Exchange 2010/Outlook 2010 Security Alert (...there is a problem with the site's security certificate.)

Question

  • I've been looking to resolve this issue for a while now and was hoping someone could help me understand my options.

    We have Exchange 2010 & Outlook 2010 in our environment. I've created an SSL cert for our ActiveSync from a reputable CA and unfortunately, as you may not be surprised, we are seeing an alert each time we open Outlook that states:

    "Security Alert; Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The name on the security certificate is invalid or does not match the name of the site."

    Of course my internal server name does not match my external server name. So the SSL I had created for use with OWA and ActiveSync is rejected by my internal Outlook clients.

    After doing some research I believe this is related to the Autodiscover service being configured with my internal server name and not my external name. 

    I've found some info about adding New-AutodiscoverVirtualDirectory and Set-ClientAccessServer commands and then found this article that might help.  (Configure Outlook Anywhere to Use Multiple SSL Certificates) but nothing is specific to my configuration and I'm concerned about what will happen to my existing configuration if this fails. 

    What happens when you run Set-ClientAccessServer? Does it retain and keep the old server config in place and add a new one or does it wipe it out? Will all of my devices need to be reconfigured?

    Same with New-AutodiscoverVirtualDirectory.  Does this simply add another virtual directory or is it going to overwrite my existing config?

    Then there is the question of whether or not any of this will actually address my issue at all.


    absolutezero273c

    Friday, July 12, 2013 8:21 PM

Answers

  • A little more digging and I've found an interesting thread that mentions the Set-WebServicesVirtualDirectory cmdlet.

    I ran this:

    Set-WebServicesVirtualDirectory -Identity "MailInt\EWS (Default Web Site)" -InternalUrl https://MailExt.contoso.com/EWS/Exchange.asmx -BasicAuthentication:$true

    With this I was able to modify the Virtual Directory:

    Get-WebServicesVirtualDirectory | fl identity, internalurl, externalurl


    Identity    : MailInt\EWS (Default Web Site)
    InternalUrl : https://MailExt.contoso.com/EWS/Exchange.asmx
    ExternalUrl : https://MailExt.contoso.com/ews/exchange.asmx

    Since I had already run the cmdlet Set-ClientAccessServer above and modified my CAS, all I needed to do was restart IIS on the Exchange server and this cleared my SSL cert warning.

    Ed, thanks for following up with me each time.


    absolutezero273c



    Friday, July 19, 2013 4:22 PM
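The accepted answer fixed one virtual directory (EWS) by hand. Before and after a change like that, it is worth checking every URL Exchange hands to clients against the names on the IIS certificate, because any hostname not covered by the certificate is the one Outlook will warn about. The script below is an added example written for this thread, not code from the original posts or from Microsoft; it runs in the Exchange Management Shell on an Exchange 2010 Client Access Server. The only assumed input is the server name (the thread's would be MailInt); the wildcard matching rule is the standard one-label rule from the TLS host-name matching RFC.

```powershell
# Added example, not from the thread: list every URL that Exchange 2010 hands to
# Outlook/ActiveSync clients and check whether its hostname is covered by the
# certificate bound to IIS. Run from the Exchange Management Shell on a CAS.
param([string]$Server = $env:COMPUTERNAME)   # e.g. MailInt (the real server name)

function Test-NameCoveredByCert {
    # Returns $true if $HostName matches one of the certificate's DNS names.
    # A wildcard entry (*.contoso.com) covers exactly one additional label.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".contoso.com"
            if ($HostName.EndsWith($suffix) -and
                ($HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.')) {
                return $true
            }
        }
    }
    return $false
}

function Get-ClientAccessUrlReport {
    param([string]$Server)

    # Names on the certificate(s) that IIS is actually serving on this server
    $iisCerts  = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' }
    $certNames = @()
    foreach ($c in $iisCerts) { $certNames += ($c.CertificateDomains | ForEach-Object { "$_" }) }

    $urls = @()
    # Autodiscover SCP: what domain-joined Outlook reads from AD first
    $cas = Get-ClientAccessServer -Identity $Server
    $urls += @{ Setting = 'AutoDiscoverServiceInternalUri'; Url = "$($cas.AutoDiscoverServiceInternalUri)" }

    # Internal and external URLs of each web virtual directory Autodiscover advertises
    $getters = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory'
    foreach ($g in $getters) {
        foreach ($vd in (& $g -Server $Server)) {
            $urls += @{ Setting = "$($vd.Identity) InternalUrl"; Url = "$($vd.InternalUrl)" }
            $urls += @{ Setting = "$($vd.Identity) ExternalUrl"; Url = "$($vd.ExternalUrl)" }
        }
    }

    foreach ($u in $urls) {
        if ([string]::IsNullOrEmpty($u.Url)) { continue }   # unset URLs are not advertised
        $hostName = ([System.Uri]$u.Url).Host.ToLower()
        New-Object PSObject -Property @{
            Setting       = $u.Setting
            HostName      = $hostName
            CoveredByCert = Test-NameCoveredByCert -HostName $hostName -CertNames $certNames
        }
    }
}

Get-ClientAccessUrlReport -Server $Server | Format-Table Setting, HostName, CoveredByCert -AutoSize
```

Any row with CoveredByCert set to False is a URL that still carries a name the certificate does not contain (in the thread, the EWS InternalUrl pointing at MailInt.contoso.local); those are the settings to change, and the report is a cheap way to confirm nothing was missed after an `iisreset`.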

All replies

  • Why do you say "of course my internal server name does not match"?  It doesn't have to be that way.

    Deploy split-brain DNS so that your external domain has a zone internally with internal addresses for resources that can be reached internally like your Exchange server and use the same FQDNs for internal and external access.  Then change your InternalURL properties to match your ExternalURL settings, and change the CAS's AutodiscoverServiceInternalUri as well.  Then your authentication warnings should go away.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Saturday, July 13, 2013 12:57 AM
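Ed's advice is a short procedure: once split-brain DNS resolves the public name internally, make every InternalURL equal its ExternalURL and point the CAS's AutoDiscoverServiceInternalUri at the public name. The script below is an added example that carries those steps out, not code from the thread or from Microsoft; it runs in the Exchange Management Shell and supports -WhatIf so the changes can be previewed before anything is written. The server name (MailInt in the thread) and the public host (MailExt.contoso.com in the thread) are the assumed inputs; -Identity has to be the server object's name, since Set-ClientAccessServer looks it up in AD rather than in DNS.

```powershell
# Added example, not from the thread: copy each virtual directory's ExternalUrl into
# its InternalUrl and point the Autodiscover SCP at the public name, as Ed describes.
# Run from the Exchange Management Shell; preview with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Server,      # e.g. MailInt (the server's name, not a DNS alias)
    [Parameter(Mandatory = $true)][string]$PublicHost   # e.g. MailExt.contoso.com (a name on the certificate)
)

# 1. Autodiscover SCP in AD: this is what domain-joined Outlook consults first.
$scpUri = "https://$PublicHost/autodiscover/autodiscover.xml"
if ($PSCmdlet.ShouldProcess($Server, "AutoDiscoverServiceInternalUri -> $scpUri")) {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri $scpUri
}

# 2. Virtual directories: InternalUrl := ExternalUrl wherever an ExternalUrl is set.
$pairs = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory' },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory' },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory' },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory' },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory' }
)
foreach ($p in $pairs) {
    foreach ($vd in (& $p.Get -Server $Server)) {
        if ([string]::IsNullOrEmpty("$($vd.ExternalUrl)")) {
            # Nothing to copy from; leave the directory alone rather than guess a URL.
            Write-Warning "$($vd.Identity): no ExternalUrl set, leaving InternalUrl ($($vd.InternalUrl)) unchanged"
            continue
        }
        if ($PSCmdlet.ShouldProcess($vd.Identity, "InternalUrl $($vd.InternalUrl) -> $($vd.ExternalUrl)")) {
            & $p.Set -Identity $vd.Identity -InternalUrl $vd.ExternalUrl
        }
    }
}

# 3. Restart IIS on the CAS so the changed URLs are served immediately.
if ($PSCmdlet.ShouldProcess($Server, 'iisreset /noforce')) { iisreset $Server /noforce }
```

Run it first as `.\Set-InternalUrls.ps1 -Server MailInt -PublicHost MailExt.contoso.com -WhatIf` to see the list of changes; each Set-* call only modifies the one property named, so existing ExternalUrl values and the other virtual directory settings are left as they are.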
  • Hello,

    This is a blog and kb for your reference.

    The Name on the security certificate is invalid or does not match the name of the site

    http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2.aspx

    http://support.microsoft.com/kb/940726


    Cara Chen
    TechNet Community Support

    Monday, July 15, 2013 7:54 AM
    Moderator
  • Thanks Ed. I had the DNS part done but I wasn't sure about the impacts of changing the CAS's AutoDiscoverServiceInternalUri. But I went ahead and changed all the internalURLs to match the externalURLs.  I also ran Set-ClientAccessServer but it tells me the object doesn't exist. I've created an alias in DNS for the object. Do I need to create a new CAS with the new object name before I can use the Set command?

    absolutezero273c

    Monday, July 15, 2013 7:45 PM
  • Please post the command and the error; I can't guess what it is you're saying is failing.  Before changing a domain name for a CAS array, be sure that there's a DNS entry for it.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, July 16, 2013 12:12 AM
  • Sorry.

    [PS] C:\Windows\system32>Set-ClientAccessServer -Identity MailExt -AutoDiscoverServiceInternalUri "https://MailExt.contoso.com/autodiscover/autodiscover.xml"
    The operation couldn't be performed because object 'MailExt' couldn't be found on 'DomainController2.contoso.local'.
        + CategoryInfo          : NotSpecified: (0:Int32) [Set-ClientAccessServer], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : 4D980455,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer

    ...is the error I get.

    I've created the split zones and populated the Forward Lookup Zones as follows:

    CONTOSO.COM
        MailExt             CNAME   MailInt.contoso.local
        _tcp\_autodiscover  SRV     MailExt.contoso.com

    CONTOSO.LOCAL
        MailInt             A       192.168.1.10
        MailExt             CNAME   MailInt.contoso.com

    One thing I did notice is that there isn't a _tcp _autodiscover entry for MailInt in my Forward Lookup Zones.  It was recommended that I make that entry for _tcp _autodiscover(SRV)MailExt.contoso.com in another post I read somewhere.

    I believe what I am trying to do is create a new autodiscover object as is shown here:

    I see there is a Get-ClientAccessServer & Set-ClientAccessServer command but I need to add a CAS. Does the Set-ClientAccessServer add or simply modify?

    Or would that require the New-AutodiscoverVirtualDirectory command? I read this page that discussed creating new virtual directories but that seemed a little risky without knowing all the ins and outs of how this service functions and to what degree this would affect the existing configuration.

    I was able to use the Set-ClientAccessServer command and change the actual internal autodiscoverUri to https://MailExt.contoso.com/autodiscover/autodiscover.xml but the name still says MailInt and I continue to get the SSL cert warnings because it is looking at MailInt.contoso.local.


    absolutezero273c




    Tuesday, July 16, 2013 4:35 PM
  • That error says that there is no CAS named MailExt.

    You don't need an SRV record for Autodiscover.  A CNAME for autodiscover in your e-mail domain is enough, but that isn't used for domain-joined machines connecting internally, the SCP record is, and that is created automatically based on the command you are trying to run.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, July 17, 2013 1:55 AM
  • I assumed the error that it couldn't find the object on my domain controller was due to a DNS issue.  So the error that the object couldn't be found on 'DomainController2.contoso.local' does not reflect a DNS issue but a missing AD Exchange-related record that would reside in the AD schema on the DC?

    If I'm getting this error when trying to run the command that is supposed to actually create the SCP object in the schema what is the best way to resolve this?

    I am able to run Set-ClientAccessServer and modify the -AutoDiscoverServiceUri properties between the 'MailInt.contoso.local' & 'MailExt.contoso.com' but I get the error when trying to modify the -Identity properties from 'MailInt' to 'MailExt'.


    absolutezero273c

    Wednesday, July 17, 2013 6:30 PM
  • The server name property in the cmdlet is the name of the server.  It's not a DNS entry.  Is MailExt the server name?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, July 17, 2013 10:36 PM
  • MailExt, or MailExt.contoso.com, is the external name used for OWA, and for which I have created the SSL cert.  The internal name of the server, the actual server name, is MailInt.contoso.local

    absolutezero273c


    Thursday, July 18, 2013 12:21 PM
  • And that's the name you use in the Identity parameter, MailInt, because that is the name of the server.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, July 19, 2013 5:52 AM
  • Hi,

    Running SBS 2011, Exchange 2010

    I was using a self-signed cert with the address domain.tzo.com.

    I just purchased an SSL cert from GoDaddy and, as you might know, .local cannot be added to the certificate.
    Externally everything works just fine. Internally we are getting a Security Alert every time clients open Outlook.
    The following was added to the certificate:
    remote.domain.com
    autodiscover.domain.com
    Webmail.domain.com
    All the internal and external addresses point to remote.domain.com.
    When I hold down Ctrl and right-click the Outlook icon, then run "Test E-mail AutoConfiguration", I can confirm that Outlook is seeing remote.domain.com, but the security alert refers to domain.tzo.com.

    What have I missed?


    Thursday, January 02, 2014 3:45 PM
  • BruceR80, I recommend that you implement split-brain DNS, which means publish the Internet zone internally and use that for all URLs.  It's much easier on you and your users once you have it set up.  There should be no reason for you to need to maintain separate internal and external namespaces.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, January 02, 2014 11:52 PM
  • Ed, I already have split DNS. One of them is domain.local and the other remote.domain.com, which points to the server.domain.local address. I have checked all the addresses on our server and all seems to be correct. I just can't figure out why Outlook is giving a security alert based on the old address (domain.tzo.com). That address does not exist anywhere on the server (at least I can't find it). Any other help would be greatly appreciated.

    Friday, January 03, 2014 1:28 PM
  • Ed,

    Also, when using the SBS 2011 Console wizard (Set up your Internet address), it automatically creates DNS and changes all the internal and external URLs to remote.domain.com.

    Friday, January 03, 2014 1:32 PM
  • That's not split-brain DNS.  Look it up.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, January 03, 2014 4:28 PM
  • You have control of the settings of all URLs.  Perhaps you might consider posting in the SBS forum if you don't like what I'm telling you. 

    http://social.technet.microsoft.com/Forums/en/smallbusinessserver/threads


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, January 03, 2014 4:30 PM
  • I do appreciate your help, maybe I don't understand the correct setup of Split-DNS in my network.

    Can you maybe explain further or give a short example. 

    Currently under Forward Lookup Zones I have

    _msdcs.internal domain.local

    internal domain.local

    remote.external domain.com

    The external domain has a Host (A) value that points to the internal server IP.


    • Edited by BruceR80 Friday, January 03, 2014 5:51 PM update
    Friday, January 03, 2014 5:18 PM
  • In a split-brain DNS configuration, you publish the same zone, the Internet zone, both externally and internally.  Users then use the same URL internally and externally.  

    In the internal DNS, you assign the host names internal IP addresses when appropriate, or Internet addresses when there is no internal server.  For example, you would publish your Exchange server with an internal address in the internal DNS, and an Internet address in the external DNS.  If you have a hosting company for your company website, your internal DNS would have an external address since there is no internal resource.

    When users use the same public hostname internally and externally, there is no need for the certificate to have a .local name.  The CAS array name can be an internal name because it is used only from inside the network and it does not need to be in the certificate, just the hostnames used in web URLs, like for OWA, ECP, Autodiscover, ActiveSync, Exchange Web Services and OAB.

    I hope this better explains the concept.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, January 03, 2014 10:16 PM
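Ed's two posts on split-brain DNS (the first reply in the thread and the explanation just above) describe the same setup: the public zone is published internally as well, hosts that exist on the LAN get internal addresses, and hosts with no internal resource keep their Internet address. The script below is an added example of that setup and a check of it, not code from the thread or from Microsoft. It uses dnscmd because the thread's servers are of the Windows Server 2008 R2 generation, where the DnsServer PowerShell module does not exist, and it must run on a DNS server holding the AD-integrated zones. Assumed values: contoso.com as the public zone, mail.contoso.com as the Exchange name, the thread's 192.168.1.10 as the server's internal address, and 203.0.113.10 as a placeholder public address for a website hosted elsewhere.

```powershell
# Added example, not from the thread: create the internal copy of the public zone
# as Ed describes, then verify that the names Exchange advertises resolve to
# internal addresses when queried from inside the network.
$PublicZone  = 'contoso.com'          # assumed public zone
$ExchangeIP  = '192.168.1.10'         # internal address of the Exchange server (from the thread)
$HostedWebIP = '203.0.113.10'         # placeholder: public address of the externally hosted website

# 1. The public zone also exists internally, AD-integrated so every DC answers for it.
dnscmd /ZoneAdd $PublicZone /DsPrimary

# 2. Hosts that exist internally get internal addresses...
dnscmd /RecordAdd $PublicZone mail         A     $ExchangeIP
dnscmd /RecordAdd $PublicZone autodiscover CNAME "mail.$PublicZone."
# ...and hosts with no internal resource keep their Internet address, otherwise
# internal users lose them the moment the zone goes live.
dnscmd /RecordAdd $PublicZone www          A     $HostedWebIP

dnscmd /ZonePrint $PublicZone

function Test-PrivateAddress([System.Net.IPAddress]$Ip) {
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    if ($Ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $Ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Test-SplitBrainResolution {
    # For each public hostname Exchange uses, report whether it resolves to a
    # private address from here. A public address means the internal zone is
    # missing that record and clients will leave the LAN to reach the server.
    param([string[]]$Names)
    foreach ($n in $Names) {
        try   { $addrs = [System.Net.Dns]::GetHostAddresses($n) }
        catch { New-Object PSObject -Property @{ Name = $n; Address = $null; Internal = $false }; continue }
        foreach ($a in $addrs) {
            New-Object PSObject -Property @{ Name = $n; Address = "$a"; Internal = (Test-PrivateAddress $a) }
        }
    }
}

Test-SplitBrainResolution -Names "mail.$PublicZone", "autodiscover.$PublicZone", "www.$PublicZone" |
    Format-Table Name, Address, Internal -AutoSize
```

Run the check from a domain-joined workstation as well as from the DNS server: mail and autodiscover should show Internal = True, and www Internal = False is expected because that host is deliberately left at its public address. The same names are then used in every Exchange URL, so the certificate only needs the public names and never a .local entry.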
  • Ed, This was the fix for my issue:

    1. Delete the outlook user profile
    2. Delete Outlook Data File
    3. Recreate User Profile
    4. Start outlook and reconnect to exchange

    After this fix the security alert was gone.

    I had to do the same for all the computers on the network. Still don't know why but luckily we only have 14 computers in our office.


    Monday, January 06, 2014 3:00 PM