UAG2010 - OWA Error - "The specified target common name of the certificate is invalid."

  • Question

  • I am trying to add an OWA app (via app wizard Web: MS Exchange Server (all versions)) and am getting the following error "The specified target common name of the certificate is invalid." when launched from the portal.  I have selected the OWA only (not Outlook Anywhere or ActiveSync), added the default web URL in the addresses field along with the actual servers, put the app in Evaluate mode and allowed all users access.  I have tried several variances in the wizard and every time I get the error.  My UAG server is using a Wildcard certificate for our company and has worked on our existing infrastructure (Whale 3.6.X) for years.  We are upgrading to UAG2010 and this is our first (of many) hurdle.  Any help would be appreciated.
    Wednesday, April 21, 2010 4:58 PM


All replies

  • What have you defined on the 'web server' tab?

    What common name or SAN names are present in the certificate installed on your Exchange server?

    The error means you are trying to make an SSL connection to a server with a name that does not match anything assigned to the certificate.



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Proposed as answer by Ran [MSFT] Saturday, April 24, 2010 9:04 AM
    • Marked as answer by Erez Benari Wednesday, May 12, 2010 7:00 PM
    Thursday, April 22, 2010 1:42 PM
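The name comparison Jason describes (the proxy's target name against the backend certificate's CN/SAN list), as an added example that is not part of this thread or of UAG: a small Python matcher with constructed certificate data shaped like the wildcard certificate the poster mentions. The host and certificate names used are assumptions; `fetch_peercert` is a diagnostic helper that assumes the backend's chain validates against the local (or a supplied) CA store.

```python
import socket
import ssl

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns,
# standing in for a wildcard cert like the one the original poster describes.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}

def names_from_peercert(cert):
    """Return the dNSName SANs, or the subject CN only when there are no SANs
    (RFC 6125: once a SAN extension is present the CN is not consulted)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is accepted only as the entire left-most label
    and covers exactly one label (so '*.domain.com' != 'a.b.domain.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_target(target_name, cert):
    """Mirror the publisher-side check: does the name the proxy connects with
    match anything the backend's certificate is issued for?"""
    names = names_from_peercert(cert)
    return any(name_matches(n, target_name) for n in names), names

def fetch_peercert(host, port=443, cafile=None):
    """Diagnostic helper: validate the chain but skip the name check so the
    certificate can still be read and then inspected with check_target()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name comparison is done by check_target()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for target in ("mailserver.domain.com", "www.server1.com"):
        ok, names = check_target(target, WILDCARD_CERT)
        print(target, "OK" if ok else f"MISMATCH (cert names: {names})")
```

Running `check_target` against the address typed into the wizard shows directly whether the UAG error is a name mismatch (as with `www.server1.com` against `*.domain.com`) before any verification setting is touched.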
  • Hi

    Jason is right.

    For more information, and for a way to disable this certificate verification if you're not interested in it, please check http://technet.microsoft.com/en-us/library/ee921437.aspx


    • Proposed as answer by Ran [MSFT] Saturday, April 24, 2010 9:05 AM
    • Marked as answer by Erez Benari Wednesday, May 12, 2010 7:00 PM
    Thursday, April 22, 2010 2:15 PM
  • On the Web Servers tab, I have the front end server and the first of the redirected servers, I have the following paths,


    I have changed the 2 registry settings to 0 for the following entries:

    I have deleted and re-added the Exchange app several times and now I am simply getting page cannot be displayed.  The steps I followed are:
    1) Add..., Next
    2) Web, Microsoft Exchange Server (all versions), Next
    3) Exchange Version: 2007, OWA only, Next
    4) App Name: OWA, Next
    5) Configure an Application Server, Next
    6) Address: www.server1.com and mailserver.domain.com, Paths are left as is, HTTPS port left, Public Host name: left as is which is the trunkname.domain.com, Next
    7) Use Single sign-on, select domains, 401 request, Next
    8) Portal Link is left as is, which is https://trunkname.domain.com/owa, Next, Next, Finish, Save, Activate

    When I check the trunk settings under the Portal tab, I do not see any Manual URL replacement for this so I am going to assume (I know) that this is a reserved keyword that has some automated process in the background.  Now when I log in to Trunkname.domain.com and click OWA, I get page cannot be found.

    I am at a bit of a loss here.  I managed to get Citrix working, but for some reason, the OWA is giving me a larger headache.  Any help or insight would be appreciated.


    Monday, April 26, 2010 5:25 PM
  • The first place I'd look in case of such errors is the UAG to CAS connectivity.

    Inside the UAG machine, when opening IE and typing https://www.server1.com/owa , do you see OWA appearing ok?

    Also, what exactly is the difference between www.server1.com and mailserver.domain.com ?




    Monday, April 26, 2010 7:53 PM
  • On the inside UAG, I can browse to https://mail1.domain.com/owa and I get the logon screen but not https://www.server1.com/owa or http://www.server1.com.  I can browse to http://www/server1.com  and get the logon prompt.

    Clients browse to www.server1.com and enter their email.  At this point, the server decides if your mailbox resides on one of 3 servers, mail1.domain.com, mail2.domain.com or mail3.domain.com and directs you to the server.  Here, the autologon is enabled and your credentials are passed and you are logged in.

    This all works in Whale 3.6 with the OWA wizard, and I am sure it's just something simple, but for some reason it's just not working.

    Tuesday, April 27, 2010 3:13 PM
  • Although I implemented David's suggestion, I feel naked and am starting to believe I saw the emperor wearing clothes.

    In my situation, we are running an Edge Perimeter architecture config with UAG and SharePoint. So outside traffic is not an issue. However, the entire UAG server does not verify certs anymore.

    IMO, MSFT should release a service pack to resolve the issue, add a checkbox to the application tab in UAG  and re-write a few paragraphs in the soon to be released MS-Press book about UAG.

    Resist the Darkside...

    Thursday, October 28, 2010 11:50 PM