Solved

Exchange 2013 invalid certificate

Posted on 2014-04-10
10
525 Views
Last Modified: 2014-04-18
Hi Guys
I just installed an Exchange 2013 and I install an 3 party certificate that point to mail.extdomain.com and I create a zone on DNS called extdoamin.com the I create an A record on that zone called mail.extdomain.com pointing to the internal IP of the Exchange server and an autodiscover.extdomain.com pointing to the IP of the Exchange server.
For some reason when I start to configure Outlook 2013 on the clients PC's I get he certificate error bellow.
Any idea why?

cert
0
Comment
Question by:infedonetwork
  • 5
  • 5
10 Comments
 
LVL 28

Expert Comment

by:becraig
Comment Utility
You can run the following commands to get the External Urls:
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* –AutoSize

Then change your internal urls to match the external urls:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
0
 
LVL 2

Author Comment

by:infedonetwork
Comment Utility
Can I do this from the ECP?
I already set all the externals URL from ECP under virtual directory.
I can try to do it but lust time I did it from there it mess-up.
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Do you not have the exchange cmdlets available ?

That would make it much easier for you, you can validate the command here before you run, however the first command I gave you would give you the EXACT urls under both Internal and External - the first command makes no changes it only gives you the detailed info on current configuration.
0
 
LVL 2

Author Comment

by:infedonetwork
Comment Utility
Those are the results for the commands you give me.
I was wondering if the autodiscover "exchange" I should change it to "mail.domain.com"?
Also do I have to change all those internal URL to match the external or just the autodiscover one and the OWA?
Can that be done from ECP virtual directory?

exchange
0
 
LVL 2

Author Comment

by:infedonetwork
Comment Utility
If you look at the certificate error on top right it say autodiscover.domain.ca
That's when I create the A record for Autodiscover on DNS.
If I delete that record and leave on DNS only mail.domain.com then I 'm getting on the certificate the exchange name instead of the autodiscover.doamain.ca
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
Comment Utility
No you do not need to change to mail.xx.com

you are using a .ca domain just have the domain reflect what the EXT url currently says.
Hostname - being the name of the server

Commands:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.xx.ca/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.xx.ca/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.xx.ca/oab

Validate the urls against your actual domain names
0
 
LVL 2

Author Comment

by:infedonetwork
Comment Utility
I did all that and 2 out of 5 outlook profiles was not giving me the certificate error.
So I delete from DNS the autodiscover.domain.ca and left only mail.domain.com and now I did 3 profiles and no more cert error.
I will let you know how that goes once I'm done with everything.
Also I was wondering if I did something wrong on the deployment or this is something that needs to be done every time after Exchange is installed. I have the felling that I did something wrong with the 3th party certificate when I did the cert request.
I'm just assuming.
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
I was just the mapping of the names to the certificates.

Now that is resolved I think you should be ok.
0
 
LVL 2

Author Comment

by:infedonetwork
Comment Utility
So this is something that I can do to make sure it does not happen next time or I have to do this every exchange I deploy?
0
 
LVL 28

Expert Comment

by:becraig
Comment Utility
Once you deploy with the internal and External URLs matching then you will not run into this issue.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now