• Status: Solved

Exchange 2013 Certificate Errors

Hi guys,

We are having issues with our new Exchange 2013 environment: when Outlook is opened we are prompted for credentials and get a certificate error, "The name on the security certificate is invalid or does not match the name of the site".

The thing that I think makes it complicated is that we already have a 2007 Exchange environment and we want to migrate to 2013, so at present it is still in test.

Exchange 2007 - 1 Server (CAS/Mailbox)
Exchange 2013 - 4 Servers, 2 CAS and 2 Mailbox Servers

I've got NLB set up on the CAS servers to a DNS record "CAS" and this works perfectly.

All virtual directories have been amended, and a new certificate containing the new CAS servers and the virtual NLB record has been installed and enabled for the IIS, POP and IMAP services.

When launching Outlook, though, and actually viewing the certificate, it is one issued by the CAS itself with only the CAS server in the list of names, which I'm guessing is why it isn't working.

Totally confused, as I cannot find this certificate anywhere on the CAS server, even in the Cert Manager. I don't want that CAS server issuing the certificate; I'd like it to send out the one I've generated and enabled in Exchange, which has the CAS servers and also the virtual NLB record. Please assist, it's massively appreciated.

Thanks
Asked by: Terellion
1 Solution
 
Philip Portnoy commented:
For Exchange 2013 this is configured using ECP (https://webmail.domain.com/ecp).
Go to Servers -> Certificates and select your CAS server(s).
From there you can actually create a new request to a Certification Authority, use the CA response to install the certificate and then, by selecting the cert, clicking "Edit" and assigning it to the proper services in the "Services" tab, you can avoid this error.
 
Terellion (Author) commented:
Ha ha WOW what an absolute GENIUS!!!!!!!!!!!!!!!!!!!!!!!!

I actually can't believe it was that simple, there was me in PowerShell checking everything over!

Okay, 1 more question then :-) I'm being prompted for a password every time I go into Outlook, any idea? :-(
 
Philip Portnoy commented:
It depends on how your Outlook clients authenticate to the Exchange server.
Are these clients joined to the domain?
Does the problem occur when they're accessing Exchange from the internal or the external network?
 
Terellion (Author) commented:
Hi Phillip,

Yep, joined to the domain, Office 2010 SP2 installed. OWA works fine; it only happens from internal, as we do not allow external access for mail.
 
Terellion (Author) commented:
Does the same with Outlook 2013 too. Authentication is set to Negotiate, and when you check the connection status in Outlook it shows as NTLM.
 
Philip Portnoy commented:
Are those Windows XP or Windows 7/8?
Do you have NTLM or Basic authentication configured? Does this appear after your cert problem is resolved?
 
Terellion (Author) commented:
Combination of XP and 7. On the server it is configured as Negotiate, but when checking the connection status in Outlook it says NTLM.
 
Terellion (Author) commented:
The cert issue is resolved thanks to you, but the password issue still remains.
 
Philip Portnoy commented:
Are you using Autodiscover internally?
If yes, I'd recommend forcing NTLM onto the clients using the following command:

Set-OutlookAnywhere -Identity "<Server>\RPC (Default Web Site)" -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl $true

Also please make sure that in ECP, in the Outlook Anywhere settings, the external URL is different from the one you're using internally.

Even though you're not using external access, I'd still recommend applying the same setting for Outlook Anywhere:

Set-OutlookAnywhere -Identity "<Server>\RPC (Default Web Site)" -ExternalHostname "<external URL>" -ExternalClientAuthenticationMethod ntlm -ExternalClientsRequireSsl $true

After that, the settings will be propagated to Autodiscover.

But I've seen this issue happen and not go away on Win XP. You can try using Basic authentication then (just change ntlm to basic in the command). You're still using SSL, so data will be encrypted.
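The two things the thread works through, which certificate the CAS is actually presenting to Outlook and what Outlook Anywhere authentication Autodiscover hands to clients, can both be verified from the Exchange Management Shell before anything is changed. The script below is an added example written for this page; it is not code from the thread or from Microsoft. The NLB name, the CAS server names and the thumbprint in the commented corrective line are placeholders to be replaced with your own values.

```powershell
# Added example, not from the thread or from Microsoft: verify the certificate
# binding and Outlook Anywhere settings discussed above, run from the Exchange
# Management Shell on an Exchange 2013 server.
# Placeholders (assumptions, replace with your own values):
$NlbName    = 'cas.domain.local'      # the DNS record in front of the CAS NLB
$CasServers = 'CAS01', 'CAS02'        # the Exchange 2013 CAS servers

foreach ($server in $CasServers) {
    Write-Host "=== $server ==="

    # 1. The certificate bound to the IIS service is the one Outlook is shown.
    #    If its names do not include the NLB record, Outlook reports
    #    "The name on the security certificate is invalid...".
    $iisCerts = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services.ToString() -match 'IIS' }

    foreach ($cert in $iisCerts) {
        $names  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $hasNlb = $names -contains $NlbName
        '{0}  Subject={1}  Expires={2:yyyy-MM-dd}  SelfSigned={3}  CoversNLB={4}' -f `
            $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $cert.IsSelfSigned, $hasNlb
        if (-not $hasNlb) {
            # A self-signed cert that only names the server itself is the symptom
            # described in the question.
            Write-Warning "IIS certificate on $server does not list $NlbName; names are: $($names -join ', ')"
        }
    }

    # 2. Outlook Anywhere settings that Autodiscover hands to clients.
    #    IISAuthenticationMethods shows what IIS will accept; the *RequireSsl
    #    flags show whether Basic could ever be offered outside TLS.
    Get-OutlookAnywhere -Server $server |
        Select-Object Identity, InternalHostname, ExternalHostname,
                      InternalClientAuthenticationMethod, InternalClientsRequireSsl,
                      ExternalClientAuthenticationMethod, ExternalClientsRequireSsl,
                      IISAuthenticationMethods |
        Format-List

    # 3. Autodiscover URL that domain-joined clients look up via the SCP in AD.
    Get-ClientAccessServer -Identity $server |
        Select-Object Name, AutoDiscoverServiceInternalUri
}

# Corrective step, equivalent to the ECP "Edit > Services" step in the accepted
# answer: bind the SAN certificate to the IIS, POP and IMAP services on a CAS.
# Enable-ExchangeCertificate -Server CAS01 -Thumbprint <THUMBPRINT-PLACEHOLDER> -Services IIS,POP,IMAP
```

Run it before and after the change: the IIS-bound certificate on every CAS should list the NLB name with CoversNLB=True, and the Outlook Anywhere output should show the authentication method you intend. If Basic is used as the XP workaround, confirm that both RequireSsl flags stay $true, since Basic sends the password itself on every request and relies entirely on the TLS channel for protection.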
 
Terellion (Author) commented:
Hi Phillip,

Yep, using Autodiscover and that works fine. Not sure what I can set the external name to really, as we don't use it :-/

I've set the internal stuff but I'm still being prompted for a password on XP; it's working fine on 7. So would you recommend just changing the authentication method to Basic to get round that?
 
Terellion (Author) commented:
Well, I've changed to Basic and it works, thank you SO MUCH!!!!!!!
 
Terellion (Author) commented:
Hi Phillip, for some reason the XP clients are being prompted for a password again, even though the method is Basic? Any idea? Thanks for your help.
 
Philip Portnoy commented:
I recommend cleaning the XP machines' credential store to make sure that there are no saved settings.

Are clients being prompted even after you create a new Outlook profile?
 
Terellion (Author) commented:
Hi Phillip,

Yep, even after a new Outlook profile has been created. I even deleted the local Windows profile, but it's still the same: when going through the Outlook wizard to set up a new profile it prompts for a password, and then on launch it prompts for a password again.