problem with the proxy server's security certificate after issuing new certificate

    Question

  • Hello,

    I am experiencing problems with Outlook non-domain clients. When they start Outlook the error appears:
    "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.mydomain.com. Outlook is unable to connect to the proxy server"
    Also a credentials window appears.

    The problem started to occur after the change of the certificate. Up to today I had a wildcard certificate *.mydomain.com, but I had to change it to SAN due to multiple domains handling.

    Of course the new certificate has a different CN, which is: mail.mydomain.com (was: *.mydomain.com).
    I have assigned IMAP, POP and IIS services to the new certificate. When I assign the IIS service back to the old certificate, the problem disappears.

    I also changed the OutlookProvider EXPR CertPrincipalName parameter to mstd:mail.mydomain.com (was mstd:*.mydomain.com). Actually, there is no difference after changing this parameter.

    Can anybody help with this issue?


    Tuesday, February 14, 2012 1:21 PM

Answers

  • Hi,

    1. Please browse https://mail.MyDomain.org/rpc/rpcproxy.dll, it will return a blank page after you enter the credential.
    2. Try to use the Exchange remote connectivity tool to test if we can connect to the proxy server. We may select “Microsoft Office Outlook Connectivity test”.

    https://www.testexchangeconnectivity.com/

    Note: If you get any warning or error, please post the detail information here.

    1. Get-OutlookProvider EXPR | fl CertPrincipalName, Server  (post the result here).
    2. Get-ExchangeCertificate | fl CertificateDomains, Services

    Verify if the certificate name matches.

    By the way, how many CAS servers are in the network?

    How did you redirect the request to proxy server via firewall? Port mapping or publish rule?

    What is your firewall?


    Wendy

    • Proposed as answer by wendy_liu Monday, February 27, 2012 2:41 AM
    • Marked as answer by wendy_liu Monday, February 27, 2012 2:56 AM
    Friday, February 24, 2012 9:06 AM

All replies

  • Does the new SAN certificate come from a trusted 3rd party provider or an internal CA? Do the non-domain clients trust the issuer of the certificate?

    Have you restarted IIS etc after changing certificates?


    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com

    • Proposed as answer by Kari Hyvönen Monday, September 10, 2012 5:10 AM
    Tuesday, February 14, 2012 1:42 PM
  • Hi

    If you view the certificate from the error pop-up is the new SAN cert displayed?  Did your certificate come with any Intermediate or Root certificates and if so were those installed correctly?

    Steve

    Tuesday, February 14, 2012 1:44 PM
  • The new certificate comes from my CA, but non-domain clients trust this CA.

    No, I did not restart IIS, but the same non-domain client can access OWA with NO problems. No certificate problem is displayed in Internet Explorer.


    • Edited by kcerb Tuesday, February 14, 2012 1:56 PM
    Tuesday, February 14, 2012 1:47 PM
  • This error does not show the certificate, only the site name: mail.mydomain.com. When I try to connect to OWA, the SAN certificate is displayed correctly. Both certificates (the old one and the new one) were issued by the same internal root CA. All clients have my root CA certificate installed, so they trust this CA.
    Tuesday, February 14, 2012 1:54 PM
  • Do you have autodiscover.mydomain.com as an alternate name on your certificate?  If not you need to run this command:

    Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com/autodiscover/autodiscover.xml


    Tuesday, February 14, 2012 1:57 PM
  • Yes, I have autodiscover.mydomain.com as an alternate name on the new certificate. I also have the correct Uri.
    Tuesday, February 14, 2012 2:01 PM
  • On the Outlook client, what settings are configured for the proxy? Does the entered principal name match (should be msstd:mail.mydomain.com) the one you have specified in Exchange, or could it be that these do not match?

    Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com

    Tuesday, February 14, 2012 2:07 PM
  • Proxy URL is set to: mail.mydomain.com, all checkboxes are checked.
    Connect only to proxy servers with this common name in certificate: msstd:mail.mydomain.com
    NTLM authentication is enabled.


    • Edited by kcerb Tuesday, February 14, 2012 3:20 PM
    Tuesday, February 14, 2012 2:52 PM
  • Hi There,

    Are the non-domain computers accessing Outlook through the LAN or remotely?

    What kind of proxy are you using? Have you updated the certificate on the proxy?

    Wednesday, February 15, 2012 2:40 AM
  • Hi,

    The non-domain computers are outside my LAN and they connect to CAS via a firewall which is set to redirect ports. I do not use any proxy.

    Wednesday, February 15, 2012 6:00 AM
  • Any ideas?
    Thursday, February 16, 2012 10:54 AM
  • First can the non-domain computers access OWA without any certificate errors?

    What OS is on the computers? XP by any chance?

    Thursday, February 16, 2012 12:02 PM
  • Yes, the non-domain computers can access OWA with no problems - without certificate errors. As I said earlier: I manually installed my root CA certificate on those computers.

    All remote (non-domain) computers run Win 7 x64. Outlook 2007 (Pro Plus).

    Thursday, February 16, 2012 12:33 PM
  • Hi,

    Do you have any update ?


    Wendy

    Friday, February 17, 2012 9:16 AM
  • What do you mean Wendy?
    • Edited by kcerb Friday, February 17, 2012 9:47 AM
    Friday, February 17, 2012 9:47 AM
  • Does it still have a certificate issue after you install your Root CA certificate?

    And the users connect to CAS via the firewall; it doesn't use a proxy.

    Does the firewall use NAT translation?

    What version is the Exchange Server?


    Wendy

    Friday, February 17, 2012 10:03 AM
  • Yes, the problem still exists. I am sure that this is NO firewall problem because everything works fine when I use a wildcard certificate (*.mydomain.com). The problem occurs only when I assign the new SAN certificate to the IIS service.

    My Exchange is 2010 (14.2 Build 247.5)

    When I do the testexchangeconnectivity.com autodiscover or anywhere tests, then everything is ok on both certificates (except certificate trust of course).

    • Edited by kcerb Friday, February 17, 2012 10:12 AM
    Friday, February 17, 2012 10:09 AM
  • Hi,

    Please also try to assign the new SAN certificate to the SMTP service and test again.

    Did the certificate have a single domain name formerly?

    Have you done Autodiscover redirection?


    Wendy

    Monday, February 20, 2012 10:16 AM
  • Everything has worked fine for two days.

    I generated a new certificate request without POP / SMTP (I don't use it). Then I issued a new certificate, imported it and assigned it only to the IIS service.

    Formerly I used a wildcard certificate.

    I do not use Autodiscover redirection.

    Monday, February 20, 2012 10:58 AM
  • Hi,

    Glad to hear you resolved the issue.

    If you want to go on.

    You can run Test E-mail AutoConfiguration on the Outlook client when the issue occurs, and verify if the certificate which you get is correct.

    You can also test from https://www.testexchangeconnectivity.com .


    Wendy

    Wednesday, February 22, 2012 9:22 AM
  • Yes, I am using this site often (I wrote about it). I also know that I can use Ctrl+right-click on the Outlook icon and choose the autoconfiguration test.
    Wednesday, February 22, 2012 9:51 AM
  • I had this problem as well.

    Turns out in the Outlook Account settings something was setting the "Connect using SSL only -> Only connect to proxy servers that have this principal name in their certificate:" box to the old SSL CN.

    I was able to manually delete it and have it connect...I'm still looking at what is setting that though.

    Friday, June 1, 2012 2:16 PM
  • Had the same problem. Decided to remove the CertPrincipalName in Exchange: Set-OutlookProvider -Identity EXPR -CertPrincipalName $null.

    VitalB

    • Proposed as answer by PcAidr Sunday, July 14, 2013 3:15 PM
    Thursday, October 18, 2012 1:09 PM
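    The following script is an added example, not code from this thread or from Microsoft. It automates the check Wendy asks for above (compare the EXPR provider's CertPrincipalName with the domains on the certificate bound to IIS) and prints the two corrections the thread discusses: re-pinning to the new name, or clearing the value as VitalB did. Only mail.mydomain.com and the msstd: prefix come from the thread; the function names, the constructed sample domains and the use of Exchange Management Shell cmdlets are assumptions.

```powershell
# Added example (not from the thread). Offline part: compare a pinned principal name with a
# list of certificate domains. Live part: read the real values with Exchange cmdlets, if present.

function Test-ExprPrincipalName {
    param(
        [AllowNull()][string]$CertPrincipalName,   # (Get-OutlookProvider EXPR).CertPrincipalName
        [string[]]$CertificateDomains              # CertificateDomains of the IIS-bound certificate
    )
    if ([string]::IsNullOrWhiteSpace($CertPrincipalName)) {
        # Nothing pinned: Outlook no longer compares the principal name, only the proxy host name
        return [pscustomobject]@{ Match = $true; Reason = 'No principal name pinned (check disabled)' }
    }
    # The thread and the Outlook proxy dialog use the msstd: form; flag anything else
    if ($CertPrincipalName -notmatch '^msstd:(.+)$') {
        return [pscustomobject]@{ Match = $false; Reason = "Not an msstd: principal name: $CertPrincipalName" }
    }
    $pinned = $Matches[1].Trim().ToLowerInvariant()
    # Assumption: literal, case-insensitive comparison. A wildcard certificate is therefore pinned as
    # msstd:*.mydomain.com and a SAN certificate as msstd:mail.mydomain.com, as the poster did.
    $found = $CertificateDomains | Where-Object { $_.ToLowerInvariant() -eq $pinned }
    if ($found) {
        return [pscustomobject]@{ Match = $true; Reason = "'$pinned' is present on the IIS certificate" }
    }
    return [pscustomobject]@{ Match = $false; Reason = "'$pinned' is not among: $($CertificateDomains -join ', ')" }
}

function Get-ExprPrincipalNameReport {
    # Live check; only meaningful inside the Exchange Management Shell (assumed)
    $expr    = Get-OutlookProvider -Identity EXPR
    $iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    $domains = @($iisCert.CertificateDomains | ForEach-Object { "$_" })
    $result  = Test-ExprPrincipalName -CertPrincipalName "$($expr.CertPrincipalName)" -CertificateDomains $domains
    [pscustomobject]@{
        CertPrincipalName = $expr.CertPrincipalName
        IisCertificate    = $iisCert.Subject
        Match             = $result.Match
        Reason            = $result.Reason
    }
}

# Constructed sample reproducing the thread: the old wildcard pin against the new SAN certificate,
# then the pin corrected to the new CN.
$newSanDomains = @('mail.mydomain.com', 'autodiscover.mydomain.com', 'mail.otherdomain.com')
Test-ExprPrincipalName -CertPrincipalName 'msstd:*.mydomain.com'    -CertificateDomains $newSanDomains
Test-ExprPrincipalName -CertPrincipalName 'msstd:mail.mydomain.com' -CertificateDomains $newSanDomains

if (Get-Command Get-OutlookProvider -ErrorAction SilentlyContinue) {
    $report = Get-ExprPrincipalNameReport
    $report
    if (-not $report.Match) {
        # Preferred: align the pin with the new certificate, which keeps the client-side check
        Write-Host "Fix: Set-OutlookProvider -Identity EXPR -CertPrincipalName 'msstd:mail.mydomain.com'"
        # Alternative from the thread: clear it, which removes the principal-name check entirely
        Write-Host "Alternative: Set-OutlookProvider -Identity EXPR -CertPrincipalName `$null"
    }
}
```

    The two sample calls show the mismatch the original poster hit (the wildcard name is not on the SAN certificate) and the corrected pin. Note that the value Outlook displays under "Only connect to proxy servers that have this principal name in their certificate" is delivered to the profile by Autodiscover from the EXPR provider, so a client that still shows the old name (as in the June reply above) has not yet picked up the changed server-side value; clearing the value with $null makes the symptom go away by dropping that check rather than by making the names agree.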
  • Hi Wendy

    I'm having the problem listed above and I'm hoping you can point me in the right direction.

    I'd rather not post the results of those Cmdlets on open forum, suffice to say the CertPrincipalName and Server parameters are unpopulated. CertificateDomains is {domain.suffix, servername.domainname.suffix, autodiscover.domainname.suffix}

    How does one install the certificate for the Mbx Srv onto the server that hosts the RPC/HTTP proxy as Enable-OutlookAnywhere does not achieve that?

    Thanks

    Thursday, December 27, 2012 4:50 PM