Exchange server 2016 Certificate error

  • Question

  • Hi all Exchange experts... Could someone help me with an Exchange Server 2016 certificate issue? I installed a brand new Exchange Server 2016... Every time I open Outlook it pops up a certificate message and asks me to install... attached screenshot.. I have run the certificate checker and the cert looks fine to me.. Could someone help me to resolve this issue? And do I need to push this cert using GPO?
    Monday, January 6, 2020 7:08 AM

Answers

  • Hi,

    As the replies mentioned above, the issue occurs when the URL that you are trying to access is not listed in either the Subject or the Subject Alternative Name (SAN) of the Secure Sockets Layer (SSL) certificate for the website.

    The SAN configured in the certificate can also be checked by the following command

    Get-ExchangeCertificate | fl Subject,CertificateDomains,Services

    And then check the records in the virtual directories by running the command provided by Sneff. If they do not match, we can change the virtual directories with a command like the following, for example:

    Set-OABVirtualDirectory -Identity "Server1\OAB (Default Web Site)" -ExternalUrl "https://www.contoso.com/OAB"

    Or apply for a new certificate.

    Some additional tips we need to note:

    • Certificates are server-based, so when there are multiple Exchange servers (installed in different roles) in the environment, after installing or updating a certificate for one server, we need to import the certificate to other servers.
    • After the IIS service is assigned to the new certificate, we need to run IISReset with administrator privileges in the CMD to force the update of the IIS service.
    • We need to assign the services on this certificate to other certificates before we can successfully delete the certificate.

    Regards,

    Joyce Shen


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Tuesday, January 7, 2020 6:20 AM
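
    The comparison described in the answer above, as an added example that is not part of the original thread: it collects every hostname published by the virtual directories, Autodiscover and Outlook Anywhere on one server and reports whether the certificate assigned to IIS covers it, including wildcard SANs. It assumes it is run in the Exchange Management Shell on the Exchange 2016 server itself; `Test-CertCoversName` is a hypothetical helper name.

```powershell
# Added example: run in the Exchange Management Shell on the server being checked.
$server = $env:COMPUTERNAME   # assumption: the local machine is the Exchange server

# Hypothetical helper: does any SAN entry cover this hostname?
function Test-CertCoversName([string]$Name, [string[]]$Sans) {
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }            # exact match (case-insensitive)
        # A wildcard SAN covers exactly one extra left-most label
        if ($san.StartsWith('*.') -and $Name -like $san -and
            $Name.Split('.').Count -eq $san.Split('.').Count) { return $true }
    }
    return $false
}

# Names on the certificate(s) that currently have the IIS service assigned
$sanList = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { [string]$_ } | Sort-Object -Unique

# Every URL the server hands out to clients
$vdirs = @(
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-OabVirtualDirectory         -Server $server
    Get-MapiVirtualDirectory        -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
)
$names  = @()
$names += $vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
    Where-Object { $_ } | ForEach-Object { ([uri][string]$_).Host }
$scp    = (Get-ClientAccessService -Identity $server).AutoDiscoverServiceInternalUri
$names += ([uri][string]$scp).Host
$names += Get-OutlookAnywhere -Server $server |
    ForEach-Object { [string]$_.InternalHostname, [string]$_.ExternalHostname }

# One row per distinct hostname; False marks a name the certificate does not cover
$names | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique |
    ForEach-Object {
        [pscustomobject]@{
            HostName         = $_
            CoveredByIisCert = Test-CertCoversName $_ $sanList
        }
    } | Format-Table -AutoSize
```

    Any row showing False is a hostname Outlook is directed to that the IIS certificate does not list; either change that URL or request a certificate that includes the name, as the answer describes.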

All replies

  • Hello

    Check exchange urls and compare cert domain list.


    sorry my english

    Monday, January 6, 2020 7:17 AM
  • Thanks for the reply.. I have used the same URL for everything, for example.. mail.testing.com.. When I generated the cert I used multiple names as well, just in case.
    Monday, January 6, 2020 9:40 AM
  • attached cert checker results
    Monday, January 6, 2020 9:47 AM
  • Hello

    But error message... check all url like autodiscover etc..

    from outlook "test e-mail autoconfiguration" and check urls again.


    sorry my english

    Monday, January 6, 2020 9:50 AM
  • Hi Sneff, when I configure Outlook on the LAN, Autodiscover discovers and auto-config in Outlook works fine.. When I close and reopen Outlook, that's where I am getting the error message.. Should I revoke the cert and make sure the names are correct on the cert? What names should I include apart from the mail.testing.com, autodiscover.testing.com names? I am new to Exchange server setup.. I have most of things that I can think before posting in this forum.

    Thanks for your help again.

    Monday, January 6, 2020 10:08 AM
  • Hello

    Please check the URLs again; if you get an empty answer, write the URL.

    Get-ExchangeServer | Get-ActiveSyncVirtualDirectory | fl Identity, *ternalurl*
    Get-ExchangeServer | Get-ClientAccessServer | fl Identity, *ternaluri*
    Get-ExchangeServer | Get-EcpVirtualDirectory | fl Identity, *ternalurl*
    Get-ExchangeServer | Get-MapiVirtualDirectory | fl Identity, *ternalurl*
    Get-ExchangeServer | Get-OabVirtualDirectory | fl Identity, *ternalurl*
    Get-ExchangeServer | Get-OutlookAnywhere | fl Identity, *ternalhost*, *ticationmeth*
    Get-ExchangeServer | Get-WebServicesVirtualDirectory | fl Identity, *ternalurl*
    Get-ExchangeServer | Get-OwaVirtualDirectory | fl Identity, *ternalurl*

    And with Get-ExchangeCertificate, check the binding for IIS. If you have more than one server, check all servers.


    
    
    
    


    sorry my english

    Monday, January 6, 2020 10:43 AM
  • Check test-emailautoconfiguration output in XML

    1) Check if any VD is not correctly set from that output

    2) Check the connection tab and see if it is getting resolved using SCP

    

    Monday, January 6, 2020 1:20 PM
  • Hi,

    Do the suggestions above help? If you have any questions or need further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers; this will make answer searching in the forum easier and be beneficial to other community members as well.

    Regards,

    Joyce Shen


    Friday, January 10, 2020 6:28 AM