The certificate common name doesn't validate against the mutual authentication string that was provided

  • Question

  • I just got a spanking new UCC from CertificatesForExchange.

    It was based on a CSR created using the EMC cert request wizard. In the request, I asked for the following names:

    contoso.com
    autodiscover.contoso.com
    mail.comtoso.com
    EXCHSVR.contoso.com
    EXCHSVR

    They sent me a cert with common name = contoso.com, and with the following Subject Alternative Names:
    contoso.com
    autodiscover.contoso.com
    mail.comtoso.com
    EXCHSVR.contoso.com
    EXCHSVR
    www.contoso.com

    However, when I tried doing an ExRCA test, it failed because the common name (contoso.com) is not the "msstd:mail.contoso.com" expected when ExRCA does an RPC over HTTP test using autodiscovery. The exact message was:

    "The certificate common name contoso.com doesn't validate against the mutual authentication string that was provided: msstd:mail.contoso.com"

    I assumed, based on their name "CertificatesForExchange", that they were experts at providing certs for Exchange that, amongst other things, would work with ExRCA.

    What do I do now?

    TIA,
    mlavie 

    Friday, May 4, 2012 3:55 PM

Answers

All replies

  • Yes, unfortunately the common name (first name you add on the cert) should be mail.contoso.com. I would just get it re-issued if possible.

    http://terenceluk.blogspot.com/2010/07/common-name-matters-for-outlook.html

    If you can't get it re-issued (most CAs don't let you), you can set the Outlook Anywhere ExternalHostname to contoso.com

    Configure an External Host Name for Outlook Anywhere

    http://technet.microsoft.com/en-us/library/aa996902.aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    • Edited by Jamestechman Friday, May 4, 2012 7:09 PM
    • Marked as answer by mlavie Friday, May 4, 2012 11:33 PM
    Friday, May 4, 2012 7:08 PM
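
The comparison that ExRCA reports in the question, written out as an added example (not part of the original thread and not code from Microsoft or the CA). It is a Python pre-flight check to run against a planned or issued certificate before deploying it. The function names and sample certificate values are constructed for illustration; it assumes, as the thread describes, that only the subject common name is compared with the `msstd:` string, and that the string follows the Outlook Anywhere external host name.

```python
import re

def subject_common_name(subject_dn):
    """Return the CN value from a subject DN string, or None if absent."""
    for rdn in re.split(r"(?<!\\),", subject_dn):   # split on unescaped commas
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None

def msstd_host(principal):
    """Extract the host name from a principal such as 'msstd:mail.contoso.com'."""
    prefix = "msstd:"
    if not principal.lower().startswith(prefix):
        raise ValueError("not an msstd principal: %r" % principal)
    return principal[len(prefix):].strip().lower()

def check_mutual_auth(subject_dn, san_names, principal):
    """Compare the certificate CN with the msstd string (CN-only, per the thread)."""
    expected = msstd_host(principal)
    cn = subject_common_name(subject_dn)
    cn_matches = cn is not None and cn.lower() == expected
    # A SAN entry alone does not satisfy the check described in the question.
    present_only_as_san = (not cn_matches) and expected in {n.lower() for n in san_names}
    return {"expected": expected, "common_name": cn,
            "cn_matches": cn_matches, "present_only_as_san": present_only_as_san}

# Constructed sample values modelled on the question (organization fields are made up).
SANS = ["contoso.com", "autodiscover.contoso.com", "mail.contoso.com",
        "EXCHSVR.contoso.com", "EXCHSVR", "www.contoso.com"]
ISSUED = "CN=contoso.com, O=Contoso Ltd, C=US"        # what the CA sent
REISSUED = "CN=mail.contoso.com, O=Contoso Ltd, C=US" # CN moved to the mail host

if __name__ == "__main__":
    cases = [("issued cert", ISSUED, "msstd:mail.contoso.com"),
             ("re-issued cert", REISSUED, "msstd:mail.contoso.com"),
             ("issued cert, external host name = contoso.com", ISSUED, "msstd:contoso.com")]
    for label, subject, principal in cases:
        r = check_mutual_auth(subject, SANS, principal)
        note = " (name is only in the SAN list)" if r["present_only_as_san"] else ""
        print("%-46s CN=%-18s %s -> %s%s" % (label, r["common_name"], principal,
              "OK" if r["cn_matches"] else "MISMATCH", note))
```
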
  • James,

    Thanks for the explanation. CertificatesForExchange were wonderful on the phone and authorized the revocation and refund for the cert with no problem. I then ordered a new cert as per the article you mentioned.

    Thanks!

    mlavie

    Friday, May 4, 2012 11:36 PM