mrpaologatto
asked on
Outlook 2010: problems with certificate
Hello, I have already read the Exchange Expert articles but have failed to resolve this. My problem is the notice that appears in Outlook a few seconds after I start using it, which tells me that the certificate name does not match the name of the site. My customer has a public Exchange 2010 server named "mail.dominio.com" for which I renewed the certificate. The Outlook client points to the server "05-posta.dominio.local". I remain available for further clarifications, thank you. Regards, Paolo
Can you add ALT names to your SSL? If you can, add 05-posta.dominio.local. Was it working fine before you renewed the SSL?
ASKER
Yes, Outlook worked well before renewal. What ALT names?
If you have a Multiple SSL cert you can add extra names to it, but I don't think they actually let you use .local now.
https://www.digicert.com/subject-alternative-name.htm
Maybe when you had your old one it had it in it. You may have to create a new zone in DNS that matches your External Common name of SSL.
So for instance, create an internal DNS zone for dominio.com and then create an A record "Mail" pointing to your internal Exchange server. If you have an external website as well, you will need to add the records for that too, like www, as your internal clients will use internal DNS for dominio.com.
-MAS explains it better than me, very nice article
Dear user,
I found a similar thread on expert exchange. You can refer to it related to your thread.
https://www.experts-exchange.com/questions/27187692/outlook-problem-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site.html
In addition to this, I want to refer you to an additional link to a solved query I found on Exchange Expert, but it's related to Outlook 2013. Although it will work.
https://www.experts-exchange.com/questions/28406011/outlook-2013-the-name-on-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site.html
Thanks & Regards
Edwin Hoffer
When you click on the certificate information in the Outlook prompt, please verify whether the details are the same as the certificate that you renewed. Does OWA also show the same symptoms? Verify OWA on the machine where Outlook prompts for the certificate.
ASKER
Thank you all for the suggestions. Sorry for the delay; unfortunately I cannot verify before Monday morning. Have a nice weekend.
ASKER
Following the article by Mumbai Tech, I verified that the _discover service is not among those proposed in the list when creating the (SRV) record. How do I proceed?
ASKER
Attached: DNS after configuring the SRV records, the alert message on the certificate, and the certificate display ...
Are you using a self-signed certificate or a third-party one?
Just checked your screenshot and found the certificate does not have the domain name, something like mail.contoso.com.
Have you installed the certificate after renewal?
ASKER
The Exchange server also has a self-signed certificate, and it was installed prior to the date of the certification authority. The problem does not occur with OWA. I'm monitoring the clients, and after adding the SRV records, on some I no longer see the message.
The self-signed certificate is used for Exchange server authentication and is not for users.
The public certificate is used by users to authenticate with the server.
Can you post a screenshot of accessing OWA on the machine where Outlook always prompts with the certificate error?
ASKER
Attached: OWA access and the alert message generated by Outlook.
Hi,
Please post the result of these commands:
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory | fl Server,Name,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | fl Name,InternalUrl,ExternalUrl
Get-ExchangeCertificate | fl Issuer,Services,NotAfter,CertificateDomains
All these are explained in this article.
https://www.experts-exchange.com/articles/13676/Out-Of-office-not-working.html
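A check for the name mismatch discussed in this thread, as an added example that is not part of the original posts: it compares the host name in each service URL with the names on the certificate and reports the URLs the certificate does not cover. The function names and the sample values (built from the host names in the question) are assumptions; on a server the inputs would be the URLs and CertificateDomains returned by the commands listed above.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0, which the
# Exchange 2010 Management Shell uses. Function names are hypothetical.

function Test-NameCoveredByCertificate {
    param(
        [Parameter(Mandatory=$true)] [string]   $HostName,
        [Parameter(Mandatory=$true)] [string[]] $CertificateDomains
    )
    foreach ($domain in $CertificateDomains) {
        if ($domain -ieq $HostName) { return $true }
        # A wildcard entry ("*.dominio.com") covers exactly one extra left-most label.
        if ($domain.StartsWith('*.')) {
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -ieq $domain.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UncoveredServiceUrl {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Url,
        [Parameter(Mandatory=$true)] [string[]] $CertificateDomains
    )
    foreach ($u in $Url) {
        $hostName = ([System.Uri]$u).Host
        if (-not (Test-NameCoveredByCertificate -HostName $hostName -CertificateDomains $CertificateDomains)) {
            New-Object PSObject -Property @{ Host = $hostName; Url = $u }
        }
    }
}

# Constructed sample input, built from the host names in the question.
# On a server, pass the URLs and CertificateDomains returned by the
# commands in the post above instead.
$sampleUrls = @(
    'https://05-posta.dominio.local/Autodiscover/Autodiscover.xml',
    'https://05-posta.dominio.local/EWS/Exchange.asmx',
    'https://mail.dominio.com/OAB'
)
$sampleCertDomains = @('mail.dominio.com', 'autodiscover.dominio.com')

# Lists every URL whose host name the certificate does not cover.
Get-UncoveredServiceUrl -Url $sampleUrls -CertificateDomains $sampleCertDomains |
    Format-Table Host, Url -AutoSize
```

Any URL this reports is one that an Outlook client reaching it over HTTPS will flag with the name-mismatch warning, so each must either be changed to a name on the certificate or have its name added as a SAN.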
Try 2 things on this problematic machine:
1. Delete the existing outlook profile and re-create it
2. Export the renewed certificate from the Exchange server and import it into the machine. Make sure the certificate path on the machine is OK. Then try to recreate the Outlook profiles.
ASKER
commands executed with the exchange shell ...
From your Get-ExchangeCertificate output, I believe you renewed the certificate with the Thawte CA. This certificate is a Subject Alternative Name certificate for your mail.domainname.com and it will last until 2018.
I believe you installed this certificate on the Exchange server; however, only the "imap" service is enabled. The certificate should be enabled for "iis and smtp" at least. In my environment, I enable it for "iis,smtp,pop,imap".
Run Get-ExchangeCertificate | fl to get the thumbprints.
To enable the services, run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services "iis,smtp,imap"
Run this on all Exchange Client Access role servers and restart the MSExchangeTransport service.
Adding to the above:
You have to change your autodiscover to mail.emaildomain.com or autodiscover.emaildomain.com
Set-ClientAccessServer -Identity server1 -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
You have to add the SAN "autodiscover.emaildomain.com" to the Thawte certificate and enable the IIS,SMTP services.
Explained in this article
ASKER
I realized that first of all I have to delete the certificates that have nothing to do with this, created in previous operations. Then check whether such certificates have been imported into Internet Explorer on the clients. As soon as I finish the tests I'll tell you the results.
ASKER
Hello everyone, after removing the unnecessary certificates and applying the suggestions of Experts Exchange, the problem to date no longer appears.
Thanks for the support.
Paolo Gatto
ASKER
I will keep monitoring the Outlook client and Exchange server in the next few days; if another anomaly occurs I will contact Experts Exchange again. Thank you