  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 399
  • Last Modified:

Third Party Certificates with no .local

Hello Experts,
I recently renewed our third party cert and found I had to remove all .local references from the certificate.  Now Outlook complains about the certificate: "The name on the security certificate is invalid or does not match the name of the site."
As suggested by GoDaddy I have followed this article http://support.microsoft.com/kb/940726 and pointed autodiscover and EWS to servername.domain.com, which fixed a few issues but not this one.

I have also tried installing a private CA and creating a cert for servername.domain.local, which did not change anything.

When I run Test-OutlookWebServices I get...
RunspaceId : 47f1ba19-2a06-48ae-a888-b200d7f892e5
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of internalserver.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

I am not sure where to go from here; any help would be greatly appreciated.
0
Asked:
merritthorn
1 Solution
 
becraig Commented:
OK, so you can change the autodiscover URL or create a self-signed certificate; I would just update the URL:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://internalserver.domain.local/autodiscover/autodiscover.xml
0
 
Simon Butler (Sembee), Consultant, Commented:
Set up a split DNS so that the external URL resolves internally to the internal IP address.
Then change all of the URLs within Exchange to the external host name.

http://semb.ee/hostnames2010

Simon.
0
 
merritthorn (IT director, Author) Commented:
I did already change the autodiscover URL and create a self-signed cert for internalserver.domain.local.  When I changed the Autodiscover URL though I switched it to mail.domain.com, so I should try switching it back to internalserver.domain.local?

Happy to try that.
0
 
becraig Commented:
Oops I did not notice my post :(

I just pasted your domain back at you.

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Like Simon said, you can simply set internal DNS to point to the IP of the server the autodiscover service is actually on.
0
 
merritthorn (IT director, Author) Commented:
By setting up a split DNS I would no longer require the self-signed cert, correct?  I think that sounds like the better long term solution.  Thanks for the link; the instructions seem thorough enough.  I will go through them and attempt that as soon as I have an opportunity.  I will report back with my findings.
0
 
Simon Butler (Sembee), Consultant, Commented:
I would still leave the self signed certificate on the server, but don't enable it for anything other than SMTP. Exchange will use it for internal transport use.

Simon.
0
 
merritthorn (IT director, Author) Commented:
Thanks Simon, will do.  Since I must recycle Exchange services I will need to wait on implementation until after hours.
0
 
Simon Butler (Sembee), Consultant, Commented:
No need to recycle any Exchange services. You can recycle IIS and Transport, but that has no impact on the end users so can be done during the day.

Simon.
0
 
merritthorn (IT director, Author) Commented:
Well it seems Outlook is happy now, but the test-outlookwebinterface still produces the same error.  What I do not get is when I test Outlook there are no references to https://internalserver.domain.local; they are all https://mail.domain.com
0
 
merritthorn (IT director, Author) Commented:
RunspaceId : ec20885c-2a10-4db4-8503-98a7ff0adab2
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of servername.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

I have an SSL cert for both; I think the local one is the default. Maybe I need to change that?
0
 
becraig Commented:
If you have the .local certificate, simply bind it to the autodiscover endpoint.

That is, if the autodiscover endpoint has its own website.
0
 
Simon Butler (Sembee), Consultant, Commented:
If you have a certificate for mail.domain.com, then set up a split DNS and then change the URLs within Exchange to match.
http://semb.ee/hostnames2007

Simon.
0
 
merritthorn (IT director, Author) Commented:
How would I go about accomplishing that?  I do not think autodiscover has its own website but I am unsure.
0
 
merritthorn (IT director, Author) Commented:
@simon I set up DNS so the external mail server name maps to the internal IP and it appears all of it worked great.  For some reason though I still get that error.
0
 
becraig Commented:
OK, so here is a simple way to verify. Simply go to:
Run (winkey + R)
inetmgr
Expand the server node and look at Sites.

You can probably share it here as well.

Here are the steps to create a new website and point autodiscover to it:
http://technet.microsoft.com/en-us/library/aa995928%28v=exchg.141%29.aspx

Though I would prefer the split DNS approach, this is just as simple and easy to manage.
0
 
merritthorn (IT director, Author) Commented:
I have pretty much already headed down the split DNS route but that did not change the error when I added the Autodiscover service DNS entry.
0
 
becraig Commented:
Can you show the IIS site information?
0
 
Simon Butler (Sembee), Consultant, Commented:
If this is a standard installation then it will not have a separate site for Autodiscover.
Have you changed all of the URLs within Exchange? Including the ones you have to do via PowerShell?

If you have multiple servers, ensure that it is done on all servers.

Simon.
0
 
merritthorn (IT director, Author) Commented:
Here is the site info; I am hoping this is what you are looking for.  I have changed all of the URLs via PowerShell with these commands.
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

As well as the properties of owa (Default Web Site), ecp (Default Web Site), Microsoft-Server-ActiveSync (Default Web Site), and OAB (Default Web Site).  We do not use POP3 or IMAP4.  All of the URLs mentioned above now point to https://mail.domain.com.

The cert error seems to have been resolved, as I have not seen it come up in Outlook; of course it is somewhat intermittent anyway.  I still get the error when running the Test-OutlookWebServices mentioned above, which makes me think there is still an issue.
IIS.JPG
0
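One way to check every URL at once, as an added example that is not from this thread, from Microsoft, or from either expert: a PowerShell audit for the Exchange Management Shell that collects the URLs the commands above set (plus OWA, ECP and ActiveSync), compares each host name against the names on the certificate enabled for IIS, checks that the external name resolves to a private address (the split DNS Simon describes), and then re-runs Test-OutlookWebServices showing only error rows. The cmdlets are the standard Exchange ones; the functions `Get-ExchangeClientUrl` and `Test-NameCovered` and the `$PublicName` value are this example's own, and `mail.domain.com` is a placeholder to replace with your external name.

```powershell
# Added audit script (not from the thread). Assumes the Exchange Management
# Shell on the Client Access server; $PublicName is a placeholder.
$PublicName = 'mail.domain.com'

# Build one record per published URL (New-Object keeps this PowerShell 2.0 safe).
function New-UrlRecord([string]$source, $url) {
    New-Object PSObject -Property @{ Source = $source; Url = [string]$url }
}

# Every client-facing URL Exchange publishes, including the Autodiscover SCP
# value (AutodiscoverServiceInternalUri) that is only visible from PowerShell.
function Get-ExchangeClientUrl {
    $list = @()
    foreach ($cas in Get-ClientAccessServer) {
        $list += New-UrlRecord "$($cas.Identity): AutodiscoverServiceInternalUri" $cas.AutodiscoverServiceInternalUri
    }
    $cmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory'
    foreach ($cmdlet in $cmdlets) {
        foreach ($vdir in (& $cmdlet)) {
            $list += New-UrlRecord "$($vdir.Identity): InternalUrl" $vdir.InternalUrl
            $list += New-UrlRecord "$($vdir.Identity): ExternalUrl" $vdir.ExternalUrl
        }
    }
    return $list
}

# True when $hostName is covered by one of the certificate names. A wildcard
# covers exactly one label: *.domain.com matches mail.domain.com, not a.b.domain.com.
function Test-NameCovered([string]$hostName, [string[]]$certNames) {
    $h = $hostName.ToLower()
    foreach ($n in $certNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # '.domain.com'
            if ($h.EndsWith($suffix)) {
                $prefix = $h.Substring(0, $h.Length - $suffix.Length)
                if ($prefix -ne '' -and -not $prefix.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Names (subject plus SANs) on the certificate IIS presents to Outlook/Autodiscover.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { Write-Warning 'No certificate is enabled for the IIS service.'; return }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
Write-Host "IIS certificate: $($iisCert.Subject)  names: $($certNames -join ', ')"

# Flag every URL whose host the certificate does not cover (e.g. a leftover .local name).
foreach ($rec in Get-ExchangeClientUrl) {
    if ([string]::IsNullOrEmpty($rec.Url)) { continue }
    $h = ([uri]$rec.Url).Host
    if (Test-NameCovered $h $certNames) {
        Write-Host ("OK       {0} -> {1}" -f $rec.Source, $h)
    } else {
        Write-Warning ("MISMATCH {0} -> {1} is not on the IIS certificate" -f $rec.Source, $h)
    }
}

# Split-DNS check: from inside the network the public name should resolve to the
# server's private (RFC 1918) address, otherwise internal clients go out and back in.
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
foreach ($a in [System.Net.Dns]::GetHostAddresses($PublicName)) {
    $ip = $a.IPAddressToString
    if ($ip -match $private) { Write-Host "DNS: $PublicName -> $ip (private address; split DNS in effect)" }
    else { Write-Warning "DNS: $PublicName -> $ip (public address; split DNS not in effect for this client)" }
}

# Re-run the test used in the thread and show only the error rows (Id 1104 above).
Test-OutlookWebServices | Where-Object { $_.Type -eq 'Error' } | Format-List Id, Message
```

Run it from the Exchange Management Shell after changing URLs and after an IISRESET; any MISMATCH line names the exact setting that still carries a name the certificate does not cover, which is what the 1104 error is reporting.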
 
merritthorn (IT director, Author) Commented:
Also in DNS I have it split so there is a Domain.local and a Domain.com Forward Lookup Zone.  Mail.domain.com is specified in the Domain.com Zone and is pointing to the internal IP address of the exchange server.
0
 
Simon Butler (Sembee), Consultant, Commented:
Run IISRESET on the Exchange server, so that the IIS metabase is reloaded. That should ensure that the configuration is seen by Exchange.

Simon.
0
 
merritthorn (IT director, Author) Commented:
I did run the IISreset again just now.  No change in the error code.
0
 
becraig Commented:
Which error are you still getting?


The error above should have been resolved by:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Which should now be pointing the url to mail.domain.com which should match the certificate bound to that service.
0
 
merritthorn (IT director, Author) Commented:
RunspaceId : ec20885c-2a10-4db4-8503-98a7ff0adab2
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of servername.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

Is what I get when I run the Test-OutlookWebServices.  Maybe this is not something to worry about though?
0
 
Simon Butler (Sembee), Consultant, Commented:
That suggests that you haven't changed the value that has been outlined above, so you should check again.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Simon.
0
 
merritthorn (IT director, Author) Commented:
The result of the above query is https://mail.domain.com/autodiscover/autodiscover.xml

Should I be pointing that one to the internal address https://servername.domain.local/autodiscover/autodiscover.xml?
0
 
Simon Butler (Sembee), Consultant, Commented:
No. The internal name needs to be replaced with the external name.
Do you get the same result when you test Autodiscover through Outlook?

This is a single server environment? No other Exchange servers in the forest at all?

Simon.
0
 
merritthorn (IT director, Author) Commented:
Right no other servers in the forest at all.  When I test Autodiscover in Outlook everything points to the external address except the reference to the RPC server.
protocol: Exchange RPC
Server: Servername.domain.local

Everywhere else is mail.domain.com
0
 
Simon Butler (Sembee), Consultant, Commented:
You are still getting the same error, even with replication time?
If that is the case, then I can only guess the server isn't publishing the information to the domain correctly or you have a replication problem so the change isn't being seen on all domain controllers.

Simon.
0
 
merritthorn (IT director, Author) Commented:
This article provided the steps required to resolve the original issue.
0
 
merritthorn (IT director, Author) Commented:
I will have to look at the replication but that is a different question.  Thanks so much for all of the help!
0
