Installed 3rd party certificate for external access. Now internal Outlook access has errors.

  • Question

  • Hey all, at the request of my GM I purchased and installed a 3rd party certificate on my Exchange 2007 server (he wasn't getting some of his secure emails). Now all of our Outlook connections are popping up a security alert because "The name on the security certificate is invalid or does not match the name on the certificate." I was going to generate a cert request and do a self-signed cert but I was concerned that it would cause a problem with the 3rd party cert. Can I have multiple certificates for the same Exchange services without causing problems for my users?

    Thanks,

    Joe B

    Tuesday, April 11, 2017 9:14 PM

Answers

  • Seriously, deploying split-brain DNS would solve so many of your problems and it's quite easy and safe to do it.  I really don't understand why there is so much resistance to the use of split-brain DNS among so many organizations.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by JBruyet Saturday, November 24, 2018 6:17 PM
    Sunday, April 23, 2017 6:56 AM

All replies

  • All names used in all (e.g., OWA, OAB, ActiveSync, EWS) virtual directories and the AutodiscoverServiceInternalUri in Set-ClientAccessServer must be in the certificate.  It's as simple as that.  I can't tell you more without you sharing what names are in your certificate and what names you use in your various URLs.  The easiest thing to do is to change your URLs to match names in the certificate and ensure that they point to your Exchange server.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Proposed as answer by Lynn-Li Wednesday, April 12, 2017 8:24 AM
    Tuesday, April 11, 2017 11:39 PM
  • Hi,

    Check the URL for virtual directories according to this blog:

    https://blogs.technet.microsoft.com/danielkenyon-smith/2010/05/13/the-name-on-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2/


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 12, 2017 8:26 AM
  • Hi Ed,

    There is one name in the certificate and it's our external name for the Exchange server. That part works fine -- people are able to connect through OWA and they aren't getting any error messages. Since this is a new cert I'm going to contact my vendor and see what they'll do about getting our internal name on it too.

    Thanks,

    Joe B

    Wednesday, April 12, 2017 5:34 PM
  • Hi Lynn,

    The certificate works fine for the way it's configured -- external access works great. My issue is that my internal Exchange server name isn't on the certificate and Outlook doesn't like that.

    I've only done a few certificates over the years and I went ahead and had the new cert overwrite the old one thinking that would work. I'll contact my vendor and see how flexible they are about including one more name.

    Thanks,

    Joe B

    Wednesday, April 12, 2017 5:36 PM
  • Your internal Exchange server doesn't need to be in the certificate.  Just don't use that name in any of the virtual directories or the Autodiscover URI as I said in my earlier post.

    Be sure that you do have the self-signed certificate in place and enabled for SMTP, though.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, April 13, 2017 5:44 AM
  • Good morning Ed,

    I do have the self-signed certificate in place and it only has SMTP enabled.

    When we connect to the server with Outlook and we get the error popup the only certificate option that's available is our 3rd party certificate. I think I found a way to use Group Policy to get the self-signed certificate into my computers so I'm heading that direction.

    Thanks,

    Joe B

    Thursday, April 13, 2017 2:27 PM
  • Hi Lynn,

    The certificate works fine for the way it's configured -- external access works great. My issue is that my internal Exchange server name isn't on the certificate and Outlook doesn't like that.


    Hi,

    "internal Exchange server name isn't on the certificate" That's the problem. The internal URLs for the virtual directories and Autodiscover don't match the names in the certificate. As Ed said in his first reply, the easiest thing is to change your internal URLs to match the names in the certificate.

    For example, if the name "nlb.nwtraders.msft" is in that certificate, but your AutodiscoverServiceInternalUri in Get-ClientAccessServer is https://ServerName/Autodiscover/Autodiscover.xml, then you need to change this to match the name in certificate. Do the same for other virtual directories.

    Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml

    Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx

    Set-OABVirtualDirectory -Identity "ServerName\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB

    Enable-OutlookAnywhere -Server ServerName -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"

    Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync

    Another way is to change internal URL to be the same as external URL.


    Best Regards,

    Lynn-Li
    TechNet Community Support


    Please remember to mark the replies as answers.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 19, 2017 7:18 AM
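    An added example, not posted by anyone in this thread: before changing URLs one by one as above (or after, to confirm the fix), it helps to list every name Outlook can be handed (the Autodiscover internal URI, the internal and external URLs of the OWA, OAB, EWS and ActiveSync virtual directories, and the Outlook Anywhere external hostname) and compare each against the names on the certificate that is enabled for IIS. The script below does that from the Exchange Management Shell. The server name EXCH01 is a placeholder, and the wildcard handling assumes a *.example.com entry covers exactly one label, which is how browsers and Outlook treat it.

```powershell
# Added example (not from the thread): audit Exchange virtual-directory names
# against the certificate bound to IIS. Run in the Exchange Management Shell
# on or against a Client Access Server. EXCH01 is a placeholder.
$Server = "EXCH01"   # assumption: replace with your CAS name

# Names on the certificate(s) enabled for IIS, i.e. the one Outlook/OWA see.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

if (-not $certNames) {
    Write-Host "No certificate is enabled for IIS on this server; Outlook will get the self-signed one."
}

function Test-CertName {
    param([string]$HostName)
    # Exact match, or a wildcard entry that covers exactly one extra label
    # (*.example.com covers mail.example.com but not a.b.example.com).
    foreach ($n in $certNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.")) {
            $parent = $n.Substring(2)
            if ($HostName -like "*.$parent") {
                $label = $HostName.Substring(0, $HostName.Length - $parent.Length - 1)
                if ($label -notmatch "\.") { return $true }
            }
        }
    }
    return $false
}

# Collect every name a client can be directed to.
$checks = @{}
$cas = Get-ClientAccessServer -Identity $Server
$checks["ClientAccessServer AutoDiscoverServiceInternalUri"] = $cas.AutoDiscoverServiceInternalUri

foreach ($cmd in "Get-OwaVirtualDirectory", "Get-OabVirtualDirectory",
                 "Get-WebServicesVirtualDirectory", "Get-ActiveSyncVirtualDirectory") {
    foreach ($vd in (& $cmd -Server $Server)) {
        $checks["$($vd.Identity) InternalUrl"] = $vd.InternalUrl
        $checks["$($vd.Identity) ExternalUrl"] = $vd.ExternalUrl
    }
}

$oa = Get-OutlookAnywhere -Server $Server
if ($oa) { $checks["OutlookAnywhere ExternalHostname"] = $oa.ExternalHostname }

# Compare. An unset URL is skipped: Outlook never receives it, so it cannot
# trigger the name-mismatch prompt.
$problems = 0
foreach ($label in $checks.Keys) {
    $value = $checks[$label]
    if ($value -eq $null -or $value.ToString() -eq "") { continue }
    if ($value -is [System.Uri]) { $hostName = $value.Host } else { $hostName = $value.ToString() }
    $hostName = $hostName.ToLower()
    if (Test-CertName $hostName) {
        Write-Host ("OK       {0} -> {1}" -f $label, $hostName)
    } else {
        Write-Host ("MISMATCH {0} -> {1} (not on certificate)" -f $label, $hostName)
        $problems++
    }
}
Write-Host ("{0} name(s) not covered by the IIS certificate." -f $problems)
```

    Every line reported as MISMATCH is a URL that Outlook will be given by Autodiscover and that the certificate cannot vouch for; each one needs either a Set-*VirtualDirectory / Set-ClientAccessServer change to a name that is on the certificate, as in the commands above, or a new certificate that carries that name. Note that the short NetBIOS name of the server usually shows up here, because Exchange fills the internal URLs with it at install time.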
  • I see. Unfortunately, changing our internal URL is not an option. I contacted our certificate vendor and was told that certificates have to be for registered domains.

    As I stated in my previous post I re-created a self-signed certificate but I can't find it as an option when I connect to the server internally. Time to go hit up Google again.

    Thanks,

    Joe B

    Wednesday, April 19, 2017 3:48 PM
  • Well, I'm not sure how a DNS fix would take care of a certificate issue but I'll look into it.

    Thanks,

    Joe B

    Monday, April 24, 2017 1:06 PM
  • What it would do is allow you to use the same hostnames both internally and externally, names that are in your certificate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, April 24, 2017 5:16 PM
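    An added example, not from any poster in the thread, of what the split-brain DNS suggestion looks like in practice. The public certificate vendor will only issue the registered public name, so the fix is to make that public name resolve to the server's private address on the internal DNS servers, and then to use that one name in every internal URL. The narrowest way is a "pinpoint" zone: an internal zone whose name is the single host name, holding only an A record, so the rest of the public domain keeps resolving normally. mail.contoso.com and 10.0.0.25 are assumptions; dnscmd.exe is run on an internal Windows DNS server that is a domain controller (the /DsPrimary switch stores the zone in Active Directory).

```powershell
# Added example (not from the thread): internal "pinpoint" zone so the name on
# the public certificate resolves to the Exchange server's LAN address.
# Run in an elevated prompt on an internal AD-integrated DNS server.
$publicName = "mail.contoso.com"   # assumption: the name on the 3rd party certificate
$internalIP = "10.0.0.25"          # assumption: the Exchange server's internal address

# 1. Zone named after the host itself, so only this one name is overridden.
dnscmd /ZoneAdd $publicName /DsPrimary

# 2. The zone apex ("@") A record pointing at the internal address.
dnscmd /RecordAdd $publicName "@" A $internalIP

# 3. Verify from an internal client: the answer must be the LAN address.
nslookup $publicName

# 4. With the name resolving internally, point every internal URL at it
#    (same commands as in the thread, one name for inside and outside).
Set-ClientAccessServer -Identity "ServerName" -AutodiscoverServiceInternalURI "https://$publicName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -InternalUrl "https://$publicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "ServerName\OAB (Default Web Site)" -InternalURL "https://$publicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL "https://$publicName/Microsoft-Server-Activesync"
```

    Steps 1 to 3 belong on the DNS server and step 4 in the Exchange Management Shell. If the public zone for contoso.com is already hosted internally (a full split-brain zone rather than a pinpoint one), skip the ZoneAdd and just add the A record to that zone. Either way the point is the one Ed makes above: clients inside and outside then connect to the same name, and that name is on the certificate, so the internal server name never has to be.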