Solved

Exchange 2010 “Name on Certificate does not match site” error from Outlook 2007 clients

Posted on 2015-01-13
Last Modified: 2015-01-19
We had one Exchange 2007 server on a virtual 2003 box. We have upgraded to Exchange 2010 and now have two 2008 R2 virtual servers (one with the Mailbox role and the other with the CAS and Hub roles). We are planning to implement an Edge server later. All the mailboxes have been moved to the 2010 box, along with firewall routing, DNS pointers and a new SSL certificate (not self-signed). We have 42 mailboxes.

On our users' machines (all users are using Outlook 2007) we are having the Security Alert window pop up with the "The name on the security certificate is invalid or does not match the name of the site" message. It shows the name it is looking for as ServerName.Domain.Local. I was going to add the .local name to the certificate (as I did when we had this problem with our Exchange 2007 upgrade), but .local is going away as far as CA certs are concerned and would just postpone the problem. Not to mention making my 2-year certificate only good for 11 months.

I also have a self-signed cert that lists server.domain.local, which I assigned to IMAP and POP, and we still get the error box.

I have gone through all the options in the EMC that I could find and changed all instances of .local to .com, which we have matching DNS entries for, and still no joy. If we click on YES, Outlook runs normally but will re-display the error one more time. I do not want users to get used to clicking YES on these errors, for obvious reasons. With the .local URLs going away, surely there should be a fix for this?
Question by:dosdet2
9 Comments
Expert Comment by:ktaczala (LVL 12), ID: 40547097
On the Exchange server, export the certificate. Then install it in Trusted Root Certification Authorities (Local Computer) on each PC.
To get to the correct place on each PC, go to Start > Run > MMC > File > Add/Remove Snap-in > Select Certificates > Add > Computer Account > Next > Local Computer > Finish
0
Author Comment by:dosdet2 (LVL 8), ID: 40547133
Thanks ktaczala, I'm sure this would work.
 
However, since many Exchange organizations have thousands of users, I can't imagine that they would manually import certificates to each PC every time the certificate expires. I'm thinking there must be a better alternative.
I will do this if I am left with no other solution.
0
Expert Comment by:ktaczala (LVL 12), ID: 40547155
I had the same issue when I went from SBS 2003 / Exchange 2003 to Exchange 2010. The only solution I found was either purchase or install it locally. Fortunately it was a small customer, 20 PCs.

How about through a GPO?

See here: http://technet.microsoft.com/en-us/library/cc738131.aspx
0
Author Comment by:dosdet2 (LVL 8), ID: 40547269
I don't think that I have been clear enough. I have a purchased SAN certificate from GoDaddy. The problem is that the certificate authorities have to discontinue including any intranet domain names (i.e. ending in .local) in their SSL SAN-type certificates.

See Here:  https://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls

Outlook is looking for server.domain.local, which is not part of the SAN certificate list. The name server.domain.com is there, but Outlook / Exchange does not look for that.
This is the problem I am trying to resolve. The self-signed certificate (that does contain server.domain.local) would be the one I would have to import to local PCs. I am trying to find a way to avoid that and use the CA certificate. Does that make sense?
0
Assisted Solution by:Jessie Gill, CISSP (LVL 8), earned 167 total points, ID: 40548048
So you have a disjoint namespace. What I did is, internally, I created DNS records for my external URLs, and I made the Exchange URLs for internal and external the same. That way your clients are looking for autodiscover.domain.com instead of autodiscover.domain.local. This would, however, require you to change all your internal URLs and create a DNS zone for all the URLs.
0
Assisted Solution by:-MAS (LVL 26), earned 333 total points, ID: 40548788
You need only the names below in your certificate.
1.commonname.Externaldomain.com (mail.contoso.com)
2.autodiscover.Externaldomain.com (autodiscover.contoso.com)

Please check my articles; they may help sort out your issues.
EE
Technet

Please use this tool to generate CSR easily
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
0
Author Comment by:dosdet2 (LVL 8), ID: 40553831
Jessie Gill, CISSP - This was what I thought also, but it is kind of a problem too. I have the DNS records all set up and working, but I can't seem to get Outlook on the workstations to look for the external URL. It seems that no matter what I try, they still keep looking for autodiscover.domain.local instead of autodiscover.domain.com or mail.domain.com or server.domain.com, any of which would point them properly and are all named in the certificate.
I'm wondering if the old Exchange 2007 server is causing a problem. It is no longer being used, except that it is a DC (not the PDC though). It will eventually go away once I can verify everything else is working properly. Any help here would be appreciated.
0
Accepted Solution by:-MAS (LVL 26), earned 333 total points, ID: 40555870
Hi dosdet2,
You are supposed to get a result like the one below. Your autodiscover.externaldomain.com and common name (mail.externaldomain.com) should point to the active server. (This is explained in my article.)
[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Name                           : Server1
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml

Name                           : Server2
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml



Please configure split DNS or pinpoint DNS as well.
Split DNS
http://exchange.sembee.mobi/network/split-dns.asp
Pin Point is explained in my article above
0
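Both assisted answers and the accepted solution come down to the same two checks: every URL Autodiscover hands to Outlook must use a hostname that is on the SAN certificate, and that public hostname must resolve from inside the LAN (split DNS). The script below is an added example for this thread, not code from any of the commenters; it runs in the Exchange 2010 Management Shell on the CAS and assumes `mail.externaldomain.com` / `autodiscover.externaldomain.com` as placeholder names for whatever is on your certificate. It lists the hostnames clients are given, flags any that the IIS certificate does not cover (the exact condition that produces the "name on the security certificate is invalid" dialog), tests internal resolution of the public names, and wraps the `Set-` commands the original poster re-ran in a function you can call once the names and DNS are in place.

```powershell
# Added example (not from the thread): audit Exchange 2010 client URLs against
# the SAN certificate and internal DNS, then optionally repoint the URLs.
# Assumptions: Exchange Management Shell on the CAS; $PublicName and
# $AutodiscoverName are constructed placeholders for the names on your cert.
$PublicName       = 'mail.externaldomain.com'
$AutodiscoverName = 'autodiscover.externaldomain.com'
$Server           = $env:COMPUTERNAME

# 1. Every URL or hostname Autodiscover can return to an Outlook client
$urls  = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $Server) +
                @(Get-OabVirtualDirectory -Server $Server) +
                @(Get-ActiveSyncVirtualDirectory -Server $Server) +
                @(Get-OwaVirtualDirectory -Server $Server) +
                @(Get-EcpVirtualDirectory -Server $Server)) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
$hostnames  = @($urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host })
$hostnames += (Get-OutlookAnywhere -Server $Server).ExternalHostname
$hostnames  = $hostnames | Where-Object { $_ } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique

# 2. Names on the certificate that is bound to IIS (wildcard entries kept as-is)
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# 3. A hostname not covered by the certificate is what triggers the Outlook warning.
#    Wildcard matching here is approximate (*.contoso.com also matches deeper labels).
$problems = @()
foreach ($h in $hostnames) {
    $covered = $sans | Where-Object { $_ -eq $h -or ($_.StartsWith('*.') -and $h -like $_) }
    if (-not $covered) { $problems += $h }
}

# 4. Split DNS check: the public names must resolve inside the LAN, otherwise
#    the client keeps using the .local name from the old configuration.
$unresolved = @()
foreach ($n in $PublicName, $AutodiscoverName) {
    try   { [void][System.Net.Dns]::GetHostAddresses($n) }
    catch { $unresolved += $n }
}

"Certificate $($cert.Thumbprint) covers: $($sans -join ', ')"
"Hostnames handed to clients: $($hostnames -join ', ')"
if ($problems)   { "NOT on the certificate: $($problems -join ', ')" }
else             { "All client-facing hostnames are on the certificate." }
if ($unresolved) { "Not resolvable internally (configure split DNS): $($unresolved -join ', ')" }

# 5. Remediation used in this thread: make internal and external URLs identical
#    and point them at the public name. Run only after steps 3 and 4 are clean.
function Set-ClientUrlsToPublicName {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$PublicName/autodiscover/autodiscover.xml"
    Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory `
        -InternalUrl "https://$PublicName/EWS/Exchange.asmx" -ExternalUrl "https://$PublicName/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $Server | Set-OabVirtualDirectory `
        -InternalUrl "https://$PublicName/OAB" -ExternalUrl "https://$PublicName/OAB"
    Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory `
        -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync" -ExternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
    Get-OwaVirtualDirectory -Server $Server | Set-OwaVirtualDirectory `
        -InternalUrl "https://$PublicName/owa" -ExternalUrl "https://$PublicName/owa"
    Get-EcpVirtualDirectory -Server $Server | Set-EcpVirtualDirectory `
        -InternalUrl "https://$PublicName/ecp" -ExternalUrl "https://$PublicName/ecp"
    Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere -ExternalHostname $PublicName
}
# Apply with:  Set-ClientUrlsToPublicName   (then re-run the audit above)
```

Run the audit first; if the report lists a `.local` hostname, it is a URL still pointing at the old name, which is the situation the closing comment describes where earlier `Set-` commands had not taken effect. After applying the function, run the audit again and restart Outlook on a test workstation; the client picks up the new URLs on its next Autodiscover refresh.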
Author Closing Comment by:dosdet2 (LVL 8), ID: 40558600
I ran several of the get- commands (for ClientAccessServer, virtual directories and internal / external URLs) and saw that some of my earlier commands (URLs) didn't work ?? I reran all of the set- commands and rechecked. Everything is as it should be now and the problem seems to be corrected (no more security messages). Thanks for the help.
0