Solved

Outlook 2013 certificate error

Posted on 2014-02-16
Last Modified: 2014-02-17
I just upgraded my Exchange from 2007 to 2013, well, I migrated, as it's a new server.
Some clients are fine, but some are getting this error message. It's attached.

How do I resolve this, as I did a Google search, and I couldn't really find anything. I found one article, which I did install the Exchange certificate on this machine with this error, but it's still not working.

I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/

The client is running Outlook 2013 RTM. Others are running 2010, with either SP1 or SP2.

I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using Outlook 2013. When using the Outlook Web App, it allows the user to log in with no errors.

Any thoughts?
outlook.PNG
Question by:afacts
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 100 total points
ID: 39863434
Are you using a self signed cert or a 3rd party?
0
 

Expert Comment

by:YoavZ
ID: 39863446
Hey,

What are the FQDNs for the old / new server?
From the error message you attached it seems like the problem is that the server is pushing a certificate for, let's say, x.domain.com but you are connecting to it via y.domain.com.

In that case, even if x.domain.com's certificate is valid, it won't work correctly because of the different FQDN.

I suggest you check this out and update if the error disappeared / changed / stayed the same.
0
 

Author Comment

by:afacts
ID: 39863554
I am using a third-party certificate from Go Daddy. I exported the certificates from the old server and imported them into the new server, but I am getting this error message. Some other clients are working okay though, they do not receive this message.
0
 

Author Comment

by:afacts
ID: 39863555
YoavZ, so how do I check or fix the problem? What is there to fix exactly?
0
 

Expert Comment

by:YoavZ
ID: 39863578
Check what FQDN those clients are using to connect to the Exchange server.

If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them point to the same IP, you'll still have a problem with the certificate.

1. Check what hostname is configured in the clients' mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match).
0
 

Author Comment

by:afacts
ID: 39863771
I went to the mail settings via the Control Panel and was able to change the server to point my Outlook to the new server instead of the old server. I restarted Outlook and I was able to get past that error message, but now I'm getting a different error message.

The error message is attached.
security-alert-certificate.jpg
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39864095
The error means what it says.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.

Get-ClientAccessServer | Select Identity, AutoDiscoverServiceInternalUri

That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.

Simon.
0
 

Assisted Solution

by:YoavZ
YoavZ earned 100 total points
ID: 39864243
If you point the clients to the new server but the SSL certificate was generated for the old server's FQDN - it won't work.

Check it again...
0
 

Author Comment

by:afacts
ID: 39864515
So basically, instead of moving my cert from the old server to the new, should I get a new cert for my new server from my third party provider?
0
 

Author Comment

by:afacts
ID: 39864518
The cert that I have now is the
newserver .domain.org

Isn't that what it should be?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39864542
I wouldn't use a server's real name for the SSL certificate. I prefer to use a generic name, like mail, remote, webmail etc.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:afacts
ID: 39864601
Thanks Sembee, those instructions are for Exchange 2010, do you have the same instructions for 2013?

So what you're saying is I should get a new cert for the server: mail.domain.org, right?

I guess I was concerned about the Outlook clients, if they are now pointing to my Exchange server internal real name, will Outlook automatically repoint to the new server name in the cert? I have about 75 computers and would hate to update them one by one.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 300 total points
ID: 39865855
The same settings apply - nothing has changed with Exchange 2013 other than the GUI is now the web page. The script works for Exchange 2013. I do need to complete the article for Exchange 2013, I am hoping to have it ready for SP1.

If you change the host name in Outlook Anywhere, then Autodiscover will update the clients automatically to use that host name.
If you want to be completely safe, get a one year certificate, include the name they are using now as one of the additional names, then next year, switch to a multi year certificate with just generic names on it.

Simon.
0
 

Author Comment

by:afacts
ID: 39865870
So I'm a little lost where and what you want me to change?

So under Servers -> (my server), under Outlook Anywhere
Under the internal host name, it was: mail.mydomain.org

So I just changed that to servername.mydomain.org

It's been about 10 minutes and it's still not working. Do I need to restart any services, or am I doing something wrong? I don't see how this will affect anything?

Thanks, Dan
0
 

Author Closing Comment

by:afacts
ID: 39866238
Thanks everyone for your help.

Sembee, ran some of the PowerShell scripts, but I had to also go into the settings for the OWA, ActiveSync, etc... and make both the external and internal the same, like mail.domain.org

One of those did the trick and it's working now.
0
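
The check this thread converges on is that every host name Exchange hands to Outlook must appear on the certificate. The script below is an added example for the Exchange Management Shell on Exchange 2013, not part of any post above; it assumes the third-party certificate is the non-self-signed one assigned to IIS, and `Test-NameCovered` is a helper name made up for this example.

```powershell
# Added example: audit configured host names against the IIS certificate.

# Names (subject + SANs) on the unexpired, non-self-signed cert(s) assigned to IIS.
$certNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned -and
                   $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique

# Hypothetical helper: exact match, or a wildcard covering one left-most label.
function Test-NameCovered([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

$configured = @()

# Autodiscover SCP, the value Simon's Get-ClientAccessServer command shows.
Get-ClientAccessServer | ForEach-Object {
    $configured += [pscustomobject]@{
        Source   = "Autodiscover SCP ($($_.Name))"
        HostName = ([uri]"$($_.AutoDiscoverServiceInternalUri)").Host }
}

# Internal and external URLs of the web virtual directories (OWA, ActiveSync, ...).
$vdirCmds = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
            'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
            'Get-OabVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vd in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) { $configured += [pscustomobject]@{
                Source = "$cmd $prop"; HostName = ([uri]"$($vd.$prop)").Host } }
        }
    }
}

# Outlook Anywhere host names (the setting changed in the EAC above).
foreach ($oa in Get-OutlookAnywhere) {
    foreach ($prop in 'InternalHostname', 'ExternalHostname') {
        if ($oa.$prop) { $configured += [pscustomobject]@{
            Source = "OutlookAnywhere $prop"; HostName = "$($oa.$prop)" } }
    }
}

$configured | Select-Object Source, HostName,
    @{ n = 'CoveredByCert'; e = { Test-NameCovered $_.HostName $certNames } } |
    Sort-Object CoveredByCert, HostName | Format-Table -AutoSize
```

Any row with `CoveredByCert` set to `False` is a name clients will be sent to that the certificate does not list, which is what produces the Outlook name-mismatch prompt.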
