Solved

Exchange 2010 Outlook Certificate Error

Posted on 2015-02-04
Last Modified: 2016-06-03
I recently migrated to Exchange 2010 from Exchange 2003, following all of the needed migration steps and finally cleanly removing Exchange 2003 per the following article: http://www.petenetlive.com/KB/Article/0000234.htm

I realized I made one mistake on the way and that is my Exchange 2003 server operates off of the domain mail.domain.com. When doing the installation wizard for Exchange 2010, the step which asks what domain to use for the Client Access Server, I put domain.com instead of mail.domain.com.

So after the installation I had to go in and change the internal and external URLs for Outlook Web App, ActiveSync, Exchange Control Panel, OAB, Outlook Anywhere and even did autodiscover internal and external via PowerShell.

However, even after fully removing Exchange 2003 and correcting the domain on all of the URLs, I'm still getting an Outlook certificate error that there's a name mismatch. Specifically "The name on the security certificate is invalid or does not match the name of the site."

I have created a self signed certificate that has the domain mail.domain.com and a subject alternative of autodiscover.domain.com. All DNS for mail and autodiscover is pointing to the correct server. The server's internal name is EX2.office.domain.com.

See attached images of Outlook Autoconfiguration Test, all domains point to "mail.domain.com".

I don't know what next step to take to fix this Certificate Error.

I read somewhere about an Active Directory Service Connection Point for Autodiscover but I'm not sure where to find that or if that will fix the issue or not.

Outlook Cert Error
Outlook AutoConfig test first 1/2
Outlook AutoConfig second 1/2
Question by:RFVDB
13 Comments
 
LVL 4

Expert Comment

by:Manoj Bojewar
ID: 40590483
This is a known issue with Outlook 2007. Please check Outlook 2010 and 2013 and let me know the status.
0
 
LVL 19

Expert Comment

by:R--R
ID: 40590510
Check autodiscoveruri by running get-clientaccessserver | fl

Set-ClientAccessServer -Identity "server" -AutoDiscoverServiceInternalUri https://mail.domain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "server\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -ExternalUrl https://mail.domain.com/EWS/Exchange.asmx
Configure all the virtual directories internal/external with mail.domain.com
Configure outlook anywhere using mail.domain.com
Create a DNS forward lookup zone in internal DNS as domain.com
Create host A record named mail.domain.com and point it to Exchange server IP.
Also check if the third-party certificate is configured on the IIS default web site. If it is a self-signed certificate then install it on all workstations.
0
 

Author Comment

by:RFVDB
ID: 40591654
Thanks. All that's already been done.

All internal and external URLs for everything are mail.domain.com.

Outlook anywhere is configured with mail.domain.com.

There is an internal DNS forward lookup zone for domain.com and "mail" is pointed at internal exchange IP.

Self-signed certificate is bound to 443 on the IIS website. I have a GPO that installs this certificate on all client workstations. Initially I was getting the first error on the Outlook error that the certificate is not from a trusted source but now that is gone. Just get the third error about an SSL certificate mismatch.

Also ran test-outlookwebservices -identity username. All came out well (see attached). There is a section in the output that is an error and it mentions the certificate for EX2.OFFICE.DOMAIN.COM/Autodiscover is incorrect. However I checked this output at another client with the same setup and they also had this error on this same command, however they don't have the constant Outlook certificate error mismatch.

I'm lost. Please let me know if you need any powershell outputs or screen shots in case I'm reading things wrong.
get-commands.txt
autodiscover-test.txt
0
 

Author Comment

by:RFVDB
ID: 40591664
Also this happens with Outlook 2007 and 2010 which is what the client has in the environment.
0
 

Author Comment

by:RFVDB
ID: 40592746
If only the error would tell you which hostname it's wanting an SSL cert for that is not listed on the SAN cert. Thank you Microsoft for being so specific...

I even tried creating the _autodiscover SRV record and deleting the local A record for autodiscover and the error still comes up.

I'm wondering if it's either stuck on the domain I entered when I ran the Exchange 2010 install wizard as "domain.com" instead of "mail.domain.com" or if it thinks it needs the hostname of the server as part of the SSL cert - EX2.office.domain.com.

Something is awry... and it's not telling me what it is.
0
 

Author Comment

by:RFVDB
ID: 40596689
I'm lost on this. I went ahead and created a new self-signed cert and added the server name, EX2.office.domain.com, and the actual domain name "domain.com" as subject alternatives. Still had the same problem.

I used the command:

New-ExchangeCertificate -FriendlyName "SelfSigned Cert" -SubjectName "c=US, o=company, cn=mail.domain.com" -DomainName autodiscover.domain.com, ex2.office.domain.com, domain.com -PrivateKeyExportable $True

I just can't figure out what domain it is looking for!

This has got to be something others have run into.
0
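The name-mismatch question in this thread turns on how a TLS client compares the name it connects to with the names in the certificate. As an added example (not part of the original thread and not any poster's code), the PowerShell below applies the RFC 2818 section 3.1 rule, under which dNSName entries in the subject alternative name are the identity and the Subject CN is consulted only when no such entries exist. The function names and both certificate layouts are constructed for illustration; layout A assumes the SAN holds only the names passed to -DomainName in the command above.

```powershell
# Added example: RFC 2818 section 3.1 name matching over constructed certificate data.
function Test-CertNameMatch {
    param(
        [string]$HostName,       # name the client connects to
        [string]$SubjectCN,      # CN taken from the certificate Subject
        [string[]]$SanDnsNames   # dNSName entries from subjectAltName (may be empty)
    )
    # If any dNSName SAN exists it is the only identity source; the CN is ignored.
    if ($SanDnsNames -and $SanDnsNames.Length -gt 0) { $candidates = $SanDnsNames }
    else { $candidates = @($SubjectCN) }

    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $candidates) {
        $certLabels = $name.ToLowerInvariant().TrimEnd('.').Split('.')
        if ($certLabels.Length -ne $hostLabels.Length) { continue }
        $ok = $true
        for ($i = 0; $i -lt $certLabels.Length; $i++) {
            # A wildcard is honoured only as the whole left-most label.
            if ($i -eq 0 -and $certLabels[0] -eq '*' -and $certLabels.Length -gt 2) { continue }
            if ($certLabels[$i] -ne $hostLabels[$i]) { $ok = $false; break }
        }
        if ($ok) { return $true }
    }
    return $false
}

# Constructed layouts, not read from a real certificate.
# Layout A assumes the SAN contains exactly the -DomainName list from the thread.
$layouts = @(
    @{ Label = 'A: mail only in CN'; CN = 'mail.domain.com';
       San = @('autodiscover.domain.com', 'ex2.office.domain.com', 'domain.com') },
    @{ Label = 'B: mail also in SAN'; CN = 'mail.domain.com';
       San = @('mail.domain.com', 'autodiscover.domain.com', 'ex2.office.domain.com', 'domain.com') }
)
$clientNames = 'mail.domain.com', 'autodiscover.domain.com', 'ex2.office.domain.com'

function Get-NameCoverage {
    foreach ($l in $layouts) {
        foreach ($n in $clientNames) {
            New-Object PSObject -Property @{
                Layout = $l.Label; HostName = $n
                Match = (Test-CertNameMatch -HostName $n -SubjectCN $l.CN -SanDnsNames $l.San)
            }
        }
    }
}
Get-NameCoverage | Format-Table Layout, HostName, Match -AutoSize
```

Under layout A the check fails for mail.domain.com even though that name is the Subject CN, while layout B matches all three names.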
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40604924
I really would recommend staying away from self-signed certificates for Exchange and only using a certificate from a trusted 3rd-party CA. It's going to save you a lot of time and headaches. So it's worth the cost of the cert.

Check out my article here on how to configure split-dns, certificates and all the URLs with a 3rd party cert.
https://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
0
 

Author Comment

by:RFVDB
ID: 40629221
Hi Gareth,

Thanks for the answer and link.

I've successfully set it up with a third party cert many a time. Just wondering how to get it to properly work with a self signed cert without getting into setting up a whole CA and all.

This is the link I followed in creating the cert: https://marckean.wordpress.com/2009/10/09/install-self-signed-exchange-2010-ssl-certificate/

I then set up a GPO to import the cert into all workstations.

Another interesting datum is that when going to https://mail.domain.com/owa it comes up with a certificate error. On viewing the certificate error in Internet Explorer: "Mismatched Address" "The security certificate presented by this website was issued for a different website's address".


MisMatched-Address.PNG
That's weird, the certificate does match the domain in "https://mail.domain.com/owa". So what am I doing wrong here?
0
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 2000 total points
ID: 40629266
If the certificate matches, have you checked to verify all your external and internal URLs? Make sure all internal and external URLs are mail.domain.com.

Also, does your self signed cert have autodiscover.domain.com on it? Or are you doing SRV records for autodiscover? Otherwise you will need autodiscover.domain.com on your cert.
0
 

Author Comment

by:RFVDB
ID: 40734587
Yes, all internal and external URLs have been checked.

It does have autodiscover.domain.com on it as a subject alternative name. This wasn't working so I then tried to use SRV records. This also didn't work.

What's strange is if you look at my post above when opening up owa in Internet Explorer, IE is complaining of a "mismatched address". It says "The security certificate presented by this website was issued for a different website's address."

However the address I typed into the web browser is EXACTLY what's on the certificate when viewing the property of the certificate. SO IE IS COMPLAINING OF A MISMATCHED ADDRESS EVEN WHEN THE CERTIFICATE MATCHES THE ADDRESS TYPED INTO IE!!!

Weird. This seems more like a weird certificate issue than the URLs in Exchange being correct.....
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40743124
Can you go to www.exrca.com and do the autodiscover test and post the results here? Sounds like it is picking up another cert. Possibly your public website's cert.
0
 

Author Comment

by:RFVDB
ID: 40797459
OK, I'll do this shortly and post the results.
0

Question has a verified solution.
