Exchange server 2016 Certificate error

Question
-
Hi All Exchange expertise... Could someone help me with the Exchange Server 2016 certificate issue? I installed a brand new Exchange Server 2016... Every time I open Outlook it pops up a certificate message and asks me to install... attached screenshot.. I have done certificate checker and the cert looks fine to me.. Could someone help me to resolve this issue? And do I need to push this cert using GPO?
Monday, January 6, 2020 7:08 AM
Answers
-
Hi,
As the replies mentioned above, the issue occurs when the URL that you are trying to access is not listed in either the Subject or the Subject Alternative Name (SAN) of the Secure Sockets Layer (SSL) certificate for the website.
The SAN configured in the certificate can also be checked by the following command:
Get-ExchangeCertificate | fl Subject,CertificateDomains,Services
And then check the records in the virtual directories by running the command provided by Sneff. If they do not match, we can change the virtual directories like the following command, for example:
Set-OABVirtualDirectory -Identity "Server1\OAB (Default Web Site)" -ExternalUrl "https://www.contoso.com/OAB"
Or apply for a new certificate.
Some additional tips we need to note:
- Certificates are server-based, so when there are multiple Exchange servers (installed in different roles) in the environment, after installing or updating a certificate for one server, we need to import the certificate to other servers.
- After the IIS service is assigned to the new certificate, we need to run IISReset with administrator privileges in the CMD to force the update of the IIS service.
- We need to assign the services on this certificate to other certificates before we can successfully delete the certificate.
Regards,
Joyce Shen
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
- Proposed as answer by Joyce_Shen (Microsoft contingent staff) Wednesday, January 8, 2020 1:15 AM
- Marked as answer by Edward van Biljon (MVP) Sunday, January 12, 2020 5:57 PM
Tuesday, January 7, 2020 6:20 AM
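Added example (not part of the thread and not Microsoft's code): the comparison the answer describes, done mechanically. The function name `Test-CertNameCoverage` and the sample host `exch01.testing.local` are assumptions made for illustration; the sample input is constructed.

```powershell
# Added example, not from the thread: list configured host names that the
# certificate's names do not cover (the condition behind the Outlook prompt).
function Test-CertNameCoverage {
    param(
        [string[]] $CertificateDomains,  # Subject/SAN names of the certificate
        [string[]] $Endpoints            # URLs or bare host names from the server config
    )
    $names = $CertificateDomains | ForEach-Object { $_.Trim().ToLowerInvariant() }
    foreach ($endpoint in ($Endpoints | Where-Object { $_ })) {
        # Virtual directories hold URLs; Outlook Anywhere holds bare host names.
        $uri = $null
        if ([Uri]::TryCreate($endpoint, [UriKind]::Absolute, [ref]$uri) -and $uri.Host) {
            $hostName = $uri.Host.ToLowerInvariant()
        } else {
            $hostName = $endpoint.Trim().ToLowerInvariant()
        }
        $covered = $false
        foreach ($name in $names) {
            if ($name -eq $hostName) { $covered = $true; break }
            if ($name.StartsWith('*.')) {
                # A wildcard covers exactly one left-most label:
                # *.testing.com matches mail.testing.com, not a.b.testing.com.
                $firstDot = $hostName.IndexOf('.')
                if ($firstDot -gt 0 -and $hostName.Substring($firstDot) -eq $name.Substring(1)) {
                    $covered = $true; break
                }
            }
        }
        if (-not $covered) {
            [pscustomobject]@{ Host = $hostName; Endpoint = $endpoint }
        }
    }
}

# Constructed sample input. The thread only names mail.testing.com and
# autodiscover.testing.com; exch01.testing.local is a hypothetical server FQDN.
$certNames = 'mail.testing.com', 'autodiscover.testing.com'
$endpoints = @(
    'https://mail.testing.com/owa',
    'https://mail.testing.com/OAB',
    'https://autodiscover.testing.com/Autodiscover/Autodiscover.xml',
    'https://exch01.testing.local/Autodiscover/Autodiscover.xml',
    'mail.testing.com'
)
Test-CertNameCoverage -CertificateDomains $certNames -Endpoints $endpoints | Format-Table -AutoSize
```

On a live server, pass the CertificateDomains of the certificate that has the IIS service assigned, plus the URL, URI and host name values returned by the Get-*VirtualDirectory, Get-ClientAccessServer and Get-OutlookAnywhere commands quoted in the replies. Any row it returns is a name to fix in the virtual directory settings or to include in a new certificate.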
All replies
-
Monday, January 6, 2020 7:17 AM
-
Thanks for the reply.. I have used the same URL for everything, for example mail.testing.com.. When I generated the cert I used multiple names as well, just in case.
Monday, January 6, 2020 9:40 AM
-
Attached cert checker results
Monday, January 6, 2020 9:47 AM
-
Hello
But error message... check all url like autodiscover etc..
from outlook "test e-mail autoconfiguration" and check urls again.
sorry my english
Monday, January 6, 2020 9:50 AM
-
Hi Sneff, when I configure Outlook on the LAN, autodiscover discovers and auto config in Outlook works fine.. When I close and reopen Outlook, that's where I am getting the error message.. Should I revoke the cert and make sure the names are correct on the cert? What names should I include apart from mail.testing.com, autodiscover.testing.com names? I am new to Exchange server setup.. I have most of things that I can think before posting in this forum.
Thanks for your help again.
Monday, January 6, 2020 10:08 AM
-
Hello
please check url again: /if have got empty answer write url.
Get-ExchangeServer | Get-ActiveSyncVirtualDirectory | fl Identity, *ternalurl*
Get-ExchangeServer | Get-ClientAccessServer | fl Identity, *ternaluri*
Get-ExchangeServer | Get-EcpVirtualDirectory | fl Identity, *ternalurl*
Get-ExchangeServer | Get-MapiVirtualDirectory | fl Identity, *ternalurl*
Get-ExchangeServer | Get-OabVirtualDirectory | fl Identity, *ternalurl*
Get-ExchangeServer | Get-OutlookAnywhere | fl Identity, *ternalhost*, *ticationmeth*
Get-ExchangeServer | Get-WebServicesVirtualDirectory | fl Identity, *ternalurl*
Get-ExchangeServer | Get-OwaVirtualDirectory | fl Identity, *ternalurl*
and with Get-ExchangeCertificate check binding for iis. if have got more server check all servers.
sorry my english
Monday, January 6, 2020 10:43 AM
-
Check test-emailautoconfiguration output in XML
1) Check if any VD is not correctly set from that output
2) Check connection tab and see if getting resolved using SCP
Monday, January 6, 2020 1:20 PM
-
Monday, January 6, 2020 6:41 PM
-
Hi,
Do suggestions above help? If you have any questions or needed further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.
Regards,
Joyce Shen
Friday, January 10, 2020 6:28 AM