Solved

Exchange 2013 invalid certificate

Posted on 2014-04-10
10
552 Views
Last Modified: 2014-04-18
Hi Guys
I just installed an Exchange 2013 and I install an 3 party certificate that point to mail.extdomain.com and I create a zone on DNS called extdoamin.com the I create an A record on that zone called mail.extdomain.com pointing to the internal IP of the Exchange server and an autodiscover.extdomain.com pointing to the IP of the Exchange server.
For some reason when I start to configure Outlook 2013 on the clients PC's I get he certificate error bellow.
Any idea why?

cert
0
Comment
Question by:infedonetwork
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39993180
You can run the following commands to get the External Urls:
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* –AutoSize

Then change your internal urls to match the external urls:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx 

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 39993188
Can I do this from the ECP?
I already set all the externals URL from ECP under virtual directory.
I can try to do it but lust time I did it from there it mess-up.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39993195
Do you not have the exchange cmdlets available ?

That would make it much easier for you, you can validate the command here before you run, however the first command I gave you would give you the EXACT urls under both Internal and External - the first command makes no changes it only gives you the detailed info on current configuration.
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 
LVL 2

Author Comment

by:infedonetwork
ID: 39993201
Those are the results for the commands you give me.
I was wondering if the autodiscover "exchange" I should change it to "mail.domain.com"?
Also do I have to change all those internal URL to match the external or just the autodiscover one and the OWA?
Can that be done from ECP virtual directory?

exchange
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 39993207
If you look at the certificate error on top right it say autodiscover.domain.ca
That's when I create the A record for Autodiscover on DNS.
If I delete that record and leave on DNS only mail.domain.com then I 'm getting on the certificate the exchange name instead of the autodiscover.doamain.ca
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39993211
No you do not need to change to mail.xx.com

you are using a .ca domain just have the domain reflect what the EXT url currently says.
Hostname - being the name of the server

Commands:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.xx.ca/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.xx.ca/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.xx.ca/oab

Validate the urls against your actual domain names
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 39994436
I did all that and 2 out of 5 outlook profiles was not giving me the certificate error.
So I delete from DNS the autodiscover.domain.ca and left only mail.domain.com and now I did 3 profiles and no more cert error.
I will let you know how that goes once I'm done with everything.
Also I was wondering if I did something wrong on the deployment or this is something that needs to be done every time after Exchange is installed. I have the felling that I did something wrong with the 3th party certificate when I did the cert request.
I'm just assuming.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39994615
I was just the mapping of the names to the certificates.

Now that is resolved I think you should be ok.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 39994663
So this is something that I can do to make sure it does not happen next time or I have to do this every exchange I deploy?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39994665
Once you deploy with the internal and External URLs matching then you will not run into this issue.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question