Solved

Exchange 2010 “Name on Certificate does not match site” error from Outlook 2007 clients

Posted on 2015-01-13
Last Modified: 2015-01-19
We had one Exchange 2007 server on a virtual 2003 box.  We have upgraded to Exchange 2010 and now have two 2008 R2 virtual servers (one with the Mailbox role and the other with the CAS & Hub roles).  We are planning to implement an Edge server later.  All the mailboxes have been moved to the 2010 box along with firewall routing, DNS pointers and a new SSL certificate (not self-signed).  We have 42 mailboxes.

On our users’ machines (all users are using Outlook 2007) we are having the Security Alert window pop up with the “The name on the security certificate is invalid or does not match the name of the site” message.  It shows the name it is looking for as ServerName.Domain.Local.  I was going to add the .local name to the certificate (as I did when we had this problem with our Exchange 2007 upgrade), but .local is going away as far as CA certs are concerned and that would just postpone the problem. Not to mention making my 2-year certificate only good for 11 months.

I also have a self-signed cert that lists server.domain.local and that I assigned to IMAP and POP, and we still get the error box.

I have gone through all the options in the EMC that I could find and changed all instances of .local to .com, which we have matching DNS entries for, and still no joy.  If we click YES, Outlook runs normally but will re-display the error one more time.  I do not want users to get used to clicking YES on these errors, for obvious reasons.  With the .local URLs going away, surely there should be a fix for this?
Question by: dosdet2

9 Comments

Expert Comment by ktaczala (LVL 12), ID: 40547097
On the Exchange server, export the certificate.  Then install it in Trusted Root Certification Authorities (Local Computer) on each PC.
To get to the correct place on each PC, go to Start > Run > MMC > File > Add/Remove Snap-in > select Certificates > Add > Computer Account > Next > Local Computer > Finish

Author Comment by dosdet2 (LVL 8), ID: 40547133
Thanks ktaczala, I'm sure this would work.

However, since many Exchange organizations have thousands of users, I can't imagine that they would manually import certificates to each PC every time the certificate expires.  I'm thinking there must be a better alternative.
I will do this if I am left with no other solution.

Expert Comment by ktaczala (LVL 12), ID: 40547155
I had the same issue when I went from SBS 2003 / Exchange 2003 to Exchange 2010.  The only solution I found was either to purchase one or install it locally. Fortunately it was a small customer, 20 PCs.

How about through a GPO?

See here: http://technet.microsoft.com/en-us/library/cc738131.aspx

Author Comment by dosdet2 (LVL 8), ID: 40547269
I don't think that I have been clear enough.  I have a purchased SAN certificate from GoDaddy. The problem is that the certificate authorities have to discontinue including any intranet domain names (i.e. ending in .local) in their SSL SAN-type certificates.

See Here:  https://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls

Outlook is looking for server.domain.local, which is not part of the SAN certificate list.  The name server.domain.com is there, but Outlook / Exchange does not look for that.
This is the problem I am trying to resolve.  The self-signed certificate (that does contain server.domain.local) would be the one I would have to import to local PCs.  I am trying to find a way to avoid that and use the CA certificate.  Does that make sense?
Assisted Solution by Jessie Gill, CISSP (LVL 8), earned 167 total points, ID: 40548048
So you have a disjoint namespace.  What I did is internally I created DNS records for my external URLs, and I made the Exchange URLs for internal and external the same.  That way your clients are looking for autodiscover.domain.com instead of autodiscover.domain.local.  This would, however, require you to change all your internal URLs and create a DNS zone for all the URLs.

Assisted Solution by -MAS (LVL 25), earned 333 total points, ID: 40548788
You only need the names below in your certificate.
1. commonname.Externaldomain.com (mail.contoso.com)
2. autodiscover.Externaldomain.com (autodiscover.contoso.com)

Please check my articles; they may help sort out your issues.
EE
Technet

Please use this tool to generate a CSR easily:
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f

Author Comment by dosdet2 (LVL 8), ID: 40553831
Jessie Gill, CISSP - This was what I thought also, but it is kind of a problem too.  I have the DNS records all set up and working, but I can't seem to get Outlook on the workstations to look for the external URL.  It seems that no matter what I try, they still keep looking for autodiscover.domain.local instead of autodiscover.domain.com or mail.domain.com or server.domain.com - any of which would point them properly and are all named in the certificate.
I'm wondering if the old Exchange 2007 server is causing a problem.  It is no longer being used except that it is a DC (not the PDC though).  It will eventually go away once I can verify everything else is working properly.  Any help here would be appreciated.

Accepted Solution by -MAS (LVL 25), earned 333 total points, ID: 40555870
Hi dosdet2,
You are supposed to get a result like below. Your autodiscover.externaldomain.com and common name (mail.externaldomain.com) should point to the active server. (This is explained in my article.)
[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Name                           : Server1
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml

Name                           : Server2
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml


Please configure split DNS or pinpoint DNS as well.
Split DNS:
http://exchange.sembee.mobi/network/split-dns.asp
Pinpoint DNS is explained in my article above.
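The two answers above amount to one rule: every URL a CAS hands to Outlook (the Autodiscover SCP URI, the virtual directory InternalUrl/ExternalUrl values, and the Outlook Anywhere hostname) must use a name that appears on the certificate bound to IIS, and the asker's closing comment shows how easy it is to miss one. The script below is an added example written for this page, not code from the thread or from either expert's articles. It runs in the Exchange 2010 Management Shell, reads the domains from the certificate(s) enabled for IIS with Get-ExchangeCertificate, collects every CAS URL, and reports each hostname the certificate does not cover (for example a leftover server.domain.local). The value of $ExternalName is a placeholder taken from -MAS's sample output, and the final Set-ClientAccessServer line is left with -WhatIf so it only shows what it would change.

```powershell
# Added example (not from the thread): audit Exchange 2010 CAS URLs against
# the SAN list of the certificate(s) that IIS is serving.
# Assumes the Exchange Management Shell on an Exchange 2010 CAS.
# $ExternalName is a placeholder for the published name on the certificate.
param(
    [string]$ExternalName = 'mail.externaldomain.com'
)

# Subject and SAN names carried by every certificate enabled for the IIS service.
$certDomains = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

function Test-HostCovered {
    param([string]$HostName)
    # Exact name first, then a single-label wildcard such as *.externaldomain.com.
    $h = $HostName.ToLower()
    if ($certDomains -contains $h) { return $true }
    $parent = ($h -split '\.', 2)[1]
    return ($certDomains -contains "*.$parent")
}

# Every URL Outlook can be handed by the Client Access servers.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += [pscustomobject]@{ Source = "CAS $($_.Name) AutoDiscoverServiceInternalUri"
                                Url    = $_.AutoDiscoverServiceInternalUri }
}
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    & $cmdlet | ForEach-Object {
        $urls += [pscustomobject]@{ Source = "$($_.Identity) InternalUrl"; Url = $_.InternalUrl }
        $urls += [pscustomobject]@{ Source = "$($_.Identity) ExternalUrl"; Url = $_.ExternalUrl }
    }
}
# Outlook Anywhere in Exchange 2010 exposes only an external hostname.
Get-OutlookAnywhere | ForEach-Object {
    $urls += [pscustomobject]@{ Source = "$($_.Identity) ExternalHostname"
                                Url    = "https://$($_.ExternalHostname)/rpc" }
}

# Report each configured hostname the IIS certificate does not cover.
$findings = foreach ($u in $urls) {
    if (-not $u.Url) { continue }                 # empty ExternalUrl is fine
    $hostName = ([uri]"$($u.Url)").Host
    if (-not (Test-HostCovered $hostName)) {
        [pscustomobject]@{ Source = $u.Source; Host = $hostName; Url = "$($u.Url)" }
    }
}
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'All CAS URLs are covered by the IIS certificate.'
}

# Remediation for the Autodiscover SCP URI, as in the accepted solution.
# Remove -WhatIf once the report above shows what you expect.
Get-ClientAccessServer |
    Set-ClientAccessServer -AutoDiscoverServiceInternalUri `
        "https://$ExternalName/autodiscover/autodiscover.xml" -WhatIf
```

Run it once before and once after the Set- commands for the virtual directories; an empty findings list together with the split DNS records Jessie Gill describes means Outlook is never sent to a name that is missing from the certificate, so the Security Alert has nothing left to trigger on.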
 
LVL 8

Author Closing Comment

by:dosdet2
ID: 40558600
I ran several of the Get- commands (for ClientAccessServer, virtual directories & internal / external URLs) and saw that some of my earlier commands (URLs) didn't work ??  I reran all of the Set- commands and rechecked.  Everything is as it should be now and the problem seems to be corrected (no more security messages).  Thanks for the help.