jplatt1

Exchange 2010 security certificate mismatch

Hello folks,

Got a head scratcher here, hoping you all can help. Since 2010, when Exchange 2010 came out, I have been using a third-party single-name cert to run my Exchange servers. I change all the virtual directories to mail.domain.com, the name on the cert, and set up a split horizon internally that points this public FQDN to the mail server. I also create an SVC record for autodiscover on the public DNS. This has worked like a charm for years.

As of this year, recently mind you, some of my clients, for no apparent reason, have started to get certificate errors internally referencing the mail.domain.local name and stating that the name on the certificate does not match when opening Outlook. This is happening with Outlook 2007, 2010 and 2013. This has never happened in the past and has never been an issue before; nothing on these mail servers has been changed or modified. After opening Outlook, it connects like normal and then will be fine for about 1 to 2 minutes, then the security alert pops up. Whether I accept or decline, Outlook functions fine.

I believe there must be a simple way to fix this issue and am hoping that I am just overlooking it.

Thank you in advance
Simon Butler (Sembee)

If you just changed the virtual directories then you haven't covered everything - specifically the Autodiscover entry.

get-clientaccessserver | select identity, AutodiscoverServiceInternalURI

If that value isn't set correctly to match the SSL certificate then it will generate the prompts that you are seeing.

Simon.
jplatt1

ASKER

Thank you for the response. So, autodiscover, client access server, webservices, oab, owa, ecp, activesync have all had their internal and external URLs/URIs changed to https://mail.domain.com and this popup just started recently. The server has been in service for about 2 years. That is the head scratcher.

Simon Butler (Sembee)

Something has to have changed - this is not a problem that occurs on its own UNLESS the SSL certificate has expired.
When you get the SSL error, if you look at the certificate is it yours?
If you do an Autodiscover test in Outlook, does it return the correct information and URLs? You need to check the log field as well.

Simon.
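
The two checks from the replies above (every configured URL name must be on the SSL certificate, and the certificate must not have expired), as an added example that is not part of the original thread. It assumes the Exchange Management Shell on Exchange 2010 and extends the check to the virtual directories the asker lists; the helper Test-NameCoveredByCert is hypothetical, written for this example.

```powershell
# Added example: flag Exchange URLs whose host name is not on the IIS certificate.
# Test-NameCoveredByCert is a hypothetical helper, not an Exchange cmdlet.
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }     # -eq is case-insensitive
        # A wildcard entry (*.domain.com) covers exactly one left-most label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)               # ".domain.com"
            $label  = $HostName.Split('.')[0]
            if ("$label$suffix" -eq $HostName) { return $true }
        }
    }
    return $false
}

# Certificates assigned to IIS and the names they carry.
$iisCerts  = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })

# Collect the Autodiscover URI and every internal/external virtual directory URL.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object {
    New-Object PSObject -Property @{
        Source = "AutodiscoverServiceInternalUri ($($_.Identity))"
        Url    = $_.AutodiscoverServiceInternalUri }
}
$vdirCmds = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
            'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
            'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vdir in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $urls += New-Object PSObject -Property @{
                Source = "$cmd $prop ($($vdir.Server))"; Url = $vdir.$prop }
        }
    }
}

# Report: any row with CoveredByCert = False will trigger the Outlook prompt.
$report = foreach ($u in $urls) {
    if (-not $u.Url) { continue }                      # URL not configured
    $hostName = ([Uri]"$($u.Url)").Host
    New-Object PSObject -Property @{
        Source = $u.Source; Host = $hostName
        CoveredByCert = (Test-NameCoveredByCert $hostName $certNames) }
}
$report | Sort-Object CoveredByCert | Format-Table Source, Host, CoveredByCert -AutoSize | Out-Host
$iisCerts | Select-Object Thumbprint, NotAfter,
    @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } | Format-List | Out-Host
```

A row showing a .local host with CoveredByCert False points at the setting that still needs changing; if every row is True and the certificate is not expired, the name Outlook is reaching is coming from somewhere else, such as DNS.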
jplatt1

ASKER

User generated image
So the domain was the public mail.domain.com, that I set in the Exchange server for all of the external and internal fields. The client connects to Exchange and functions correctly with the exception of the certificate alert.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

This solution is only available to members.
jplatt1

ASKER

Will look deep into this. I will let you know what I find. Thank you for the help so far.
jplatt1

ASKER

So, there is definitely a DNS issue with autodiscover. It seems to be internal, though we have not tracked it down as of yet. What changed, we are not sure, but thank you for pointing us in the right direction.