Exchange 2010 certificate question

Running Exchange 2010 Standard, I can't seem to figure out where the SMTP certificate is coming from; the server (ServerA) and clients are on the same subnet. When any client, Outlook 2003 to 2013, connects, they are prompted with a certificate warning stating that the name on the cert does not match. When I click "view certificate" I see that it is issued to ServerB by ServerB, which should obviously be issued to ServerA. The other server (ServerB) is a MS Windows 2008 box. When I go to the server configuration on the mail server and review the certs that are applied, I see the one I would expect to be delivered to the clients, but it is not getting applied, and I do not see the certificate that is getting applied. Confused on how this is possible.
BERITM Asked:

Stelian Stan (Network Administrator) Commented:
To find all the certificates on Exchange run:
get-exchangecertificate -DomainName "your domain name"


0
BERITM (Author) Commented:
The results print the certificate I would expect to see from the client, but it is not the one the clients are receiving. The certificate it reported is a wildcard from GoDaddy, CN=*.ourdomain.com, and as I stated it's the one I would expect the clients to pick up.
0
Jordan Smith Commented:
What server name are your clients using to connect to the server? Probably not an "ourdomain.com" name, as that is the internet-facing name. Your GoDaddy cert for "*.ourdomain.com" will not work if your local clients are looking for "ServerA.ourlocaldomain.local".

Either you will need to configure your firewall to route your local clients back to ServerA, or you will need to get a certificate that includes your local FQDN for ServerA (which I don't believe anyone will issue any longer.)
0

BERITM (Author) Commented:
1. mail.ourdomainname.com
2. Going with your premise that the wildcard cert will not work, that doesn't explain why the clients are picking up a cert from ServerB.
3. I didn't follow this, but it is clear you're saying a wildcard cert will not work.
0
BERITM (Author) Commented:
Oddly, if I go to https://mail.ourdomain.com from a web client it does pick up the correct cert, the wildcard.
0
Jordan Smith Commented:
From within your network, does mail.ourdomain.com resolve to ServerA, ServerB, or your public IP address?

If you ignore the certificate warning, does Outlook connect successfully to Exchange?

Basically, I'm wondering if Outlook clients are looking at the wrong server (ServerB), which would explain the wrong certificate (self-signed ServerB certificate).
0
BERITM (Author) Commented:
1. Internally it resolves to ServerA, private IP address
2. Yes, they connect and mail flows internally and externally
3. I see where you're going but DNS seems to resolve as expected both internally and externally
0
Jordan Smith Commented:
So obviously the certificate is installed correctly to the HTTPS binding of ServerA in IIS...

I have run into this issue, as well as frequent requests for Passwords by Outlook, when the Exchange Server and the clients have different primary DNS servers.  Can you confirm if this is the case?

By the way, what is the role of ServerB?  Is it a DNS, DC, old Exchange server, anything like that?
0
BERITM (Author) Commented:
I agree, it does appear the cert is installed okay.

DNS settings match on the server and the clients.

ServerB holds FSMO, so it runs AD, DNS, DHCP, and file shares.

Oddly enough I disabled cache mode in Outlook and I did not get the cert error, re-enabled cache mode and the problem re-appears.
0
Simon Butler (Sembee) (Consultant) Commented:
Do you have IIS or certificate services on the server the clients are getting the certificate from? As it is a domain controller, it sounds like the clients are trying to access the root of the domain, which will resolve to the domain controller. You probably have a URL misconfigured in Exchange somewhere.

Do an Autodiscover test, see what that comes back with.
http://semb.ee/adt

Simon.
0
BERITM (Author) Commented:
Interesting. I stopped cert services and the problem persists; I then disabled IIS Admin and WWW on ServerB and the cert issue disappeared.

Any thoughts on which URLs I should look at in Exchange?

I don't get the "test email auto configuration" option, not sure if it works with Outlook 2013.
0
Simon Butler (Sembee) (Consultant) Commented:
It does work, as I use it all the time. Do ensure that you hold down CTRL to get the additional options.

Simon.
0
BERITM (Author) Commented:
I have no doubt it works for you 100% of the time, but it's not working for me. Attached are the results of holding down CTRL and right-clicking on the Outlook icon in the system tray; I tried it on a device running 2013 and a device running 2003, and neither worked.
[Attachment: Untitled.jpg]
0
Simon Butler (Sembee) (Consultant) Commented:
You right clicked on the Outlook icon in the task bar, not the system tray (next to the clock). I have just checked an Outlook 2013 system and I get the same menu as you when I right click on Outlook anywhere in the task bar, but do get the menu I am referring to in the system tray (Windows 8.1, Outlook 2013).

Simon.
0
BERITM (Author) Commented:
Good eye, sorry about that. OK, I was able to run the test; what should I be looking for in the results?

The internal OWA URL = https://internalname.domain.com/owa
The external OWA URL = https://mail.domain.com/owa
Server: internalname.domain.com
0
Simon Butler (Sembee) (Consultant) Commented:
Look at all of the results, not just OWA etc. There must be something in there that is using the root of the domain.

Simon.
0
BERITM (Author) Commented:
I don't see anything that mentions root.
internal name=servera
External name=mail

Server: servera.domain.com
availability service url: https://servera.domain.com/EWS/exchange.asmx
oof url: https://servera.domain.com/ews/exchange.asmx

protocol: exchange http
server: mail.domain.com
ssl: yes
mutual auth: no
availability service url: https:/domain.com/EWS/exchange.asmx
oof url: https://domain.com/EWS/exchange.asmx
auth package: basic
cert principal name: msstd:mail.domain.com
exchange control panel: https://mail.domain.com/ecp

under Log tab:
Autodiscover to https://servera.domain.com/autodiscover.xml succeeded (0x0000000)
0
Simon Butler (Sembee) (Consultant) Commented:
It wasn't the server name that I was asking you to look for. It was the root of the domain:

Here you are:

availability service url: https:/domain.com/EWS/exchange.asmx
oof url: https://domain.com/EWS/exchange.asmx

That is wrong.

Change it to a name that is on your SSL certificate and resolves internally to Exchange.

The best practice is to use split DNS so that the external name is used internally as well.
http://semb.ee/hostnames

Simon.
0
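The two checks discussed in this thread (Stelian's Get-ExchangeCertificate to see which certificate Exchange holds, and Simon's point that one of the Autodiscover URLs points at the bare root of the domain rather than at a name on the certificate) can be combined into one script for the Exchange Management Shell. The following is an added example written for this page, not code from the thread or from Microsoft; "servera" and "mail.domain.com" are placeholders for your own server and certificate name, and the Set- call at the end runs with -WhatIf so it only previews the change.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the Exchange 2010 server. It shows which certificate IIS is serving, gathers
# every URL that Autodiscover hands to Outlook, and flags any URL whose host is
# not covered by that certificate (e.g. the bare "domain.com" in the thread).
# "servera" and "mail.domain.com" are placeholders for your own names.

$server  = "servera"            # placeholder: Exchange 2010 CAS/Mailbox server
$fixName = "mail.domain.com"    # placeholder: a name on the cert that resolves
                                # to Exchange internally (split DNS)

# 1. Which certificate is actually bound to HTTPS? The one with IIS in Services.
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match "IIS" } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for the IIS service on $server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })
"Certificate bound to IIS : $($iisCert.Subject) (thumbprint $($iisCert.Thumbprint))"
"Names on the certificate : $($certNames -join ', ')"

# Is a hostname covered by one of the certificate names, exactly or by wildcard?
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith("*.")) {
            # A wildcard covers exactly one label: *.domain.com matches
            # mail.domain.com but not domain.com or a.b.domain.com.
            $suffix = $name.Substring(1)                          # ".domain.com"
            $wanted = $suffix.TrimStart(".").Split(".").Length + 1
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Split(".").Length -eq $wanted) { return $true }
        }
    }
    return $false
}

# 2. Every virtual directory URL Exchange publishes, with the cmdlet that sets it.
$dirs = @(
    @{ Name = "EWS";        Get = { Get-WebServicesVirtualDirectory -Server $server }; Set = "Set-WebServicesVirtualDirectory" },
    @{ Name = "OWA";        Get = { Get-OwaVirtualDirectory        -Server $server }; Set = "Set-OwaVirtualDirectory" },
    @{ Name = "ECP";        Get = { Get-EcpVirtualDirectory        -Server $server }; Set = "Set-EcpVirtualDirectory" },
    @{ Name = "OAB";        Get = { Get-OabVirtualDirectory        -Server $server }; Set = "Set-OabVirtualDirectory" },
    @{ Name = "ActiveSync"; Get = { Get-ActiveSyncVirtualDirectory -Server $server }; Set = "Set-ActiveSyncVirtualDirectory" }
)
$findings = @()
foreach ($d in $dirs) {
    foreach ($vdir in @(& $d.Get)) {
        foreach ($prop in "InternalUrl", "ExternalUrl") {
            if (-not $vdir.$prop) { continue }
            $url = [uri]$vdir.$prop
            $findings += New-Object PSObject -Property @{
                Dir = $d.Name; Property = $prop; Url = $url.AbsoluteUri
                Covered = (Test-CertCoversHost -HostName $url.Host -CertNames $certNames)
                FixWith = $d.Set
            }
        }
    }
}
# The Autodiscover SCP that domain-joined Outlook reads from Active Directory.
$scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
if ($scp) {
    $findings += New-Object PSObject -Property @{
        Dir = "Autodiscover"; Property = "AutoDiscoverServiceInternalUri"; Url = $scp.AbsoluteUri
        Covered = (Test-CertCoversHost -HostName $scp.Host -CertNames $certNames)
        FixWith = "Set-ClientAccessServer"
    }
}
# Rows with Covered = False are the URLs Outlook will complain about.
$findings | Sort-Object Covered, Dir | Format-Table Dir, Property, Url, Covered, FixWith -AutoSize

# 3. The fix from the thread, previewed with -WhatIf: point the EWS URLs at a name
#    that is on the certificate and resolves to Exchange on the inside. Drop
#    -WhatIf to apply, then re-run Outlook's "Test E-mail AutoConfiguration".
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$fixName/EWS/Exchange.asmx" `
    -ExternalUrl "https://$fixName/EWS/Exchange.asmx" -WhatIf
```

The table makes the mismatch from the thread visible in one place: a wildcard such as *.domain.com covers mail.domain.com and servera.domain.com, but not the bare domain.com, so an EWS URL of https://domain.com/EWS/exchange.asmx sends Outlook to whatever domain.com resolves to (here, the domain controller running IIS with its own self-signed certificate). Once every row reads Covered = True and the chosen name resolves to Exchange on the internal DNS, the certificate prompt should stop.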
BERITM (Author) Commented:
I've requested that this question be deleted for the following reason:

end
0
Simon Butler (Sembee) (Consultant) Commented:
Need a better reason than "end" for the question to be deleted.
0