Exchange 2007 Certificate Error

  • Question

  • Hi All,

    I have 2 Hub Transport servers with NLB and 2 Mailbox Servers for our Exchange 2007. It was working fine until we decided to purchase a public cert, a Symantec SSL Certificate. Before, on our internal cert, we included the server hostnames in the SAN of the certificate, for example NLB01, HUB01, HUB02, etc. But when we purchased the public certificate, the vendor said we cannot include these on our public cert, for some privacy reason, they said. What we did is create an "A" host DNS record pointing to the NLB01 virtual IP address, assuming it would work even though the hostnames are not included in the public certificate. But once we used the certificate, all users received a certificate error pointing to NLB01: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate".

    What I think is causing this is that when we created those profiles, we set the server to NLB01 and not NLB01.domain.com; do you think this is the error? If not, what do you think is causing this error? My manager doesn't want me to recreate those profiles and point them to NLB01.domain.com; it would be a lot of work. Do we have a misconfiguration on the DNS record side?

    Any help is appreciated. 

    Thanks!

    Wednesday, August 24, 2016 12:52 AM

Answers

  • If a client is connecting using a URL with a hostname that isn't in the certificate, you will get a certificate error.  If the load balancer is configured to do SSL unloading, you'll need to install the certificate in the load balancer.  It doesn't really matter whether the name is the common name or CN (not URL) or a SAN.  Seriously, this isn't really complicated; too many people overcomplicate things by trying to introduce too many names.  In most installations, there's no reason you can't do everything with two names in the certificate, a CN of "webmail" (or "owa", "mail", "outlook" or whatever you want to use) and Autodiscover as a SAN.  A wildcard certificate will work fine as well.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    • Edited by Ed Crowley MVP Thursday, September 1, 2016 4:28 AM
    • Marked as answer by spideynok Friday, September 2, 2016 3:37 AM
    Thursday, September 1, 2016 4:27 AM

All replies

  • There is no requirement that your server name be in the certificate.  In most cases, you can get by with a certificate that has two names, the name you use for your services, like "mail.company.com" or "webmail.company.com", and "autodiscover.company.com".  Set all your URLs and host names in all virtual directories to use the service name.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, August 24, 2016 7:08 AM
  • Hi Ed,

    I found a URL earlier, is this the one you're talking about? https://blogs.technet.microsoft.com/danielkenyon-smith/2010/05/13/the-name-on-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2/

    Thank you.

    Wednesday, August 24, 2016 8:07 AM
  • That's relevant but not exactly what I'm saying.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Wednesday, August 24, 2016 6:37 PM
  • Hi Ed,

    Do you have any URL that contains exactly what you're saying? Or somehow almost the same?

    Or this one is the one? Here

    I'm almost new to this one. Sorry. Please understand :)

    Thank you.



    • Edited by spideynok Thursday, August 25, 2016 12:11 AM URL added
    Thursday, August 25, 2016 12:08 AM
  • What I posted is complete, if terse.  Please reread it and ask specifically about what you don't understand.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, August 25, 2016 3:26 AM
  • Hi Ed,

    Sorry for the late revert.

    I think the problem might be on the Exchange 2007 users' side, the client configuration in Outlook when creating the profile, because the admin is creating it and, when asked for the Server, they just put the NLB hostname on the client side. Do you think this is the reason why this certificate error is showing?

    Clarification on: "mail.company.com" or "webmail.company.com", and "autodiscover.company.com". Set all your URLs and host names in all virtual directories to use the service name.

    All virtual directories will be pointed to the URL or SAN included in the certificate? Am I right?

    Thanks

    Thursday, September 1, 2016 3:40 AM
  • Hi Ed,

    Additionally, yesterday I troubleshot this error, but still no luck; I pointed both the Internal URL and External URL to the SAN in the certificate. But the certificate error is still showing. Am I missing something?

    BTW it's only Network Load Balancing, not an HLB.

    • Edited by spideynok Monday, September 5, 2016 3:12 AM
    Monday, September 5, 2016 3:10 AM
  • Check the following:

    Get-ClientAccessServer | FL Name,AutodiscoverServiceInternalUri
    Get-OwaVirtualDirectory | FL Server,*Url
    Get-EcpVirtualDirectory | FL Server,*Url
    Get-OabVirtualDirectory | FL Server,*Url
    Get-ActiveSyncVirtualDirectory | FL Server,*Url
    Get-WebServicesVirtualDirectory | FL Server,*Url
    Get-OutlookAnywhere | FL Server,*Hostname

    If you're using separate internal and external URLs, seriously you should consider deploying split-brain DNS and using the same names both internally and externally.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, September 6, 2016 12:04 AM
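The rule Ed states in the accepted answer (the host name in the URL the client connects to must appear in the certificate as the CN or a SAN, and a wildcard also works) and the Get-*VirtualDirectory checks just above can be combined into one audit. The script below is an added example, not code from this thread or from Microsoft: it takes the host name out of each virtual directory's InternalUrl and ExternalUrl and reports every URL whose host the certificate does not cover. The certificate names, the virtual-directory objects and the host names (webmail.contoso.com, ex01, nlb01) are constructed sample data; in an Exchange Management Shell you would replace them with the output of Get-ExchangeCertificate and the cmdlets listed above.

```powershell
# Added example, not from the thread: report Exchange virtual-directory URLs whose
# host name is not covered by the certificate's CN/SAN list. Written to run in
# the PowerShell 2.0 that ships with Exchange 2007 management tools.

function Test-HostCoveredByCert {
    # $true if $HostName equals one of the certificate names, or matches a
    # single-label wildcard: *.contoso.com covers mail.contoso.com but neither
    # contoso.com nor a.b.contoso.com, and never a short name such as ex01.
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertNames
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # ".contoso.com"
            if ($h.EndsWith($suffix) -and $h.Length -gt $suffix.Length) {
                $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
                if (-not ($leftmost.Contains('.'))) { return $true }
            }
        }
    }
    return $false
}

function Get-CertNameFindings {
    # One row per InternalUrl/ExternalUrl that is set. Status is OK,
    # "not HTTPS" (no certificate is presented on plain http at all) or
    # "NAME NOT IN CERT" (clients sent to this URL get the name-mismatch error).
    param(
        [Parameter(Mandatory=$true)][object[]]$VirtualDirectories,
        [Parameter(Mandatory=$true)][string[]]$CertNames
    )
    foreach ($vd in $VirtualDirectories) {
        foreach ($setting in 'InternalUrl', 'ExternalUrl') {
            $url = $vd.$setting
            if ([string]::IsNullOrEmpty($url)) { continue }
            $uri = [System.Uri]$url
            if ($uri.Scheme -ne 'https') {
                $status = 'not HTTPS'
            } elseif (Test-HostCoveredByCert -HostName $uri.Host -CertNames $CertNames) {
                $status = 'OK'
            } else {
                $status = 'NAME NOT IN CERT'
            }
            New-Object PSObject -Property @{
                Name = $vd.Name; Setting = $setting; HostName = $uri.Host; Status = $status
            }
        }
    }
}

# Constructed certificate names (CN plus SANs). In EMS you would use, for example:
#   $certNames = (Get-ExchangeCertificate -Thumbprint '<thumbprint>').CertificateDomains
$certNames = @('webmail.contoso.com', 'autodiscover.contoso.com')

# Constructed stand-ins for the objects returned by Get-OwaVirtualDirectory,
# Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory. The EWS internal
# URL mirrors the one reported later in this thread.
$vdirs = @(
    (New-Object PSObject -Property @{ Name = 'owa (Default Web Site)'; InternalUrl = 'https://webmail.contoso.com/owa'; ExternalUrl = 'https://webmail.contoso.com/owa' }),
    (New-Object PSObject -Property @{ Name = 'EWS (Default Web Site)'; InternalUrl = 'http://ex01/EWS/Exchange.asmx'; ExternalUrl = 'https://ex01.contoso.com/EWS/Exchange.asmx' }),
    (New-Object PSObject -Property @{ Name = 'OAB (Default Web Site)'; InternalUrl = 'https://nlb01/OAB'; ExternalUrl = $null })
)

Get-CertNameFindings -VirtualDirectories $vdirs -CertNames $certNames |
    Format-Table Name, Setting, HostName, Status -AutoSize
```

With the sample data the OWA rows come back OK, the EWS internal URL is flagged "not HTTPS", and both ex01.contoso.com and nlb01 are flagged "NAME NOT IN CERT". Adding '*.contoso.com' to $certNames would clear ex01.contoso.com but not the short names ex01 or nlb01, which is the point of Ed's advice: a public certificate can only ever cover the service names, so every URL Autodiscover hands out has to use those names.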
  • Hi Ed,

    As per checking, everything is on the same URL, because what I did was change the internal URL to the external URL, because that's where the SAN is.

    But the result in Test email configuration is that the:

    Availability Service URL : http://ex01/EWS/Exchange.asmx

    same with OOF URL

    But the external clients are connecting to

    Availability Service URL : http://ex01.contoso.com/EWS/Exchange.asmx

    Friday, September 9, 2016 1:42 AM
  • Look at all the URLs again.  That's where Autodiscover gets values.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, September 9, 2016 2:57 AM