Solved

Exchange 2013 SP1, Outlook Certificate Error after removing local SAN names from SSL Certificate.

Posted on 2014-04-12
Last Modified: 2016-06-02
Hi,

I recently had to renew our UC SSL Certificate, and now obviously you can't include internal non-FQDN domains such as .local. So I removed the .local internal SANs from the certificate and changed the virtual directories to use the external FQDN address for both internal and external access, as well as Outlook Anywhere. This has worked, but I now get a certificate error saying that the name is invalid or does not match the certificate.

I'm obviously missing some setting or name. My server is Exchange2013.localdomain and the external name is mail.fddomain.com. Apart from the virtual directories, Outlook Anywhere and the Autodiscover URL (all of which have the external URL), what else needs to be set to avoid the certificate error?

My Certificate has Autodiscover.fddomain.com, mail.fddomain.com, fddomain.com in the SANs, so it should all be OK. But, somewhere Exchange2013.localdomain is being referenced and I can't think where.

Any pointer will be very much appreciated!

I am running Exchange 2013 SP1 on Windows 2012 STD and Outlook 2013 clients.
Question by:gabiosz
 
LVL 28

Expert Comment

by:becraig
ID: 39996101
The simple no impact solution is to update your internal urls to match the external URLs:


You can get the external urls here :
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize


Then change your internal urls to match the external urls:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
0
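The audit becraig describes, as an added example that is not code from the thread: it collects every hostname Exchange 2013 hands to Outlook (SCP URI, Outlook Anywhere hostnames, every virtual directory URL) and marks the ones the certificate bound to IIS does not cover, which is where a leftover .local name shows up. It assumes the Exchange Management Shell on the CAS; `$Server`, `Test-Covered` and the table layout are mine.

```powershell
# Added example, not posted in the thread: list every hostname Exchange 2013
# publishes to clients and flag any that the IIS-bound certificate does not
# cover. Runs in the Exchange Management Shell; $Server is the CAS to audit.
param([string]$Server = $env:COMPUTERNAME)

# Names the certificate that IIS serves is valid for (SANs, lower-cased)
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-Covered([string]$Name) {
    foreach ($san in $sans) {
        if ($san -eq $Name) { return $true }
        # A wildcard SAN covers exactly one extra label (mail.example.com, not a.b.example.com)
        if ($san.StartsWith('*.') -and
            $Name -match ('^[^.]+\.' + [regex]::Escape($san.Substring(2)) + '$')) { return $true }
    }
    return $false
}

# Every setting that hands a URL or hostname to Outlook, and the cmdlet that reads it
$sources = @(
    @{ Name = 'Autodiscover SCP'; Props = 'AutoDiscoverServiceInternalUri'
       Items = Get-ClientAccessServer -Identity $Server }
    @{ Name = 'Outlook Anywhere'; Props = 'InternalHostname', 'ExternalHostname'
       Items = Get-OutlookAnywhere -Server $Server }
    @{ Name = 'EWS';  Props = 'InternalUrl', 'ExternalUrl'; Items = Get-WebServicesVirtualDirectory -Server $Server }
    @{ Name = 'OAB';  Props = 'InternalUrl', 'ExternalUrl'; Items = Get-OabVirtualDirectory -Server $Server }
    @{ Name = 'OWA';  Props = 'InternalUrl', 'ExternalUrl'; Items = Get-OwaVirtualDirectory -Server $Server }
    @{ Name = 'ECP';  Props = 'InternalUrl', 'ExternalUrl'; Items = Get-EcpVirtualDirectory -Server $Server }
    @{ Name = 'EAS';  Props = 'InternalUrl', 'ExternalUrl'; Items = Get-ActiveSyncVirtualDirectory -Server $Server }
    @{ Name = 'MAPI'; Props = 'InternalUrl', 'ExternalUrl'; Items = Get-MapiVirtualDirectory -Server $Server }
)

foreach ($src in $sources) {
    foreach ($item in @($src.Items)) {
        foreach ($prop in @($src.Props)) {
            $value = $item.$prop
            if (-not $value) { '{0,-17} {1,-31} (not set)' -f $src.Name, $prop; continue }
            # InternalUrl/ExternalUrl are Uris; the Outlook Anywhere values are bare hostnames
            $name = if ($value -is [uri]) { $value.Host.ToLower() } else { $value.ToString().ToLower() }
            $state = if (Test-Covered $name) { 'ok' } else { 'NOT ON CERTIFICATE' }
            '{0,-17} {1,-31} {2,-45} {3}' -f $src.Name, $prop, $name, $state
        }
    }
}
```

A row marked NOT ON CERTIFICATE is a name Outlook may be told to connect to that the certificate cannot vouch for; fix it with the matching Set- cmdlet and run iisreset, as the replies below advise.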
 

Author Comment

by:gabiosz
ID: 39996107
Thanks,

They are all correct and using the external URLs already,  except for:
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize

Which returns:
Server       InternalUrl ExternalUrl
------           -----------      -----------
EXCHANGE2013

I can't seem to set this using the Set- command, is this right?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39996110
Which endpoint are you calling when you get the certificate error ?
0
 

Author Comment

by:gabiosz
ID: 39996114
It seems to be looking for Exchange2013.localdomain, it pops up in Outlook 2013 after about 30 seconds of opening. I think that it's Autodiscover.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39996121
Yup that's it.

Set auto discover to the external url for both.

More info on configuring auto discover
http://msdn.microsoft.com/en-us/library/office/jj900169(v=exchg.150).aspx

You should be able to use the dns name you used for the other endpoints above based on your server configuration
0
 

Author Comment

by:gabiosz
ID: 39996129
Using which command?

Set-AutodiscoverVirtualDirectory doesn't seem to work.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39996138
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml


Also set external uri
0
 

Author Comment

by:gabiosz
ID: 39996173
Thanks, but that is already correctly set to the external URL
0
 
LVL 28

Expert Comment

by:becraig
ID: 39996186
I would reset iis and try again.

At this point none of your internal URLs point to exchange2013 using the command I gave you to query the internal and external URLs, correct?
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 39996203
Do computers that aren't part of the domain have the same issue?

If not, it's probably the SCP records in AD. To modify, go into the Exchange Management Shell and try the following, replacing CASSERVER with the NetBIOS name (aka short or host name) of your CAS server and YOURDOMAIN.COM with the correct DNS domain name:

Get-ClientAccessServer -Identity CASSERVER | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://autodiscover.YOURDOMAIN.COM/autodiscover/autodiscover.xml



You'll need to do this for each CAS server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39996297
You don't have to do anything with get/set-autodiscovervirtualdirectory
That shouldn't be touched as the URL you may set on there would not be used either internally or externally.

Go through my article on changing the URLs:
http://semb.ee/hostnames2013

Don't forget to run iisreset afterwards and ensure the external name resolves internally to the Exchange server.

Simon.
0
 

Author Comment

by:gabiosz
ID: 39999468
Hi Simon,

The article was very useful, and I followed it to the letter, including the script just in case I had missed anything, and then ran iisreset...

However, the Outlook 2013 clients are still complaining about the certificate with error "name is invalid or does not match the certificate"!

I am banging my head against a wall here.

The error dialogue has the internal server name at the top "Exchange2013.localdomain", so am I right in thinking that this is still being presented somewhere?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39999538
I remember suggesting above that you update the internal url for autodiscover, you said it was already set to use the External url but in looking at your output that does not appear to be true:

Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize

Which returns:
Server       InternalUrl ExternalUrl
------           -----------      -----------
EXCHANGE2013

Can you please verify that you have updated the Autodiscover url and run iisreset ?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999652
Setting any URL on Autodiscover virtual directory will make no difference whatsoever. The default is null, and it should be left as that, as the clients don't query it.

If you are still getting prompts, do an Autodiscover test in the client and see which value it is that hasn't been changed.
http://semb.ee/adt

Simon.
0
 

Author Comment

by:gabiosz
ID: 39999691
The Autodiscover test returns all the correct results so I'm not sure what's going on.
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 40000065
If you can please test with a machine that is not joined to the domain and let us know if you see the same behavior
0
 

Author Comment

by:gabiosz
ID: 40000101
Computers not joined to the domain are OK, they show no errors and have picked up any changes to the autodiscover settings perfectly.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000231
Non-domain machines work in a different way.
That means it has to be something wrong with the value you see here:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Simon.
0
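Both aces4all00's pointer to the SCP records in AD and Simon's remark that domain-joined machines work differently come down to the same object: the Autodiscover service connection point in the configuration partition, which Outlook on a domain member reads before it tries DNS. This added example (not code from the thread) reads those SCPs straight out of Active Directory from any domain-joined machine, without the Exchange shell, and warns about any that point at a host other than the one on the certificate; `$ExpectedHost` is a placeholder for your external name.

```powershell
# Added example, not posted in the thread: read the Autodiscover service
# connection points (SCPs) that a domain-joined Outlook looks up in Active
# Directory; this is where AutoDiscoverServiceInternalUri is actually stored.
# Needs only a domain-joined machine, not the Exchange shell; $ExpectedHost
# is a placeholder for the external name on your certificate.
param([string]$ExpectedHost = 'mail.example.com')

$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $rootDse.Get('configurationNamingContext'))
# Exchange stores the SCP under CN=Autodiscover,CN=Protocols,CN=<server>,... in the
# configuration partition; serviceBindingInformation carries the URL Outlook uses
$searcher.Filter = '(&(objectClass=serviceConnectionPoint)(serviceBindingInformation=*autodiscover*))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'distinguishedName',
    'serviceBindingInformation', 'keywords', 'whenChanged'))

$results = foreach ($r in $searcher.FindAll()) {
    $p   = $r.Properties
    $uri = [uri]([string]$p['servicebindinginformation'][0])
    [pscustomobject]@{
        Server      = ([string]$p['distinguishedname'][0] -split ',')[2] -replace '^CN='
        Url         = $uri.AbsoluteUri
        HostOnCert  = ($uri.Host -ieq $ExpectedHost)
        # 'Site=<name>' keyword scopes which AD site's clients prefer this SCP
        SiteScope   = (@($p['keywords']) | Where-Object { $_ -like 'Site=*' }) -join ';'
        WhenChanged = $p['whenchanged'][0]
    }
}
$results | Format-Table -AutoSize

# A domain-joined client that still shows the old internal name is reading an
# SCP whose HostOnCert is False, or a stale SCP left by a server no longer in use
$results | Where-Object { -not $_.HostOnCert } | ForEach-Object {
    Write-Warning ("SCP on {0} points to {1}, not {2}" -f $_.Server, $_.Url, $ExpectedHost)
}
```

If every SCP already carries the external name, check the WhenChanged column against when the client last restarted: Outlook caches the SCP lookup, so a client opened before the change can keep the old value until it is restarted.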
 
LVL 3

Expert Comment

by:aces4all00
ID: 40000405
If you run the command Simon posted above from EMS it will likely show the Exchange2013.localdomain you indicated previously.  Please try and report the result.
0
 

Author Comment

by:gabiosz
ID: 40001234
It returns the expected result, and I'm still getting the errors :-/

Identity                                AutoDiscoverServiceInternalUri
--------                                   ------------------------------
EXCHANGE2013                 https://mail.mydomain.co.uk/Autodiscover/Autodiscover.xml
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40001309
If you browse to the URL, what happens?
You shouldn't get errors - instead you get an authentication prompt. After authenticating some ransom XML will be returned.

Simon.
0
 

Author Comment

by:gabiosz
ID: 40001403
Yes, it does just that and outputs the following when I input the credentials:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
      <Autodiscover><Response><Error Time="13:17:39.9248684" Id="3465183927"><ErrorCode>600</ErrorCode><Message>Invalid Request</Message><DebugData/></Error></Response></Autodiscover>
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40003858
The XML content isn't really a concern - as the browser isn't Outlook. If you get something back then fine. I should have said RANDOM XML above.

You need to check your URLs again, and also check the SSL bindings are correct in IIS manager.

Run

get-exchangecertificate

The trusted certificate should be bound to IIS (I in services); the self-signed one should not.

Simon.
0
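Simon's point is that what matters is the certificate IIS actually presents on port 443, not the one you intended to bind. This added example (not code from the thread) checks that from any client: it opens a TLS connection to the name in your Autodiscover/EWS URLs, keeps whatever certificate the server offers, and reports its subject, SANs, expiry and whether the requested name is covered, which is exactly the condition behind the "name does not match the certificate" prompt. `$HostName` is a placeholder for your external name.

```powershell
# Added example, not posted in the thread: open a TLS connection to the name in
# your Autodiscover/EWS URLs and show which certificate IIS really presents for
# it, so a stale binding (e.g. the self-signed server certificate) is spotted
# without waiting for Outlook's prompt. $HostName is a placeholder.
param([string]$HostName = 'mail.example.com', [int]$Port = 443)

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept whatever is offered so the handshake completes and the cert can be inspected
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)          # SNI is sent as $HostName
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names  = @()
if ($sanExt) {
    $names = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
             ForEach-Object { $_.Groups[1].Value.ToLower() }
}
if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false).ToLower()) }  # CN fallback

$wanted  = $HostName.ToLower()
$matched = $names | Where-Object {
    $_ -eq $wanted -or ($_.StartsWith('*.') -and $wanted -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$'))
}

[pscustomobject]@{
    Requested  = $HostName
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SelfSigned = ($cert.Subject -eq $cert.Issuer)      # Exchange's own cert looks like CN=<server>
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    SANs       = ($names -join ', ')
    NameMatch  = [bool]$matched                        # False is the name-mismatch condition Outlook warns about
}
```

Run it once against the external name and once against the internal server FQDN: if the second returns the self-signed CN=<server> certificate, some URL or SCP is still sending clients to that name.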
 

Accepted Solution

by:
gabiosz earned 0 total points
ID: 40003894
Thanks, here is the output from get-exchangecertificate without the thumbprint.

I have checked the bindings in IIS and it is ok.

Services   Subject
--------   -------
IP.WS..    CN=www.mydomain.co.uk, OU=Domain Control Validated
.......        CN=localhost
....S..       CN=Microsoft Exchange Server Auth Certificate
....S..       CN=Exchange2013
.......        CN=WMSvc-EXCHANGE2013

I have actually managed to get rid of the errors by clicking "No" on the warning once and the notification does not re-appear. Only the Outlook 2013 clients were complaining; the Outlook 2010 clients worked OK. Now all seems to be working, so I hope that's the end of it.
0
