Solved

The Name of the Security Certificate is invalid or does not match...

Posted on 2014-04-08
Last Modified: 2014-04-11
Hi all,

I could really do with a hand on the below because I've done what I can find on the net but nothing has worked.

So we installed our own commercial SSL on our Exchange 2010/SBS 2011 box and now our end users are getting the following when opening Outlook:


1. They are getting the Security Alert: The name on the security certificate is invalid or does not match the name of the site
2. When trying to use out of office a pop up box appears saying the server is unavailable.

I have run the following commands in exchange shell :

Set-ClientAccessServer -Identity CASSRV -AutodiscoverServiceInternalUri https://mail.exchangelog.info/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CASSRV\EWS (Default Web Site)" -InternalUrl https://mail.exchangelog.info/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CASSRV\OAB (Default Web Site)" -InternalUrl https://mail.exchangelog.info/oab

which all executed without errors. When I click view certificate on the security alert it's the correct FQDN.
I've done this quite a few times now on other servers but for whatever reason running these commands on this server doesn't seem to solve the error.

I don't know if it matters but for some reason we can run out of office fine if using OWA.

Get-ExchangeCertificate in shell gives me this info:

2291967B446735897113C474699602F7A7C3B35E  ...WS.     CN=ssl.domain.x, OU=Do
E3CC4B93F67A0E6898C0F0666B0CB652BF13117D  IP..S.     CN=server.domain.local
9C801317707F56ACF01C183198E58E4A7AAF8053  IP.WS.     CN=Sites
86A292D95C239712911BBBDA4B50E2BAB696AC3B  ......     CN=server-domain-CA
3508610534F21E9DF703C5BAF03FF2C04C13F7D0  ......     CN=WMSvc-WIN-ASMM940OVOT

Any help really would be appreciated.

Andy
Question by:AndyPandaX
13 Comments
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39987300
I will add the end users are using office 2013 just in case you need to know that :)
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39987596
I have seen this before on SBS servers. I have some questions for the purpose of clarification.
Can you verify internal DNS has the mail.exchangelog.info as you specified in EMS?
Can you browse to WebServicesVirtualDirectory -Internal URL (https://mail.exchangelog.info/ews/exchange.asmx), authenticate, and get XML?
Can you run Test-WebServicesConnectivity and post the results?
Also, did you buy a commercial SAN certificate?
Thanks,
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988129
Hi adamsanders,

1. Internal DNS has a new primary zone with the FQDN of the SSL. I can do an internal lookup and the SSL FQDN resolves to the Exchange's IP

2. I can browse to the Webservice Virtual Directory, authenticate with admin details and get an XML page

3. I tried running the test-Webservices but get the error: The specified client access server was not found in active directory

4. The SSL was a GoDaddy SSL. I believe it was a SAN SSL

thank you!
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988142
Further to the above the end users are getting a security popup now asking for login credentials and the error Security Alert autodiscover.primaryemaildomain.uk.net.

View certificate button gives the info :
issued to *secure-secure.co.uk
Issued by : globalsign Domain Validation.

I have no idea what this is, our SSL came from GoDaddy and this is not the domain it was issued to.
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988149
AdamSanders,

Sorry to bombard you with information but I have had a slight development...

Further to the above when the end user is getting the popup credentials box if I put the active directory username and password in then everything seems to work fine. No SSL pop ups and out of office works!

Does that help?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39988170
As this is SBS, did you use the wizards within the SBS console to install the certificate?
If not, then that is the first problem you need to resolve. You need to use the wizards to configure the server, it is designed to work in that way, and if you try to use the manual tools you will find things break.

The SSL certificate you have posted belongs to Heart Internet in the UK. That almost certainly means your DNS and/or host names are not setup correctly internally and the client has gone externally for Autodiscover.

Using the wizard to install and configure the SSL certificate will almost certainly resolve those issues.

The popup box is probably because of the SSL certificate issue - Outlook cannot really cope well with SSL prompts so will throw a pop up. Entering the credentials doesn't really help much, other than passing the prompt - and sending credentials to some random server.

Simon.
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988190
Hi Simon,

I followed GoDaddy's instructions for installing the SSL.
Heart Internet are the registrars for the primary email domain our Exchange uses, and it was this domain that was being presented in the security warning box. We have no SSL cert with Heart. Also I have set the internal autodiscovery URL to the SSL FQDN so I don't understand why it's prompting in Outlook for the Heart Internet one.

Thanks for your time
Andy
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39988247
You need to use the wizard in SBS, rather than the instructions from GoDaddy. SBS 2011 uses Exchange 2010, but it is set up in a slightly different way. The certificate is also used for other things.

The ISP has a secure site, probably for their web hosting customers, which is why you are getting SSL prompts. The DNS is not set up correctly. If you use the SSL wizard to enable the certificate then it will be done correctly, including the internal names.

With an SBS server, when you use the wizards there is no need to run any manual commands.

The problem you will have though is SBS wants to use remote.example.com, but going by your commands above, you have used mail instead of remote. Therefore you will have to run through the wizard to configure the internal host name first, changing it from the default of remote.example.com to match the name on your SSL certificate, then run through the SSL wizard choosing to use an existing certificate. Your trusted certificate should then appear.

Number one rule with SBS servers, use the wizards. If you don't, then things do not work in the way that is expected. Do NOT treat it as a full product.

Simon.
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39988518
You can use "mail.", but be sure your SAN certificate has "remote." and "autodiscover." in the subject alternate fields of the certificate. If it doesn't, have the CA reissue the certificate.
You will need to create a new certificate request. Go to SBS Console, click Network, and then click Connectivity. Click Add a trusted certificate in the task pane.
0
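
An added example, not part of the original thread or any participant's commands: a read-only Exchange Management Shell check that compares the host names in the configured URLs with the names on the certificate enabled for IIS. `example.com` and the `$expected` list are placeholders for your own mail domain and for the extra names (autodiscover., remote.) discussed above.

```powershell
# Read-only check; run in the Exchange Management Shell (PowerShell 2.0 compatible).
# Assumption: example.com stands in for your own domain names.
$expected = @('autodiscover.example.com', 'remote.example.com')

# Collect the URLs that Exchange hands out to Outlook clients.
$urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })

# Reduce them to unique host names and add the names clients try on their own.
$names = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host }) + $expected
$names = $names | Sort-Object -Unique

function Test-CertName([string]$HostName, [string[]]$CertDomains) {
    $dot = $HostName.IndexOf('.')
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }   # -eq is case-insensitive for strings
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not example.com or a.b.example.com.
        if ($d.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot + 1) -eq $d.Substring(2)) { return $true }
    }
    return $false
}

# Report, for every certificate enabled for IIS, which names it does not cover.
foreach ($cert in (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })) {
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($n in $names) {
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            HostName   = $n
            Covered    = (Test-CertName $n $domains)
        }
    }
}
```

Any row with `Covered` set to `False` is a name that will raise the Outlook security alert when a client connects to it on this server.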
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988564
Thank you both guys. One last question then, if we have to use the wizards for installing the SSL where are the wizards and how do we start them?
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39988631
You will need to create a new certificate request. Go to SBS Console, click Network, and then click Connectivity. Click Add a trusted certificate in the task pane.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39989384
You shouldn't need to create a new certificate request. The wizards are in the SBS console.
The SBS SSL wizard for creating the certificates doesn't add the additional names, so what I usually do is create the certificate request and then deal with the response in Exchange 2010 EMC, but install and enable it with the SBS wizard.

Simon.
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39995354
Hi, can you explain what part of these solutions worked for you? Thanks,
0


Question has a verified solution.
