[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 892
  • Last Modified:

Exchange 2013 Local Certificate Error

Server Information
Microsoft Windows Server 2012 R2 Standard
Microsoft Exchange Server 2013
Local Domain sd.com
Public Domain: strdetail.com

Godaddy UCC SSL Certificate Subject Alternative Names:
mail.strdetail.com
autodiscover.strdetail.com
Services: SMTP, IMPA, POP, IIS

Virtual Directories
ECP
Internal URL: https://mail.strdetail.com/ecp
External URL: https://mail.strdetail.com/ecp

EWS
Internal URL: https://mail.strdetail.com/EWS/Exchange.asmx
External URL: https://mail.strdetail.com/EWS/Exchange.asmx

Microsoft-Server-ActiveSync
Internal URL: https://mail.strdetail.com/Microsoft-Server-ActiveSync
External URL: https://mail.strdetail.com/Microsoft-Server-ActiveSync

OAB
Internal URL: https://mail.strdetail.com/OAB
External URL: https://mail.strdetail.com/OAB

OWA
Internal URL: https://mail.strdetail.com/owa
External URL: https://mail.strdetail.com/owa

PowerShell
Internal URL: https://mail.strdetail.com/powershell
External URL: https://mail.strdetail.com/powershell

DNS SRV records have been created for both internal and external domains and are pointed to mail.strdetail.com.

Mail.strdetail.com is pointed to the server both internally and externally.

Client Information
Windows 8.1 Pro
Microsoft Outlook 2013

The issue is an error message when creating the outlook profile which says

"The name on the security certificate is invalid or does not match the name of the site."

The site works perfectly from outside the domain.  I only get the error message internally.

I have done about as much Google as I can stand on this issue.  Let me know if any other information would be useful and I will provide it.
0
CyberCorpSoftware
Asked:
CyberCorpSoftware
  • 3
  • 2
1 Solution
 
Simon Butler (Sembee)ConsultantCommented:
You have probably missed Autodiscover.

get-clientaccesserver | select identity, AutodiscoverServiceInternalURI

That needs to be changed as well.

http://semb.ee/hostnames2013

Simon.
0
 
CyberCorpSoftwareAuthor Commented:
ok, I set the AutoDiscover

[PS] C:\Windows\system32>Get-ClientAccessServer |fl identity,autodiscoverserviceinternalur
Identity                       : S-FS
AutoDiscoverServiceInternalUri : https://mail.strdetail.com/autodiscover/autodiscover.xml

Now I am getting the following error when I try to create the account in outlook

"The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."

I found that in IIS I can check HTTP Redirect and point the autodiscover to
https://mail.strdetail.com/autodiscover/autodiscover.xml

This resolves the issue but creates a new one.  

"Cannot start Microsoft Outlook.  Cannot open the outlook window.  The set of folders cannot be opened.  You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)."

At this point I think my issue is still  with Autodiscover.  

C:\Windows\system32>Test-OutlookWebServices -clientaccessserver mail.strdetail.com -identity mperrigon@strdetail.com -MailboxCredential (get-credential sd\mperrigon)

Returns
Source                              ServiceEndpoint                     Scenario                       Result  Latency
                                                                                                                  (MS)
------                              ---------------                     --------                       ------  -------
S-FS.sd.com     mail.strdetail.com      Autodiscover: Outlook Provider  Failure      48
S-FS.sd.com     mail.strdetail.com      Exchange Web Services                Success     176
S-FS.sd.com     mail.strdetail.com      Availability Service                        Success      44
S-FS.sd.com     mail.strdetail.com      Offline Address Book                   Success      77
0
 
Simon Butler (Sembee)ConsultantCommented:
"I found that in IIS I can check HTTP Redirect and point the autodiscover to
https://mail.strdetail.com/autodiscover/autodiscover.xml"

Why are you using a HTTP redirect?
That shouldn't be required at all.

Change the URL to one that matches the SSL certificate and resolves to the Exchange server. Job done. The only reason I can think you have to do anything else is that there is something non-standard about the configuration of the server.

Simon.
0
 
CyberCorpSoftwareAuthor Commented:
I did end up unchecking that HTTP Redirect.  

The only thing I can think of that would make this a non-standard configuration would be

1. I do have this running on the Global Catalog Server
2. The local domain is sd.com and not strdetail.com.local which is what I see in most examples.
0
 
Simon Butler (Sembee)ConsultantCommented:
The internal domain doesn't matter as long as you have the DNS configured correctly.
That means whatever you have on the SSL certificate resolves internally and the host names match.

Running Exchange on a domain controller is not recommended and there is almost no good reason for doing so. If you use Windows 2012 or higher as your OS, then you have two virtual licences, allowing you to install two VMs on the same machine, one being a domain controller and one being the Exchange server. Having Exchange on a domain controller significantly complicates matters, particularly around recovery.

Simon.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now