Troubles with security certificates, Exchange 2013, GoDaddy and internet/intranet invalid names

Hi Experts,
As the title suggests, I'm having issues getting my SSL security certificates in Exchange 2013 validating Outlook from both internal and external connections. I can't seem to get the certificate accepted for internal (servername.domainname.local) and external (mail.domainname.com) Outlook connections. On one certificate with servername.domainname.local as the primary address, the internal Outlook clients connect just fine but external clients refuse to connect via Outlook Anywhere. When I change the certificate to have mail.domainname.com as the primary, Outlook Anywhere connects fine but internal clients complain that the certificate name is invalid, although they still allow the connection. The certificate is a single domain certificate issued via GoDaddy.

Help me Experts-Exchange, you're my only hope.
Dougj182 asked:
Hypercat (Deb) commented:
You need to have your internal and external URLs the same if you're using a single-name certificate.  So, you need to change the internal URL of your Exchange server to match the external URL (i.e., "mail.domain.com").

Here's an article that will explain:

http://support.microsoft.com/en-us/kb/940726

The article refers to Exchange 2007 and 2010, but also applies to 2013.

Simon Butler (Sembee), Consultant, commented:
From November 2015 you cannot have an SSL certificate with internal names on it.
You will need to use a split DNS system to ensure the external name resolves internally, then configure Exchange with the external name for both internal and external URLs.
http://semb.ee/hostnames2013

Simon.

Aaron Tomosky (SD-WAN Simplified) commented:
Agree with Hypercat, use the external name only. For internal workstations, I assume you run your own DNS; just put in an entry for mail.domain.com with the internal IP address.
Berkson Wein (Tech Freelancer) commented:
Agree with the other posters.

You can use a single certificate, mail.yourdomain.com for example.

Then you need to set the names that are used:

-- change OWA
Set-OwaVirtualDirectory -Identity "servername\owa (default web site)" -ExternalUrl https://mail.yourdomain.com/owa -InternalUrl https://mail.yourdomain.com/owa

confirm: Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change ECP
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.yourdomain.com/ecp -InternalUrl https://mail.yourdomain.com/ecp

confirm: Get-EcpVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync

confirm: Get-ActiveSyncVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change Exchange Web Services
Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx

or, for all servers at once:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -InternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx

confirm: Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change OAB
Set-OabVirtualDirectory -Identity "ServerName\oab (default web site)" -ExternalUrl https://mail.yourdomain.com/OAB -InternalUrl https://mail.yourdomain.com/OAB

confirm: Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change Autodiscover
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://mail.yourdomain.com/Autodiscover/Autodiscover.xml

confirm: Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI

Keep in mind that the autodiscover rename requires a workaround. The alternative is to have a multiple name (SAN) certificate that has autodiscover in it. We use a _SRV record in DNS to tell the client to look to mail.yourdomain.com.

Hope this helps.
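As an added example (not code from the original answer), the same changes driven from one hostname variable, followed by the "confirm" step across every directory and the certificate bound to IIS; the hostname is a placeholder and the script assumes the Exchange 2013 Management Shell on the server itself:

```powershell
# Added example, not part of the original answer. Assumptions: run in the Exchange
# Management Shell on the Exchange 2013 server; $Hostname is a placeholder for the
# name on your single-name certificate.
$Hostname = "mail.yourdomain.com"
$Server   = $env:COMPUTERNAME
$base     = "https://$Hostname"

# Same URL for InternalUrl and ExternalUrl, so internal and external Outlook
# clients both connect to a name the certificate actually carries.
$paths = @{
    Owa         = "$base/owa"
    Ecp         = "$base/ecp"
    ActiveSync  = "$base/Microsoft-Server-ActiveSync"
    WebServices = "$base/EWS/Exchange.asmx"
    Oab         = "$base/OAB"
}
foreach ($kind in $paths.Keys) {
    # e.g. Get-OwaVirtualDirectory | Set-OwaVirtualDirectory, built from the key
    & "Get-${kind}VirtualDirectory" -Server $Server |
        & "Set-${kind}VirtualDirectory" -InternalUrl $paths[$kind] -ExternalUrl $paths[$kind]
}
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# Confirm: read everything back and flag any URL whose host is not the certificate name.
$report = @(foreach ($kind in $paths.Keys) {
    $vd = & "Get-${kind}VirtualDirectory" -Server $Server
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
        [pscustomobject]@{ Item = $kind; Value = "$u"; Matches = ($null -ne $u -and $u.Host -eq $Hostname) }
    }
})
$ad = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$report += [pscustomobject]@{ Item = "Autodiscover"; Value = "$ad"; Matches = ($null -ne $ad -and $ad.Host -eq $Hostname) }

# The certificate bound to IIS must list the same hostname, or clients still warn.
$iisCert   = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
$report += [pscustomobject]@{ Item = "IIS certificate"; Value = ($certNames -join ", "); Matches = ($certNames -contains $Hostname) }

$report | Format-Table -AutoSize
# Run iisreset afterwards so IIS picks up the new URLs.
```

Any row with Matches = False is a name Outlook will still be sent to that the certificate does not cover.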

Dougj182 (Author) commented:
OK, so if I understand correctly, I need to change all the internal and external URLs in the virtual directory entries to https://mail.domainname.com/<type> next to the red arrows? Is that correct?
(attached screenshot: Capture.JPG)

Berkson Wein (Tech Freelancer) commented:
That's right, but if I'm remembering correctly, not all can be changed using ECP. The commands I gave will change them for you in PowerShell. I assume GoDaddy gives you PowerShell access.

Dougj182 (Author) commented:
Oh no, the Exchange server is hosted in house, just the certificate comes from GoDaddy. Thanks, I'll use PS to change the config and report back. Thanks for your help.

Berkson Wein (Tech Freelancer) commented:
Oh, misunderstood that originally. In general, I find PowerShell to be much better than the GUI, and you get to set your settings and then quickly test if they're set right with the equivalent Get command.

Dougj182 (Author) commented:
So, I've made all the changes; autodiscover. and mail. have been added to the DNS pointing to the Exchange server both internally and externally, but I'm still getting this error from Outlook? Suggestions?

(attached screenshot: Capture2.PNG)

Berkson Wein (Tech Freelancer) commented:
Your certificate likely only has mail.yourdomain.com, hence the complaining about autodiscover not matching. You would need a SAN certificate (Subject Alternative Name) that also has autodiscover in it if you want clients to look to autodiscover.yourdomain.com. Or you could use a wildcard certificate.

Here's what we generally do instead:
1) Certificate with only mail.yourdomain.com

2) Change the autodiscover URL
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri https://mail.yourdomain.com/Autodiscover/Autodiscover.xml

3) Remove any A record in DNS for autodiscover.yourdomain.com

4) Create a SRV record for _autodiscover._tcp.yourdomain.com
and have it point tcp 443 to mail.yourdomain.com

More info:
https://exchangemaster.wordpress.com/tag/autodiscover/
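An added check (not from the original answer) for the DNS layout in steps 3 and 4, run from a client on the LAN; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later), English-language Windows for the certificate extension text, and the placeholder names yourdomain.com and mail.yourdomain.com:

```powershell
# Added example, not part of the original answer. Assumptions: Resolve-DnsName is
# available (Windows 8 / Server 2012+); $Domain/$MailHost are placeholders.
$Domain   = "yourdomain.com"
$MailHost = "mail.$Domain"
$problems = @()

# Step 3: Outlook tries https://autodiscover.<domain>/ before the SRV lookup, so an
# A record here sends it to a name the single-name certificate does not carry.
$a = Resolve-DnsName -Name "autodiscover.$Domain" -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq "A" }
if ($a) { $problems += "autodiscover.$Domain still resolves ($($a.IPAddress -join ', ')); remove that A record" }

# Step 4: the SRV record must exist and name the certificate host on port 443.
# A stale SRV record pointing elsewhere gives exactly the name-mismatch warning.
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SRV" }
if (-not $srv) { $problems += "no SRV record for _autodiscover._tcp.$Domain" }
foreach ($r in $srv) {
    if ($r.NameTarget -ne $MailHost -or $r.Port -ne 443) {
        $problems += "SRV points to $($r.NameTarget):$($r.Port), expected ${MailHost}:443"
    }
}

# Split DNS: the external name must also resolve from inside the LAN.
if (-not (Resolve-DnsName -Name $MailHost -Type A -ErrorAction SilentlyContinue)) {
    $problems += "$MailHost does not resolve from this client"
}

# TLS: the certificate presented on 443 must carry the name clients use.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($MailHost, 443)
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]  # inspect only
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($MailHost)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
    if ($san) {   # "DNS Name=" is the English-language Windows rendering of the extension
        $names += [regex]::Matches($san.Format($true), "DNS Name=([^\s,]+)") | ForEach-Object { $_.Groups[1].Value }
    }
    if ($names -notcontains $MailHost) { $problems += "certificate names ($($names -join ', ')) do not include $MailHost" }
    $ssl.Dispose(); $tcp.Close()
} catch { $problems += "TLS connection to ${MailHost}:443 failed: $($_.Exception.Message)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "DNS and certificate layout for $MailHost looks consistent" }
```

A leftover SRV record that points somewhere other than the certificate host shows up as the "SRV points to ..." warning, which is the situation the author eventually found.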

Dougj182 (Author) commented:
Thanks, let me try it.

Berkson Wein (Tech Freelancer) commented:
You likely need to do an iisreset after all settings are done, FYI.

And note that https://testconnectivity.microsoft.com/ is your friend!

Berkson Wein (Tech Freelancer) commented:
Checking in... how'd it go?

Dougj182 (Author) commented:
Just picked this up again from being on vacation, thanks for checking in. I'll let you know how it goes.

Dougj182 (Author) commented:
Oh God, I just figured it out. There was an SRV record already inserted in the DNS settings pointing to the wrong place. All working now.

@ Weinberk, thank you so much for your help!

Dougj182 (Author) commented:
I figured out the final part of the problem myself.

Clark20ry commented:
I was having the same issue. I added the SRV Record and no longer get the warning.