Dan
asked on
Outlook 2013 certificate error
I just upgraded my exchange from 2007 to 2013, well, I migrated, as it's a new server.
Some clients are fine, but some are getting this error message. it's attached.
How do I resolve this, as I did a google search, and I couldn't really find anything. I found one article, which I did install the exchange certificate on this machine with this error, but it's still not working.
I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/
The client is running outlook 2013 RTM. Other are running 2010, with either SP1 or Sp2.
I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using outlook 2013. When using the outlook web app, it allows the user to log in with no errors.
Any thoughts?
outlook.PNG
Some clients are fine, but some are getting this error message. it's attached.
How do I resolve this, as I did a google search, and I couldn't really find anything. I found one article, which I did install the exchange certificate on this machine with this error, but it's still not working.
I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/
The client is running outlook 2013 RTM. Other are running 2010, with either SP1 or Sp2.
I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using outlook 2013. When using the outlook web app, it allows the user to log in with no errors.
Any thoughts?
outlook.PNG
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I am using a third-party certificate from Go Daddy. I exported the certificates from old server and imported it into the new server, but I am getting this error message. Some other clients are working okay though, they do not receive this message.
ASKER
Yoavz, so how do I check or fix the problem? What is there to fix exactly?
Check what FQDN those clients are using to connect to the Exchange server.
If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them points to the same IP, you'll still have a problem with the certificate.
1. Check what hostname is configured in the clients mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match)
If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them points to the same IP, you'll still have a problem with the certificate.
1. Check what hostname is configured in the clients mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match)
ASKER
I went to the mail settings via the control panel and was able to change the server to point my outlook instead of the old server to the new server. I restarted outlook and i was able to pass that error message, but now I'm getting a different error message.
The error message is attached.
security-alert-certificate.jpg
The error message is attached.
security-alert-certificate.jpg
The error means what it says.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.
get-clientaccessserver | select identity, autodiscoverserviceinterna luri
That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.
Simon.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.
get-clientaccessserver | select identity, autodiscoverserviceinterna
That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.
Simon.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So basically, instead of moving my cert from the old server, to the new, should I get a new cert for my new server from my third party provider?
ASKER
The cert that I have now is the
newserver .domain.org
Isn't that what it should be?
newserver .domain.org
Isn't that what it should be?
I wouldn't use a server's real name for the SSL certificate. I prefer to use a generic name, like mail, remote, webmail etc.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.
http://semb.ee/hostnames
Simon.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.
http://semb.ee/hostnames
Simon.
ASKER
Thanks sembee, those instructions are for exchange 2010, do you have the same instructions for 2013?
So what you're saying is I should get a new cert for the server: mail.domain.org, right?
I guess I was concerned about the outlook clients, if they are now pointing to my exchange server internal real name, will outlook automatically repoint to the new server name in the cert? I have about 75 computers and would hate to update them one by one.
So what you're saying is I should get a new cert for the server: mail.domain.org, right?
I guess I was concerned about the outlook clients, if they are now pointing to my exchange server internal real name, will outlook automatically repoint to the new server name in the cert? I have about 75 computers and would hate to update them one by one.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So I'm a little lost where and what you want me to change?
So under servers -> (my server), under outlook anywhere
Under the internal host name, it was: mail.mydomain.org
So I just changed that to servername.mydomain.org
It's been about 10 minutes and it's still not working. Do I need to restart any services, or am I doing something wrong? I don't see how this will affect anything?
Thanks, Dan
So under servers -> (my server), under outlook anywhere
Under the internal host name, it was: mail.mydomain.org
So I just changed that to servername.mydomain.org
It's been about 10 minutes and it's still not working. Do I need to restart any services, or am I doing something wrong? I don't see how this will affect anything?
Thanks, Dan
ASKER
Thanks everyone for your help.
Sembee, ran some of the power shell scripts, but I had to also go into the settings for the owa, active sync, etc... and make both the external and internal the same, like mail.domain.org
One of those did the trick and it's working now.
Sembee, ran some of the power shell scripts, but I had to also go into the settings for the owa, active sync, etc... and make both the external and internal the same, like mail.domain.org
One of those did the trick and it's working now.
What are the FQDNs for the old / new server?
From the error message you attached it seems like the problem is that the server is pusing a certificate for let's say x.domain.com but you are connecting to it via y.domain.com.
In that case, even if x.domain.com's certificate is valid, it won't work correctly because of the different FQDN.
I suggest you check this out and update if the error disappeared / changed / stayed the same.