Exchange 2010 AutoDiscover Certificate Error

    Question

  • Hi everyone,

    My users are getting certificate errors when they open Outlook 2007 or use AutoDiscover to create new Outlook profiles. The error specifically states: "The name on the security certificate is invalid or does not match the name of the site." This error is causing messages to appear in cached mode users' Sync Issues folders and other problems. Plus it is just plain annoying to see it pop up every few minutes.

    I have an Exchange 2010 (RTM) environment set up with two CAS/HT servers and two mailbox servers CCR-replicating in a DAG. AutoDiscover on the CAS/HT servers is set up using the single certificate redirect method per this article. (Created a new site called AutoDiscover that points to a folder called AutoDiscover_redirect with a folder called AutoDiscover under that and a file called AutoDiscover.xml under that folder, selected the AutoDiscover.xml file in IIS7 Manager and set it to 302 redirect to the autodiscover.xml on the default website with my certificate.) The only difference between the article and my environment is that I have the AutoDiscover IP address applied as a secondary IP address of my CAS/HT NLB cluster, and the steps in the article were applied to both CAS/HT servers so that AutoDiscover can be load-balanced. My certificate is a single-name (read: cheap) certificate from a public certification authority (GeoTrust) and has always worked when we were on Exchange 2007. I also have IIS set to redirect 403 errors on the default websites of both CAS/HT servers to the https:// site using this method rather than using the HTML redirection method described here. (I'm not sure if that part is relevant or not but thought I might include it just to be thorough.)

    I can run the AutoDiscover test from http://www.testexchangeconnectivity.com and it passes with a green check mark when it gets to the part about using the redirect method. There is a public A-record for my AutoDiscover site that points to an additional public IP we use for that site. I'm not sure what else to try as it seems everything should be working but isn't.

    Help!
    Monday, January 18, 2010 12:16 AM

All replies

  • It should also be noted that I have run all the following commands:

    Set-OABVirtualDirectory -Identity "EXCHFE01\oab (Default Web Site)" -InternalUrl https://secure.mydomain.com/oab
    Set-OABVirtualDirectory -Identity "EXCHFE01\oab (Default Web Site)" -externalURL https://secure.mydomain.com/oab
    Set-OABVirtualDirectory -Identity "EXCHFE02\oab (Default Web Site)" -InternalUrl https://secure.mydomain.com/oab
    Set-OABVirtualDirectory -Identity "EXCHFE02\oab (Default Web Site)" -externalURL https://secure.mydomain.com/oab

    Set-WebServicesVirtualDirectory -Identity "EXCHFE01\EWS (Default Web Site)" -InternalUrl https://secure.mydomain.com/ews/exchange.asmx
    Set-WebServicesVirtualDirectory -Identity "EXCHFE01\EWS (Default Web Site)" -externalurl https://secure.mydomain.com/ews/exchange.asmx
    Set-WebServicesVirtualDirectory -Identity "EXCHFE02\EWS (Default Web Site)" -InternalUrl https://secure.mydomain.com/ews/exchange.asmx
    Set-WebServicesVirtualDirectory -Identity "EXCHFE02\EWS (Default Web Site)" -externalurl https://secure.mydomain.com/ews/exchange.asmx

    Set-ClientAccessServer -Identity EXCHFE01 -AutodiscoverServiceInternalUri https://secure.mydomain.com/autodiscover/autodiscover.xml
    Set-ClientAccessServer -Identity EXCHFE02 -AutodiscoverServiceInternalUri https://secure.mydomain.com/autodiscover/autodiscover.xml

    Set-ActiveSyncVirtualDirectory -Identity "EXCHFE01\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://secure.mydomain.com/Microsoft-Server-Activesync
    Set-ActiveSyncVirtualDirectory -Identity "EXCHFE02\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://secure.mydomain.com/Microsoft-Server-Activesync
    Monday, January 18, 2010 12:18 AM
  • Hi,

    What type of users are encountering this issue? Domain-connected or non-domain-connected? Do all users have this issue?

    Additionally, please run the Test-OutlookWebServices | fl command in EMS, then post the output on the forum.

    Thanks

    Allen
    Thursday, January 21, 2010 6:57 AM
    Moderator
  • Hi,

    How about the host names and domain names configured on the certificate? From your post I assume you have this problem only for the internal clients. Normally you should add the internal host names, internal domain names and external domain name to the certificate request. If you are missing the internal domain name or internal host name, you may experience this issue. So please check your certificate request cmdlet against the cmdlet below.

    New-ExchangeCertificate -GenerateRequest -SubjectName "C=NL,DC=Organisationname,O=Org description,CN=domain.com" -DomainName webmail.domain.com,autodiscover.domain.com,cas1.domain.local,cas1 -Path c:\certrequest.txt

    Btw: as Allen asked, please let us know whether only domain-connected users or only non-domain-connected users are experiencing this issue.

    Regards


    Chinthaka Shameera | MCITP: EA | MCSE: M | http://howtoexchange.wordpress.com/
    Thursday, January 21, 2010 8:11 AM
  • I am having the same problem using a Network Solutions Single Name SSL certificate.  Internal domain users using Outlook 2007 are receiving the error.  The certificate name is for the external URL.  I, like Jason, have run all the commands I thought I needed to run and created the DNS records.  I can ping the external FQDN internally and receive the internal ip address of the Exchange 2010 server.  Any ideas?  Thanks.
    Tuesday, February 16, 2010 9:47 PM
  • I ended up fixing this by rebuilding both of my frontend CAS/HT servers from scratch. No idea what the cause was but they are working now.
    Tuesday, February 16, 2010 11:54 PM
  • How about the host names and domain names configured on the certificate? From your post I assume you have this problem only for the internal clients. Normally you should add the internal host names, internal domain names and external domain name to the certificate request. If you are missing the internal domain name or internal host name, you may experience this issue.


    This isn't necessary if you're connecting to a load-balanced IP & hostname internally, which, judging by his commands above, he is. I wouldn't want my internal hostnames displayed to the world for anyone who happens to load my OWA page. :)
    Brian Day, Overall Exchange & AD Geek
    MCSA 2000/2003, CCNA
    MCTS: Microsoft Enterprise Server 2010, Configuration
    MCITP: Enterprise Messaging Administrator 2010
    LMNOP
    Wednesday, February 17, 2010 12:01 AM
  • If this is from internal, I have seen cases where the SCP does not update correctly and still holds the old URL. If this happens both inside and outside, then it is a different issue.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Wednesday, February 17, 2010 1:00 AM
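An added example, not posted by anyone in this thread, that ties together the three checks the replies circle around: the Set-*VirtualDirectory / Set-ClientAccessServer URLs from the first reply, the certificate names Chinthaka asks about, and the stale SCP Mitch mentions. It is a read-only audit for the Exchange 2010 Management Shell (PowerShell 2.0 syntax, no Set-* cmdlets): it collects every URL a CAS hands to Outlook, checks the host in each URL against the CertificateDomains of the certificate enabled for IIS on that CAS (exact SAN or single-level wildcard), and reads the Autodiscover SCP objects straight out of the AD configuration partition, which is what domain-joined Outlook queries, so a value that Exchange no longer reports but AD still holds shows up. The keyword GUID in the LDAP filter is the well-known Autodiscover SCP keyword Outlook searches for; function names are the example's own.

```powershell
# Added example (not from the thread): read-only audit of Exchange 2010 client URLs
# vs. the IIS certificate, plus a direct AD read of the Autodiscover SCP.
# Assumes the Exchange Management Shell is loaded on a domain-joined host.

function Test-CertCoversName {
    # True if $HostName is an exact SAN match or is covered by a single-level wildcard.
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $HostName) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix    = $d.Substring(1)            # '*.contoso.com' -> '.contoso.com'
            $sameDepth = ($HostName.Split('.').Count -eq $d.Split('.').Count)
            if ($sameDepth -and $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
    }
    return $false
}

function Get-ClientFacingUrls {
    # Every URL Exchange publishes to Outlook. AutoDiscoverServiceInternalUri is the
    # SCP value as Exchange reads it; InternalUrl/ExternalUrl come back in the
    # Autodiscover response and must all live on a name the certificate carries.
    foreach ($cas in Get-ClientAccessServer) {
        New-Object PSObject -Property @{ Server = $cas.Name; Service = 'Autodiscover SCP (Exchange view)'; Url = [string]$cas.AutoDiscoverServiceInternalUri }
    }
    $vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
             @(Get-ActiveSyncVirtualDirectory) + @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory)
    foreach ($v in $vdirs) {
        foreach ($side in 'InternalUrl', 'ExternalUrl') {
            if ($v.$side) {
                New-Object PSObject -Property @{ Server = [string]$v.Server; Service = "$($v.Name) $side"; Url = [string]$v.$side }
            }
        }
    }
    foreach ($oa in Get-OutlookAnywhere) {
        if ($oa.ExternalHostname) {
            New-Object PSObject -Property @{ Server = [string]$oa.Server; Service = 'Outlook Anywhere ExternalHostname'; Url = "https://$($oa.ExternalHostname)/rpc" }
        }
    }
}

function Get-AutodiscoverScpFromAD {
    # Domain-joined Outlook searches the configuration partition for SCP objects
    # tagged with this well-known keyword GUID, so read exactly what it would see.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Get('configurationNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNc")
    $searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('serviceBindingInformation')
    foreach ($r in $searcher.FindAll()) {
        foreach ($binding in $r.Properties['servicebindinginformation']) {
            # The SCP object is named after its CAS, so cn is the server name.
            New-Object PSObject -Property @{ Server = [string]$r.Properties['cn'][0]; ScpUrl = [string]$binding }
        }
    }
}

# 1. Every published URL host checked against the IIS certificate of the CAS that publishes it.
$allUrls = @(Get-ClientFacingUrls)
$report  = foreach ($cas in Get-ClientAccessServer) {
    $cert = Get-ExchangeCertificate -Server $cas.Name |
            Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { Write-Warning "$($cas.Name): no certificate is enabled for IIS"; continue }
    $names = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
    foreach ($u in $allUrls | Where-Object { $_.Server -eq $cas.Name }) {
        $h = ([Uri]$u.Url).Host
        New-Object PSObject -Property @{
            Server = $cas.Name; Service = $u.Service; Host = $h
            Covered = (Test-CertCoversName -HostName $h -CertDomains $names)
            CertThumbprint = $cert.Thumbprint; CertExpires = $cert.NotAfter
        }
    }
}
$report | Sort-Object Covered, Server, Service | Format-Table Server, Service, Host, Covered, CertExpires -AutoSize

# 2. Stale-SCP check: what AD serves to clients vs. what Exchange reports per CAS.
$exchangeView = @{}
Get-ClientAccessServer | ForEach-Object { $exchangeView[$_.Name] = [string]$_.AutoDiscoverServiceInternalUri }
foreach ($scp in Get-AutodiscoverScpFromAD) {
    if ($exchangeView[$scp.Server] -ne $scp.ScpUrl) {
        Write-Warning "SCP mismatch on $($scp.Server): AD holds '$($scp.ScpUrl)', Exchange reports '$($exchangeView[$scp.Server])'"
    }
}
```

Any row with Covered = False is a name Outlook will be told to connect to that the certificate cannot vouch for, which is exactly what produces "The name on the security certificate is invalid or does not match the name of the site"; the OWA, ECP and Outlook Anywhere entries are included because a single-name certificate is often set up for EWS/OAB/Autodiscover while one of those is left on the server FQDN. The AD read in step 2 is bound to whichever domain controller the session picks, so run it against the DC the affected clients use (or pass `LDAP://dc01/...` in place of `LDAP://...`) when chasing a replication lag rather than a genuinely stale value.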