[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 736
  • Last Modified:

Outlook 2013 certificate error

I just upgraded my exchange from 2007 to 2013, well, I migrated, as it's a new server.
Some clients are fine, but some are getting this error message.  it's attached.

How do I resolve this, as I did a google search, and I couldn't really find anything.  I found one article, which I did install the exchange certificate on this machine with this error, but it's still not working.

I tried this, but no success:
http://support.microsoft.com/kb/923575
http://msexchangeteam.in/there-is-a-problem-with-the-proxy-servers-security-certificate/

The client is running outlook 2013 RTM.  Other are running 2010, with either SP1 or Sp2.

I do know that the 2010 need to have a certain KB that makes it compatible, but this machine is using outlook 2013.   When using the outlook web app, it allows the user to log in with no errors.

Any thoughts?
outlook.PNG
0
afacts
Asked:
afacts
  • 8
  • 3
  • 3
  • +1
3 Solutions
 
pgm554Commented:
Are you using a self signed cert or a 3rd party?
0
 
YoavZCommented:
Hey,

What are the FQDNs for the old / new server?
From the error message you attached it seems like the problem is that the server is pusing a certificate for let's say x.domain.com but you are connecting to it via y.domain.com.

In that case, even if x.domain.com's certificate is valid, it won't work correctly because of the different FQDN.

I suggest you check this out and update if the error disappeared / changed / stayed the same.
0
 
afactsNetwork EngineerAuthor Commented:
I am using a third-party certificate from Go Daddy.  I exported the certificates from old server and imported it into the new server, but I am getting this error message.  Some other clients are working okay though, they do not receive this message.
0
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

 
afactsNetwork EngineerAuthor Commented:
Yoavz,  so how do I check or fix the problem?  What is there to fix exactly?
0
 
YoavZCommented:
Check what FQDN those clients are using to connect to the Exchange server.

If Group-A is using a.domain.com and Group-B is using b.domain.com and both of them points to the same IP, you'll still have a problem with the certificate.

1. Check what hostname is configured in the clients mail client.
2. Make sure that the certificate is installed correctly (both public and private key should match)
0
 
afactsNetwork EngineerAuthor Commented:
I went to the mail settings via the control panel and was able to change the server to point my outlook instead of the old server to the new server.  I restarted outlook and i was able to pass that error message, but now I'm getting a different error message.

The error message is attached.
security-alert-certificate.jpg
0
 
Simon Butler (Sembee)ConsultantCommented:
The error means what it says.
You need to configure Exchange to use the host names that are listed on the SSL certificate. The one you have probably missed is the Autodiscover one.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

That needs to match the SSL certificate and you need to have it resolve internally to the Exchange server.

Simon.
0
 
YoavZCommented:
If you point the clients to the new server but the SSL certificate was generated for the old server's FQDN - it won't work.

check it again...
0
 
afactsNetwork EngineerAuthor Commented:
So basically, instead of moving my cert from the old server,  to the new, should I get a new cert for my new server from my third party provider?
0
 
afactsNetwork EngineerAuthor Commented:
The cert that I have now is the
newserver .domain.org

Isn't that what it should be?
0
 
Simon Butler (Sembee)ConsultantCommented:
I wouldn't use a server's real name for the SSL certificate. I prefer to use a generic name, like mail, remote, webmail etc.
However it doesn't really matter what the host name on the SSL certificate is, as long as
a. It resolves externally and internally to Exchange.
b. You configure Exchange to use it correctly.

http://semb.ee/hostnames

Simon.
0
 
afactsNetwork EngineerAuthor Commented:
Thanks sembee, those instructions are for exchange 2010, do you have the same instructions for 2013?

So what you're saying is I should get a new cert for the server: mail.domain.org,  right?

I guess I was concerned about the outlook clients, if they are now pointing to my exchange server internal real name, will outlook automatically repoint to the new server name in the cert?  I have about 75 computers and would hate to update them one by one.
0
 
Simon Butler (Sembee)ConsultantCommented:
The same settings apply - nothing has changed with Exchange 2013 other than the GUI is now the web page. The script works for Exchange 2013. I do need to complete the article for Exchange 2013, I am hoping to have it ready for SP1.

If you change the host name in Outlook Anywhere, then Autodiscover will update the clients automatically to use that host name.
If you want to be completely safe, get a one year certificate, include the name they are using now as one of the additional names, then next year, switch to a multi year certificate with just generic names on it.

Simon.
0
 
afactsNetwork EngineerAuthor Commented:
So I'm a little lost where and what you want me to change?

So under servers -> (my server), under outlook anywhere
Under the internal host name, it was:  mail.mydomain.org

So I just changed that to servername.mydomain.org

It's been about 10 minutes and it's still not working.  Do I need to restart any services, or am I doing something wrong?   I don't see how this will affect anything?

Thanks, Dan
0
 
afactsNetwork EngineerAuthor Commented:
Thanks everyone for your help.

Sembee, ran some of the power shell scripts, but I had to also go into the settings for the owa, active sync, etc... and make both the external and internal the same, like mail.domain.org

One of those did the trick and it's working now.
0

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

  • 8
  • 3
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now