Installed New Exchange Certificate now getting Pop up Errors on all Desktops

Joseph Salazar
What would be causing this and how can I fix it?

Please see attached.

Cjoego
Certificate-error.JPG
It means that the name of the certificate does not match the name of the site as the error says. An example of this happening would be. Does the certificate common name match the FQDN the clients are connecting to? Are there any alternate names that need to be added to the certificate? Check the Subject Alternate Name attribute on the previous certificate and make sure you've covered off the names.

A different but real-world example of this occurring would be https://www.news.com.au. They have SSL enabled but the certificate common name is pointing to their CDN address and there are no alternate names for www.news.com.au.
Indeed you need a "valid" certificate; it must have the names by which it is being accessed in the Subject Alternative Names (SAN) field of the certificate.  It cannot be expired or otherwise invalid either.  You must make sure it's activated for the IIS services too; simply importing it isn't enough.  After importing, which I'm assuming has already been done, I would usually use a command like:

Enable-ExchangeCertificate -Thumbprint <VeryLongThumbprintNumber> `
 -Services IIS,POP,IMAP,SMTP -Force


A typical Exchange certificate would have at least 2 names:
1) mail.company.com
2) autodiscover.company.com

Make sure to set internal & external url properties for the various virtual directories.  Just which ones to do may depend on your design.  But I would at least check EWS and OAB.

Also important to make sure the AutoDiscoverServiceInternalUri property on your CAS servers is set to match the name on the cert.  This URL is stored in AD and used by Outlook for the autodiscover process.  Make sure that property is set to match the name on the cert.  So in our example it should be:

https://mail.company.com/autodiscover/autodiscover.xml

Get-ClientAccessServer | ft Name,AutoDiscoverServiceInternalUri


Namespace design is actually a pretty big topic area, so I'm sure I'm not doing it justice above.  Let me know how it goes.

https://technet.microsoft.com/en-us/library/dd351198(v=exchg.141).aspx

https://technet.microsoft.com/en-us/library/bb310763(v=exchg.141).aspx
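
The checks described in the answers above can be run in one pass: list every host name Outlook is handed (Autodiscover URI, EWS and OAB URLs) and test each against the names on the certificate enabled for IIS. This is an added example, not code from anyone in the thread; it assumes the Exchange Management Shell, and Test-NameCovered is a hypothetical helper defined here.

```powershell
# Added example. Returns $true when $HostName is covered by one of $CertNames.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        # -eq on strings is case-insensitive, which is what host names need.
        if ($n -eq $HostName) { return $true }
        # A wildcard entry such as *.company.com covers exactly one extra label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.')) {
            $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
            if ($parent -eq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

# Certificates currently enabled for IIS (what Outlook sees over HTTPS).
$iisCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }

# URLs handed to Outlook: Autodiscover URI plus EWS and OAB virtual directories.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }

# Drop unset URLs and reduce the rest to a unique list of host names.
$hostNames = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique

# One row per certificate and host name; Covered = False means a name-mismatch prompt.
foreach ($cert in $iisCerts) {
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $hostNames) {
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HostName   = $h
            Covered    = Test-NameCovered -HostName $h -CertNames $names
        } | Select-Object Thumbprint, NotAfter, HostName, Covered
    }
}
```

Any row with Covered set to False is a name that either needs adding to the certificate or a URL that needs pointing at a name the certificate already carries.
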
Joseph Salazar, Vice President - Senior IT Consultant

Author

Commented:
I will try it out

MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Joseph Salazar, Vice President - Senior IT Consultant

Author

Commented:
I will try yours tonight, MAS
Joseph Salazar, Vice President - Senior IT Consultant

Author

Commented:
Ended up hiring an Exchange pro to fix it for me
