mrpaologatto

Outlook 2010: problems with certificate

Hello, I have already read the Exchange Expert articles but have failed to resolve this. My problem originates in the notice that appears in Outlook a few seconds after I start using it, telling me that the certificate name does not match the name of the site. My customer has a public Exchange 2010 server named "mail.dominio.com" for which I renewed the certificate. The Outlook client is pointing to the server "05-posta.dominio.local". I remain available for further clarifications, thank you. Regards, Paolo
OnlineSupport

Can you add ALT names to your SSL? If you can, add 05-posta.dominio.local. It was working fine before you renewed the SSL?
mrpaologatto

ASKER

Yes, Outlook worked well before renewal. What ALT names?
If you have a Multiple SSL cert you can add extra names to it, but I don't think they actually let you use .local now

https://www.digicert.com/subject-alternative-name.htm

Maybe when you had your old one it had it in it. You may have to create a new zone in DNS that matches the external Common Name of your SSL.

So for instance: create an internal DNS zone for dominio.com and then create an A record "mail" pointing to your internal Exchange server. If you have an external website as well, though, you will need to add the records for that too, like www, as your internal clients will use internal DNS for dominio.com
-MAS explains it better than me, very nice article
Dear user,
I found a similar thread on expert exchange. You can refer to it in relation to your thread.
https://www.experts-exchange.com/questions/27187692/outlook-problem-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site.html
In addition to this, I want to refer you to an additional link to a solved query I found on Exchange Expert, but it's related to Outlook 2013. Although it will work.
https://www.experts-exchange.com/questions/28406011/outlook-2013-the-name-on-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site.html

Thanks & Regards
Edwin Hoffer
When you click on the certificate information that is prompted in Outlook, please verify whether the details are the same as the certificate that you renewed or not. Does OWA also show the same symptoms? Verify OWA on the machine where Outlook prompts for the certificate
Thank you all for the suggestions. Sorry for the delay, unfortunately I cannot verify before Monday morning. Have a nice weekend
Following the article by Mumbai Tech, I verified that the _discover service is not among those proposed in the list when creating the SRV record. How do I proceed?
Attached: DNS after configuring the SRV records, the alert message on the certificate, and the certificate display ...
Are you using a self-signed certificate or a third-party one?

Just checked your screenshot and found the certificate does not have the domain name, something like mail.contoso.com.

Have you installed the certificate after renewing?
The Exchange server also has a self-signed certificate, and it was installed prior to the date of the certification authority. The problem does not occur with OWA. I'm monitoring the clients, and after adding the SRV records some no longer see the message
The self-signed certificate is used for Exchange server authentication and it is not for users.

The public certificate is used by users to authenticate with the server.

Can you post a screenshot of accessing OWA on the machine where Outlook always prompts for the certificate error?
Attached: OWA access and the alert message generated by Outlook
Hi,
Please post the result of these commands
Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory | fl Server,Name,InternalUrl,ExternalUrl
Get-WebServicesVirtualDirectory | fl Name,InternalUrl,ExternalUrl
Get-ExchangeCertificate | fl Issuer,Services,NotAfter,CertificateDomains

All these explained in this article.
https://www.experts-exchange.com/articles/13676/Out-Of-office-not-working.html
Try 2 things on this problematic machine:

1. Delete the existing outlook profile and re-create it

2. Export the renewed certificate from the Exchange server and import it into the machine. Make sure the certificate path on the machine is OK. Then try to recreate the Outlook profile
Commands executed with the Exchange shell ...
From your Get-ExchangeCertificate output, I believe you renewed the certificate with the Thawte CA. This certificate is a Subject Alternative Name certificate for your mail.domainname.com, and it will last until 2018.

I believe you installed this certificate on the Exchange server; however, only the "imap" service is enabled. The certificate should be enabled for "iis and smtp" at least. In my environment, I enable it for "iis,smtp,pop,imap"

Run Get-ExchangeCertificate | fl to get the thumbprints.

To enable the services, run Enable-ExchangeCertificate -Thumbprint <Thumbprint> -Services "iis,smtp,imap"

Run this on all Exchange Client Access role servers and restart the MSExchangeTransport service
Adding to the above
You have to change your autodiscover to mail.emaildomain.com or autodiscover.emaildomain.com
Set-ClientAccessServer -Identity server1 -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"

You have to add the SAN "autodiscover.emaildomain.com" to the Thawte certificate and enable the IIS,SMTP services.

Explained in this article
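
The check the replies above are working towards, written out as an added example that is not part of the original thread: it lists every client-facing URL whose host name is not covered by an unexpired, IIS-enabled certificate. The helper names Test-NameCovered and Get-UncoveredUrl are hypothetical, and the sample URLs and certificate object are constructed from the host names mentioned in the thread.

```powershell
# Added example, not from the thread. Sample data at the bottom is constructed.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }   # string -eq ignores case
        # A wildcard entry such as *.dominio.com covers exactly one extra label
        if ($d.StartsWith('*.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $d.Substring(2)) {
            return $true
        }
    }
    return $false
}

function Get-UncoveredUrl {
    param([string[]]$Urls, [object[]]$Certificates)
    foreach ($cert in $Certificates) {
        # Autodiscover, EWS, OAB and OWA are served over HTTPS, so only
        # unexpired certificates enabled for IIS matter for the Outlook warning.
        if ("$($cert.Services)" -notmatch 'IIS' -or $cert.NotAfter -le (Get-Date)) { continue }
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        foreach ($u in $Urls) {
            if (-not $u) { continue }            # unset ExternalUrl and similar
            $hostName = ([uri]$u).Host
            if (-not (Test-NameCovered -HostName $hostName -CertDomains $domains)) {
                New-Object PSObject -Property @{
                    Thumbprint = $cert.Thumbprint; Url = $u; HostName = $hostName }
            }
        }
    }
}

# Constructed sample modelled on the names in this thread. On the Exchange
# server, build the inputs from the cmdlets quoted above instead, e.g.
#   $urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
#   $urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
#   $certs = @(Get-ExchangeCertificate)
$urls = @(
    'https://05-posta.dominio.local/Autodiscover/Autodiscover.xml',
    'https://mail.dominio.com/EWS/Exchange.asmx'
)
$certs = @(New-Object PSObject -Property @{
    Thumbprint = 'SAMPLE-THUMBPRINT'; Services = 'IIS, SMTP'
    NotAfter = (Get-Date).AddYears(1)
    CertificateDomains = @('mail.dominio.com', 'autodiscover.dominio.com') })

Get-UncoveredUrl -Urls $urls -Certificates $certs | Format-List
```

Any URL it reports is a name Outlook will be sent to that the certificate does not list, which is the condition behind the "name does not match" prompt; an empty result means the URLs and the certificate names agree.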
I realized that first of all I have to delete the certificates that have nothing to do with this, created in previous operations. Then check on the clients whether such certificates have been imported into Internet Explorer. As soon as I finish the tests I'll tell you the results
Hello everyone, after removing the unnecessary certificates and applying the suggestions of expert-exchange, the problem to date no longer appears.
Thanks for the support.

Paolo Gatto
I will keep monitoring the Outlook client and Exchange server in the next few days; if another anomaly occurs I will contact expert-exchange again. Thank you