Solved

Outlook 2013 certificate error

Posted on 2014-02-16
15
717 Views
Last Modified: 2014-02-17
I just upgraded my exchange from 2007 to 2013, well, I migrated, as it's a new server.
Some clients are fine, but some are getting this error message.  it's attached.

How do I resolve this, as I did a google search, and I couldn't really find anything.  I found one article, which I did install the exchange certificate on this machine with this error, but it's still not working.

I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/

The client is running outlook 2013 RTM.  Other are running 2010, with either SP1 or Sp2.

I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using outlook 2013.   When using the outlook web app, it allows the user to log in with no errors.

Any thoughts?
outlook.PNG
0
Comment
Question by:afacts
  • 8
  • 3
  • 3
  • +1
15 Comments
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 100 total points
ID: 39863434
Are you using a self signed cert or a 3rd party?
0
 

Expert Comment

by:YoavZ
ID: 39863446
Hey,

What are the FQDNs for the old / new server?
From the error message you attached it seems like the problem is that the server is pusing a certificate for let's say x.domain.com but you are connecting to it via y.domain.com.

In that case, even if x.domain.com's certificate is valid, it won't work correctly because of the different FQDN.

I suggest you check this out and update if the error disappeared / changed / stayed the same.
0
 

Author Comment

by:afacts
ID: 39863554
I am using a third-party certificate from Go Daddy.  I exported the certificates from old server and imported it into the new server, but I am getting this error message.  Some other clients are working okay though, they do not receive this message.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:afacts
ID: 39863555
Yoavz,  so how do I check or fix the problem?  What is there to fix exactly?
0
 

Expert Comment

by:YoavZ
ID: 39863578
Check what FQDN those clients are using to connect to the Exchange server.

If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them points to the same IP, you'll still have a problem with the certificate.

1. Check what hostname is configured in the clients mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match)
0
 

Author Comment

by:afacts
ID: 39863771
I went to the mail settings via the control panel and was able to change the server to point my outlook instead of the old server to the new server.  I restarted outlook and i was able to pass that error message, but now I'm getting a different error message.

The error message is attached.
security-alert-certificate.jpg
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39864095
The error means what it says.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.

Simon.
0
 

Assisted Solution

by:YoavZ
YoavZ earned 100 total points
ID: 39864243
If you point the clients to the new server but the SSL certificate was generated for the old server's FQDN - it won't work.

check it again...
0
 

Author Comment

by:afacts
ID: 39864515
So basically, instead of moving my cert from the old server,  to the new, should I get a new cert for my new server from my third party provider?
0
 

Author Comment

by:afacts
ID: 39864518
The cert that I have now is the
newserver .domain.org

Isn't that what it should be?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39864542
I wouldn't use a server's real name for the SSL certificate. I prefer to use a generic name, like mail, remote, webmail etc.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:afacts
ID: 39864601
Thanks sembee, those instructions are for exchange 2010, do you have the same instructions for 2013?

So what you're saying is I should get a new cert for the server: mail.domain.org,  right?

I guess I was concerned about the outlook clients, if they are now pointing to my exchange server internal real name, will outlook automatically repoint to the new server name in the cert?  I have about 75 computers and would hate to update them one by one.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 300 total points
ID: 39865855
The same settings apply - nothing has changed with Exchange 2013 other than the GUI is now the web page. The script works for Exchange 2013. I do need to complete the article for Exchange 2013, I am hoping to have it ready for SP1.

If you change the host name in Outlook Anywhere, then Autodiscover will update the clients automatically to use that host name.
If you want to be completely safe, get a one year certificate, include the name they are using now as one of the additional names, then next year, switch to a multi year certificate with just generic names on it.

Simon.
0
 

Author Comment

by:afacts
ID: 39865870
So I'm a little lost where and what you want me to change?

So under servers -> (my server), under outlook anywhere
Under the internal host name, it was:  mail.mydomain.org

So I just changed that to servername.mydomain.org

It's been about 10 minutes and it's still not working.  Do I need to restart any services, or am I doing something wrong?   I don't see how this will affect anything?

Thanks, Dan
0
 

Author Closing Comment

by:afacts
ID: 39866238
Thanks everyone for your help.

Sembee, ran some of the power shell scripts, but I had to also go into the settings for the owa, active sync, etc... and make both the external and internal the same, like mail.domain.org

One of those did the trick and it's working now.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question