"Name on the Security Certificate is Invalid or Does not Match..." using Outlok 2007 w/ Exchange 200

Thread starter: Craig Regester
BoulderTripp

I too am running into this issue on an SBS 2003 R2 server using Exchange 2003 with SP2, and Windows Server 2003 Service Pack 2. Outlook 2003 clients on XP Pro with SP2 can connect over the Internet no problemo using the same self-generated certificate, as can Outlook 2003 clients on Vista, but ANY Outlook 2007 client, regardless of whether 2007 is installed on XP or Vista, gets the certificate error noted in this thread, again with the same certificate.

Is there any indication a patch will be forthcoming?
 
Brian Allard

@R6 Mike

I've read through but I'm still a little confused. From my understanding I would have to create a "special" multi-purpose certificate (not in IIS), register it with some small third-party company I've never used, and then apply this new "special" certificate to the server (again not through IIS). What about if we've already purchased an SSL certificate from a large company such as Network Solutions? Does that mean the certificate is useless?

If the answer is yes, then I can't say I'm very impressed with this product thus far. Apart from crashing installs, new non-standard certificates and other issues it's been a complete nightmare. That will teach us for going to a new version before the masses. I really hope Microsoft comes up with a patch for this.

(Oh and I wasn't directing my frustration at you, just the product in general. Thanks for letting me vent!)
 
R6 Mike

Here is what I did to get mine working.

I started with VeriSign but they do not support the multiple FQDNs that I needed for my cert. Therefore, after reviewing this article and a few others, I ended up getting an Entrust Unified Communications Certificate. http://www.entrust.net/ssl-certificates/unified-communications.htm

As far as your SSL through Network Solutions, I would check with them to see if they support Exchange 2007. If they do not, get a refund. That is what I had to do with VeriSign. The Entrust cert was cheaper than VeriSign, but they took longer to generate my key.

Here is another website that helps.

http://technet.microsoft.com/en-us/library/aa998840.aspx

Here are some steps that I took to solve my problem.

1. I removed my VeriSign cert out of IIS using the wizard

2. Launch the Exchange Management Shell

3. Depending on how many names you need, generate a cert request. Here is an example of what I did.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=US, o=(your domain here), cn=webmail.(your domain here).com" -IncludeAcceptedDomains -DomainName mail.(your domain here).com, mobile.(your domain here).com, autodiscover.(your domain here).com, (Email server name 1).(your domain here).com, (Email server name 2).(your domain here).com, public.(your domain here).com -Path c:\request.req -PrivateKeyExportable:$true

Some notes from the above string:

cn=webmail.(your domain here).com This is the main address for my users to access webmail.

-PrivateKeyExportable:$true This makes the cert exportable

***Note***, remove the space between ":" and "$true" for this string; it must read -PrivateKeyExportable:$true

(The stupid thing was putting a smiley in.)

4. I just pasted this into the Exchange Management Shell and it produced a file named "request.req" on the c:\. I opened the file with Notepad and copied the key into Entrust's site when I was creating the SSL. (Just like you do with the IIS wizard.)

5. Once I got the key back from Entrust, I copied it into a txt file and renamed it to web.cer

6. I copied it over to my Exchange server and used the following command in Exchange Management Shell to import it in.

Import-ExchangeCertificate -Path c:\web.cer | Enable-ExchangeCertificate -Services "IIS,POP,IMAP"

(I needed POP3, IIS and IMAP4 to work as well so I added the services in)

7. Launch IIS.

8. Now, check out the cert for your server. You will notice that it is already installed and ready for use.

9. If you are using POP and/or IMAP, restart the services on the exchange server. Once the services came back up, all my errors went away.

I hope this helps.
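The same procedure end to end, written out as an added example for the Exchange Management Shell (this is not R6 Mike's exact command set, and the host names, organisation, file paths and the CAS server name in it are assumptions; substitute your own). It adds the two checks a practitioner would want after step 6: confirming which thumbprint now carries the IIS/POP/IMAP bindings, and confirming that every name clients will use appears in the certificate's domain list.

```powershell
# Added example (not from the thread): request, import and enable a multi-name
# (SAN) certificate on an Exchange 2007 Client Access server.
# All names, paths and the organisation below are assumptions; replace them.

$cn          = "webmail.example.com"           # assumed: name users type for OWA
$sanNames    = @(
    "mail.example.com",                        # assumed
    "autodiscover.example.com",                # assumed: Autodiscover lookup name
    "cas01.example.com"                        # assumed: CAS host name Outlook Anywhere connects to
)
$requestFile = "C:\request.req"                # assumed
$certFile    = "C:\web.cer"                    # assumed: CA-issued certificate saved as a file

# 1. Generate the CSR. -DomainName becomes the Subject Alternative Name list;
#    the cn from -SubjectName is repeated in it so clients that match only on
#    the SAN still accept the primary name. The private key stays on this server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Corp, cn=$cn" `
    -DomainName ($sanNames + $cn) `
    -PrivateKeyExportable:$true `
    -Path $requestFile

# ... submit $requestFile to the CA and save the returned certificate as $certFile ...

# 2. Import the issued certificate; it is paired with the pending request's key.
$cert = Import-ExchangeCertificate -Path $certFile

# 3. Bind it to the services that present TLS. This replaces the previous
#    binding for each service listed (IIS covers OWA, Autodiscover, EWS, OAB).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP"

# 4. Check: the new thumbprint should be the one whose Services column shows
#    W (IIS), P (POP) and I (IMAP), and CertificateDomains should list every
#    name clients will use. Any name missing here still triggers the Outlook error.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, IsSelfSigned

# 5. POP3 and IMAP4 read their certificate at start-up; restart them so the
#    new one is actually served. IIS picks the new binding up without a restart.
Restart-Service MSExchangePOP3, MSExchangeIMAP4
```

If step 4 still shows the old self-signed certificate holding the W flag, the import paired with the wrong request; run Get-ExchangeCertificate without arguments to list every certificate in the store and enable the correct thumbprint explicitly.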
 
Brian Allard

Thanks Mike,

I will try to refund our certificate and start fresh. That tutorial is very helpful as well! Thanks for the info. I actually got in touch with Microsoft Premiere Support and discussed why directionally they chose to go with these new certificates (note that wildcard certs will not work), and the rep wasn't actually sure either. He seemed to think it was because it would be more convenient to include multiple names on a single cert. At this point though, very few providers will actually provide this multi-name cert which is fairly confusing and frustrating.

I also asked if they would release a patch or reg key change to suppress the actual Outlook error messages people are getting. The long and short of it is that if they did, they would deem it an unsupported install. I'm guessing that once more people start rolling this out and hitting the same errors they may change their tunes though.

Regardless, it looks like I'll be heading back to the drawing board with our Exchange deployment. Thanks again for your help!
 
Fletchgqc

There are some solutions to the multiple-name-on-certificate problem on this Exchange blog post http://msexchangeteam.com/archive/2007/04/30/438249.aspx. These guys offer a cert which is a bit cheaper than the other multiple-name ones so far: http://www.comodo.com/msexchange/.

The problem is that you need the CAS server's name in the certificate. If not, Outlook Anywhere won't work properly. No CA will give you a cert for the server name in some of the above example posts, cas.domain.local. Many people however will be using such a name. Don't know the solution to this problem...
 
Frikkas1

My problem is the same as you other guys have. I get the error message: "The name on the security certificate is invalid or does not match the name of the site". This occurs when users running Office 2007 start Outlook to connect to the new wonderful Exchange 2007 server. But the name of the server is correct except that it doesn't have the domain name of Active Directory. I wonder now if I should take the chance to make a new server certificate on the Exchange server and call it the server name + the domain name?

Like this it is today: the Exchange server name is somethingex64. And the new one should be like this: somethingex64.domain.local. As I now remember, our firewall (ISA Server 2006) was very precise that the name of the certificate should be only the name of the server. Hmm. This is for the relaying of the HTTPS traffic from the other certificate I bought to let the users get an easy address to remember. The other certificate that I am now struggling with is the internal one which forwards the HTTPS traffic from the firewall to the Exchange server! I am so bored of these certificate issues now that I really wonder whether to switch to HTTP instead. The whole process has been OK except that it has been many hours and long evenings managing the correct configuration. It is now really frustrating that the communication between the clients and the server INTERNALLY has this very complex way to communicate.

Any ideas, anyone?

(From an exchange 2007 setting that is wonderful, except the certificate error warning message)
 
Rick Beaber

The last post on here was some time ago. Has anyone found a solution other than getting a new certificate issued with multiple names?

Thanks,

Rick
 
jrealmac

I've been curious about getting a solid simple solution to this issue. The only way I've been able to get the certificate error to be removed is to make the DNS address static, then switch the order of the DNS.

Most networks are set up for DHCP. If you switch the network order in Start > Network and Internet Connections > Network Connections > right-click the network connection > Properties > Internet Protocol > Use the following DNS server. "Automatically" is usually the option of choice. Switch that to "use the following", determine the IP addresses of the network, and switch the order that is currently set up. That removes the certificate error. I don't know if that's the best answer, but it seems to work.
 
Tony Lara

Has anyone been able to find a fix to this?

I am having this problem and didn't know if it was because I was using a GoDaddy cert.

If I need to get a real cert, like one from Network Solutions or EasyDNS, I can do that.

But didn't know if it would fix the problem or not.

Thanks!
 
DCOTA

Has anyone tried repointing the Autodiscovery to the existing SSL using:

Set-ClientAccessServer -Identity CASserver1 -AutoDiscoverServiceInternalUri https://yourinternaladdress.xxx

If so, does it prevent Outlook 2003 clients from accessing the Exchange 2007 server, as I have a hybrid environment?

Thanks
 
Turismon

Dude, you are the win. That worked perfectly; setting both CAS servers' URL to my 3rd-party cert URL worked flawlessly. Thanks.
 
caroltoe

So I ran that also, and hooray. The cert error is gone, but as a result of that I cannot see any free/busy schedule when scheduling meetings. Does anyone else know what else needs to be run?
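An added example, not from any poster in this thread, of the companion settings that go with the Set-ClientAccessServer command above. The reasoning behind it is an assumption of mine rather than something the thread states: in Exchange 2007 Outlook 2007 obtains free/busy through the Availability service over Exchange Web Services, and the EWS URL it uses is the InternalUrl that Autodiscover hands back. If Autodiscover is repointed at the certificate name but EWS (and the OAB download URL) still advertise the internal host name absent from the certificate, Outlook rejects those URLs and free/busy goes blank. The server name "CAS01" and the certificate name "mail.example.com" are placeholders.

```powershell
# Added example (not from the thread): align every URL Autodiscover hands to
# Outlook 2007 with the name on the third-party certificate.
# "CAS01" and "mail.example.com" are assumptions; use your own values.

$cas      = "CAS01"                    # assumed: Client Access server name
$certName = "mail.example.com"         # assumed: a name the certificate covers

# Autodiscover SCP lookup. Use the full path to Autodiscover.xml, not just the host,
# because Outlook requests exactly this URI.
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$certName/Autodiscover/Autodiscover.xml"

# Free/busy is fetched by the Availability service through EWS; this InternalUrl
# is what Autodiscover returns, so it must carry a name the certificate covers.
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$certName/EWS/Exchange.asmx"

# Same treatment for the Offline Address Book download URL.
Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$certName/OAB"

# Check: every URL printed below should use $certName. Internal DNS must also
# resolve $certName to the CAS (a split-DNS zone or host record); otherwise
# internal clients are sent to the public address behind the firewall.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List Identity, InternalUrl, ExternalUrl
```

Outlook 2007 caches Autodiscover results per profile, so after changing these values restart Outlook (or hold Ctrl, right-click the Outlook tray icon and choose "Test E-mail AutoConfiguration") to confirm the EWS and OAB URLs it now receives match the certificate name.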
 
PersistentNoob

I have been plagued with the same errors: "The server you are connecting to is using a certificate that could not be verified." I am brand new to Exchange and have recently set up Exchange 2007 on a standalone server. My clients are using Outlook XP, so I have to use POP for them to receive mail, because I don't want the travelling laptop users to have to use VPN whenever they want to connect to the Exchange server. Here are my questions: Why do I need to set the Autodiscover to the external URL when I'm not even using Autodiscover? This is only for Outlook 2007 users, right? All I recall using is OWA and POP accounts to fetch mail the old way. I have certificates with StartCom and of course gave them my external FQDN for the certificate. OWA works great after installing the certificate, but of course the Outlook client itself gets that annoying popup. I know it was probably explained above, but I think I need another explanation due to my noobness. Thanks much!
 
TracsTech

FWIW, I reinstalled Rollup 4 for Exchange 07 and my problems went away.
