Cian Dev asked:
Exchange 2013 Security Cert Issues

Hi folks

I have an issue with MS Exchange 2013 that I can't seem to resolve. The issue is with security certs: I purchased one for our external domain "mail.comany.com", installed it, and it works fine. The issue is that when users are on the internal network using Outlook 2013/2016, I keep getting a security alert for "server01.domain.local" saying the name on the security cert is invalid or does not match the name of the site.

Where do I need to start to fix this?

My experience level with Exchange is at a novice level, so any help is much appreciated.

thanks

Cian
ASKER CERTIFIED SOLUTION
M A:
Have you updated all the virtual directories on the Exchange server to the new cert, i.e. mail.comany.com? If not, please do it and do an IIS reset.
Also make sure you have a host A record in internal DNS for mail.comany.com.

You can create a new zone for mail.comany.com in the internal DNS.
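Added example (not part of the accepted answer or of anyone's post in this thread): the "new zone for the host name in internal DNS" step above, done with the Windows DnsServer module on a domain DNS server. A zone named after the host itself overrides only that one name, so the rest of the public domain keeps resolving through the Internet. The loop also covers autodiscover.comany.com, which later replies say must be on the certificate as well. The domain names are the thread's placeholders and the IP address is a constructed placeholder, not a value from the thread.

```powershell
# Pin-point zones for the public Exchange names, so LAN clients resolve them to the
# Exchange server's internal address and the certificate name matches what Outlook
# connects to. Run on a domain controller / DNS server (Windows Server 2012 or later).
Import-Module DnsServer

$internalIp  = '192.0.2.10'   # constructed placeholder: the Exchange server's LAN address
$publicNames = @('mail.comany.com', 'autodiscover.comany.com')

foreach ($name in $publicNames) {
    # Zone named exactly after the host: only this FQDN is answered locally.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain
    }
    # An A record at the zone apex ('@') is the answer for the zone name itself.
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $internalIp `
        -TimeToLive (New-TimeSpan -Hours 1)
}

# Verify: every name must now return the internal address from inside the LAN.
foreach ($name in $publicNames) {
    Resolve-DnsName -Name $name -Type A | Where-Object { $_.Type -eq 'A' } |
        Select-Object Name, IPAddress
}
```

On a client that still shows the old answer, run ipconfig /flushdns before testing; the public DNS for the same names is untouched and should keep pointing at the server's public IP for external users.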
Cian Dev (ASKER):
Hi, I have done as you mentioned above and the cert mismatch still happens. Is there something I am missing? And now mobile mail is not working?
The mail.comany.com host A record in your public DNS should point to the Exchange server's public IP. Also, do you have an autodiscover.domain.com entry in the new certificate? Then the host A record for autodiscover.domain.com must also point to the Exchange server's public IP.

On the client machine do an ipconfig /flushdns and ipconfig /registerdns, or try to repair the old profile.

Also you can check the connection status on the Outlook machine and run Test E-mail AutoConfiguration to validate that Autodiscover passes and provides all the virtual directory information for mail.domain.com correctly.
What have you done so far?
mobile mail is not working?

All issues are about the SSL cert & IIS.
Please post the result of the below:
ping commonname.email.com from internet and intranet
ping autodiscover.email.com from internet and intranet
and the result of the below commands as well.
Get-ExchangeCertificate | fl Issuer,CertificateDomains
Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory |  fl Server,Identity,internalurl,externalurl
Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl
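Added diagnostic (my own script, not posted by anyone in this thread) that automates the check the four commands above are doing by hand: it takes the certificate actually bound to IIS, collects every host name Autodiscover will hand to Outlook (the SCP URI, the virtual directory URLs and the Outlook Anywhere host names), and reports for each name whether it is on the certificate and whether it resolves in DNS from the server. Any name flagged "NOT ON CERTIFICATE" is exactly what produces the "name on the security certificate is invalid" prompt described in the question. Cmdlet names are real Exchange 2013 / Windows cmdlets; the report format and the wildcard-matching helper are mine.

```powershell
# Run in the Exchange Management Shell on the Exchange 2013 server.
# Assumes Resolve-DnsName is available (Windows Server 2012 or later).
$server = $env:COMPUTERNAME

# The certificate serving HTTPS is the one whose Services include IIS.
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { Write-Warning "No certificate is enabled for IIS on $server"; return }

$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host "IIS certificate $($iisCert.Thumbprint) issued by: $($iisCert.Issuer)"
Write-Host "Names on certificate: $($certNames -join ', ')"

# Hypothetical helper: does a SAN list cover $HostName, including a one-label wildcard?
function Test-CertCoversName {
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # e.g. ".example.com"
            if ($h.EndsWith($suffix) -and $h.Length -gt $suffix.Length) {
                $leftLabel = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftLabel -notmatch '\.') { return $true }   # wildcard covers one label only
            }
        }
    }
    return $false
}

# Every URL Autodiscover publishes to clients. Get-MapiVirtualDirectory only exists from
# Exchange 2013 SP1, so each cmdlet is probed before it is called.
$urls = @((Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri)
foreach ($cmd in 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-MapiVirtualDirectory') {
    if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) { continue }
    foreach ($vd in (& $cmd -Server $server)) {
        $urls += $vd.InternalUrl
        $urls += $vd.ExternalUrl
    }
}

# Reduce URLs to host names and add the Outlook Anywhere host names.
$names = @()
foreach ($u in $urls) { if ($u) { $names += ([Uri]$u).Host } }
$oa = Get-OutlookAnywhere -Server $server
foreach ($h in @($oa.InternalHostname, $oa.ExternalHostname)) { if ($h) { $names += $h.ToString() } }
$names = $names | Sort-Object -Unique

# One line per name: certificate coverage and DNS answer as seen from this server.
foreach ($name in $names) {
    $covered = Test-CertCoversName -HostName $name -Names $certNames
    $addrs   = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $certText = if ($covered) { 'OK' } else { 'NOT ON CERTIFICATE (Outlook will warn)' }
    $dnsText  = if ($addrs) { $addrs -join ', ' } else { 'DOES NOT RESOLVE' }
    '{0,-40} cert: {1,-38} dns: {2}' -f $name, $certText, $dnsText
}
```

The DNS column reflects the server's own resolver; to see what a workstation gets, run the same Resolve-DnsName line on the client after ipconfig /flushdns. Any name that is not on the certificate has to be either added to a SAN certificate or removed from the URLs with the corresponding Set-*VirtualDirectory / Set-ClientAccessServer / Set-OutlookAnywhere cmdlet, followed by an IIS reset.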

[PS] C:\>Get-ExchangeCertificate | fl Issuer,CertificateDomains
Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...


Issuer             : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater
                     Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}

Issuer             : CN=mail.mymaildomain.com
CertificateDomains : {mail.mymaildomain.com, wdsrv01.rswd.local, AutoDiscover.RSWD.local,
                     AutoDiscover.mymaildomain.com, RSWD.local, mymaildomain.com}

Issuer             : CN=mail.mymaildomain.com
CertificateDomains : {mail.mymaildomain.com, wdsrv01.rswd.local, AutoDiscover.RSWD.local,
                     AutoDiscover.mymaildomain.com, RSWD.local, mymaildomain.com}

Issuer             : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater
                     Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}

Issuer             : CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, S=Greater
                     Manchester, C=GB
CertificateDomains : {mail.mymaildomain.com, www.mail.mymaildomain.com}

Issuer             : CN=Microsoft Exchange Server Auth Certificate
CertificateDomains : {}



[PS] C:\>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri


Name                           : WDSRV01
AutoDiscoverServiceInternalUri : https://mail.mymaildomain.com/autodiscover/autodiscover.xml



[PS] C:\>Get-OabVirtualDirectory |  fl Server,Identity,internalurl,externalurl


Server      : WDSRV01
Identity    : WDSRV01\OAB (Default Web Site)
InternalUrl : https://mail.mymaildomain.com/oab
ExternalUrl : https://mail.mymaildomain.com/oab



[PS] C:\>Get-WebServicesVirtualDirectory | fl Server,Identity,internalurl,externalurl


Server      : WDSRV01
Identity    : WDSRV01\EWS (Default Web Site)
InternalUrl : https://mail.mymaildomain.com/ews/exchange.asmx
ExternalUrl : https://mail.mymaildomain.com/ews/exchange.asmx



[PS] C:\>
ping commonname.email.com from internet and intranet - works fine from intranet/internet
ping autodiscover.email.com from internet and intranet - does not work from internet, but works ok from intranet
Please check step 3 in my article, i.e. you need 2 names, mail.domain.com and autodiscover.domain.com, in your certificate. Maybe you have to buy a multidomain certificate (SAN certificate) to add 2 names.
https://www.secureserver.net/ssl/ssl-certificate.aspx?ci=1790&prog_id=525449 


-->ping autodiscover.email.com from internet and intranet - does not work from internet, but works ok from intranet
You need to add autodiscover.domain.com (A record) in your external DNS server
What do you mean by "external DNS server", outside of our office network? The only DNS I am aware of is on our local server; apologies if it doesn't sound correct.
When creating the CSR for the certificate I added in autodiscover.mymaildomain.com, but for some reason it does not come back on the issued cert; all that comes back is mymaildomain.com. I have tried this twice and it is still the same.
Did you buy a multidomain certificate from Comodo?
If not, you need a multidomain certificate.
https://www.secureserver.net/ssl/ssl-certificate.aspx?ci=1790&prog_id=525449
Again, Set-ClientAccessServer:

Set-ClientAccessServer -Identity "<CAS server name>" -AutoDiscoverServiceInternalUri https://webmail.yourdomain.com/Autodiscover/Autodiscover.xml
No, it seems not; I am in the process of re-ordering one.
-->what do you mean by "external DNS server" outside of our office network? the only DNS i am aware of is on our local server, apologies if it doesn't sound correct
This is the server where you created the A record to resolve your name on the Internet.