Certificate help please

  • Question

  • Currently migrating from Exchange 2003 to 2010

    Everything seems to be going fine, except whenever anyone with a migrated mailbox opens Outlook, they are met with the following certificate error:

    "The name of the security certificate is invalid or does not match the name of the site"

    At the moment, even upon clicking Yes, it appears again, and users have to click Yes again before getting to their inbox properly.

    I am fully aware this is a name mismatch error but am having trouble resolving the issue.

    A self-signed certificate with the FQDN of the Exchange server was automatically put in place when installing Exchange 2010.

    I then exported our external URL certificate from Exchange 2003 and imported it to the Exchange 2010 server. This certificate has our addresses on it, which are used to access Outlook Anywhere, OWA and ActiveSync (all of which are working perfectly fine, by the way).

    The problem is that when users locally connected to the Exchange server on the LAN open Outlook, they are met with the certificate error.

    FQDN of Exchange Server 2010: exc10.*domain*.local

    External URLs being used for OWA, ActiveSync etc.: www.*domain*mail.org

    with a secondary name on the above (SAN): mail.*domain*mail.org

    If the above is hard to follow with the way I have explained the domain names, please use the following example:

    Let's say we are using the contoso domain name; then our local FQDN would be "exc10.contoso.local" and the external URLs we are using would be "www.contosomail.org" and SAN "mail.contosomail.org".

    Any ideas? Will I have to get back in touch with the certificate provider and generate new certificates? (Which I would rather not have to do, by the way.)

    When I previously switched from our old Exchange 2003 box to a new one, it was just a case of exporting the certificates from the old box and importing them to the new box.

    Thanks in advance for your help.

    Thursday, September 26, 2013 2:12 PM

Answers

  • I ran into this problem when switching OWA certificates over to a 3rd party (StartSSL Free) that did not support wildcard certs (*.YourDomain.com).

    It took me a while to sort out, including some PowerShell commands and IIS modifications, but I eventually resolved it. I recall using the link provided by Darren to help fix this issue, along with this one:

    http://www.sembee.co.uk/archive/2007/01/21/34.aspx

    A few things that might also help:

    With regards to Outlook prompting for login details:

    Your Outlook clients could now be trying to connect to your Exchange server using a domain name that is not registered within the Local Intranet zone. Check to ensure your clients have your Exchange/OWA/Outlook Anywhere domains (intranet.YOURDOMAIN.com) listed within Internet Explorer's Local Intranet zone (IE > Tools > Internet Options > Security tab > select Local intranet > click the Sites button > Advanced), then add your domains (https://www.contosomail.org, https://intranet.YourDomain.com, https://owa.YourDomain.com etc.).

    If applying the above settings fixes your PC, you can roll out these settings using Group Policy to all on the network.

    Check your internal DNS server settings:

    http://social.technet.microsoft.com/Forums/exchange/en-US/fdf38f02-fb9f-4305-a7ca-f73511c92230/the-name-on-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site

    When I had these SSL certificate warnings, I also had Outlook Send/Receive errors relating to the offline address book (only shown when hitting Send/Receive and showing the detailed info during the send/receive process in Outlook). This was fixed by tinkering around with the PowerShell commands and Exchange Management Console (2007) to set internal and external Exchange access URLs (Server Config > Client Access).

    Hope some of the above helps!

    -Si.

    Friday, September 27, 2013 9:39 AM
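    The internal/external URL change the answer above refers to, written out as an added PowerShell example for the Exchange 2010 Management Shell. This is not code from the thread or from Microsoft; it assumes the Client Access server is named EXC10 and that the imported third-party certificate carries mail.contosomail.org (the SAN name from the question). Using that one name for every internal URL, and the server name, are assumptions; adjust them to your environment. Outlook warns because the Autodiscover and EWS/OAB URLs it receives still point at exc10.contoso.local, a name that is only on the self-signed certificate, so the script moves those URLs onto the trusted name and then checks that every configured host name is actually present on the certificate.

```powershell
# Added example (not from the thread): repoint Exchange 2010 client-access URLs at a
# name that is on the trusted certificate, bind that certificate to IIS, and verify
# that no configured URL uses a host name the certificate does not carry.
# Run in the Exchange Management Shell on the CAS. Names below are assumptions.
$Server   = "EXC10"                  # assumed CAS name (exc10.contoso.local)
$CertName = "mail.contosomail.org"   # assumed: SAN on the imported certificate; must resolve internally
$Base     = "https://$CertName"

# 1. Find the imported certificate by the name it carries and make sure IIS uses it.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { @($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $CertName } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate on $Server carries $CertName" }
if ("$($cert.Services)" -notmatch "IIS") {
    Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS
}
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

# 2. Autodiscover SCP: the first URL a domain-joined Outlook client contacts. If it still
#    names exc10.contoso.local, the certificate prompt appears before anything else.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 3. Virtual directories: InternalUrl and ExternalUrl both on the certificate name.
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
Get-OABVirtualDirectory -Server $Server |
    Set-OABVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -ExternalHostname $CertName

# 4. Check: every host name Outlook will be told to connect to must be on the certificate.
$vdirs = @(
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OABVirtualDirectory -Server $Server
    Get-ActiveSyncVirtualDirectory -Server $Server
    Get-OwaVirtualDirectory -Server $Server
    Get-EcpVirtualDirectory -Server $Server
)
$urls  = @((Get-ClientAccessServer $Server).AutoDiscoverServiceInternalUri) +
         @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$hosts = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host } | Sort-Object -Unique
$missing = $hosts | Where-Object { $certNames -notcontains $_ }
if ($missing) {
    Write-Warning "Host names not on certificate $($cert.Thumbprint): $($missing -join ', ')"
} else {
    Write-Host "All configured URL hosts are covered by certificate $($cert.Thumbprint)"
}

# 5. Restart IIS so the new bindings are served; Outlook picks the URLs up on its next Autodiscover refresh.
iisreset /noforce
```

    The check in step 4 is the part worth keeping around: the warning in Outlook is exactly the condition it tests for, so run it after any certificate renewal or URL change. Note that the name you choose must also resolve to the LAN address of the server from inside contoso.local, otherwise internal clients will try to reach it through the public address.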

All replies

  • Thursday, September 26, 2013 3:38 PM
  • Hi and thanks for your post.

    I have previously looked at a very similar solution and tried to implement it.

    The problem then was that when I changed all the internal and external URLs within the Exchange Shell on our Exchange 2010 server, the next time I opened Outlook I was prompted for a username and password, even though I was connected to the domain over our LAN,

    i.e. as if it was trying to use Outlook Anywhere to connect even when on the domain network.

    The main issue I am noticing (something I did not explain thoroughly enough in the initial question, I reckon) is that the external domain that is on our certificate and the internal domain are different,

    i.e. using contoso as an example again, our internal domain for the Exchange server is exc10.contoso.local but the external domain on our certificates is www.contosomail.org

    internal = contoso, external = contosomail

    In the post you have linked to and the one I saw previously, the internal and external domains are referred to as the same domain.

    e.g. Internal name = casnetbiosname.shudnow.net, External name = mail.shudnow.net

    The "shudnow" part being constant on internal and external domains,

    which is different from the way we are doing it. Please do not ask why, lol; we have seemingly always used these domains for external mail connections such as OWA etc.

    The above also leads me to my next point: HOW DO I ADD THIS TO DNS?

    Every time I try to add a DNS record it obviously always wants to stick ".contoso.local" on the end of it for the FQDN, but obviously I need to add a DNS record for "www.contosomail.org" with no "contoso.local" on the end of it.


    • Edited by mindofdude Friday, September 27, 2013 8:52 AM
    Friday, September 27, 2013 8:39 AM
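    The DNS part of the question above, as an added PowerShell example that is not from the thread. Records added inside the contoso.local zone will always get ".contoso.local" appended; the name on the certificate has to live in a zone of its own on the internal DNS servers. The example assumes the DnsServer PowerShell module (Windows Server 2012 or later; the equivalent dnscmd commands for older servers are in comments), that the name to publish internally is mail.contosomail.org, and that the Exchange server's LAN address is 10.0.0.25; all three are assumptions.

```powershell
# Added example (not from the thread): make the certificate's name resolve to the
# internal Exchange address from inside contoso.local, without shadowing the rest
# of the public contosomail.org zone. Run on an internal Windows DNS server.
$CertName   = "mail.contosomail.org"   # assumed: the name used for the internal URLs
$InternalIP = "10.0.0.25"              # assumed: LAN address of exc10.contoso.local

# Option A (preferred): a "pinpoint" zone whose name IS the host name, with one A
# record at the zone apex. Only this single name is answered internally; every
# other contosomail.org name (public website, MX, SPF) still resolves via public DNS.
if (-not (Get-DnsServerZone -Name $CertName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $CertName -ReplicationScope "Domain"   # AD-integrated
}
# "@" means the zone apex, i.e. mail.contosomail.org itself, not a host under it
Add-DnsServerResourceRecordA -ZoneName $CertName -Name "@" -IPv4Address $InternalIP
# Repeat the two lines above for any second name on the certificate you also use
# internally, e.g. www.contosomail.org.
#
# Same thing with dnscmd on Windows Server 2008 / 2008 R2:
#   dnscmd /ZoneAdd mail.contosomail.org /DsPrimary
#   dnscmd /RecordAdd mail.contosomail.org @ A 10.0.0.25

# Option B: a full internal copy of contosomail.org. Only do this if you are prepared
# to duplicate every public record in it, because internal clients will then never
# see the public zone at all (a missing www or MX record silently breaks things).
# Add-DnsServerPrimaryZone -Name "contosomail.org" -ReplicationScope "Domain"
# Add-DnsServerResourceRecordA -ZoneName "contosomail.org" -Name "mail" -IPv4Address $InternalIP

# Check from an internal client: the answer must be the LAN address, not the public one.
$answer = Resolve-DnsName -Name $CertName -Type A
if ($answer.IPAddress -contains $InternalIP) {
    "OK: $CertName -> $InternalIP"
} else {
    Write-Warning "$CertName resolves to $($answer.IPAddress -join ', ') instead of $InternalIP"
}
```

    Once the name resolves internally, the same certificate works on the LAN and from outside without a new certificate from the provider, because Outlook is then connecting to a name the certificate already carries. The pinpoint zone keeps the change to exactly the one name you need, which is why it is the safer of the two options.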
  • Thanks Si_UK

    Those links really helped. Especially the DNS one.

    Does the URL really need to be added to the Intranet zone within Internet settings on all clients as well? I have never had to do this in the past with Exchange 2003 using the same certs.

    Not that it would be a major issue rolling this out via Group Policy, but still, is it necessary?

    Thanks for all your help so far, though. If the above resolves the issue after I have made the other relevant changes, I will get back to you and let you know.

    Cheers,

    Friday, September 27, 2013 11:32 AM