Terellion asked:

Exchange 2013 Certificate Errors

Hi guys,

We are having issues with our new Exchange 2013 environment. When Outlook is opened we are prompted for credentials and get a certificate error: "The name on the security certificate is invalid or does not match the name of the site".

The thing that I think makes it complicated is we already have a 2007 Exchange environment and we are wanting to migrate to 2013 so at present it is still in test.

Exchange 2007 - 1 Server (CAS/Mailbox)
Exchange 2013 - 4 Servers, 2 CAS and 2 Mailbox Servers

I've got NLB set up on the CAS servers to a DNS record "CAS" and this works perfectly.

All virtual directories have been amended, and a new certificate containing the new CAS servers and the virtual NLB record is installed and enabled for the IIS, POP and IMAP services.

When launching Outlook, though, and actually viewing the certificate, it is pointing to one issued by the actual CAS itself, with only the CAS server in the list of records, which I'm guessing is why it isn't working.

Totally confused, as I cannot find this certificate anywhere on the CAS server, even in the Cert Manager. I don't want that CAS server issuing the certificate; I'd like it to send out the one I've generated and enabled in Exchange, which has the CAS servers and also the virtual NLB record too. Please assist, it's massively appreciated.

Thanks
ASKER CERTIFIED SOLUTION
Philip Portnoy

ASKER

Ha ha WOW what an absolute GENIUS!!!!!!!!!!!!!!!!!!!!!!!!

I actually can't believe it was that simple, there is me in Powershell checking everything over!

Okay, 1 more question then :-) I'm being prompted for a password every time I go into Outlook, any idea? :-(

It depends on how your Outlook clients authenticate to Exchange server.
Are these clients joined to the domain?
Does the problem occur when they're accessing Exchange from internal or external network?

Hi Philip,

Yep joined to the domain, Office 2010 SP2 installed. OWA works fine, only happens from internal as we do not allow external access for mail.
Does the same with Outlook 2013 too. Authentication is set to Negotiate, and when you check connection status in Outlook it shows as NTLM.

Are those Windows XP or Windows 7/8?
Do you have NTLM or Basic authentication configured? Does this appear after your cert problem is resolved?

Combination of XP and 7. On the server it is configured as Negotiate, but when checking connection status in Outlook it says NTLM.
The cert issue is resolved thanks to you, but the password issue still remains.

Are you using Autodiscover internally?
If yes, I'd recommend forcing NTLM onto the clients using the following command:

Set-OutlookAnywhere -Identity "<Server>\RPC (Default Web Site)" -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl $true


Also, please make sure that in ECP, in the Outlook Anywhere settings, the external URL is different from the ones you're using internally.

Even though you're not using external access, I'd still recommend setting the same setting for OutlookAnywhere:

Set-OutlookAnywhere -Identity "<Server>\RPC (Default Web Site)" -ExternalHostname "<external URL>" -ExternalClientAuthenticationMethod ntlm -ExternalClientsRequireSsl $true


After that, the settings will be propagated to Autodiscover.

But I've seen this issue happen and not go away on Win XP. You can try using Basic authentication then (just change ntlm to basic in the code). You're still using SSL, so data will be encrypted.
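
The Basic fallback suggested above protects the password only while SSL stays required on the Outlook Anywhere settings. The following PowerShell check is an added example, not part of the original posts or of Exchange itself: it flags Basic offered without required SSL and a client method that is not enabled in IIS. The function name `Test-OutlookAnywhereAuth` and the sample objects are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. Test-OutlookAnywhereAuth is a hypothetical
# helper name; property names follow Get-OutlookAnywhere output.
function Test-OutlookAnywhereAuth {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Config)
    process {
        # IISAuthenticationMethods is multi-valued: drop nulls, compare as strings.
        $iis = @(@($Config.IISAuthenticationMethods) | Where-Object { $_ } |
                 ForEach-Object { "$_" })
        foreach ($scope in 'Internal', 'External') {
            $method = [string]$Config."${scope}ClientAuthenticationMethod"
            $ssl    = [bool]$Config."${scope}ClientsRequireSsl"
            $issues = @()
            # Basic sends the password Base64-encoded; only TLS protects it.
            if ($method -eq 'Basic' -and -not $ssl) {
                $issues += 'Basic offered without requiring SSL'
            }
            # A method advertised to clients must also be enabled in IIS.
            if ($method -and $iis.Count -gt 0 -and $iis -notcontains $method) {
                $issues += "'$method' not in IIS methods ($($iis -join ', '))"
            }
            [pscustomobject]@{
                Server = $Config.ServerName; Scope = $scope; Method = $method
                RequireSsl = $ssl; Issues = $issues -join '; '
            }
        }
    }
}

# Constructed sample objects (server names and values are made up). In the
# Exchange Management Shell, pipe real data instead:
#   Get-OutlookAnywhere | Test-OutlookAnywhereAuth
$sample = @(
    [pscustomobject]@{
        ServerName = 'CAS1'; IISAuthenticationMethods = 'Basic', 'Ntlm', 'Negotiate'
        InternalClientAuthenticationMethod = 'Ntlm';  InternalClientsRequireSsl = $true
        ExternalClientAuthenticationMethod = 'Ntlm';  ExternalClientsRequireSsl = $true
    }
    [pscustomobject]@{
        ServerName = 'CAS2'; IISAuthenticationMethods = 'Ntlm', 'Negotiate'
        InternalClientAuthenticationMethod = 'Basic'; InternalClientsRequireSsl = $false
        ExternalClientAuthenticationMethod = 'Ntlm';  ExternalClientsRequireSsl = $true
    }
)
$sample | Test-OutlookAnywhereAuth | Format-Table -AutoSize -Wrap
```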
Hi Philip,

Yep, using Autodiscover and that works fine. Not sure what I can set the external name to really, as we don't use it :-/

I've set the internal stuff but I'm still being prompted on XP for a password; it's working fine on 7. So would you recommend just changing the authentication method to Basic to get round that?

Well, I've changed to Basic and it works, thank you SO MUCH!!!!!!!

Hi Philip, for some reason the XP clients are being prompted for a password again even though the method is Basic? Any idea? Thanks for your help.

I recommend cleaning XP's credential store to make sure that there are no saved settings.

Are clients being prompted even after you create a new Outlook profile?

Hi Philip,

Yep, even after a new Outlook profile has been created. I even deleted the local Windows profile but it's still the same: when going through the Outlook wizard of setting a new profile up it prompts for a password, and then on launch it prompts for a password.