Solved

Exchange 2010 “Name on Certificate does not match site” error from Outlook 2007 clients

Posted on 2015-01-13
Last Modified: 2015-01-19
We had one Exchange 2007 server on a virtual 2003 box.  We have upgraded to Exchange 2010 and now have two 2008 R2 virtual servers (one with the mailbox role and the other with CAS & Hub roles).  We are planning to implement an edge server later.  All the mailboxes have been moved to the 2010 box along with firewall routing, DNS pointers and a new SSL certificate (not self-signed).  We have 42 mailboxes.

On our users’ machines (all users are using Outlook 2007) we are having the Security Alert window pop up with the “The name on the security certificate is invalid or does not match the name of the site” message.  It shows the name it is looking for as ServerName.Domain.Local.  I was going to add the .local name to the certificate (as I did when we had this problem with our Exchange 2007 upgrade), but .local is going away as far as CA certs are concerned and this would just postpone the problem.  Not to mention making my 2-year certificate only good for 11 months.

I also have a self-signed cert that lists server.domain.local and I assigned to imap and pop and we still get the error box.

I have gone through all the options in the EMC that I could find and changed all instances of .local to .com, which we have matching DNS entries for, and still no joy.  If we click on YES, Outlook runs normally but will re-display the error one more time.  I do not want users to get used to clicking YES on these errors for obvious reasons.  With the .local URLs going away, surely there should be a fix for this?
Question by:dosdet2
9 Comments
 
LVL 12

Expert Comment

by:ktaczala
ID: 40547097
On the exchange server, export the certificate.  Then install it in trusted root certification authorities (local Computer) on each PC.
To get to the correct place on each PC, goto Start > Run > MMC > File > Add/Remove Snap-in > Select Certificates > Add > Computer Account > Next >Local Computer > Finish
 
LVL 8

Author Comment

by:dosdet2
ID: 40547133
Thanks ktaczala, I'm sure this would work.
 
However since many exchange organizations have thousands of users, I can't imagine that they would manually Import certificates to each PC every time the certificate expires.  I'm thinking there must be a better alternative.  
I will do this if I am left with no other solution.
 
LVL 12

Expert Comment

by:ktaczala
ID: 40547155
I had the same issue when I went from SBS 2003 / Exchange 2003 to Exchange 2010.  The only solution I found was either to purchase or install it locally.  Fortunately it was a small customer with 20 PCs.

How about thru a GPO?

See here: http://technet.microsoft.com/en-us/library/cc738131.aspx
 
LVL 8

Author Comment

by:dosdet2
ID: 40547269
I don't think that I have been clear enough.  I have a purchased SAN certificate from GoDaddy.  The problem is that the certificate authorities have to discontinue including any intranet domain names (i.e. ending in .local) in their SSL SAN-type certificates.

See Here:  https://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls

Outlook is looking for server.domain.local, which is not part of the SAN certificate list.  The name server.domain.com is there, but Outlook / Exchange does not look for that.
This is the problem I am trying to resolve.  The self-signed certificate (that does contain server.domain.local) would be the one I would have to import to local PCs.  I am trying to find a way to avoid that and use the CA certificate.  Does that make sense?
LVL 8

Assisted Solution

by:Jessie Gill, CISSP
Jessie Gill, CISSP earned 167 total points
ID: 40548048
So you have a disjoint namespace.  What I did is, internally, I created DNS records for my external URLs, and I made the Exchange URLs for internal and external the same.  That way your clients are looking for autodiscover.domain.com instead of autodiscover.domain.local.  This would however require you to change all your internal URLs and create a DNS zone for all the URLs.
 
LVL 24

Assisted Solution

by:-MAS
-MAS earned 333 total points
ID: 40548788
You need only the names below in your certificate.
1. commonname.Externaldomain.com (mail.contoso.com)
2. autodiscover.Externaldomain.com (autodiscover.contoso.com)

Please check my articles; they may help to sort out your issues.
EE
Technet

Please use this tool to generate CSR easily
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
 
LVL 8

Author Comment

by:dosdet2
ID: 40553831
Jessie Gill, CISSP - This was what I thought also, but it is kind of a problem too.  I have the DNS records all set up and working, but I can't seem to get Outlook on the workstations to look for the external URL.  It seems that no matter what I try, they still keep looking for autodiscover.domain.local instead of autodiscover.domain.com or mail.domain.com or server.domain.com - any of which would point them properly and are all named in the certificate.
I'm wondering if the old Exchange 2007 server is causing a problem.  It is no longer being used except that it is a DC (not the PDC though).  It will eventually be going away once I can verify everything else is working properly.  Any help here would be appreciated.
 
LVL 24

Accepted Solution

by:-MAS
-MAS earned 333 total points
ID: 40555870
Hi dosdet2,
You are supposed to get a result like the one below.  Your autodiscover.externaldomain.com and common name (mail.externaldomain.com) should point to the active server.  (This is explained in my article.)
[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Name                           : Server1
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml

Name                           : Server2
AutoDiscoverServiceInternalUri : https://mail.externaldomain.com/autodiscover/autodiscover.xml


Please configure split DNS or pinpoint DNS as well.
Split DNS
http://exchange.sembee.mobi/network/split-dns.asp
Pinpoint DNS is explained in my article above.
 
LVL 8

Author Closing Comment

by:dosdet2
ID: 40558600
I ran several of the Get- commands (for ClientAccessServer, virtual directories & internal / external URLs) and saw that some of my earlier commands (URLs) didn't work ??  I reran all of the Set- commands and rechecked.  Everything is as it should be now and the problem seems to be corrected (no more security messages).  Thanks for the help.
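The check the accepted solution and the closing comment describe (compare every URL the CAS hands to clients against the names on the purchased certificate, then re-run the Set- commands for any that still carry a .local name), written out as an added example that is not code from any of the posters. It runs in the Exchange 2010 Management Shell; the server name CAS01 and the certificate common name mail.externaldomain.com are assumed placeholders, and -Fix is only applied when you pass it.

```powershell
# Added example, not code from the thread: audit the URLs Exchange 2010 hands to
# clients against the names on the IIS-bound certificate, and with -Fix repoint
# any that do not match at the external name. Run in the Exchange Management
# Shell. $CasServer and $ExternalHost are placeholders for your environment.
param(
    [string]$CasServer    = 'CAS01',                   # assumed CAS/Hub server name
    [string]$ExternalHost = 'mail.externaldomain.com', # CN on the purchased SAN cert
    [switch]$Fix                                       # audit only unless -Fix is given
)

# Names (CN and SANs) on the certificate that is actually bound to IIS.
$certNames = Get-ExchangeCertificate -Server $CasServer |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() }

function Test-NameOnCert([string]$name) {
    foreach ($n in $certNames) {
        if ($n -eq $name) { return $true }
        if ($n.StartsWith('*.') -and $name -like $n) { return $true }  # wildcard SAN
    }
    return $false
}

# Each URL clients are given, the cmdlet that changes it, and the path to rebuild.
$checks = @(
    @{ Get='Get-ClientAccessServer';          Set='Set-ClientAccessServer';          Prop='AutoDiscoverServiceInternalUri'; Path='/autodiscover/autodiscover.xml' },
    @{ Get='Get-WebServicesVirtualDirectory'; Set='Set-WebServicesVirtualDirectory'; Prop='InternalUrl'; Path='/EWS/Exchange.asmx' },
    @{ Get='Get-OabVirtualDirectory';         Set='Set-OabVirtualDirectory';         Prop='InternalUrl'; Path='/OAB' },
    @{ Get='Get-OwaVirtualDirectory';         Set='Set-OwaVirtualDirectory';         Prop='InternalUrl'; Path='/owa' },
    @{ Get='Get-EcpVirtualDirectory';         Set='Set-EcpVirtualDirectory';         Prop='InternalUrl'; Path='/ecp' },
    @{ Get='Get-ActiveSyncVirtualDirectory';  Set='Set-ActiveSyncVirtualDirectory';  Prop='InternalUrl'; Path='/Microsoft-Server-ActiveSync' }
)

foreach ($c in $checks) {
    # Get-ClientAccessServer is addressed by -Identity; the vdir cmdlets by -Server.
    $getArgs = if ($c.Get -eq 'Get-ClientAccessServer') { @{ Identity = $CasServer } } else { @{ Server = $CasServer } }
    foreach ($o in (& $c.Get @getArgs)) {
        $url     = [string]$o.($c.Prop)
        $urlHost = if ($url) { ([uri]$url).Host.ToLower() } else { '' }
        if (Test-NameOnCert $urlHost) { "OK       $($c.Prop) on $($o.Identity): $url"; continue }
        "MISMATCH $($c.Prop) on $($o.Identity): '$url' is not a name on the certificate"
        if ($Fix) {
            $p = @{ Identity = $o.Identity }
            $p[$c.Prop] = "https://$ExternalHost$($c.Path)"
            & $c.Set @p   # internal DNS must resolve $ExternalHost to the CAS (split DNS)
        }
    }
}
```

Outlook caches the Autodiscover SCP result, so restart the client after a fix before judging whether the certificate prompt is gone.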
