I am having an issue with SSL certs that is getting to be a nightmare.
For reasons not discussed our wildcard SSL was rekeyed. (Please don't make me go there.) I have a new wildcard cert properly installed / updated all servers. Almost everything is working - except - now clients are getting a Security Alert message that says "The name on the security certificate is invalid or does not match the name of the site". This happens on only about 10% of the users, 34 of 350. One user gets the "Cert Alert" on one computer but not on a second desktop.
Once the user hits any of the checkboxes on the alert dialog popup, Outlook works fine and gives them a new popup the next time they open Outlook.
For many of the users simply installing the new cert did the trick.
For the remaining clients I have done the following and am left with about 10% of the workstations that will not cooperate.
Checked usual suspects:
Ran ipconfig /flushdns to clean DNS cache
Went to PowerShell and ran Test-ComputerSecureChannel -r (results = true)
Reboot and then open outlook and reinstall cert.
Taken Outlook out of exchange mode then try to install the cert.
Opened an MMC console and searched for all %MyDomain% SSL certs - deleted certs - installed new cert
Confirmed that the new cert Serial number matches the one on the server.
Confirmed that the certificate's thumbprint matches the server
Confirmed that Autodiscover DNS records were correct
Confirmed that Certificates SCP object is correct.
Created and confirmed that SRV record for autodiscover is correct.
confirmed SRV in cert is correct.
server name/ip is correct in local DNS and outside DNS
nslookup shows correct server IP
Ran the following cmdlets on server:
Set-ClientAccessServer -Identity %myserver% -AutodiscoverServiceIntern
ctory -Identity "%myserver%\EWS (Default Web Site)" –InternalUrl https://mail.%mydomain%/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity “%myserver%\OAB (Default Web Site)” -InternalURL https://mail.%mydomain%/OAB
tory -Identity “%myserver\Microsoft-Serve
nc (Default Web Site)” -InternalURL https://mail.%mydomain%/Microsoft-Server-Activesync
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.%mydomain%
- each step resolved the issue on a few but not all (left me with the 10%)