Outlook 2013 certificate error

I just upgraded my exchange from 2007 to 2013, well, I migrated, as it's a new server.
Some clients are fine, but some are getting this error message.  it's attached.

How do I resolve this, as I did a google search, and I couldn't really find anything.  I found one article, which I did install the exchange certificate on this machine with this error, but it's still not working.

I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/

The client is running outlook 2013 RTM.  Other are running 2010, with either SP1 or Sp2.

I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using outlook 2013.   When using the outlook web app, it allows the user to log in with no errors.

Any thoughts?
outlook.PNG
DanNetwork EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pgm554Commented:
Are you using a self signed cert or a 3rd party?
0
YoavZCommented:
Hey,

What are the FQDNs for the old / new server?
From the error message you attached it seems like the problem is that the server is pusing a certificate for let's say x.domain.com but you are connecting to it via y.domain.com.

In that case, even if x.domain.com's certificate is valid, it won't work correctly because of the different FQDN.

I suggest you check this out and update if the error disappeared / changed / stayed the same.
0
DanNetwork EngineerAuthor Commented:
I am using a third-party certificate from Go Daddy.  I exported the certificates from old server and imported it into the new server, but I am getting this error message.  Some other clients are working okay though, they do not receive this message.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

DanNetwork EngineerAuthor Commented:
Yoavz,  so how do I check or fix the problem?  What is there to fix exactly?
0
YoavZCommented:
Check what FQDN those clients are using to connect to the Exchange server.

If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them points to the same IP, you'll still have a problem with the certificate.

1. Check what hostname is configured in the clients mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match)
0
DanNetwork EngineerAuthor Commented:
I went to the mail settings via the control panel and was able to change the server to point my outlook instead of the old server to the new server.  I restarted outlook and i was able to pass that error message, but now I'm getting a different error message.

The error message is attached.
security-alert-certificate.jpg
0
Simon Butler (Sembee)ConsultantCommented:
The error means what it says.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.

Simon.
0
YoavZCommented:
If you point the clients to the new server but the SSL certificate was generated for the old server's FQDN - it won't work.

check it again...
0
DanNetwork EngineerAuthor Commented:
So basically, instead of moving my cert from the old server,  to the new, should I get a new cert for my new server from my third party provider?
0
DanNetwork EngineerAuthor Commented:
The cert that I have now is the
newserver .domain.org

Isn't that what it should be?
0
Simon Butler (Sembee)ConsultantCommented:
I wouldn't use a server's real name for the SSL certificate. I prefer to use a generic name, like mail, remote, webmail etc.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.

http://semb.ee/hostnames

Simon.
0
DanNetwork EngineerAuthor Commented:
Thanks sembee, those instructions are for exchange 2010, do you have the same instructions for 2013?

So what you're saying is I should get a new cert for the server: mail.domain.org,  right?

I guess I was concerned about the outlook clients, if they are now pointing to my exchange server internal real name, will outlook automatically repoint to the new server name in the cert?  I have about 75 computers and would hate to update them one by one.
0
Simon Butler (Sembee)ConsultantCommented:
The same settings apply - nothing has changed with Exchange 2013 other than the GUI is now the web page. The script works for Exchange 2013. I do need to complete the article for Exchange 2013, I am hoping to have it ready for SP1.

If you change the host name in Outlook Anywhere, then Autodiscover will update the clients automatically to use that host name.
If you want to be completely safe, get a one year certificate, include the name they are using now as one of the additional names, then next year, switch to a multi year certificate with just generic names on it.

Simon.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DanNetwork EngineerAuthor Commented:
So I'm a little lost where and what you want me to change?

So under servers -> (my server), under outlook anywhere
Under the internal host name, it was:  mail.mydomain.org

So I just changed that to servername.mydomain.org

It's been about 10 minutes and it's still not working.  Do I need to restart any services, or am I doing something wrong?   I don't see how this will affect anything?

Thanks, Dan
0
DanNetwork EngineerAuthor Commented:
Thanks everyone for your help.

Sembee, ran some of the power shell scripts, but I had to also go into the settings for the owa, active sync, etc... and make both the external and internal the same, like mail.domain.org

One of those did the trick and it's working now.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Outlook

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.