Cian Dev
asked on
Exchange 2013 Security Cert Issues
Hi folks
I have an issue with MS Exchange 2013 that I can't seem to resolve. The issue is with security certs: I purchased one for our external domain "mail.comany.com", installed it and it works fine. The issue is that when users are on the internal network using Outlook 2013/2016, I keep getting a security alert for "server01.domain.local" saying the name on the security cert is invalid or does not match the name of the site.
Where do I need to start to fix this?
My experience level with Exchange is at a novice level, so any help is much appreciated.
Thanks
Cian
Have you updated all the virtual directories on the Exchange server to the new cert, i.e. mail.comany.com? If not, please do it and do an IIS reset.
Also make sure you have a host A record in the internal DNS for mail.comany.com.
You can create a new zone for mail.comany.com in the internal DNS.
ASKER
Hi, I have done as you mentioned above and the cert mismatch still happens. Is there something I am missing? And now mobile mail is not working.
The mail.comany.com host A record in your public DNS should point to the Exchange server's public IP. Also, do you have an autodiscover.domain.com entry in the new certificate? Then the host A record for autodiscover.domain.com must also point to the Exchange server's public IP.
On the client machine do an ipconfig /flushdns and ipconfig /registerdns, or try to repair the old profile.
Also, you can check the connection status on the Outlook machine and run Test E-mail AutoConfiguration to validate that Autodiscover passes and provides all virtual directory information for mail.domain.com correctly.
What have you done so far?
mobile mail is not working?
These are all issues about the SSL cert & IIS.
Please post the result of the below:
ping commonname.email.com from internet and intranet
ping autodiscover.email.com from internet and intranet
and the result of the below commands as well.
Get-ExchangeCertificate | fl Issuer,CertificateDomains
Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory | fl Server,Identity,internalurl,externalurl
Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl
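The commands above collect the data by hand; the following Exchange Management Shell script, an added example that is not code from this thread, does the comparison for you. It assumes it runs on the Exchange 2013 server itself ($Server taken from the computer name), finds the certificate that is actually enabled for IIS, and flags every client-facing hostname (virtual directory URLs, Outlook Anywhere, the Autodiscover URI) that this certificate does not cover, since those are the names that trigger the Outlook "name on the security certificate is invalid" alert.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the
# Exchange 2013 server; $Server is assumed to be the local server name.
$Server = $env:COMPUTERNAME

# Outlook sees the certificate that has the IIS service enabled, not just any installed cert.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on $Server." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A name is covered if listed exactly or matched by a one-level wildcard entry (*.example.com).
function Test-CertCoversName([string]$Name) {
    $Name = $Name.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and $Name -like $n -and
            $Name.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

# Collect every client-facing URL, labelled by where it is configured.
$urls = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) + @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) + @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    $urls += [pscustomobject]@{ Source = "$($vd.Identity) InternalUrl"; Url = "$($vd.InternalUrl)" }
    $urls += [pscustomobject]@{ Source = "$($vd.Identity) ExternalUrl"; Url = "$($vd.ExternalUrl)" }
}
$oa = Get-OutlookAnywhere -Server $Server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname) | Where-Object { "$_" }) {
    $urls += [pscustomobject]@{ Source = 'OutlookAnywhere hostname'; Url = "https://$h/" }
}
$cas = Get-ClientAccessServer -Identity $Server
$urls += [pscustomobject]@{ Source = 'AutoDiscoverServiceInternalUri'; Url = "$($cas.AutoDiscoverServiceInternalUri)" }

# Report. Anything with CoveredByCert = False needs either the URL changed (Set-*VirtualDirectory)
# or a certificate that includes that name (a SAN cert, as discussed in this thread).
"IIS certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    [pscustomobject]@{ Source = $_.Source; HostName = $hostName; CoveredByCert = (Test-CertCoversName $hostName) }
} | Sort-Object CoveredByCert | Format-Table -AutoSize
```

If the IIS-bound certificate turns out to be the self-signed one rather than the purchased one, Enable-ExchangeCertificate with -Services IIS on the purchased certificate's thumbprint (followed by an IIS reset, as advised above) is the fix rather than changing any URL.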
ASKER
[PS] C:\>Get-ExchangeCertificate | fl Issuer,CertificateDomains
Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...
Issuer : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}
Issuer : CN=mail.mymaildomain.com
CertificateDomains : {mail.mymaildomain.com, wdsrv01.rswd.local, AutoDiscover.RSWD.local, AutoDiscover.mymaildomain.com, RSWD.local, mymaildomain.com}
Issuer : CN=mail.mymaildomain.com
CertificateDomains : {mail.mymaildomain.com, wdsrv01.rswd.local, AutoDiscover.RSWD.local, AutoDiscover.mymaildomain.com, RSWD.local, mymaildomain.com}
Issuer : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}
Issuer : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}
Issuer : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}
[PS] C:\>Get-ClientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Name : WDSRV01
AutoDiscoverServiceInternalUri : https://mail.mymaildomain.com/autodiscover/autodiscover.xml
[PS] C:\>Get-OabVirtualDirectory | fl Server,Identity,internalurl,externalurl
Server : WDSRV01
Identity : WDSRV01\OAB (Default Web Site)
InternalUrl : https://mail.mymaildomain.com/oab
ExternalUrl : https://mail.mymaildomain.com/oab
[PS] C:\>Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl
Server : WDSRV01
Identity : WDSRV01\EWS (Default Web Site)
InternalUrl : https://mail.mymaildomain.com/ews/exchange.asmx
ExternalUrl : https://mail.mymaildomain.com/ews/exchange.asmx
[PS] C:\>
ASKER
ping commonname.email.com from internet and intranet - works fine from intranet/internet
ping autodiscover.email.com from internet and intranet - does not work from internet, but works ok from intranet
Please check step 3 in my article, i.e. you need 2 names, mail.domain.com and autodiscover.domain.com, in your certificate. Maybe you have to buy a multi-domain certificate (SAN certificate) to add the 2 names.
https://www.secureserver.net/ssl/ssl-certificate.aspx?ci=1790&prog_id=525449
-->ping autodiscover.email.com from internet and intranet - does not work from internet, but works ok from intranet
You need to add autodiscover.domain.com (A record) to your external DNS server.
ASKER
What do you mean by "external DNS server"? Outside of our office network? The only DNS I am aware of is on our local server. Apologies if it doesn't sound correct.
ASKER
When creating the CSR for the certificate I added in autodiscover.mymaildomain.com, but for some reason it does not come back on the issued cert; all that comes back is mymaildomain.com. I have tried this twice and it is still the same.
Did you buy a multi-domain certificate from Comodo?
If not, you need a multi-domain certificate.
https://www.secureserver.net/ssl/ssl-certificate.aspx?ci=1790&prog_id=525449
Again, Set-ClientAccessServer:
Set-ClientAccessServer -Identity DOMAIN NAME -AutoDiscoverServiceInternalUri https://webmail.yourdomain.com/Autodiscover/Autodiscover.xml
ASKER
No, it seems not. I am in the process of re-ordering one.
-->what do you mean by "external DNS server" outside of our office network? the only DNS i am aware of is on our local server, apologies if it doesn't sound correct
This is the server where you created the A record to resolve your name on the Internet.
If Outlook Anywhere or the Outlook client shows a Security Alert or certificate error, you need to read this article first:
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/?fbclid=IwAR1GWW23YnX17xLa2wnYyCfyfMXWZ47gQ7xZ4Axv7f3eomEsEBlHRBoicHo