Solved

Exchange 2010: Outlook anywhere/Outlook 20XX/ and OWA certificate error

Posted on 2016-08-15
Last Modified: 2016-09-07
Running Exchange 2010 SP3 on Windows Server 2008 R2 SP1
This is a single-server Exchange environment.
Exchange server name:  exchange.gpr.com
Default website:  webmail.grandpacificresorts.com


I recently renewed our Exchange SSL certificate, because although Outlook Anywhere is configured there was no SAN for autodiscover.  The new certificate request was created using the EMC and installed the same way.  Lastly, IMAP, POP, IIS, and SMTP services were assigned to the certificate.  FYI, no virtual directories have been set/changed via PowerShell since installing the new certificate, and IIS has not been reset.  Finally, the website defined in the certificate is webmail.grandpacificresorts.com with a SAN of autodiscover.grandpacificresorts.com.

Since installing the new certificate, the Outlook Connectivity and Outlook Autodiscover tests on https://testconnectivity.microsoft.com/ now pass, but internal Outlook clients and OWA generate the following error:

gpresorts.com  The name on the security certificate is invalid or does not match the name of the site

I can't figure out why Outlook would be referencing gpresorts.com and not grandpacificresorts.com.  I also can't figure out if this is an Autodiscover virtual directory configuration problem, a DNS issue, or other.

Autodiscover:  see attached results for Get-AutodiscoverVirtualDirectory | fl

DNS:  below are the Exchange-related entries in each scope

Scope gpresorts.com
  • (same as parent folder)    Mail Exchanger (MX)    gprmail1.gpr.com
  • webmail                    Host(A)                webmail
Scope grandpacificresorts.com
  • (same as parent folder)    Mail Exchanger (MX)    gprmail1.gpr.com
  • autodiscover               Host(A)                192.168.0.37
  • webmail                    Host(A)                192.168.0.37
autodiscover.png
0
Question by:Ryan Mignosa
7 Comments
 
LVL 32

Expert Comment

by:Scott C
ID: 41756887
Check your cert.

Get-ExchangeCertificate | fl

Look through this list and get rid of any certs that are expired.  Also look for any "pending" certs.  I've come across this before, where a pending cert wasn't showing up in the GUI, but it did show up in the PS command.  Once I got rid of it, everything started working.
0
 
LVL 27

Assisted Solution

by:MAS
MAS earned 400 total points (awarded by participants)
ID: 41756909
0
 

Author Comment

by:Ryan Mignosa
ID: 41757113
Scott,

I actually have 3 SSL certs listed.  I have my new cert with IMAP,POP,IIS,SMTP.  I have the one that I just replaced, but is still active with IMAP,POP,SMTP.  Lastly I have an expired SSL cert.

Are you saying that you've seen a bug in Exchange where, if you have multiple certificates, you can have some certificate errors in your environment?  I ask because when I get the security alert and view the certificate, it's the correct certificate.

Thank you
0

 

Author Comment

by:Ryan Mignosa
ID: 41757142
MAS,

I checked your article and a couple items stood out.  The part that keeps bothering me is why is the security alert for gpresorts.com?  The certificate is for grandpacificresorts.com.

Items 1-4: I have 2 forward lookup zones containing the common name webmail.  Why does a client choose one or the other?  Only 1 has an autodiscover entry.

Item 5: I'm wondering if the below address needs to be changed.  The autodiscover address in the Exchange certificate is autodiscover.grandpacificresorts.com, not webmail...

[PS] C:\Windows\system32>get-clientaccessserver | fl name,autodiscoverserviceinternaluri


Name                           : EXCHANGE
AutoDiscoverServiceInternalUri : https://webmail.grandpacificresorts.com/autodiscover/autodiscover.xml
0
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1600 total points (awarded by participants)
ID: 41757176
Two questions:

1. What is the email address you are using when configuring Outlook?
2. Is GPResorts.com your internal domain name?

If #1, configure a SRV record in DNS for gpresorts.com that points to mail.grandpacificresorts.com. Instructions here: http://wp.me/pUCB5-l

If #2 is true, then you need to change your Exchange Autodiscover SCP to accurately reflect the server address. http://wp.me/pUCB5-7X has instructions.
0
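
The certificate-name check behind this fix, as an added example that is not part of the thread: whichever host Autodiscover ends up connecting to over HTTPS has to be one of the names on the certificate. `Test-CertName` and `Get-SrvTarget` are hypothetical helpers; the certificate names and hostnames are the ones quoted in the thread, and the two SRV record lines are constructed samples.

```powershell
# Added example. Certificate names and hostnames are quoted from the thread;
# the SRV record lines are constructed samples in zone-file form.
$certNames = 'webmail.grandpacificresorts.com',
             'autodiscover.grandpacificresorts.com'

function Test-CertName {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.TrimEnd('.').ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard such as *.example.com covers exactly one left-most label.
        if ($n.StartsWith('*.')) {
            $dot = $h.IndexOf('.')
            if ($dot -gt 0 -and $h.Substring($dot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

function Get-SrvTarget {
    # Parses "<owner> [ttl] [IN] SRV <priority> <weight> <port> <target>".
    param([string]$Record)
    if ($Record -match '\sSRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$') {
        return New-Object PSObject -Property @{
            Port = [int]$Matches[3]; Target = $Matches[4].TrimEnd('.') }
    }
    throw "Not an SRV record: $Record"
}

$checks = @(
    @{ Source = 'name shown in the security alert'; Name = 'gpresorts.com' },
    @{ Source = 'AutoDiscoverServiceInternalUri';
       Name   = ([uri]'https://webmail.grandpacificresorts.com/autodiscover/autodiscover.xml').Host },
    @{ Source = 'SRV target (sample A)';
       Name   = (Get-SrvTarget '_autodiscover._tcp.gpresorts.com. 3600 IN SRV 0 0 443 mail.grandpacificresorts.com.').Target },
    @{ Source = 'SRV target (sample B)';
       Name   = (Get-SrvTarget '_autodiscover._tcp.gpresorts.com. 3600 IN SRV 0 0 443 webmail.grandpacificresorts.com.').Target }
)

foreach ($c in $checks) {
    $ok = Test-CertName -HostName $c.Name -CertNames $certNames
    '{0,-34} {1,-40} {2}' -f $c.Source, $c.Name, $(if ($ok) { 'covered' } else { 'NAME MISMATCH' })
}
```

Only the internal URI host and sample B are covered by the two names on the certificate, so the SRV target should be checked against the `Get-ExchangeCertificate | fl` output before the record is published.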
 

Author Comment

by:Ryan Mignosa
ID: 41763231
Adam,

Both 1+2 are true.

I implemented the SRV record in DNS and I checked the autodiscover SCP.  The SCP was accurate, but the SRV record appears to have fixed my problem.  I've configured a number of Outlook clients and tested Email Auto-configuration.  I'm not receiving the security alert anymore, when previously it happened with every test.  I still have some testing to do with Outlook Anywhere, but right now things look great.

Thank you
0
 
LVL 27

Expert Comment

by:MAS
ID: 41787469
I believe Adam's comment helped to resolve the issue. The same can be done on the article in my post.
0
