  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 565

Exchange 2010 “Name on Certificate does not match site” error from Outlook 2007 clients

We had one Exchange 2007 server on a virtual Windows 2003 box.  We have upgraded to Exchange 2010 and now have two 2008 R2 virtual servers (one with the mailbox role and the other with the CAS & Hub roles).  We are planning to implement an Edge server later.  All the mailboxes have been moved to the 2010 box along with firewall routing, DNS pointers and a new SSL certificate (not self-signed).  We have 42 mailboxes.

On our users' machines (all users are using Outlook 2007) we are having the Security Alert window pop up with the "The name on the security certificate is invalid or does not match the name of the site" message.  It shows the name it is looking for as ServerName.Domain.Local.  I was going to add the .local name to the certificate (as I did when we had this problem with our Exchange 2007 upgrade), but .local is going away as far as CA certificates are concerned and this would just postpone the problem.  Not to mention making my 2-year certificate only good for 11 months.

I also have a self-signed certificate that lists server.domain.local and have assigned it to IMAP and POP, and we still get the error box.

I have gone through all the options in the EMC that I could find and changed all instances of .local to .com, which we have matching DNS entries for, and still no joy.  If we click YES, Outlook runs normally but will re-display the error one more time.  I do not want users to get used to clicking YES on these errors, for obvious reasons.  With the .local URLs going away, surely there should be a fix for this?
0
Asked by dosdet2
3 Solutions
 
ktaczala Commented:
On the Exchange server, export the certificate.  Then install it in Trusted Root Certification Authorities (Local Computer) on each PC.
To get to the correct place on each PC, go to Start > Run > MMC > File > Add/Remove Snap-in > Select Certificates > Add > Computer Account > Next > Local Computer > Finish
0
 
dosdet2 (Author) Commented:
Thanks ktaczala, I'm sure this would work.
 
However, since many Exchange organizations have thousands of users, I can't imagine that they would manually import certificates to each PC every time the certificate expires.  I'm thinking there must be a better alternative.  
I will do this if I am left with no other solution.
0
 
ktaczala Commented:
I had the same issue when I went from SBS 2003 / Exchange 2003 to Exchange 2010.  The only solution I found was either to purchase a certificate or to install it locally.  Fortunately it was a small customer with 20 PCs.

How about thru a GPO?

See here: http://technet.microsoft.com/en-us/library/cc738131.aspx
0
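The manual export/import that ktaczala describes, and the GPO variant he points to, scripted as an added example (this is not code from the thread). It assumes the self-signed certificate is the one whose Subject Alternative Name lists server.domain.local, that the Exchange box has PowerShell 2.0 (so no Import-Certificate cmdlet, which only arrived with Windows 8 / PowerShell 3), and a share path \\fileserver\certs that is made up for the illustration.

```powershell
# Added example, not from the thread. Step 1 runs on the Exchange 2010 server,
# step 2 on each client (or once, as a GPO computer startup script).

# --- Step 1: export the public part of the self-signed certificate (DER .cer).
# Assumption: the wanted certificate is the one whose SAN contains
# server.domain.local. Only the public certificate is exported; the private
# key never leaves the server.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $san = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" }
    $san -and $san.Format($false) -match "server\.domain\.local"
} | Select-Object -First 1

if (-not $cert) { throw "No certificate with server.domain.local in its SAN was found." }

$outFile = "\\fileserver\certs\exchange-selfsigned.cer"   # assumed share path
[System.IO.File]::WriteAllBytes($outFile, $cert.Export("Cert"))
"Exported thumbprint $($cert.Thumbprint) to $outFile"

# --- Step 2: on each PC, elevated. certutil ships with every Windows version
# the Outlook 2007 clients could be running, so this also works from a GPO
# startup script (Computer Configuration > Policies > Windows Settings >
# Scripts > Startup), or the .cer can be imported directly through the GPO at
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Trusted Root Certification Authorities.
certutil -addstore -f Root "\\fileserver\certs\exchange-selfsigned.cer"

# Check that the client now trusts it.
certutil -store Root | findstr /i "server.domain.local"
```

Two caveats before using this. Anything placed in the Local Computer Trusted Root store becomes a trust anchor for every application on that PC, not just Outlook, so only a certificate whose private key lives on the Exchange server belongs there, and the exercise has to be repeated every time that certificate is renewed. It also only silences the prompt if the name Outlook is asking for (here server.domain.local) is actually in the certificate's SAN; trust and name matching are checked separately.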
dosdet2 (Author) Commented:
I don't think that I have been clear enough.  I have a purchased SAN certificate from GoDaddy.  The problem is that the certificate authorities have to discontinue including any intranet domain names (i.e. ending in .local) in their SSL SAN-type certificates.  

See Here:  https://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls

Outlook is looking for server.domain.local, which is not part of the SAN certificate list.  The name server.domain.com is there, but Outlook / Exchange does not look for that.  
This is the problem I am trying to resolve.  The self-signed certificate (that does contain server.domain.local) would be the one I would have to import to local PCs.  I am trying to find a way to avoid that and use the CA certificate.  Does that make sense?
0
 
Jessie Gill, CISSP Commented:
So you have a disjoint namespace.  What I did is, internally, I created DNS records for my external URLs, and I made the Exchange URLs for internal and external the same.  That way your clients are looking for autodiscover.domain.com instead of autodiscover.domain.local.  This would, however, require you to change all your internal URLs and create DNS zones for all the URLs.
0
 
MAS, Technical Department Head, Commented:
You need only the names below in your certificate.
1. commonname.Externaldomain.com (mail.contoso.com)
2. autodiscover.Externaldomain.com (autodiscover.contoso.com)

Please check my articles (EE, Technet); they may help sort out your issues.

Please use this tool to generate CSR easily
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
0
 
dosdet2 (Author) Commented:
Jessie Gill, CISSP - This was what I thought also, but it is kind of a problem too.  I have the DNS records all set up and working, but I can't seem to get Outlook on the workstations to look for the external URL.  It seems that no matter what I try, they still keep looking for autodiscover.domain.local instead of autodiscover.domain.com or mail.domain.com or server.domain.com, any of which would point them properly and are all named in the certificate.  
I'm wondering if the old Exchange 2007 server is causing a problem.  It is no longer being used, except that it is a DC (not the PDC though).  It will eventually go away once I can verify everything else is working properly.  Any help here would be appreciated.
0
 
MAS, Technical Department Head, Commented:
Hi dosdet2,
You are supposed to get a result like the one below.  Your autodiscover.externaldomain.com and common name (mail.externaldomain.com) should point to the active server.  (This is explained in my article.)
[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Name                           : Server1
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml

Name                           : Server2
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml



Please configure split DNS or pinpoint DNS as well.
Split DNS:
http://exchange.sembee.mobi/network/split-dns.asp
Pinpoint DNS is explained in my article above.
0
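Jessie Gill's and MAS's advice (same URL inside and outside, pinpoint or split DNS so the external name resolves internally, Autodiscover SCP pointing at a name on the certificate) as one Exchange 2010 Management Shell script. This is an added example, not code posted in the thread. It assumes the CAS is called Server1 (from MAS's sample output), the names mail.externaldomain.com and autodiscover.externaldomain.com (from the thread), an internal CAS address of 192.168.1.10 (made up), and that the internal DNS server is the DC you run the dnscmd lines on.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the CAS/Hub server as an Exchange Organization Administrator.
$cas        = "Server1"                          # CAS name, from MAS's output
$fqdn       = "mail.externaldomain.com"          # common name on the GoDaddy cert
$autod      = "autodiscover.externaldomain.com"  # second SAN entry on the cert
$internalIp = "192.168.1.10"                     # assumed internal CAS address

# 1. Autodiscover. Domain-joined Outlook reads this URL from the SCP in Active
#    Directory before it does anything else, so if it still carries
#    server.domain.local the prompt comes back no matter what the
#    virtual-directory URLs say. This is the value dosdet2 was chasing.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# 2. Every virtual directory that Autodiscover hands to Outlook. Internal and
#    external URL are set to the same host, so whichever one the client uses,
#    the name is on the certificate.
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$fqdn/EWS/Exchange.asmx" `
    -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"
Set-ActiveSyncVirtualDirectory `
    -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" `
    -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"
# Outlook Anywhere: Exchange 2010 only has an external host name setting.
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $fqdn

# 3. Make sure the purchased certificate, not the self-signed one, is the one
#    bound to IIS. Uncomment the Enable line with the GoDaddy thumbprint.
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned
# Enable-ExchangeCertificate -Thumbprint <GoDaddy thumbprint> -Services IIS

# 4. Pinpoint DNS on the internal DNS server (a DC here), so the external
#    names resolve to the internal CAS without having to host a full copy of
#    externaldomain.com inside. One single-record zone per name.
#    dnscmd ships with the Windows Server 2008 R2 DNS role; "@" is the zone root.
dnscmd . /ZoneAdd $fqdn  /DsPrimary
dnscmd . /RecordAdd $fqdn  @ A $internalIp
dnscmd . /ZoneAdd $autod /DsPrimary
dnscmd . /RecordAdd $autod @ A $internalIp

# 5. Verify from the server side: nothing below should still show .local.
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory         | Format-List Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory  | Format-List Identity, InternalUrl, ExternalUrl
Get-OwaVirtualDirectory         | Format-List Identity, InternalUrl, ExternalUrl
Get-OutlookAnywhere             | Format-List Identity, ExternalHostname
Resolve-DnsName is not available on 2008 R2, so use nslookup:
nslookup $fqdn
nslookup $autod
```

Running the Set- commands and then the matching Get- commands back to back is exactly the check that caught dosdet2's problem at the end of the thread: a Set- that errors or is typed against the wrong identity silently leaves the old .local URL in place. On a client, Ctrl+right-click the Outlook tray icon and choose Test E-mail AutoConfiguration to see which URLs Outlook actually received; every one of them must be a name in the certificate's SAN or the prompt will return.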
 
dosdet2 (Author) Commented:
I ran several of the Get- commands (for ClientAccessServer, virtual directories & internal / external URLs) and saw that some of my earlier commands (URLs) didn't work??  I reran all of the Set- commands and rechecked.  Everything is as it should be now and the problem seems to be corrected (no more security messages).  Thanks for the help.
0
