"Name on the Security Certificate is Invalid or Does not Match..." using Outlook 2007 w/ Exchange 200

Thread starter: Craig Regester

Craig Regester

#1
Good afternoon!

We just completed our Exchange 2007 implementation (migration from Exchange 2003... a fun romp of 24 straight hours for the final push) and noticed an error that only occurs on Outlook 2007 clients connecting to the Exchange 2007 server: "Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".

Now, I've done my reading into this and have determined that due to how Outlook 2007 clients managed their OAB, it is essentially through a web virtual directory now, no longer through Public Folders and this is essentially the base of our issue. See, our mail server has an internal FQDN of mail.ourdomain-domain.com whereas it has an external FQDN (which is what the SSL Cert is tied to) of owa.ourdomain.com.

So, essentially what I'm seeing is our internal Outlook 2007 clients (limited to I.S. employees only right now, thankfully) are seeing this SSL error because Outlook 2007 is trying to pick up the OAB using the internal FQDN instead of the external FQDN (which would work as well, due to some internal DNS trickery we have configured).

My question is (finally), is there a way to circumvent this internally so we never see this SSL error prompt or a way to force Outlook 2007 to use the external FQDN? I have made sure all the settings in Exchange Management Console for OAB and the like have both the internal and external FQDN set to owa.ourdomain.com (the valid SSL name), but it does not appear to have made a difference. Granted, I have not rebooted... but I do not think that is necessary in this instance.

Any suggestions would be appreciated. Thanks!!
 

Shawn Westerhoff

#2
We have a similar problem in that our SSL certificate shows secure.domainname.com rather than the hostname of the Exchange server. As we have SSL-enabled applications OTHER THAN EXCHANGE, we do not want Exchange 07 to redirect to the machine name but instead to a relative path UNDER the URL specified by the client request:

https://secure.domainname.com/exchange is how a user would get to OWA, and we want any redirection to go to https://secure.domainname.com/owa and so on. So far we cannot see where in IIS we would make that change.

Also, messages work to Palm 700p devices but we get a failure on other content, like appointments and contacts. The error is related to the SSL certificate not matching the Exchange server. I will post the error in a while.

Does anyone know how to tell IIS/OWA to redirect to a relative path?
 

Shawn Westerhoff

#3
Following up, the Palm 700p error message when trying to use ActiveSync is:

There was a problem syncing events. Can't connect to server. Please check your network or server settings and try again: AirSAMStateMachine.c 530 3

And we have a valid SSL Cert from a root CA. The error is ONLY on non-email items, so we assume when the app goes to a specific application on the web server, it is redirected using the hostname of the server, not a relative path.
 

Scott Frazer

#5
We're seeing this issue as well. Server name is mail02b.{domainname.net} but externally is accessed at exchange.{domainname.com}, so we got the SSL cert for exchange.{domainname.com} and set IIS up to redirect the website users appropriately. That all works fine, but Outlook 2007 is apparently stuck with accessing the server at mail02b.{domainname.net} and as such pops a "cert not valid" error when starting up.
 

Ex2K7User

#6
Have you found a solution to this issue yet? I'm having the same problem. If there is no fix for this, Microsoft needs to create one as more and more companies switch to 2007.
 

jbush812

#8
As all of you, I have the same issue, and I'm sure there will be many more. Luckily, I only have a handful of users on Outlook 2007, and they have just been dealing with it for about a month now. The best answer I have gotten from anyone is to get a wildcard cert of *.domainname.com. I have not tried this yet, so it's still theory to me whether Exchange 2007 will let it fly or not. On top of that... wildcard certs cost a good bit more than the typical certificate. :(

I agree that a better solution should come from Microsoft about how to deal with their new changes.

jb
 

Manu_it

#9
Hello Guys,

After a few days of research, I found the cause of this problem, and I wanted to post this because I hope you won't waste the time as I did.

The problem is simpler than you think, because Exchange auto-generates the certificate even if a CA is not present in the AD.

Then, when you would like to use Outlook Anywhere, you have to generate a certificate with an external name, otherwise RPC over HTTPS won't work. But if you do this, Outlook 2007 gets the certificate error when you open it.

To solve the problem we need to generate a certificate with multiple server names. You must generate the request directly from the Exchange Management Shell.

Follow the instructions at this link:

http://technet.microsoft.com/en-us/library/aa995942.aspx

Emanuele

ciao
 

Janpaul

#10
Manu_it wrote:

Hello Guys,

After a few days of research, I found the cause of this problem, and I wanted to post this because I hope you won't waste the time as I did.

The problem is simpler than you think, because Exchange auto-generates the certificate even if a CA is not present in the AD.

Then, when you would like to use Outlook Anywhere, you have to generate a certificate with an external name, otherwise RPC over HTTPS won't work. But if you do this, Outlook 2007 gets the certificate error when you open it.

To solve the problem we need to generate a certificate with multiple server names. You must generate the request directly from the Exchange Management Shell.

Follow the instructions at this link:

http://technet.microsoft.com/en-us/library/aa995942.aspx

Emanuele

ciao

Hi,

The solution of Emanuele is only usable for a new certificate request. I have an existing certificate and don't want to generate (and pay for) a new one.

Is there another solution? I also found this article but did not test it: http://www.pro-exchange.be/modules.php?name=News&file=print&sid=345

Janpaul
 

Smokey024

#11
I too have spent much time trying to find a reasonable solution to this problem of the Outlook 2007 client producing an error "The name on the security certificate is invalid or does not match the name of the site". Of all my researching, though, I have not found anything that has been put out by Microsoft to directly address this. This is going to continue to become a significant issue as more and more businesses migrate to the new technologies of the 2007 product line. I hope we can get a resolution from Microsoft soon. --BN
 

dcarrington

#12
Hello, I went to Vista here a week ago. I am running 64-bit Ultimate and I am having constant "certificate invalid" messages in IE7 as well. I just installed my copy of Office 2007 Enterprise edition and whenever I open up Outlook I get the same "security certificate that can't be verified" message, and I am using Comcast for email. Now on IE7, when I look at the certificate issuing authority it says the name of the website (take USAA for example: it says it was issued 12/06 and is valid until 12/09, and says it is from www.usaa.com) when they are actually (according to the site and other computers I checked) issued by a certificate authority. I was running XP Pro 64-bit with IE7 and didn't encounter these problems, but Vista is starting to torque me off now! At least when I went to Firefox it didn't have the certificate errors! Oh, BTW, I have disabled/uninstalled Defender, the UAC and all that other garbage that is in Vista, if that helps! Hell, I even tried dropping the internet and intranet security settings to their lowest and still get the certificate issues! Might roll on back to XP next weekend!!
 

jbush812

#13
Someone can feel free to correct me if I'm off, but...

The rollback to XP will not remove the certificate issue. However, roll back to Office 2003, and I feel comfortable saying your problem will probably go away. At least in my environment... I have XP and Vista boxes, and the only ones with certificate problems are the ones with Office 2007 installed.
 

Oguz Mazlum

#15
There is a workaround. I have deployed OWA with ISA 2006. I already had a 3rd-party certificate. The certificate was issued for the following address: webmail.domain.com. I could not use this certificate on the new Exchange 2007 server. To get rid of the certificate error for Outlook users internally, I have created a certificate request on the Exchange 2007 server with the PowerShell cmdlet

New-ExchangeCertificate -GenerateRequest -SubjectName "C=NL,DC=Organisationname,O=Org description,CN=domain.com" -DomainName webmail.domain.com,autodiscover.domain.com,cas1.domain.local,cas1 -Path c:\certrequest_cas01.txt

This is a certificate request with multiple host and domain names. There is the external domain name and also the local domain name on the certificate.

After creating the request, I opened from IE my DC certificate services http://192.168.0.1/certsrv

Select "Request a certificate" and then "Advanced certificate request", then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

Paste the CSR that is created with the Exchange cmdlet into the field and select the Web Server certificate template. Then submit the request. The certificate will be created; download it and place it somewhere.

Import the created certificate into the Exchange server with the cmdlet and not with the Certificates MMC snap-in. After importing the certificate, change the certificate on the IIS to the newly created certificate. The clients must have the certificate authority root cert on the client PCs. That is achieved when you already did deploy the certificate services on your network. The certificate error must disappear and OWA will also work just fine. This is only to fix the cert problems internally. If you want to deploy autodiscover.domain.com on the external side of your network, then you must buy a 3rd-party UC with multiple hostnames.

I have put the following host and domain names in the cert request.

- domain.com (external domain)
- webmail.domain.com
- autodiscover.domain.com
- cas1 (exchange server name)
- cas.domain.local
- domain.local (internal domain)

I hope that will solve your problem.
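The request-import-enable sequence Oguz describes, written out end to end as an added example for the Exchange 2007 Management Shell. This is not code from the thread or from Microsoft; the host names (owa.example.com, autodiscover.example.com, cas01.corp.local, cas01), the subject name and the file paths are placeholders, and the final check compares the names on the issued certificate against the list you asked for, which is where a mismatch like the one in the thread would show up before any client sees it.

```powershell
# Added example (not from the thread): request, import and enable a
# multi-name (SAN) certificate on an Exchange 2007 Client Access server so
# that every name Outlook 2007 may connect to is covered by one certificate.
# Run in the Exchange Management Shell. All host names, the subject name and
# the file paths below are placeholders; replace them for your environment.

$reqPath = 'C:\cas01-san.req'   # PKCS#10 request to hand to the CA
$cerPath = 'C:\cas01-san.cer'   # issued certificate returned by the CA

# Every name a client may use: the public name (also the CN), Autodiscover,
# and the internal FQDN and short host name that Outlook 2007 falls back to.
$names = @(
    'owa.example.com',
    'autodiscover.example.com',
    'cas01.corp.local',
    'cas01'
)

# 1. Generate the request. Keep the first SAN entry identical to the CN.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=US,O=Example Corp,CN=owa.example.com' `
    -DomainName $names `
    -FriendlyName 'Exchange 2007 CAS SAN certificate' `
    -PrivateKeyExportable $true `
    -Path $reqPath

# 2. Submit $reqPath to the CA (internal Certificate Services web enrollment
#    with the Web Server template, or a public CA) and save the issued
#    certificate as $cerPath. Clients must trust that CA's root certificate,
#    otherwise the error only changes from "name mismatch" to "cannot be verified".

# 3. Import with the Exchange cmdlet, not the Certificates MMC snap-in, so the
#    certificate is matched to the private key of the request Exchange created.
$cert = Import-ExchangeCertificate -Path $cerPath

# 4. Bind it to IIS (OWA, OAB, EWS, Autodiscover, ActiveSync). Add SMTP to the
#    list if the same certificate should also protect TLS on the transport side.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Verify that the certificate now in use really carries every requested name.
$active  = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$covered = $active.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $covered -notcontains $_ }
if ($missing) {
    Write-Warning ("Certificate does not cover: " + ($missing -join ', '))
} else {
    Write-Host "Certificate $($active.Thumbprint) covers all $($names.Count) names; services: $($active.Services)"
}
```

Step 2 is the manual hand-off to the CA and is the only part that cannot be scripted the same way everywhere; the name check in step 5 is worth running after any certificate change, because a request that silently dropped a SAN entry produces exactly the client-side error this thread is about.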
 

Brian Allard

#16
I've thought about creating a certificate with multiple names (or a wildcard-type) but from what I have read, devices running Windows Mobile 5 are not able to recognize wildcard certificates. This would affect our deployment as we plan on running ActiveSync on some of our handhelds.
 

Noyzyboy

#17
Hi,

Does anyone have a solution to this yet? The one a couple of posts up from Oguz is fine assuming you are using homemade certificates, but if you have a certificate from a CA which doesn't match the name of the Exchange Server (which must apply to a heap of people) I don't believe it works (well, it doesn't for me anyway). There is no way the name on the cert can ever match the name of the Exchange Server unless your internal and external domains are the same and you publish the name of your Exchange Server to the outside world (unless I'm mistaken). I have followed the articles from MS which mention changing the OAB, UM and WebServices virtual directories to have an external URL, but this makes no difference either. Plus another article I found regarding using the Enable-ExchangeCertificate cmdlet to enable the cert on services such as SMTP, which aren't enabled by default apparently.

From what I can see the problem is with the Outlook profile. When you put in the server name, even if you put in the name of the server as it is published to the outside world (rpc.company.com), it still resolves that to the internal Exchange Server name (server.domain.local), and this is where the issue seems to arise when Outlook 2007 starts, as it tries to make a connection but fails due to mismatched names on the certificate and the Exchange Server. This happens even if you set the RPC over HTTPS settings to turn off using HTTP on a "fast network".

Hope someone can help here.

Cheers,

Rich
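The virtual-directory changes mentioned in the first post and in Rich's post above, collected into one added script for the Exchange 2007 Management Shell. It is not code from the thread or from Microsoft; CAS01 and owa.example.com are placeholders for the Client Access server and the name that is actually on the certificate. The point of the script is that Outlook 2007 takes the OAB, EWS and UM URLs from Autodiscover, so every one of those URLs (Autodiscover's own included) has to carry the certificate's name, and the last block checks that none of them still uses another host name.

```powershell
# Added example (not from the thread): point every web service that Outlook
# 2007 discovers on an Exchange 2007 Client Access server at the name on the
# certificate, so the client never builds a URL from the server's internal
# FQDN. Run in the Exchange Management Shell. CAS01 and owa.example.com are
# placeholders; the name must also resolve internally to the CAS.

$server   = 'CAS01'
$certName = 'owa.example.com'
$base     = "https://$certName"

# Autodiscover is where Outlook 2007 learns all the other URLs, so fix it first.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"

# Offline Address Book download (the request that raised the error in the thread).
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

# Exchange Web Services (free/busy, out-of-office).
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"

# Unified Messaging web service.
Set-UMVirtualDirectory -Identity "$server\UnifiedMessaging (Default Web Site)" `
    -InternalUrl "$base/UnifiedMessaging/Service.asmx" `
    -ExternalUrl "$base/UnifiedMessaging/Service.asmx"

# The certificate name must resolve to the CAS on the inside as well (split DNS);
# if this prints a public address, internal clients will go the wrong way.
$resolved = [System.Net.Dns]::GetHostAddresses($certName) |
    ForEach-Object { $_.IPAddressToString }
Write-Host "$certName resolves to: $($resolved -join ', ')"

# Read the configuration back and flag any URL whose host is not the
# certificate name. Each Get-* call is piped because the Exchange 2007 shell
# (PowerShell 1.0) cannot read a property straight off an array of results.
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
)
$urls += Get-OABVirtualDirectory        -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-WebServicesVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl }
$urls += Get-UMVirtualDirectory          -Server $server | ForEach-Object { $_.InternalUrl }
$urls  = $urls | Where-Object { $_ }

$bad = $urls | Where-Object { $_.Host -ne $certName }
if ($bad) {
    Write-Warning "URLs not using ${certName}: $($bad -join ', ')"
} else {
    Write-Host "All $($urls.Count) service URLs use $certName"
}
```

Outlook caches the Autodiscover answer, so clients only pick up the new URLs after a restart; on Exchange 2007 SP1 the same set of URLs can be exercised from the server side with Test-OutlookWebServices against a test mailbox, which reports the certificate problem per service rather than as a single client pop-up.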
 

R6 Mike

#18
Hello,

Any update on this? I just installed my CA yesterday just to find out that my webmail works fine but Outlook 2007 gives me the invalid cert because of the different name. I am also having this problem with Outlook 2003 POP users "The server you are connected to is using a security certificate that could not be verified."

Thanks for any help you can provide.

Mike
 