Solved

Exchange 2013 certificate issues with Outlook Anywhere

Posted on 2013-10-27
Last Modified: 2014-07-17
Hello,

I am at my wits' end with a certificate issue on a new Exchange 2013 installation. I installed a certificate from godaddy.com that works fine for Exchange ActiveSync and allows Outlook Anywhere access. The internal domain is domain.local and the certificate is set up for mail.domain.com. I created DNS entries for mail.domain.com on the DNS server and they resolve to the local email server. All internal and external addresses are set using https://mail.domain.com/.... within the Exchange Admin Center.

All users are receiving the following error when they open Outlook.

"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchange-cal.domain.local. Outlook is unable to connect to the proxy server. (Error Code 10)"

They also receive a security alert stating the name on the security certificate is invalid or does not match the name of the site.

Outlook works fine, but users are complaining about the pop-ups.

Is there a way to resolve the pop-ups other than purchasing a SAN certificate? I understand that many certificate authorities will not issue certificates with domain.local internal domain names.

Thanks so much,
Steve
Question by:steve90ttz
14 Comments
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 39604816
Do you have autodiscover.domain.com added to the cert?

If yes, please post a screenshot of the error.
0
 
LVL 1

Author Comment

by:steve90ttz
ID: 39604820
Hello.

Thanks for the response. mail.domain.com and www.mail.domain.com are part of the certificate. autodiscover.domain.com is not part of the certificate. Should it be?


Thanks,
Steve
0
 
LVL 27

Assisted Solution

by:☠MAS☠
☠MAS☠ earned 250 total points
ID: 39604824
You should have autodiscover.domain.com as a SAN in your cert.
Add autodiscover.domain.com and reissue the cert and install it. Your error should disappear.

Please update us after adding and installing cert with autodiscover.domain.com.

Delete the old cert from server to make sure services are using new cert.

Do you have autodiscover.domain.com in your external DNS which points to the external IP?
If not, please create that as well.
0

 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 39606105
Internally you can get away without Autodiscover.example.com, because internal clients do not use it, unless you tell them to.
Externally you cannot; you need to cover Autodiscover somehow.

If you have a single name SSL certificate, then use an SRV record for Autodiscover.
http://semb.ee/srv

Then configure the URLs internally to use the same external name.
The Exchange 2010 version of my article is fine for this: http://semb.ee/hostnames

Simon.
0
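An added example, not part of any poster's reply: a read-only audit for the Exchange Management Shell that lists every host name Exchange 2013 publishes to Outlook and marks those the IIS-enabled certificate does not cover, which is where a name like exchange-cal.domain.local in the error above would show up. It assumes one certificate is enabled for IIS; the helper function names are hypothetical, and the cmdlets are the standard Exchange 2013 ones.

```powershell
# Added example. Run in the Exchange Management Shell; it only reads settings.
# Certificate enabled for IIS, i.e. the one Outlook Anywhere clients are shown.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Get-HostPart($Value) {            # hypothetical helper
    $s = "$Value"
    if (-not $s) { return $null }          # unset URL or host name
    if ($s -match '^[a-z]+://') { return ([uri]$s).Host.ToLower() }
    return $s.ToLower()                    # Outlook Anywhere stores bare host names
}

function Test-NameCovered([string]$Name, [string[]]$Patterns) {   # hypothetical helper
    foreach ($p in $Patterns) {
        if ($p -eq $Name) { return $true }
        # A wildcard covers one label only: *.domain.com matches mail.domain.com.
        $dot = $Name.IndexOf('.')
        if ($p.StartsWith('*.') -and $dot -gt 0 -and
            $Name.Substring($dot + 1) -eq $p.Substring(2)) { return $true }
    }
    return $false
}

# Collect every setting that Autodiscover hands to Outlook.
$settings = @()
Get-ClientAccessServer | ForEach-Object {
    $settings += @{ Source = "$($_.Name) AutodiscoverServiceInternalUri"; Value = $_.AutodiscoverServiceInternalUri }
}
Get-OutlookAnywhere | ForEach-Object {
    $settings += @{ Source = "$($_.Identity) InternalHostname"; Value = $_.InternalHostname }
    $settings += @{ Source = "$($_.Identity) ExternalHostname"; Value = $_.ExternalHostname }
}
$vdirCmds = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
            'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    & $cmd | ForEach-Object {
        $settings += @{ Source = "$($_.Identity) InternalUrl"; Value = $_.InternalUrl }
        $settings += @{ Source = "$($_.Identity) ExternalUrl"; Value = $_.ExternalUrl }
    }
}

# Report: rows with Covered = False are the names that trigger the Outlook warning.
$settings | ForEach-Object {
    $h = Get-HostPart $_.Value
    if ($h) {
        New-Object psobject -Property @{ Setting = $_.Source; HostName = $h; Covered = (Test-NameCovered $h $certNames) }
    }
} | Sort-Object Covered | Format-Table Setting, HostName, Covered -AutoSize
```

Any row reported as not covered either needs its URL or host name changed to a name on the certificate, or the certificate reissued with that name as a SAN.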
 
LVL 1

Author Comment

by:steve90ttz
ID: 39612050
Thanks for the help abbasiftt and Sembee2. I have made numerous changes and have been able to get the certificate error stating the name on the security certificate is invalid or does not match the name of the site. I am still having issues with the following error appearing when launching Outlook.

"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchange-cal.domain.local. Outlook is unable to connect to the proxy server. (Error Code 10)"

I created the DNS entries as mentioned in Sembee2's links. All internal and external URLs from the Exchange Admin Center are pointing to the mail.domain.com that the certificate is assigned to. I processed a request for a new certificate with autodiscover.domain.com as well as mail.domain.com, but the new certificate only lists mail.domain.com.

Should the Microsoft Exchange Server Auth Certificate be removed from the certificate list? I believe it is created during installation? It is currently assigned to SMTP. There is also a WMSVC certificate that is not assigned to any services?

Thanks again,
Steve
0
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 39613374
Enable services (IIS) on the new cert, restart the Exchange Transport service and try.
http://technet.microsoft.com/en-us/library/aa997231(v=exchg.150).aspx
http://technet.microsoft.com/en-us/library/dd351257(v=exchg.141).aspx

This command will list the installed certificates with their thumbprints:
Get-ExchangeCertificate
0
 
LVL 1

Author Comment

by:steve90ttz
ID: 39670925
Hello abbasiftt,

Thanks for your response. Sorry for my tardy response. I was away on holidays and didn't have a chance to try any changes until now.

I tried enabling the certificate using the Exchange Management Shell for the SMTP and IIS services. I restarted the Exchange Transport service and I am still getting the same error.

"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchange-cal.domain.local. Outlook is unable to connect to the proxy server. (Error Code 10)"

Thanks again for all your assistance,
Steve
0
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 39670973
Do you have autodiscover.domain.com added to the certificate?
If yes, please make sure you enabled services on the new certificate.
0
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 39670974
Check the common name in the certificate as well.
0
 
LVL 1

Author Closing Comment

by:steve90ttz
ID: 39687618
Thanks so much for all of your help (and patience). You are truly an invaluable resource.

Thanks,
Steve
0
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 39687859
Glad to help you again
0
 

Expert Comment

by:Terellion
ID: 40202160
Hi there, I'm having the same issue as this. However, we have an Exchange 2007 server in the mix as well, with the autodiscover DNS record pointing to that server. I've put autodiscover in ours but am getting the same error unfortunately. Anyone else had this too?

Thanks
0
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 40202217
@Terellion
This is a closed question. You should ask this as a new question and post the URL here if you wish.
0
