
Last weekend I did a swing migration from Exchange 2003 to Exchange 2010. It all went fine, but now my users are getting a Security Alert: "The name on the security certificate is invalid or does not match the name of the site." The web-mail part works, and the internal part works, but gives that message.

The external name on the SSL cert is [mail.example.com], and the internal name is [exchange2010.local.example.com].

The only two answers I have seen are adding the internal name of the server to the SSL certificate, but I would rather not show my internal DNS name, and disabling SSL, but that answer didn't explain how to disable it. Any suggestions?

Edit: I ran the Best Practices Analyzer and found this:

The subject alternative name (SAN) of SSL certificate for https://exchange2010.local.example.com/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: exchange2010.local.example.com. Current SAN: DNS Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for https://exchange2010.local.example.com/EWS/Exchange.asmx does not appear to match the host address. Host address: exchange2010.local.example.com. Current SAN: DNS Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for https://exchange2010.local.example.com/Microsoft-Server-ActiveSync does not appear to match the host address. Host address: exchange2010.local.example.com. Current SAN: DNS Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for https://exchange2010.local.example.com/owa does not appear to match the host address. Host address: exchange2010.local.example.com. Current SAN: DNS Name=mail.example.com.

Edit: it's working! You need to make a DNS change (in my case a CNAME mail.example.com -> exchange2010.local.example.com), and you also need to run the following PowerShell commands:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutoDiscoverServiceInternalUri "https://mail.example.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/Microsoft-Server-ActiveSync"
Sam Sanders
  • I think the problem could be Autodiscover. I don't use PowerShell that much, so it's a bit of a learning curve. – Sam Sanders Mar 25 '14 at 18:39
  • I found this on Google: launch Outlook 2010, hold the Ctrl key and right-click the Outlook system tray icon. You will see two new options in the context menu, i.e. Connection Status and Test E-mail AutoConfiguration. – Sam Sanders Mar 25 '14 at 20:51
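The Best Practices Analyzer warnings above and the internal-URL fix come down to one rule: Outlook validates the certificate against the host name in the URL it was handed (from Autodiscover, the SCP, or the virtual-directory InternalUrl), not against whatever a CNAME resolves to. The following added example (not from the question or the answers) models that check with the names from this thread, and also shows why a single-label wildcard certificate would not have covered the multi-level internal name either.

```python
from urllib.parse import urlsplit

# Constructed sample data using the names from the question above.
CERT_SAN = ["mail.example.com"]

# Internal URLs as the BPA found them (before the fix) and after pointing
# them all at the certificate's external name.
URLS_BEFORE = [
    "https://exchange2010.local.example.com/Autodiscover/Autodiscover.xml",
    "https://exchange2010.local.example.com/EWS/Exchange.asmx",
    "https://exchange2010.local.example.com/Microsoft-Server-ActiveSync",
    "https://exchange2010.local.example.com/owa",
]
URLS_AFTER = [u.replace("exchange2010.local.example.com", "mail.example.com")
              for u in URLS_BEFORE]


def san_matches(san_entry, host):
    """RFC 6125-style name check: exact (case-insensitive) match, or a single
    leading wildcard label that covers exactly one label. This is why
    *.example.com matches mail.example.com but not
    exchange2010.local.example.com."""
    san_entry = san_entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san_entry == host:
        return True
    if san_entry.startswith("*."):
        suffix = san_entry[1:]          # e.g. ".example.com"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]     # the part the wildcard must cover
        return bool(left) and "." not in left
    return False


def audit(urls, san_names):
    """Return (url, host) pairs whose host is covered by no SAN entry.
    The host is taken from the URL itself: a DNS CNAME pointing
    mail.example.com at the internal box changes nothing here."""
    mismatches = []
    for url in urls:
        host = urlsplit(url).hostname
        if not any(san_matches(s, host) for s in san_names):
            mismatches.append((url, host))
    return mismatches


if __name__ == "__main__":
    for url, host in audit(URLS_BEFORE, CERT_SAN):
        print(f"SAN mismatch: {url} (host {host}, SAN {CERT_SAN})")
    print("after fix:", audit(URLS_AFTER, CERT_SAN))  # prints "after fix: []"
```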

2 Answers


This might be a possible solution:

Configure the clients to connect via RPC over HTTP and to use HTTPS for slow and fast networks. That way they won't use the internal SCP, which will have the internal name, but instead they'll use the external name, which will match your certificate.

joeqwerty
  • Odd. I made the change to Outlook and it connected, but then it reset the changes back to what they started at. Then it still had a "Security Alert" message. Maybe this is a different problem; it's like I can't change the Outlook settings. – Sam Sanders Mar 25 '14 at 14:00

We created an A record that points to the server that matches the external DNS entry. In our case internally it is mail..com and externally it is mail..com, but depending on which DNS is asked (internally or externally), the IP returned differs. This way the same certificate can be used no matter where they are. Works great for laptops too when they move back and forth.

MikeAWood
  • I tried that, but when I pointed the outlook client at mail.example.com it changed it back to exchange2010.local.example.com after it connected. – Sam Sanders Mar 25 '14 at 13:15
  • Were you using a CNAME record or an A record? (Though in truth, I am not sure why this would matter.) In our case we are using a CAS with multiple machines pointing to a virtual IP; that might be why ours works in this fashion. Also, did you change the "external host name" under the Client Access for the Hub transport? Ours is mail.domain.com. – MikeAWood Mar 25 '14 at 18:24
  • Oops, you are correct, I used a CNAME not an A record. I didn't think it would make a difference. And yes, the idea about Client Access sounds right; I'm going to try that in about an hour. All the settings in Server Configuration > Client Access show "Internal URL:" as [exchange2010.local.example.com]. I'm going to change them all to [mail.example.com]. – Sam Sanders Mar 25 '14 at 21:02
  • I don't think the CNAME thing makes a difference, but it might if it is trying to resolve the names. The Client Access URL is likely part of your issue. This, along with Joe's suggestion to use RPC over HTTP, should fix it up. – MikeAWood Mar 25 '14 at 21:08
  • Well, just editing the Client Access URL from the EMC didn't do it; Outlook didn't function after that. I found this page http://asifgohar.blogspot.com/2013/07/set-exchange-urls-owa-activesync-oab.html. All the internal URLs are set to exchange2010.local.example.com. My next test will be to change them all. – Sam Sanders Mar 26 '14 at 13:57