Invalid Certificate Name

  • Question

  • Background:

    The Exchange Certificate expired in August, so I purchased a new Thawte Certificate for mail.xyz.com.

    After installing the new Certificate all was good on the OWA. However, when the clients logged into MS Outlook 2007-2010, they were presented with the pop-up that the Certificate name is invalid, continue, etc. All clients are able to get their email etc., but if they exit and restart MS Outlook the "Certificate name is invalid" pop-up appears again. So looking back through the settings that I inherited from the previous employee, I found that there are two names for the Exchange Mail.

    mail.xyz.com = The Thawte purchased certificate

    abc.xyc.com  = The local self assigned certificate.

    I contacted Thawte and of course I was asked for more money to include the second name. However, after some research I heard that it may be possible to use Auto Discovery to include the abc.xyc.com and this will eliminate the Invalid Certificate pop-up.

    So how would a person go about to do this?

    Thank you.

    Sunday, November 10, 2013 5:12 PM

All replies

  • You're probably referring to the use of SRV records in DNS. Does this explain it for you?

    http://support.microsoft.com/kb/940881/en-us


    --- Rich Matheisen MCSE&I, Exchange MVP

    Sunday, November 10, 2013 8:01 PM
  • Rich:

    Thank you for the response and link.  It was worth reviewing.  The article pertains somewhat to outside domain exchange, which after looking in DNS we do not support.  We are an in-house shop.

    I feel pretty confident that the Auto Discovery settings are within Exchange, but I am not certain what the path is.

    Thank you


    • Edited by CFSD6 Sunday, November 10, 2013 10:41 PM
    Sunday, November 10, 2013 10:41 PM
  • The virtual directory information is here:

    Get-AutodiscoverVirtualDirectory

    When you look at results of Outlook's "Test E-Mail AutoConfiguration" (on the "Log" tab), you'll see the URL that's being used.

    If your e-mail domain is @xyz.com then it should try https://xyz.com/autodiscover/autodiscover.xml, and it should find that name through the Service Connection Point (SCP). It shouldn't have to resort to looking in DNS unless the SCP is wrong (of course DNS will be used to translate xyz.com to an IP address).

    http://blogs.technet.com/b/exchdxb/archive/2012/05/10/troublshooting-autodiscover-exchange-2007-2010.aspx

    If the SCP has the "wrong" name you can change that with the set-clientaccessserver cmdlet.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Monday, November 11, 2013 3:19 AM
  • Hi,

    If it is just for internal environment, we can try to set all InternalURLs to match the certificate name which you have purchased, just like:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.xyz.com/autodiscover/autodiscover.xml

    Here is a reference that may be helpful to you:

    http://support.microsoft.com/kb/940726/en-us

    Thanks,


    Winnie Liang
    TechNet Community Support

    • Marked as answer by CFSD6 Wednesday, January 15, 2014 11:48 PM
    Monday, November 11, 2013 4:03 PM
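
A read-only check that goes with the answer above, added here as an example and not part of the original thread: it lists the internal Autodiscover, EWS and OAB URLs and flags any whose host name is not on the certificate enabled for IIS. It assumes the Exchange Management Shell on Exchange 2007/2010; the variable names and the `CoveredByCert` column are made up for the example.

```powershell
# Added example (not from the thread). Read-only: nothing is changed.
# Collect the internal URLs that Autodiscover hands to Outlook.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = "SCP $($_.Name)"; Url = $_.AutoDiscoverServiceInternalUri }
}
Get-WebServicesVirtualDirectory | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = "EWS $($_.Identity)"; Url = $_.InternalUrl }
}
Get-OabVirtualDirectory | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = "OAB $($_.Identity)"; Url = $_.InternalUrl }
}

# Names on the certificate(s) enabled for the IIS service.
# Assumption: only the certificate the clients actually see is enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" })

# Compare each URL's host name with the certificate names.
# -like lets a wildcard name such as *.example.com act as a pattern.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]"$($_.Url)").Host
    $covered = $false
    foreach ($name in $certNames) {
        if ($hostName -like $name) { $covered = $true }
    }
    New-Object PSObject -Property @{
        Source        = $_.Source
        Host          = $hostName
        CoveredByCert = $covered
        Url           = "$($_.Url)"
    }
} | Select-Object Source, Host, CoveredByCert, Url | Format-Table -AutoSize
```

Each row with `CoveredByCert` set to False is a URL whose host name Outlook will not find on the certificate.
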
  • Here is another option, and probably an easier way of dealing with the multiple domain issue: enroll into a SAN (Subject Alternative Name) certificate.

    In Exchange 2010 environments, when you are creating your CSR you are actually creating the protocols you want to use (POP, IMAP, OWA, etc.). Unlike Exchange 2003 systems, where everything is funneled through 1 domain, a 2010 system associates all those different protocols with different domains; at the end of the CSR creation process in Exchange 2010 systems it will actually tell you what all those SANs are.

    When you go to a certificate authority, enroll into a SAN certificate to validate all those domains on 1 certificate; that should get rid of any trust issues you are facing.

    Thursday, November 14, 2013 9:31 PM
  • A SAN/UCC certificate would have been my answer except the original posting said:

    "I contacted Thawte and of course I was asked for more money to include the second name. However after some research I heard that it may be possible to use Auto Discovery to include the abc.xyc.com and this will eliminate the Invalid Certificate Popup"

    I'm assuming that either the certificate in use is a regular SSL cert, or it's a SAN/UCC cert and he's unwilling to spend the money to deal with the problem.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Thursday, November 14, 2013 10:14 PM
  • Winnie - I apologize for the delayed response, been out of the office.

    I like your idea, which sounds like it would save this poor School District some money. 

    So do you have an example for the input command line for PowerShell?

    Thank you.

    Friday, November 22, 2013 12:01 AM
  • Rich:

    "I'm assuming that either the certificate in use is a regular SSL cert, or it's a SAN/UCC cert and he's unwilling to spend the money to deal with the problem".

    Yes it is a regular SSL Cert.  However I am not unwilling to spend the money to deal with the problem. 

    Being in a rural school district, money is limited, so I try my hardest to find a 0 $ fix if at all possible.

    Your above statement is insulting, and I would think that you would have some sort of customer support training with your 37,730 points and the Flash of MCC-Partner-MVP.

    "Nothing is ever lost by courtesy. It is the cheapest of pleasures, costs nothing, and conveys much".

    Friday, November 22, 2013 12:09 AM
  • My observation was based on your statement:

    "I contacted Thawte and of course I was asked for more money to include the second name."

    I'm insulted by your insensitive statements about me. So much for courtesy, eh?

    If you want a 0 $ fix, read the suggestions already made.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Friday, November 22, 2013 2:19 AM
  • Thank you for your assistance.  I was able to get rid of one of the 2 certificate errors.  What happens is that 1 pops up, then you okay it, then a 2nd pops up.

    After following your instructions, I was able to get rid of one of the invalid certificate pop ups.  But the 2nd pop continues.  I have looked through the server and see nothing that is catching my eye.  Any help?

    Wednesday, January 15, 2014 11:51 PM