Unable to receive external emails after renewing self signed certificate Exchange 2007 - NEED HELP FAST!

  • Question

  • We are unable to receive any external emails since we renewed our self-signed certificates via the Get-ExchangeCertificate and Enable commands in PowerShell. The Best Practices Analyzer says that there is a certificate SAN mismatch: 

    The subject alternative name (SAN) of SSL certificate for https://MAILSERVERNAME.DOMAIN.NAME/Microsoft-Server-ActiveSync does not appear to match the host address. Host address: MAILSERVERNAME.DOMAIN.NAME. Current SAN: DNS Name=WMSvc-MAILSERVERNAME.

    We have the following Certificates and everything was working fine until we renewed.

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    474EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  ...WS      CN=WMSvc-MAILSERVERNAME
    0A9EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  .....      CN=MAILSERVERNAME.DOMAIN.NAME
    723EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  IP..S      CN=MAILSERVERNAME

    How can I fix this issue? Internal email is fine, sending out emails is fine, we just can't receive.

    Saturday, September 20, 2014 6:52 PM

Answers

All replies

  • Hi,

    Get the Outlook provider name:

    Get-OutlookProvider

    If it looks like server.domain.com, change it as follows:

    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"

    Restart IIS, Transport service and see again with BPA


    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:manuphilip@outlook.com

    Saturday, September 20, 2014 7:01 PM
  • Thank you for responding! Stick with me! When I run Get-OutlookProvider in the Exchange Management Shell, all I get is:

    Name                                                                       Server
    ----                                                                       ------
    EXCH
    EXPR
    WEB

    Up until cert renewal everything was working fine, so should I be putting something in here?

    Saturday, September 20, 2014 7:14 PM
  • Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"

    This will correct the EXPR name. It is generally like mail.domain.com

    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:manuphilip@outlook.com

    Saturday, September 20, 2014 7:19 PM
  • I tried the following command (if our mail server name was exchange1, our domain name was tricounty.local and our email was bob@tricountynh.com):

    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:exchange1.tricounty.local" 

    but it is all still blank after restarting the services. I think I have my syntax wrong...

    Saturday, September 20, 2014 7:37 PM
  • It should be like Set-OutlookProvider EXPR -CertPrincipalName:"msstd:mail.tricounty.com" if your external dns name is mail.tricounty.com

    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:manuphilip@outlook.com

    Saturday, September 20, 2014 7:45 PM
  • OK, so if our mail server was named exchange1 and our DNS had an FQDN of exchange1.tricounty.local, I would just use that as follows, correct?

    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:exchange1.tricounty.local"

    It should match whatever the FQDN is in the DNS entry for the mail server IP, correct? We don't end with a .com, we have a .local, or should I put .com anyway?

    ** When I ran it this time I got the following warning:

    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:exchange1.tricounty.local"

    WARNING: The command completed successfully but no settings of 'EXPR' have been modified.

    Also, will this cause issues with autodiscovery, since we also have the 
    474EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  ...WS      CN=WMSvc-MAILSERVERNAME

    certificate as well?

    • Edited by crazz2323 Saturday, September 20, 2014 8:29 PM
    Saturday, September 20, 2014 7:56 PM
  • The idea is that whatever name you substitute for EXPR should be available from outside. .local is not available from outside. So it should be mail.domain.com (the A or MX record for your email domain).

    Regards from ExchangeOnline.in|Windows Administrator Area | Skype:manuphilip@outlook.com

    Sunday, September 21, 2014 5:24 AM
  • Hi,

    Please run the following command to check your Exchange certificate:

    Get-ExchangeCertificate | FL

    We need to check some parameters for the certificate. Please make sure SMTP service has been assigned to this renewed self-signed certificate. Then restart IIS service and Microsoft Exchange Transport service.

    Regards,


    Winnie Liang
    TechNet Community Support

    Wednesday, September 24, 2014 12:50 PM
    Moderator
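A worked version of both procedures in this thread, combined into one script: the certificate inventory and "is SMTP assigned to the renewed certificate" check that the moderator's reply describes, and the EXPR CertPrincipalName check from the first reply. This is an added example, not code posted in the thread. It assumes it is run in the Exchange Management Shell on the Exchange 2007 server, that the public name is supplied in $ExternalName (mail.example.com below is a placeholder), and that -Fix is a switch of this script, not an Exchange cmdlet parameter; the script file name in the usage note is likewise hypothetical.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 server. Without -Fix it only reports; with -Fix it enables the best
# matching certificate for SMTP, sets the EXPR principal name, and restarts the
# services the replies mention (Transport and IIS).
param(
    [string]$ExternalName = "mail.example.com",   # ASSUMED public name; replace with yours
    [switch]$Fix                                   # switch of this script, not an Exchange parameter
)

$now = Get-Date
$restart = $false

function Get-CertNames($cert) {
    # CertificateDomains holds the subject CN plus every SAN entry; lower-cased for comparison
    $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
}

# 1. Inventory. In the default table view the Services column is a flag string,
#    I=IMAP P=POP U=UM W=IIS S=SMTP ("....." means no service is bound to that cert);
#    the property itself expands to names such as "IIS, SMTP".
$certs = @(Get-ExchangeCertificate)
foreach ($c in $certs) {
    if ($c.NotAfter -lt $now) { $state = "EXPIRED" }
    else { $state = "valid until " + $c.NotAfter.ToShortDateString() }
    "{0}  {1,-20} {2}" -f $c.Thumbprint, $c.Services, $state
    "    Subject: {0}" -f $c.Subject
    "    Names:   {0}" -f [string]::Join(", ", @(Get-CertNames $c))
}

# 2. Receive connectors. STARTTLS on a connector needs a certificate that is enabled
#    for SMTP and carries the connector's Fqdn, so test every connector FQDN against
#    the unexpired SMTP-enabled certificates.
$smtpCerts = @($certs | Where-Object { $_.Services.ToString() -match "SMTP" -and $_.NotAfter -gt $now })
$fqdns = Get-ReceiveConnector | Where-Object { $_.Fqdn } |
         ForEach-Object { $_.Fqdn.ToString().ToLower() } | Sort-Object -Unique
foreach ($f in $fqdns) {
    $match = @($smtpCerts | Where-Object { @(Get-CertNames $_) -contains $f })
    if ($match.Count -gt 0) {
        "OK   receive connector FQDN {0} is covered by SMTP cert {1}" -f $f, $match[0].Thumbprint
        continue
    }
    "FAIL no valid SMTP-enabled certificate carries {0}" -f $f
    # Candidate: an unexpired certificate that carries the name but is not enabled for SMTP
    $cand = @($certs | Where-Object { $_.NotAfter -gt $now -and (@(Get-CertNames $_) -contains $f) })
    if ($cand.Count -gt 0) {
        "     candidate: {0} ({1})" -f $cand[0].Thumbprint, $cand[0].Subject
        if ($Fix) {
            Enable-ExchangeCertificate -Thumbprint $cand[0].Thumbprint -Services SMTP
            $restart = $true
        }
    }
}

# 3. Outlook Anywhere. EXPR's CertPrincipalName must be msstd:<name>, where <name> is
#    carried by the certificate IIS presents. The default table view of
#    Get-OutlookProvider hides this column; Format-List shows it.
$expected = "msstd:" + $ExternalName.ToLower()
$expr = Get-OutlookProvider EXPR
"EXPR CertPrincipalName is '{0}' (expected '{1}')" -f $expr.CertPrincipalName, $expected
$iisCerts = @($certs | Where-Object { $_.Services.ToString() -match "IIS" })
if ($iisCerts.Count -gt 0) {
    $covered = @(Get-CertNames $iisCerts[0]) -contains $ExternalName.ToLower()
    if (-not $covered) {
        "WARN the IIS certificate ({0}) does not carry {1}; Outlook will reject that principal name" -f $iisCerts[0].Subject, $ExternalName
    }
}
if ($Fix -and ("$($expr.CertPrincipalName)" -ne $expected)) {
    Set-OutlookProvider EXPR -CertPrincipalName $expected
    $restart = $true
}

# 4. Restart only what the replies say to restart, and only after a change was made.
if ($Fix -and $restart) {
    Restart-Service MSExchangeTransport
    iisreset /noforce
}
```

Run it first without -Fix (for example `.\Check-ExchangeCert.ps1 -ExternalName mail.yourdomain.com`, a hypothetical file name) and read the report before letting it change anything. Decoding the Services flags against the table in the question: "...WS" on the WMSvc-MAILSERVERNAME certificate means IIS and SMTP are bound to the IIS Management Service certificate, "IP..S" means IMAP, POP and SMTP, and "....." on the renewed CN=MAILSERVERNAME.DOMAIN.NAME certificate means no Exchange service is bound to it at all, which is exactly the condition the moderator's reply asks you to check. The "no settings of 'EXPR' have been modified" warning in the thread is what Set-OutlookProvider prints when the value being set is already the current one; `Get-OutlookProvider | Format-List Name,CertPrincipalName` shows the value that the default table output omits.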