merritthorn asked:
Third Party Certificates with no .local

Hello Experts,
I recently renewed our third party cert and found I had to remove all .local references from the certificate. Now Outlook complains about the certificate: "The name on the security certificate is invalid or does not match the name of the site."
As suggested by GoDaddy, I have followed this article http://support.microsoft.com/kb/940726 and pointed autodiscover and EWS to servername.domain.com, which fixed a few issues but not this one.

I have also tried installing a private CA and creating a cert for servername.domain.local, which did not change anything.

When I run Test-OutlookWebServices I get...
RunspaceId : 47f1ba19-2a06-48ae-a888-b200d7f892e5
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of internalserver.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

I am not sure where to go from here; any help would be greatly appreciated.
becraig

OK, so you can change the autodiscover URL or create a self-signed certificate. I would just update the URL:

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://internalserver.domain.local/autodiscover/autodiscover.xml
ASKER CERTIFIED SOLUTION
Avatar of Simon Butler (Sembee)
Simon Butler (Sembee)
merritthorn (asker)

I did already change the autodiscover URL and create a self-signed cert for internalserver.domain.local. When I changed the Autodiscover URL though, I switched it to mail.domain.com, so I should try switching it back to internalserver.domain.local?

Happy to try that.
Oops, I did not notice my post :(

I just pasted your domain back at you.

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Like Simon said, you can simply set internal DNS to point to the IP of the server the autodiscover service is actually on.
By setting up a split DNS I would no longer require the self-signed cert, correct? I think that sounds like the better long-term solution. Thanks for the link; the instructions seem thorough enough. I will go through them and attempt that as soon as I have an opportunity. I will report back with my findings.
I would still leave the self-signed certificate on the server, but don't enable it for anything other than SMTP. Exchange will use it for internal transport use.

Simon.
Thanks Simon, will do. Since I must recycle Exchange services, I will need to wait on implementation until after hours.
No need to recycle any Exchange services. You can recycle IIS and Transport, but that has no impact on the end users so can be done during the day.

Simon.
Well, it seems Outlook is happy now, but Test-OutlookWebServices still produces the same error. What I do not get is that when I test Outlook there are no references to https://internalserver.domain.local; they are all https://mail.domain.com
RunspaceId : ec20885c-2a10-4db4-8503-98a7ff0adab2
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of servername.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

I have an SSL certificate for both; I think the local one is the default. Maybe I need to change that?
If you have the .local certificate, simply bind it to the autodiscover endpoint.

That is if the autodiscover endpoint has its own website.
If you have a certificate for mail.domain.com, then set up a split DNS and change the URLs within Exchange to match.
http://semb.ee/hostnames2007

Simon.
How would I go about accomplishing that? I do not think autodiscover has its own website, but I am unsure.
@simon I set up DNS so the external mail server name maps to the internal IP and it appears all of that worked great. For some reason though I still get that error.
OK, so here is a simple way to verify. Simply go to:
Run (winkey + R)
inetmgr
expand the server node and look at sites.

You can probably share it here as well.
Here are the steps to create a new website and point autodiscover to it:
http://technet.microsoft.com/en-us/library/aa995928%28v=exchg.141%29.aspx

Though I would prefer the split DNS approach, this is just as simple and easy to manage.
I have pretty much already headed down the split DNS route, but that did not change the error when I added the Autodiscover service DNS entry.
Can you show the IIS site information?
If this is a standard installation then it will not have a separate site for Autodiscover.
Have you changed all of the URLs within Exchange? Including the ones you have to do via PowerShell?

If you have multiple servers, ensure that it is done on all servers.

Simon.
Here is the site info; I am hoping this is what you are looking for. I have changed all of the URLs via PowerShell with these commands.
Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.example.net/autodiscover/autodiscover.xml

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://mail.example.net/ews/exchange.asmx -ExternalUrl https://mail.example.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

As well as the properties of owa (Default Web Site), ecp (Default Web Site), Microsoft-Server-ActiveSync (Default Web Site), and OAB (Default Web Site). We do not use POP3 or IMAP4. All of the URLs mentioned above now point to https://mail.domain.com.

The cert error seems to have been resolved, as I have not seen it come up in Outlook; of course it is somewhat intermittent anyway. I still get the error when running the Test-OutlookWebServices mentioned above, which makes me think there is still an issue.
Also in DNS I have it split so there is a Domain.local and a Domain.com Forward Lookup Zone.  Mail.domain.com is specified in the Domain.com Zone and is pointing to the internal IP address of the exchange server.
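An added audit script, not code from any poster in this thread, that lists every client-facing URL Exchange publishes (including the ones only reachable through PowerShell, as Simon asked about) and flags any hostname that is not covered by the certificate enabled for IIS. It assumes the Exchange Management Shell (2007/2010-era cmdlets) and that $ExpectedHost is the public name on the third-party certificate.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
$ExpectedHost = 'mail.domain.com'   # assumed: the public name on the third-party cert

# $true when $hostName matches a subject/SAN entry; a wildcard covers one label only.
function Test-HostCovered([string]$hostName, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName -like $n -and
            $hostName.Split('.').Length -eq $n.Split('.').Length) { return $true }
    }
    return $false
}

# Every URL Exchange hands to Outlook, including the PowerShell-only Autodiscover URI.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = "$($_.Identity) AutoDiscoverServiceInternalUri"
        Url    = $_.AutoDiscoverServiceInternalUri }
}
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
                 'Get-ActiveSyncVirtualDirectory') {
    & $cmd | ForEach-Object {
        $urls += New-Object PSObject -Property @{ Source = "$($_.Identity) InternalUrl"; Url = $_.InternalUrl }
        $urls += New-Object PSObject -Property @{ Source = "$($_.Identity) ExternalUrl"; Url = $_.ExternalUrl }
    }
}

# Names (subject + SANs) on the certificate(s) actually enabled for the IIS service.
$certNames = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" }

foreach ($u in $urls) {
    if ([string]::IsNullOrEmpty("$($u.Url)")) { continue }   # unset URL: nothing published
    $h = ([uri]$u.Url).Host
    if ($h -ne $ExpectedHost) {
        Write-Warning "$($u.Source) still points to $h (expected $ExpectedHost)"
    }
    if (-not (Test-HostCovered $h $certNames)) {
        Write-Warning "$($u.Source): $h is not on the IIS certificate ($($certNames -join ', '))"
    }
}
```

Any line this prints is a URL that will produce the same subject-mismatch complaint Outlook and Test-OutlookWebServices show above; the Outlook Anywhere/RPC server name is not an HTTPS URL and is not checked here.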
Run IISRESET on the Exchange server, so that the IIS metabase is reloaded. That should ensure that the configuration is seen by Exchange.

Simon.
I did run the IISreset again just now. No change in the error code.
Which error are you still getting?

The error above should have been resolved by:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

which should now point the URL to mail.domain.com, which should match the certificate bound to that service.
RunspaceId : ec20885c-2a10-4db4-8503-98a7ff0adab2
Id         : 1104
Type       : Error
Message    : The certificate for the URL https://internalserver.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of servername.domain.local, but the subject that was found is mail.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

Is what I get when I run the Test-OutlookWebServices.  Maybe this is not something to worry about though???
That suggests that you haven't changed the value that has been outlined above, so you should check again.

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

Simon.
The result of the above query is https://mail.domain.com/autodiscover/autodiscover.xml

Should I be pointing that one to the internal address https://servername.domain.local/autodiscover/autodiscover.xml?
No. The internal name needs to be replaced with the external name.
Do you get the same result when you test Autodiscover through Outlook?

This is a single server environment? No other Exchange servers in the forest at all?

Simon.
Right, no other servers in the forest at all. When I test Autodiscover in Outlook, everything points to the external address except the reference to the RPC server.
protocol: Exchange RPC
Server: Servername.domain.local

Everywhere else is Mail.domain.com
You are still getting the same error, even with replication time?
If that is the case, then I can only guess the server isn't publishing the information to the domain correctly or you have a replication problem so the change isn't being seen on all domain controllers.

Simon.
This article provided the steps required to resolve the original issue.
I will have to look at the replication but that is a different question.  Thanks so much for all of the help!