Solved

Exchange 2013 SP1, Outlook Certificate Error after removing local SAN names from SSL Certificate.

Posted on 2014-04-12
Last Modified: 2016-06-02
Hi,

I recently had to renew our UC SSL Certificate, and now obviously you can't include internal non-FQDN domains such as .local. So I removed the .local internal SANs from the certificate and changed the virtual directories to use the external FQDN address for both internal and external access, as well as Outlook Anywhere. This has worked, but I now get a certificate error saying that the name is invalid or does not match the certificate.

I'm obviously missing some setting or name. My server is Exchange2013.localdomain and the external name is mail.fddomain.com. Apart from the virtual directories, Outlook Anywhere and the Autodiscover URL (all of which have the external URL), what else needs to be set to avoid the certificate error?

My certificate has Autodiscover.fddomain.com, mail.fddomain.com and fddomain.com in the SANs, so it should all be OK. But somewhere Exchange2013.localdomain is being referenced and I can't think where.

Any pointer will be very much appreciated!

I am running Exchange 2013 SP1 on Windows 2012 STD and Outlook 2013 clients.
Question by:gabiosz
25 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39996101
The simple, no-impact solution is to update your internal URLs to match the external URLs:


You can get the external URLs here:
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize


Then change your internal URLs to match the external URLs:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
0
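The listing-then-setting procedure above checks each URL by eye. As an added example (not code from the thread), the following Exchange Management Shell script does the comparison automatically: it reads the SAN list of the CA-issued certificate bound to IIS, then walks every client-facing URL (the virtual directories, the Autodiscover SCP URI on the Client Access server and the Outlook Anywhere host names) and flags any whose host name is not on that certificate. `$Server` defaults to the local machine; `Get-MapiVirtualDirectory` is included because MAPI/HTTP arrived with SP1, and is skipped if the cmdlet is absent. Only exact SAN matches are considered, which is what a UC/SAN certificate like the one in the question provides.

```powershell
# Added example, not code from the thread: audit every client-facing URL on an
# Exchange 2013 server against the names on the certificate that IIS serves.
# Run it in the Exchange Management Shell. $Server defaults to the local machine.
param([string]$Server = $env:COMPUTERNAME)

# The CA-issued certificate bound to IIS (Services contains "IIS", not self-signed).
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
        Select-Object -First 1
if (-not $cert) { throw "No CA-issued certificate is bound to IIS on $Server" }

# Exact SAN matching only; a UC/SAN certificate lists each name explicitly.
$sanNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-UrlOnCert([string]$Url) {
    if ([string]::IsNullOrWhiteSpace($Url)) { return $true }   # unset = not used
    return $sanNames -contains ([uri]$Url).Host.ToLower()
}

$checks = @()

# Virtual directories that Outlook, OWA, ActiveSync and OAB clients connect to.
foreach ($cmdlet in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                    'Get-OabVirtualDirectory', 'Get-WebServicesVirtualDirectory',
                    'Get-ActiveSyncVirtualDirectory', 'Get-MapiVirtualDirectory') {
    # Get-MapiVirtualDirectory only exists from SP1 (CU4); skip it if missing.
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($vd in @(& $cmdlet -Server $Server)) {
        if (-not $vd) { continue }
        foreach ($setting in 'InternalUrl', 'ExternalUrl') {
            $checks += [pscustomobject]@{
                Object = "$($vd.Identity)"; Setting = $setting; Value = "$($vd.$setting)"
            }
        }
    }
}

# The SCP value that domain-joined Outlook reads from Active Directory.
$cas = Get-ClientAccessServer -Identity $Server
$checks += [pscustomobject]@{
    Object = "$($cas.Identity)"; Setting = 'AutoDiscoverServiceInternalUri'
    Value  = "$($cas.AutoDiscoverServiceInternalUri)"
}

# Outlook Anywhere host names are bare names, not URLs; wrap them for the check.
$oa = Get-OutlookAnywhere -Server $Server
foreach ($setting in 'InternalHostname', 'ExternalHostname') {
    $h = "$($oa.$setting)"
    $checks += [pscustomobject]@{
        Object = "$($oa.Identity)"; Setting = $setting
        Value  = $(if ($h) { "https://$h/rpc" } else { '' })
    }
}

# Report; anything with OnCert = False is a name Outlook will complain about.
$report = $checks | ForEach-Object {
    $_ | Add-Member -NotePropertyName OnCert -NotePropertyValue (Test-UrlOnCert $_.Value) -PassThru
}
$report | Format-Table Object, Setting, Value, OnCert -AutoSize
$bad = @($report | Where-Object { -not $_.OnCert })
if ($bad.Count) { Write-Warning "$($bad.Count) URL(s) reference a name not on $($cert.Subject)" }
```

An empty value is reported as OK because an unset URL is simply not handed to clients; the interesting rows are those where a value is set and OnCert is False. Run it again after `iisreset` to confirm nothing still carries the old .local name.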
 

Author Comment

by:gabiosz
ID: 39996107
Thanks,

They are all correct and using the external URLs already,  except for:
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize

Which returns:
Server       InternalUrl ExternalUrl
------       ----------- -----------
EXCHANGE2013

I can't seem to set this using the Set- command, is this right?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39996110
Which endpoint are you calling when you get the certificate error ?
0
 

Author Comment

by:gabiosz
ID: 39996114
It seems to be looking for Exchange2013.localdomain, it pops up in Outlook 2013 after about 30 seconds of opening. I think that it's Autodiscover.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39996121
Yup that's it.

Set Autodiscover to the external URL for both.

More info on configuring Autodiscover:
http://msdn.microsoft.com/en-us/library/office/jj900169(v=exchg.150).aspx

You should be able to use the DNS name you used for the other endpoints above, based on your server configuration.
0
 

Author Comment

by:gabiosz
ID: 39996129
Using which command?

Set-AutodiscoverVirtualDirectory doesn't seem to work.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39996138
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml


Also set external uri
0
 

Author Comment

by:gabiosz
ID: 39996173
Thanks, but that is already correctly set to the external URL
0
 
LVL 29

Expert Comment

by:becraig
ID: 39996186
I would reset iis and try again.

At this point none of your internal URLs point to exchange2013, using the command I gave you to query the internal and external URLs, correct?
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 39996203
Do computers that aren't part of the domain have the same issue?

If not, it's probably the SCP records in AD. To modify them, go into the Exchange Management Shell and try the following, replacing CASSERVER with the NetBIOS name (aka short or host name) of your CAS server and YOURDOMAIN.COM with the correct DNS domain name:

Get-ClientAccessServer -Identity CASSERVER | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://autodiscover.YOURDOMAIN.COM/autodiscover/autodiscover.xml


You'll need to do this for each CAS server.
0
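The SCP record mentioned above is what separates domain-joined clients from the rest: domain-joined Outlook looks it up in Active Directory before it ever tries DNS. As an added example (not code from the thread), this script reads those Service Connection Point objects directly from the Configuration partition, without the Exchange cmdlets, so you can see exactly the URL a domain-joined client will receive. It needs only a domain-joined machine with read access to AD. The `$ExpectedHost` default is an assumption taken from the question; set it to the name on your certificate.

```powershell
# Added example, not code from the thread: read the Autodiscover Service
# Connection Point (SCP) objects straight from Active Directory, the way a
# domain-joined Outlook client finds Autodiscover. No Exchange cmdlets needed.
# $ExpectedHost is an assumption for illustration; use the name on your certificate.
param([string]$ExpectedHost = 'mail.fddomain.com')

# Outlook selects SCP objects whose keywords attribute carries this well-known GUID.
$autodiscoverKeyword = '77378F46-2C66-4aa9-A6A6-3E7A48B19596'

$configNc = ([adsi]'LDAP://RootDSE').configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$configNc"
$searcher.Filter     = "(&(objectClass=serviceConnectionPoint)(keywords=$autodiscoverKeyword))"
$searcher.PageSize   = 200
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]('cn', 'serviceBindingInformation', 'keywords', 'whenChanged'))

function Get-AutodiscoverScp {
    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties          # property keys are lower-case here
        $url = [string]$p['servicebindinginformation'][0]
        [pscustomobject]@{
            Server      = [string]$p['cn'][0]
            Url         = $url
            # Outlook prefers SCPs whose Site= keyword matches the client's own AD site
            Site        = (@($p['keywords']) | Where-Object { $_ -like 'Site=*' }) -join ';'
            WhenChanged = $p['whenchanged'][0]
            HostMatches = (([uri]$url).Host -ieq $ExpectedHost)
        }
    }
}

Get-AutodiscoverScp | Format-Table -AutoSize
```

One row per Client Access server is expected. A row with HostMatches = False is a server whose `Set-ClientAccessServer -AutodiscoverServiceInternalUri` has not been run, or whose change has not yet replicated to the domain controller the client is using; WhenChanged helps tell those two apart.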
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39996297
You don't have to do anything with get/set-autodiscovervirtualdirectory
That shouldn't be touched as the URL you may set on there would not be used either internally or externally.

Go through my article on changing the URLs:
http://semb.ee/hostnames2013

Don't forget to run iisreset afterwards and ensure the external name resolves internally to the Exchange server.

Simon.
0
 

Author Comment

by:gabiosz
ID: 39999468
Hi Simon,

The article was very useful, and I followed it to the letter, including the script just in case I had missed anything, and then ran iisreset...

However, the Outlook 2013 clients are still complaining about the certificate with error "name is invalid or does not match the certificate"!

I am banging my head against a wall here.

The error dialogue has the internal server name at the top "Exchange2013.localdomain", so am I right in thinking that this is still being presented somewhere?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39999538
I remember suggesting above that you update the internal url for autodiscover, you said it was already set to use the External url but in looking at your output that does not appear to be true:

Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize

Which returns:
Server       InternalUrl ExternalUrl
------       ----------- -----------
EXCHANGE2013

Can you please verify that you have updated the Autodiscover url and run iisreset ?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39999652
Setting any URL on Autodiscover virtual directory will make no difference whatsoever. The default is null, and it should be left as that, as the clients don't query it.

If you are still getting prompts, do an Autodiscover test in the client and see which value it is that hasn't been changed.
http://semb.ee/adt

Simon.
0
 

Author Comment

by:gabiosz
ID: 39999691
The Autodiscover test returns all the correct results so I'm not sure what's going on.
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 40000065
If you can please test with a machine that is not joined to the domain and let us know if you see the same behavior
0
 

Author Comment

by:gabiosz
ID: 40000101
Computers not joined to the domain are OK; they show no errors and have picked up any changes to the Autodiscover settings perfectly.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40000231
Non-domain machines work in a different way.
That means it has to be something wrong with the value you see here:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Simon.
0
 
LVL 3

Expert Comment

by:aces4all00
ID: 40000405
If you run the command Simon posted above from EMS it will likely show the Exchange2013.localdomain you indicated previously.  Please try and report the result.
0
 

Author Comment

by:gabiosz
ID: 40001234
It returns the expected result, and I'm still getting the errors :-/

Identity      AutoDiscoverServiceInternalUri
--------      ------------------------------
EXCHANGE2013  https://mail.mydomain.co.uk/Autodiscover/Autodiscover.xml
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40001309
If you browse to the URL, what happens?
You shouldn't get errors - instead you get an authentication prompt. After authenticating some ransom XML will be returned.

Simon.
0
 

Author Comment

by:gabiosz
ID: 40001403
Yes, it does just that and outputs the following when I input the credentials:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
      <Autodiscover><Response><Error Time="13:17:39.9248684" Id="3465183927"><ErrorCode>600</ErrorCode><Message>Invalid Request</Message><DebugData/></Error></Response></Autodiscover>
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40003858
The XML content isn't really a concern - as the browser isn't Outlook. If you get something back then fine. I should have said RANDOM XML above.

You need to check your URLs again, and also check the SSL bindings are correct in IIS manager.

Run

get-exchangecertificate

The trusted certificate should be bound to IIS (I in Services); the self-signed one should not.

Simon.
0
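`Get-ExchangeCertificate` shows which certificate Exchange thinks is assigned to IIS; the check a practitioner actually wants is which certificate the server presents on the wire, because that is what Outlook compares the name against when it reports "the name on the security certificate is invalid or does not match". As an added example (not code from the thread), this script performs a TLS handshake against each client-facing name, sending the name as SNI, and reports the presented certificate's subject, thumbprint and whether the name is on it, alongside the internal DNS answer for that name (Simon's point that the external name must resolve internally to the Exchange server). The two default names are assumptions taken from the question; replace them with yours.

```powershell
# Added example, not code from the thread: handshake against each client-facing
# name and report the certificate the server really presents. The default names
# are assumptions from the question; the script runs from any Windows PowerShell.
param(
    [string[]]$Names = @('mail.fddomain.com', 'autodiscover.fddomain.com'),
    [int]$Port = 443
)

function Get-PresentedCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback always returns $true: we inspect the cert, we don't trust it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)    # $HostName is sent as the SNI value
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Get-CertificateNames($Cert) {
    $names = @($Cert.GetNameInfo('SimpleName', $false))        # subject CN
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Windows formats the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
    }
    return $names | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
}

foreach ($name in $Names) {
    # What the name resolves to from here: it should be the Exchange server, not a public IP.
    $addresses = ([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) -join ', '
    $cert      = Get-PresentedCertificate $name $Port
    $certNames = Get-CertificateNames $cert
    [pscustomobject]@{
        Name       = $name
        ResolvesTo = $addresses
        Subject    = $cert.Subject
        Expires    = $cert.NotAfter
        NameOnCert = ($certNames -contains $name.ToLower())    # exact match; wildcards not handled
        Thumbprint = $cert.Thumbprint
    }
}
```

If NameOnCert is False and the Thumbprint matches one of the self-signed entries from `Get-ExchangeCertificate`, the IIS binding is serving the wrong certificate regardless of what the Services column says. Running it with `-Port 444` shows the Exchange Back End site, which is expected to present the self-signed certificate; Outlook never connects to that port directly.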
 

Accepted Solution

by: gabiosz (earned 0 total points)
ID: 40003894
Thanks, here is the output from get-exchangecertificate without the thumbprint.

I have checked the bindings in IIS and it is ok.

Services   Subject
--------   -------
IP.WS..    CN=www.mydomain.co.uk, OU=Domain Control Validated
.......    CN=localhost
....S..    CN=Microsoft Exchange Server Auth Certificate
....S..    CN=Exchange2013
.......    CN=WMSvc-EXCHANGE2013

I have actually managed to get rid of the errors by clicking "No" on the warning once, and the notification does not re-appear. Only the Outlook 2013 clients were complaining; the Outlook 2010 clients worked OK. Now all seems to be working, so I hope that's the end of it.
0
