Exchange Certificate error

  • Question

  • Hi ,

    Need some help on an Exchange certificate error. Outlook users receive this error, "The name on the security certificate is invalid or does not match the name of the site", when they launch Outlook.

    This means the FQDN of the server is not included in the Subject Alternative Name (SAN) property of the certificate. When we go to the properties of the certificate and look at the Subject Alternative Name, it has these entries:
    DNS Name=remote.abc.com
    DNS Name=www.remote.abc.com
    DNS Name=www.remote.abc.com
    DNS Name=autodiscover.abc.com
    DNS Name=autodiscover.abc.net.au 

    On checking the details of the certificate, it is found that it is Issued to: remote.abc.com, Issued by: Go Daddy Secure Certificate Authority, valid from 27/04/2015 to 01/05/2016.

    Also, on the Exchange Management Console I can see a wildcard certificate with the name *.abc.com, but the Exchange connector has mail.abc.com. As I understand it, this is a wildcard certificate and it should resolve all the FQDNs before *.abc.com.

    Any thoughts ? 

    Regards,
    Israr


    Saturday, April 2, 2016 2:15 AM

Answers

  • Post your real domain name and I'll look.

    If you have an MX record that points to mail.abc.com, then that's a problem because that name isn't in your certificate.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Marked as answer by IMK_eps Sunday, April 3, 2016 11:59 PM
    Sunday, April 3, 2016 3:07 AM

All replies

  • If the wildcard certificate is valid, you could use it for all purposes where the host name is something.abc.com.  For autodiscover.abc.net.au, you could use an SRV record, which means you could dispense with the certificate.

    Having said all that, I'd guess that the certificate is probably valid and not your real issue.

    Certificate errors are caused when URLs point to names other than what's in the certificate.  Outlook uses Autodiscover, Exchange Web Services, the OAB, and Outlook Anywhere.  Make sure that all URLs and hostnames are configured properly for those services.

    Outlook will also look first for Autodiscover to URL https://abc.com/Autodiscover/Autodiscover.xml, so if your main website answers that URL, you may get an error or a certificate warning as well.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Saturday, April 2, 2016 2:32 AM
  • Hi Ed, 

    I see this error on the Exchange server:

    Log Name:      Application
    Source:        MSExchangeTransport
    Date:          2/04/2016 9:50:51 AM
    Event ID:      12014
    Task Category: TransportService
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      exch.abc.local
    Description:
    Microsoft Exchange could not find a certificate that contains the domain name mail.abc.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCH-01 with a FQDN parameter of mail.abc.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchangeTransport" />
        <EventID Qualifiers="49156">12014</EventID>
        <Level>2</Level>
        <Task>12</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-04-01T23:50:51.000000000Z" />
        <EventRecordID>580775</EventRecordID>
        <Channel>Application</Channel>
        <Computer>exch.abc.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>exch.abc.local</Data>
        <Data>Default EXCH-01</Data>
      </EventData>
    </Event>

    When I access OWA
    internal url: https://remote.abc.com/owa
    external url: https://remote.abc.com/owa
    I do not see any certificate error.

    Below are the settings on the Exchange Control Panel:

    ECP (Default Web Site)
    internal url: https://remote.abc.com/ecp
    external url: https://remote.abc.com/ecp

    Microsoft-Server-ActiveSync
    internal url: https://remote.abc.com/Microsoft-Server-ActiveSync
    external url: https://remote.abc.com/Microsoft-Server-ActiveSync

    OAB
    internal url: https://remote.abc.com/OAB
    external url: https://remote.abc.com/OAB

    IMAP4 Properties, Authentication
    Secure login: A TLS connection is required for the clients to authenticate to the server
    X509 certificate name: remote.abc.com

    Please advise 


    Saturday, April 2, 2016 8:53 AM
  • Hi,

    The error indicates that somewhere mail.abc.com is still assigned, and you need to change it to remote.abc.com.

    Check the following parameters too, and if mail.abc.com still exists, change those too using the Set cmdlet and restart the transport services:

    Get-ClientAccessServer | FL AutoDiscoverServiceInternalUri
    Get-WebServicesVirtualDirectory |Select name, *url* | fl
    Get-ActiveSyncVirtualDirectory



    Regards From: Exchange Online | Windows Administrator's Area

    Saturday, April 2, 2016 9:08 AM
  • That means someone is trying to connect to your server over SMTP with the hostname mail.abc.com.  If your MX record is pointed to mail.abc.com, then you might need to make changes in DNS to the MX and corresponding A records to use a name in the certificate, or add mail.abc.com to the certificate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Saturday, April 2, 2016 4:44 PM
  • Hi Ed,

    I found that remote.abc.com and mail.abc.com both have a CNAME record mx-01.abc.net.au on the Public DNS server



    Sunday, April 3, 2016 2:37 AM
  • Hi Ed,

    Due to security reasons and company policies I will not be able to post the domain name in Public. 

    I will mark your reply as answer. Is there a way I could email you the details in private and we can take it from there. 

    Regards,

    Israr

    Sunday, April 3, 2016 11:59 PM
  • Sorry, no, but the answer is in the one you marked as an answer.  Point your MX record to an A record that's in your certificate, or add mail.abc.com to your certificate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Proposed as answer by jim-xu Monday, April 4, 2016 5:45 AM
    Monday, April 4, 2016 5:07 AM
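    The replies above amount to one audit: list the names the certificate actually carries, collect every host name Outlook and remote SMTP servers will be handed (Autodiscover, EWS, OAB, ActiveSync, OWA, ECP, Outlook Anywhere, and the Send and Receive connector FQDNs from the 12014 event), follow the public MX record through any CNAME chain such as the mx-01.abc.net.au one mentioned, and flag whatever the certificate does not cover. The Exchange Management Shell script below is an added example for this thread, not code posted by any participant. It assumes remote.abc.com is the subject of the certificate to audit and abc.com the mail domain (both placeholders from the thread), and the Test-NameCovered and Add-Item functions are mine. It treats a wildcard name as covering exactly one label, so *.abc.com would cover mail.abc.com but not abc.com itself or autodiscover.abc.net.au.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell.
# Assumptions: 'remote.abc.com' is the subject of the certificate to audit and
# 'abc.com' the mail domain, both placeholders taken from the thread.
$certSubjectName = 'remote.abc.com'
$mailDomain      = 'abc.com'

# 1. Names the certificate covers (subject and Subject Alternative Names)
$cert = Get-ExchangeCertificate |
    Where-Object { @($_.CertificateDomains | ForEach-Object { [string]$_ }) -contains $certSubjectName } |
    Select-Object -First 1
if (-not $cert) { throw "No Exchange certificate lists $certSubjectName" }
$certNames = @($cert.CertificateDomains | ForEach-Object { [string]$_ })

# Does a host name match one of the certificate names? A wildcard such as
# *.abc.com covers exactly one label: mail.abc.com yes, abc.com and
# autodiscover.abc.net.au no.
function Test-NameCovered {
    param([string]$HostName, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                      # '.abc.com'
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 2. Every URL or host name Outlook and SMTP peers will be given
$items = New-Object System.Collections.Generic.List[object]
function Add-Item([string]$Source, $Value) {
    if ($Value) { $items.Add([pscustomobject]@{ Source = $Source; Value = [string]$Value }) }
}
Get-ClientAccessServer | ForEach-Object { Add-Item "$($_.Name) AutoDiscoverServiceInternalUri" $_.AutoDiscoverServiceInternalUri }
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
foreach ($vd in $vdirs) {
    Add-Item "$($vd.Identity) InternalUrl" $vd.InternalUrl
    Add-Item "$($vd.Identity) ExternalUrl" $vd.ExternalUrl
}
Get-OutlookAnywhere | ForEach-Object {
    Add-Item "$($_.Identity) InternalHostname" $_.InternalHostname
    Add-Item "$($_.Identity) ExternalHostname" $_.ExternalHostname
}
Get-ReceiveConnector | ForEach-Object { Add-Item "ReceiveConnector $($_.Identity) Fqdn" $_.Fqdn }
Get-SendConnector    | ForEach-Object { Add-Item "SendConnector $($_.Identity) Fqdn" $_.Fqdn }

# 3. Public mail flow: the MX target, followed through any CNAME chain (the
#    thread's mx-01.abc.net.au), is the name remote SMTP servers connect to.
$mxRecords = Resolve-DnsName -Name $mailDomain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'MX' }
foreach ($mx in $mxRecords) {
    $name = $mx.NameExchange
    for ($hop = 0; $hop -lt 10 -and $name; $hop++) {      # cap the chain to avoid CNAME loops
        Add-Item "MX $($mx.NameExchange) hop $hop" $name
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $name = if ($cname) { $cname.NameHost } else { $null }
    }
}

# 4. Report: reduce URLs to host names and flag anything the certificate does not cover
$report = foreach ($i in $items) {
    $hostName = if ($i.Value -match '^https?://') { ([uri]$i.Value).Host } else { $i.Value.TrimEnd('.') }
    [pscustomobject]@{
        Source        = $i.Source
        HostName      = $hostName
        CoveredByCert = Test-NameCovered -HostName $hostName -Names $certNames
    }
}
$report | Sort-Object CoveredByCert | Format-Table -AutoSize
```

    Rows with CoveredByCert false are the ones to fix, either by changing the URL or connector FQDN with the matching Set-* cmdlet (and, as the 12014 event text says, confirming with Enable-ExchangeCertificate -Services SMTP that the transport service can use the certificate's key, then restarting the transport service) or by reissuing the certificate with that name added, after which the script can be rerun to confirm nothing is left over.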