Certificate issues after removing internal names from Exchange 2010 certificates...

Hello all,

here's my setup:

servera
netbios name: servera
fqdn: servera.domain.local

serverb
netbios name: serverb
fqdn: serverb.domain.local

the two servers are set up in a CAS array called mail.domain.com

my external hostname is mail.domain.com

This evening I updated the certificates on my Exchange 2010 boxes. The updated certs no longer contain NetBIOS names or the internal DNS FQDN for each server. I've changed the ECP, OWA, EWS, OAB, and AutodiscoverServiceInternalURI to my external hostname, which is on the updated certs. Everything seems to work fine except that I intermittently get certificate errors when opening Outlook or while doing various operations in Outlook. The error is: "The name on the security certificate is invalid or does not match the name of the site", and the dialog shows the FQDN of the server. If I view the certificate, it's showing the new updated cert with all the appropriate external names. What am I missing?

Thanks in advance for your help.
reuniontitleAsked:
Manikandan NarayanswamySecurity Specialist & IBM Security GuardiumCommented:
Hi,

What about Outlook Anywhere? Is the Outlook Anywhere hostname present on the certificate? Refer to the link below, please.

https://technet.microsoft.com/en-us/library/dd351057(v=exchg.141).aspx

Thanks
Manikandan
reuniontitleAuthor Commented:
My certificate has the following SANs:

DNS Name=domain.com
DNS Name=mail.domain.com
DNS Name=mail2.domain.com
DNS Name=owa.domain.com
DNS Name=autodiscover.domain.com
DNS Name=legacy.domain.com
Manikandan NarayanswamySecurity Specialist & IBM Security GuardiumCommented:
Hi,

The Autodiscover internal URL should be the internal URL, not the external hostname, meaning the fully qualified domain name. Refer to the links below.

https://technet.microsoft.com/en-us/library/bb125157(v=exchg.160).aspx
http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2.aspx

Thanks
Manikandan
EvilKnievelCommented:
Since your certificate only contains 'external' FQDNs, please check that the Autodiscover internal URL is autodiscover.domain.com (external DNS name). After that, make a new forward DNS zone named 'autodiscover.domain.com' (external DNS name) and in that zone add two A records, leaving the name blank and adding only the IP addresses of your CAS servers. Note that you have to make one A record per server.
Hope this helps!
reuniontitleAuthor Commented:
Manikandan Narayanswamy,

I used that article for guidance in changing ecp, owa, ews, oab, and AutodiscoverServiceInternalURI.  I ran the following commands:

# servera
Set-ClientAccessServer -Identity "servera" -AutodiscoverServiceInternalURI https://mx.republictitle.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "servera\EWS (Default Web Site)" -InternalUrl https://mx.republictitle.com/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity "servera\OAB (Default Web Site)" -InternalURL https://mx.republictitle.com/OAB
Enable-OutlookAnywhere -Server servera -ExternalHostname "mx.republictitle.com" -ClientAuthenticationMethod "NTLM"
Set-ActiveSyncVirtualDirectory -Identity "servera\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mx.republictitle.com/Microsoft-Server-Activesync

# serverb
Set-ClientAccessServer -Identity "serverb" -AutodiscoverServiceInternalURI https://mx.republictitle.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "serverb\EWS (Default Web Site)" -InternalUrl https://mx.republictitle.com/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity "serverb\OAB (Default Web Site)" -InternalURL https://mx.republictitle.com/OAB
Enable-OutlookAnywhere -Server serverb -ExternalHostname "mx.republictitle.com" -ClientAuthenticationMethod "NTLM"
Set-ActiveSyncVirtualDirectory -Identity "serverb\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mx.republictitle.com/Microsoft-Server-Activesync

Did I misunderstand the article?  If those commands aren't correct, what should they have been?
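The thread's diagnosis is whether any URL or hostname a CAS still advertises points at a name that is not on the new certificate. As an added check, not code posted in this thread, the following Exchange 2010 Management Shell script walks the same settings the poster changed (Autodiscover SCP, EWS, OAB, OWA, ECP, ActiveSync, Outlook Anywhere) on each server and flags hosts absent from the SANs of the certificate bound to IIS; the server names are the thread's, the cmdlets and properties are standard Exchange 2010 ones.

```powershell
# Added example: report every client-facing URL/hostname per CAS and whether its host is a SAN
# of the IIS certificate. Assumes the thread's server names; run in the Exchange Management Shell.
$servers = "servera", "serverb"

function Get-HostFromValue([object]$value) {
    # Values are either full URLs (InternalUrl/ExternalUrl) or bare hostnames (Outlook Anywhere).
    $s = $value.ToString()
    if ($s -match '^[a-z]+://') { return ([System.Uri]$s).Host.ToLower() }
    return $s.ToLower()
}

function Test-HostCovered([string]$hostName, [string[]]$sans) {
    foreach ($san in $sans) {
        if ($san -eq $hostName) { return $true }
        if ($san.StartsWith("*.")) {
            # A wildcard SAN covers exactly one extra label, which is how Outlook and browsers match it.
            $suffix = $san.Substring(1)
            $left = $hostName.Substring(0, [Math]::Max(0, $hostName.Length - $suffix.Length))
            if ($hostName.EndsWith($suffix) -and $left -ne "" -and $left -notmatch '\.') { return $true }
        }
    }
    return $false
}

foreach ($server in $servers) {
    # SANs of the certificate currently assigned to the IIS service on this server.
    $cert = Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    # Every setting Autodiscover or Outlook can read for this server, keyed by a label for the report.
    $settings = @{}
    $settings["AutoDiscoverServiceInternalUri"] = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $server) + @(Get-OabVirtualDirectory -Server $server) +
                    @(Get-OwaVirtualDirectory -Server $server) + @(Get-EcpVirtualDirectory -Server $server) +
                    @(Get-ActiveSyncVirtualDirectory -Server $server)) {
        $settings["$($vd.Name) InternalUrl"] = $vd.InternalUrl
        $settings["$($vd.Name) ExternalUrl"] = $vd.ExternalUrl
    }
    $settings["OutlookAnywhere ExternalHostname"] = (Get-OutlookAnywhere -Server $server).ExternalHostname

    foreach ($entry in $settings.GetEnumerator()) {
        if (-not $entry.Value) { continue }   # an unset URL is never advertised, so nothing to check
        $h = Get-HostFromValue $entry.Value
        $status = if (Test-HostCovered $h $sans) { "ok" } else { "NOT ON CERT" }
        "{0,-8} {1,-45} {2,-30} {3}" -f $server, $entry.Key, $h, $status
    }
}
```

Any row marked NOT ON CERT names a setting still handing Outlook a hostname the certificate cannot vouch for; if every row is ok, the server side matches and a stale client profile, as the thread concludes, is the remaining suspect.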
reuniontitleAuthor Commented:
EvilKnievel,

I just applied your suggestion and have seen no change after flushing dns cache.

Any other suggestions?
Scott CSenior EngineerCommented:
Try deleting the outlook profile and recreating it.  I've had a few cases where this has resolved cert issues when everything else is set up correctly.

reuniontitleAuthor Commented:
Holy cow Scott!

I just tried that on my two test accounts that were having issues and that seems to have resolved the error.

I'm gonna leave this open for a few hours today (so I can get a larger sample of users), and if this fixes them I'll be marking your answer as the solution.

Thanks.
Scott CSenior EngineerCommented:
I thought it might.  From what you wrote, it looked like you have everything set up correctly.

I ran into this myself a few weeks ago.  I checked and re-checked the cert and all of my settings.  Then I set up a brand new client and everything worked.

That told me things were set up right and it was a client-side issue.

Glad things are looking like they are working.
Scott CSenior EngineerCommented:
Touching base to see how things are going.
reuniontitleAuthor Commented:
We're closed today for Columbus Day so I don't have anything to report.

If we don't have any repeat users with this issue tomorrow I will mark this as answered.

Thanks for following up.
reuniontitleAuthor Commented:
No repeat customers after 2 business days.  This is the fix for us.

Thanks Scottcha!