Solved

The Name of the Security Certificate is invalid or does not match...

Posted on 2014-04-08
Last Modified: 2014-04-11
Hi all,

I could really do with a hand on the below because I've done what I can find on the net but nothing has worked.

So we installed our own commercial SSL on our Exchange 2010/SBS2011 box and now our end users are getting the following when opening Outlook:

1. They are getting the Security Alert: The name on the security certificate is invalid or does not match the name of the site
2. When trying to use out of office, a pop-up box appears saying the server is unavailable.

I have run the following commands in the Exchange shell:

Set-ClientAccessServer -Identity CASSRV -AutodiscoverServiceInternalUri https://mail.exchangelog.info/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CASSRV\EWS (Default Web Site)" -InternalUrl https://mail.exchangelog.info/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CASSRV\OAB (Default Web Site)" -InternalUrl https://mail.exchangelog.info/oab

which all executed without errors. When I click View Certificate on the security alert, it's the correct FQDN.
I've done this quite a few times now on other servers, but for whatever reason running these commands on this server doesn't seem to solve the error.

I don't know if it matters, but for some reason we can run out of office fine if using OWA.

Get-ExchangeCertificate in the shell gives me this info:

2291967B446735897113C474699602F7A7C3B35E  ...WS.     CN=ssl.domain.x, OU=Do
E3CC4B93F67A0E6898C0F0666B0CB652BF13117D  IP..S.     CN=server.domain.local
9C801317707F56ACF01C183198E58E4A7AAF8053  IP.WS.     CN=Sites
86A292D95C239712911BBBDA4B50E2BAB696AC3B  ......     CN=server-domain-CA
3508610534F21E9DF703C5BAF03FF2C04C13F7D0  ......     CN=WMSvc-WIN-ASMM940OVOT

Any help really would be appreciated.

Andy
0
Question by:AndyPandaX
13 Comments
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39987300
I will add that the end users are using Office 2013, just in case you need to know that :)
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39987596
I have seen this before on SBS servers. I have some questions for the purpose of clarification.
Can you verify internal DNS has the mail.exchangelog.info as you specified in EMS?
Can you browse to WebServicesVirtualDirectory -Internal URL (https://mail.exchangelog.info/ews/exchange.asmx), authenticate, and get XML?
Can you run Test-WebServicesConnectivity and post the results?
Also, did you buy a commercial SAN certificate?
Thanks,
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988129
Hi Adamsanders,

1. Internal DNS has a new primary zone with the FQDN of the SSL. I can do an internal lookup and the SSL FQDN resolves to the Exchange's IP

2. I can browse to the Webservice Virtual Directory, authenticate with admin details and get an XML page

3. I tried running the test-Webservices but get the error The specified client access server was not found in active directory

4. The SSL was a GoDaddy SSL. I believe it was a SAN SSL

thank you!
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988142
Further to the above the end users are getting a security popup now asking for login credentials and the error Security Alert autodiscover.primaryemaildomain.uk.net.

View certificate button gives the info :
issued to *secure-secure.co.uk
Issued by: GlobalSign Domain Validation.

I have no idea what this is, our SSL came from GoDaddy and this is not the domain it was issued to.
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988149
AdamSanders,

Sorry to bombard you with information but I have had a slight development...

Further to the above when the end user is getting the popup credentials box if I put the active directory username and password in then everything seems to work fine. No SSL pop ups and out of office works!

Does that help?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39988170
As this is SBS, did you use the wizards within the SBS console to install the certificate?
If not, then that is the first problem you need to resolve. You need to use the wizards to configure the server, it is designed to work in that way, and if you try to use the manual tools you will find things break.

The SSL certificate you have posted belongs to Heart Internet in the UK. That almost certainly means your DNS and/or host names are not set up correctly internally and the client has gone externally for Autodiscover.

Using the wizard to install and configure the SSL certificate will almost certainly resolve those issues.

The popup box is probably because of the SSL certificate issue - Outlook cannot really cope well with SSL prompts so will throw a pop up. Entering the credentials doesn't really help much, other than passing the prompt - and sending credentials to some random server.

Simon.
0
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988190
Hi Simon,

I followed GoDaddy's instructions for installing the SSL.
Heart Internet are the registrars for the primary email domain our Exchange uses, and it was this domain that was being presented in the security warning box. We have no SSL cert with Heart. Also I have set the internal autodiscovery URL to the SSL FQDN so I don't understand why it's prompting in Outlook for the Heart Internet one.

Thanks for your time
Andy
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39988247
You need to use the wizard in SBS, rather than the instructions from GoDaddy. SBS 2011 uses Exchange 2010, but it is set up in a slightly different way. The certificate is also used for other things.

The ISP has a secure site, probably for their web hosting customers, which is why you are getting SSL prompts. The DNS is not set up correctly. If you use the SSL wizard to enable the certificate then it will be done correctly, including the internal names.

With an SBS server, when you use the wizards there is no need to run any manual commands.

The problem you will have though is SBS wants to use remote.example.com, but going by your commands above, you have used mail instead of remote. Therefore you will have to run through the wizard to configure the internal host name first, changing it from the default of remote.example.com to match the name on your SSL certificate, then run through the SSL wizard choosing to use an existing certificate. Your trusted certificate should then appear.

Number one rule with SBS servers, use the wizards. If you don't, then things do not work in the way that is expected. Do NOT treat it as a full product.

Simon.
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39988518
You can use "mail.", but be sure your SAN certificate has "remote." and "autodiscover." in the subject alternate fields of the certificate. If it doesn't, have the CA reissue the certificate.
You will need to create a new certificate request. Go to SBS Console, click Network, and then click Connectivity. Click Add a trusted certificate in the task pane.
0
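
The name checks discussed in the comments above can be done in one pass before changing anything. This is an added example, not code from any poster in the thread: a read-only script for the Exchange Management Shell that lists every host name clients are pointed at and whether each IIS-enabled certificate carries it. The helper name Test-NameOnCertificate is hypothetical, and the script assumes every accepted domain is also used as a primary SMTP domain.

```powershell
# Added example: read-only check for the Exchange Management Shell (Exchange 2010).
# Compares the host names clients are pointed at with the names on the IIS certificate.

# Host names published to internal clients (Autodiscover SCP, EWS, OAB).
$urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutodiscoverServiceInternalUri })
$urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })
$urls += @(Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl })
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })

# Names Outlook falls back to when the SCP lookup is not used (assumption: every
# accepted domain is also used as a primary SMTP domain).
$hosts += @(Get-AcceptedDomain | ForEach-Object { "autodiscover.$($_.DomainName)" })
$hosts = @($hosts | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)

# Hypothetical helper: is $HostName covered by any name in $CertNames?
function Test-NameOnCertificate([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.example.com matches mail.example.com only.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Every certificate enabled for IIS (the 'W' flag in Get-ExchangeCertificate output).
$certs = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
foreach ($c in $certs) {
    $names = @($c.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $hosts) {
        New-Object PSObject -Property @{
            Thumbprint = $c.Thumbprint
            HostName   = $h
            OnCert     = (Test-NameOnCertificate $h $names)
        }
    }
}
```

Any row with OnCert set to False is a name that will raise the mismatch alert if a client reaches the server under it, or that resolves somewhere else entirely if internal DNS has no record for it.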
 
LVL 1

Author Comment

by:AndyPandaX
ID: 39988564
Thank you both guys. One last question then, if we have to use the wizards for installing the SSL where are the wizards and how do we start them?
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39988631
You will need to create a new certificate request. Go to SBS Console, click Network, and then click Connectivity. Click Add a trusted certificate in the task pane.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39989384
You shouldn't need to create a new certificate request. The wizards are in the SBS console.
The SBS SSL wizard for creating the certificates doesn't add the additional names, so what I usually do is create the certificate request and then deal with the response in Exchange 2010 EMC, but install and enable it with the SBS wizard.

Simon.
0
 
LVL 2

Expert Comment

by:adamsanders
ID: 39995354
Hi, can you explain what part of these solutions worked for you? Thanks,
0
