The target principal name is incorrect on hub server?

  • Question

  • Exchange 2010 SP1 update 5. The hub server, mailbox servers and CAS server are dedicated VMs.

    All appears to be working (OWA, Outlook Anywhere); however, I have a POP3 user running Outlook 2007 who receives the following error:

    "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect."

    When I click View Certificate, I noticed Issued To and Issued By are the name of our hub server, and checking the Subject Alternative Name on the certificate, it displays the hub server NetBIOS name and the FQDN.

    When I click Yes to "Do you want to continue using this server?", everything works as expected. This repeats each time Outlook is opened.

    1. How do I get rid of this pop-up box permanently?

    2. Why is the certificate pop-up showing my hub server certificate? The hub server does not have a certificate assigned nor installed. I have a SAN certificate installed on the CAS server and SMTP is not assigned. I am not understanding how the name of the internal hub server and its cert got presented to the Outlook 2007 user, as I looked in the hub server for the cert and found none.

    Joe.

    Sunday, October 16, 2011 4:22 AM

Answers

  • Hi Joe,
    Every HUB server should have a certificate, and I would think that yours is using the one that was created during installation.
    Did you run Get-ExchangeCertificate | fl when you were looking for the certificate?

    You should find a certificate by running that command, and the thumbprint is also shown when running
    Get-TransportServer | fl Name,InternalTransportCertificateThumbprint

    With that said, your POP3 user has SMTP configured with SMTP authentication (at least it should be) on port 587, so it will use the certificate.

    If you have your own Windows CA or any other PKI solution in place, the best thing you can do is to "install" a new certificate that the client will trust. Once done, the certificate warning should go away.

    Martina Miskovic - http://www.nic2012.com/
    • Marked as answer by piloteight Monday, October 17, 2011 6:22 AM
    Sunday, October 16, 2011 5:18 AM
  • OK. I got this resolved by doing the following:

    If you would like to encrypt your mail for outbound SMTP (in Outlook: "This server requires an encrypted connection (SSL)", Outgoing server (SMTP): 587, "Use the following type of encrypted connection": Auto), do the following. I use a real SAN certificate, not self-signed.

    1. Export the SSL certificate from the CAS server using ESM: Server Configuration, click on the SAN certificate, right-click, Export Exchange Certificate and follow
        the instructions; make sure to give it a password. Save it in a location the hub server will have access to, as the hub will need this; I placed it at c:\ExportedCerts.pfx

    2. Grab c:\ExportedCerts.pfx from the CAS server and place it on the hub server.

    3. On the hub server:

    Importing your Certificate/Private Key (from .pfx file format)

    http://www.digicert.com/ssl-support/pfx-import-export-exchange-2007.htm

        Start > Run
        Type in MMC and click OK
        Go into the File Tab (or Console) > select Add/Remove Snap-in
        Click on Add > Click on Certificates and click on Add, then close (to close the Add Standalone Snap-in window)
        Click on OK (in the Add/Remove Snap-in window)
        Select Computer Account
        Select Local Computer
        Click the + to Expand the Certificates Console Tree
        Right click on the Personal Certificates Store (folder)
        Choose > ALL TASKS > Import
        Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
        Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.

    4. See your current certificates.

    [PS] C:\Windows\system32>Get-ExchangeCertificate
    Creating a new session for implicit remoting of "Get-ExchangeCertificate" command...

    Thumbprint                                Services   Subject
    ----------                                --------   -------
    744B7E115200039604B0836742738E503DBB1BDA  ....S.     CN=hub

    199A3D1B14256A12FC4827699A677B475F08B18A  ......     CN=mail.abc.com, OU=Information Technology, O=abc...

    5. Assign the certificate you just imported to the SMTP service.

    [PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 199A3D1B14256A12FC4827699A677B475F08B18B -Services smtp

    Confirm
    Overwrite the existing default SMTP certificate?

    Current certificate: '744B7E115200039604B0836742738E503DBB1BDA' (expires 10/7/2016 12:43:07 AM)
    Replace it with certificate: '199A3D1B14256A12FC4827699A677B475F08B18A' (expires 6/20/2012 5:00:00 AM)
    [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): A
    [PS] C:\Windows\system32>

    Hope this will help someone.

    Joe.
    • Marked as answer by piloteight Monday, October 17, 2011 6:35 AM
    Monday, October 17, 2011 6:35 AM
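A scripted version of steps 3 to 5 above, with the checks Martina's answer points at, as an added example that is not from the thread. It is run in the Exchange Management Shell on the hub server and assumes the PFX exported from the CAS is already at C:\ExportedCerts.pfx and that Outlook clients connect to mail.abc.com (both taken from the posts; adjust for your environment).

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the HUB server.
$PfxPath    = 'C:\ExportedCerts.pfx'   # path used in the post above
$ClientName = 'mail.abc.com'           # name Outlook is configured to connect to (assumed)
$HubFqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Record which certificate SMTP is using now (the self-signed one created at setup, CN=hub above).
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
Get-TransportServer $env:COMPUTERNAME | Format-List Name, InternalTransportCertificateThumbprint

# 2. Import the PFX (certificate plus private key) into the local computer store.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword

# 3. Check the certificate before binding it. The warning in the question is a name mismatch:
#    the name Outlook connects to must be in the SAN, the key must be present, and it must not be expiring.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
if ($cert.CertificateDomains -notcontains $ClientName) {
    throw "Certificate does not cover '$ClientName'; Outlook would still report an incorrect target principal name."
}
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export it from the CAS including the private key.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal now."
}
if ($cert.CertificateDomains -notcontains $HubFqdn) {
    Write-Warning "SAN does not include this server's own name ($HubFqdn), which the default certificate it replaces carried."
}

# 4. Bind it to SMTP only (the 'S' in the Services column). Exchange asks whether to overwrite the
#    default SMTP certificate, as shown in step 5 of the post; answer Yes.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 5. Verify: Services should now include SMTP and the transport thumbprint should match.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter
Get-TransportServer $env:COMPUTERNAME | Format-List Name, InternalTransportCertificateThumbprint
```

After this, a user who has been clicking Yes on the warning should get no prompt at all on port 587; if one still appears, compare the name in the Outlook account settings against the CertificateDomains printed in step 5.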

All replies

  • Hi Martina,

    Thank you for your response.

    Is it possible to use the EMC to locate the certificate, and how do I assign the certificate to the hub server?

    I was looking for something similar to how you install a certificate on the CAS server; apparently this is not the case.

    Joe.

    Sunday, October 16, 2011 7:24 AM