31
Last Modified: 2012-09-26
I have a 2010 Exchange server.

Internally when I open Outlook I get the following error:

The name on the security certificate is invalid or does not match the name of the site.

I go to https://www.testexchangeconnectivity.com/ and it tells me: Connectivity Test Successful with Warnings

One such warning looks like it may be related but I am not sure how to proceed:

Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.

Test Steps

ExRCA is attempting to build certificate chains for certificate CN=remote.burleycpa.com, OU=Domain Control Validated, O=remote.burleycpa.com.

One or more certificate chains were constructed successfully.

Additional Details

Analyzing the certificate chains for compatibility problems with versions of Windows.

Potential compatibility problems were identified with some versions of Windows.

Additional Details

ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

Any thoughts or direction??
Question by: Curtis Long

Accepted Solution

Simon Butler (Sembee) earned 668 total points
ID: 38356023
All that means is that for full certificate compliance, the WINDOWS workstations need to have a root certificate update. If the machines are being fully patched then this isn't an issue. I think the root certificate update in question is from 2005.

That will NOT be the cause of your internal error.
The reason for your internal error will be one of three things, you need to see what reason the certificate is failing on. The primary reason is a single name SSL for say mail.example.com but the relevant changes haven't been made in Exchange to use that host name.


Author Comment

by: Curtis Long
ID: 38356038
How would I assign this name in exchange??

Assisted Solution

by: Adam Brown
Adam Brown earned 668 total points
ID: 38356151
The error is due to you using a certificate that does not have your internal URL set on it. For this, you would configure your internal URLs for Exchange to match what you have on the certificate. http://msunified.net/2010/01/13/configure-exchange-2010-internalurl-powershell-script/ has a PowerShell script that will help you set the InternalURLs for all of your Exchange virtual directories. When you do this, you should only access Exchange using the URL you set with the script.

Assisted Solution

tigermatt earned 664 total points
ID: 38357237

As Simon has already discussed, there could be many reasons for this issue.

What name(s) are listed on your commercial SSL certificate which you have installed?

The most common cause I come across for issues of this nature is a setup which uses a single-name certificate (as already mentioned) or a SAN certificate which lists only the external names in instances where the internal AD domain does not match the external AD domain (i.e. mail.domain.com and autodiscover.domain.com are listed).

While the latter is my preferred approach and the one documented on TechNet (and also used by Microsoft Corporate IT), it does require configuration changes in Exchange to the URLs, and to the URLs handed out to internal clients for accessing the Autodiscover service, to ensure access is via one of the FQDNs listed on your certificate, which will therefore avoid certificate warnings.

You can make changes to all the virtual directories which you need to worry about in the Exchange Management Console, under the Server Configuration > Client Access node. You will see various tabs for each server which show the various virtual directories; editing the properties exposes the InternalURL and ExternalURL values. For any access using an HTTPS secured URL, the domain used for access must be listed on your SSL certificate.

For modifying the value on the Autodiscover Service Connection Point (SCP), which is used by internal, domain-joined Outlook clients, you will need to use the management shell:

Set-ClientAccessServer <Server Name> -AutodiscoverServiceInternalUri https://autodiscover.mycompany.com/Autodiscover/Autodiscover.xml

where autodiscover.mycompany.com is a valid name as listed on the SSL certificate.

In addition, you will most likely need to configure split DNS to allow the mail.mycompany.com and autodiscover.mycompany.com records to be resolved to the internal IP address of your Client Access Server(s). This will depend on your firewall and current DNS situation, but in any event, it is a wise idea to ensure a loss of ISP connectivity to the Internet does not cause further hiccups with internal email through being unable to resolve the public names on the nameservers for your public domain.
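The procedure described in Adam Brown's and tigermatt's answers (set InternalURL/ExternalURL on the virtual directories and the Autodiscover SCP to a name the certificate actually carries), as an added worked example that is not from this thread. It assumes a CAS server named CAS01 and the names mail.mycompany.com and autodiscover.mycompany.com; the Test-NameOnCert helper is my own, not an Exchange cmdlet.

```powershell
# Added example (not from the thread): align Exchange 2010 URLs with the names on the
# certificate bound to IIS, then verify. Run in the Exchange Management Shell on the CAS.
# Assumed values: CAS server CAS01, names mail.mycompany.com and autodiscover.mycompany.com.
$server   = "CAS01"
$hostName = "mail.mycompany.com"
$autodisc = "autodiscover.mycompany.com"

# Exact or wildcard (*.example.com) match of a host name against the certificate's names.
function Test-NameOnCert([string]$name, $domains) {
    foreach ($d in $domains) {
        $d = [string]$d
        if ($d -eq $name) { return $true }
        if ($d.StartsWith("*.") -and ($name -like $d)) { return $true }
    }
    return $false
}

# 1. The certificate Outlook sees over HTTPS is the one with the IIS service enabled.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
"Certificate names: $($cert.CertificateDomains -join ', ')"
foreach ($n in $hostName, $autodisc) {
    if (-not (Test-NameOnCert $n $cert.CertificateDomains)) {
        throw "$n is not on the certificate; use a covered name or reissue the certificate."
    }
}

# 2. Point each HTTPS virtual directory (internal and external) at the covered name.
$paths = @{ Owa = "owa"; Ecp = "ecp"; WebServices = "EWS/Exchange.asmx";
            Oab = "OAB"; ActiveSync = "Microsoft-Server-ActiveSync" }
foreach ($k in $paths.Keys) {
    $url = "https://$hostName/$($paths[$k])"
    & "Get-${k}VirtualDirectory" -Server $server |
        & "Set-${k}VirtualDirectory" -InternalUrl $url -ExternalUrl $url
}

# 3. The Autodiscover SCP that domain-joined Outlook clients look up in AD.
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://$autodisc/Autodiscover/Autodiscover.xml"

# 4. Verify: the host of every URL must be covered by the certificate.
$urls = @(foreach ($k in $paths.Keys) { (& "Get-${k}VirtualDirectory" -Server $server).InternalUrl })
$urls += (Get-ClientAccessServer -Identity $server).AutodiscoverServiceInternalUri
foreach ($u in $urls) {
    $h = ([Uri]$u).Host
    $state = if (Test-NameOnCert $h $cert.CertificateDomains) { "OK" } else { "MISMATCH" }
    "{0,-8} {1}" -f $state, $u
}
```

The new URLs only help once internal DNS (the split DNS tigermatt mentions) resolves those names to the CAS, and Outlook picks up the SCP change on its next Autodiscover refresh.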


Author Comment

by: Curtis Long
ID: 38423179
Sorry, I got distracted for a few.

I will check these items and report back.
