Certificate Security Alert

Lee · Joined: 05 Aug 2007 Posts: 8

Hello;

We have Exchange 2007 and Outlook 2007. When users open Outlook they get a
Security Alert telling me the "name on the security certificate is invalid or
does not math the name of the site. Do you want to proceed. I currently dont
have a certificate in place. How can I stop this from coming up?
--
Lee Morgenstein

Archived from group: microsoft>public>exchange>clients

v-robeli · Joined: 18 Dec 2007 Posts: 22

Hi Lee,

Thanks for posting in our newsgroup.

From your description, I know that when you open Outlook 2007, you get the
"The name on the security certificate is invalid or does not match the name
of the site". If that's not right, please don't hesitate to let me know.

Based on my research, this issue is caused by that you changed the security
certificate installed on your Exchange 2007 server and the Issue To name of
the certificate now doesn't match the internal FQDN name of your Exchange
server. For more info about this error, please refer to the following KB
article:

923575 Error message when Outlook 2007 tries to connect to a server by
using an RPC connection or an HTTPS connection: "There is a problem with
the proxy server's security certificate"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;923575

Based on my knowledge, we may have two possible solutions for this
particular issue:

1. The straightforward solution is to contact the third-party vendor who
you get the new security certificate from, and confirm whether their
certificate supports Subject Alternative Names. If so, you can ask them to
simply issue a new certificate with both internal name and external name of
your Exchange 2007 server, and then install the new certificate to solve
the problem.

2. Alternatively you need to change the AutoDiscoverServiceInternalUri
value on your Exchange 2007 ClientAccess Server (CAS) to match the Issue To
name of your current security certificate. To do so, please follow these
steps:

i.) First we need to check the current value of
AutoDiscoverServiceInternalUri in your Exchange 2007 CAS server:

a. In Exchange Management Shell, run the command: GET-ClientAccessServer |
fl

b. Then you will see the following as example:

Name :
OutlookAnywhereEnabled : False
AutoDiscoverServiceCN :
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https:// 2007 CAS>/Autodiscover/Autodiscover.xml

c. Then check whether the name in AutoDiscoverServiceInternalUri matches
the name in the Issue To field of the security certificate you are using
now. If it doesn't match, it will cause the error your users encountered.

ii.) In order to fix the error, we have to change the
AutoDiscoverServiceInternalUri to match the Issue To name on the
Certificate. In addition we have to change the path on the Default Web
Site. To do that:

a. First run the following commands in the Exchange Management Shell on
your Exchange 2007 CAS so that we would have a backup listing of the
current settings:
Get-Clientaccessserver | fl >
backupCAS.txt
Get-WebServicesVirtualDirectory | fl > backupWeb.txt

b. We then run the following commands

Set-Clientaccessserver
-AutoDiscoverServiceInternalUri https:// 2007 which is in the Issue To field of current
certificate>/Autodiscover/Autodiscover.xml

set-WebServicesVirtualDirectory " name>\EWS (Default Web Site)" -InternalUrl https:// Exchange 2007 which is in the Issue To field of current
certificate>/EWS/Exchange.asmx

Hope this helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------

< charset="Utf-8"

<
<
<
or
dont
<--
<

Lee · Joined: 05 Aug 2007 Posts: 8

thank you for your assistance
--
Lee Morgenstein

"v-robeli@online.microsoft.com (Robert Li" wrote:

> Hi Lee,
>
> Thanks for posting in our newsgroup.
>
> From your description, I know that when you open Outlook 2007, you get the
> "The name on the security certificate is invalid or does not match the name
> of the site". If that's not right, please don't hesitate to let me know.
>
> Based on my research, this issue is caused by that you changed the security
> certificate installed on your Exchange 2007 server and the Issue To name of
> the certificate now doesn't match the internal FQDN name of your Exchange
> server. For more info about this error, please refer to the following KB
> article:
>
> 923575 Error message when Outlook 2007 tries to connect to a server by
> using an RPC connection or an HTTPS connection: "There is a problem with
> the proxy server's security certificate"
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;923575
>
> Based on my knowledge, we may have two possible solutions for this
> particular issue:
>
> 1. The straightforward solution is to contact the third-party vendor who
> you get the new security certificate from, and confirm whether their
> certificate supports Subject Alternative Names. If so, you can ask them to
> simply issue a new certificate with both internal name and external name of
> your Exchange 2007 server, and then install the new certificate to solve
> the problem.
>
> 2. Alternatively you need to change the AutoDiscoverServiceInternalUri
> value on your Exchange 2007 ClientAccess Server (CAS) to match the Issue To
> name of your current security certificate. To do so, please follow these
> steps:
>
> i.) First we need to check the current value of
> AutoDiscoverServiceInternalUri in your Exchange 2007 CAS server:
>
> a. In Exchange Management Shell, run the command: GET-ClientAccessServer |
> fl
>
> b. Then you will see the following as example:
>
> Name :
> OutlookAnywhereEnabled : False
> AutoDiscoverServiceCN :
> AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
> AutoDiscoverServiceInternalUri : https:// > 2007 CAS>/Autodiscover/Autodiscover.xml
>
> c. Then check whether the name in AutoDiscoverServiceInternalUri matches
> the name in the Issue To field of the security certificate you are using
> now. If it doesn't match, it will cause the error your users encountered.
>
> ii.) In order to fix the error, we have to change the
> AutoDiscoverServiceInternalUri to match the Issue To name on the
> Certificate. In addition we have to change the path on the Default Web
> Site. To do that:
>
> a. First run the following commands in the Exchange Management Shell on
> your Exchange 2007 CAS so that we would have a backup listing of the
> current settings:
> Get-Clientaccessserver | fl >
> backupCAS.txt
> Get-WebServicesVirtualDirectory | fl > backupWeb.txt
>
> b. We then run the following commands
>
> Set-Clientaccessserver
> -AutoDiscoverServiceInternalUri https:// > 2007 which is in the Issue To field of current
> certificate>/Autodiscover/Autodiscover.xml
>
> set-WebServicesVirtualDirectory " > name>\EWS (Default Web Site)" -InternalUrl https:// > Exchange 2007 which is in the Issue To field of current
> certificate>/EWS/Exchange.asmx
>
> Hope this helps.
>
> If you need further assistance, please don't hesitate to let me know.
>
> Best regards,
>
> Robert Li(MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> > > >
> > > >
> > > < charset="Utf-8"
> > > > > > > > > > > > <
> <
> > <
> > > or
> > dont
> > <--
> > <
>
>

v-robeli · Joined: 18 Dec 2007 Posts: 22

Hi Lee,

Thanks for your reply.

I am glad to know the information is helpful.

If you have any questions in future, please don't hesitate to post in our
newsgroup.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

dylan · Joined: 03 Dec 2007 Posts: 4

On Jan 21, 3:12 am, v-rob...@online.microsoft.com (v-
rob...@online.microsoft.com (Robert Li [MSFT])) wrote:
> Hi Lee,
>
> Thanks for your reply.
>
> I am glad to know the information is helpful.
>
> If you have any questions in future, please don't hesitate to post in our
> newsgroup.
>
> Best regards,
>
> Robert Li(MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! -www.microsoft.com/security
>
> =====================================================
>
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> checkhttp://support.microsoft.comfor regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

Is there a way to use the self-signed certificate for the internal uri
and use the certificate that I bought for the external?

Certificate problem with windows mobile 5 Can someone please provide the steps for correcting the issue so I can sync exchange 2003 sp2 with a windows mobile 5 client. I am getting the server certificate is invalid. It is not. windows mobile 6 can connect without a problem. Thanks, SJMP

Certificate warning when using Outlook Anywhere I have a consisting of two serveres. was hosting my Exchange 2003 installation and had a certifcate used by smtp and OWA. After a sucsessful of Exchange 2007 i removed my Exchange 2003 installation but the

security certificate I was asked to password protect our email and they supplied us with a password. Is there any place on the web that has step by step instructions on how to set this up. I have IIS running and also the certificate services but am not sure as what to exactly

Alert when a user tries to access a mailbox other than their Is there any software out there that alerts when a user tries to access a mailbox other than their own? I think I am having an issue with admins abusing their privledges and reading other ppl's email. The thought of that just REALLY PEAVES me to no end!

Alert when a user tries to access a mailbox other than their Is there any software out there that alerts when a user tries to access a mailbox other than their own? I think I am having an issue with admins abusing their privledges and reading other ppl's email. The thought of that just REALLY PEAVES me to no end!