
Certificate Error!

Status
Not open for further replies.

jcrapps

Programmer
Oct 26, 2001
94
US
I basically have Exchange Server 2007 installed and configured the way I want it but I keep getting this pesky error. When my users start Outlook, they get a certificate error.

"The server you are connected to is using a security certificate that could not be verified.
The certificate's CN name does not match the passed value.
Do you want to continue using this server?"

I am using a certificate with a 3rd party vendor called Startcom. They give them out for free so I figured I’d try it. The users are currently using the Exchange Server as a POP server since their software doesn’t permit them to use RPC over HTTP because they are using Outlook 2002 (XP). I think it might have to do with the fact that the certificate uses the external FQDN and when the client accesses the Exchange Server with Outlook, they are using the internal name for the server. When they access OWA, it works fine with the certificate. No errors at all. Anyway, where would I start to look for this error? I’m totally in the dark at the moment since this is all so new to me.

 
Thanks sniper, I am giving in and going the SAN Cert route and will let you all know how it goes.
 
Just an FYI, you can use DigiCert's site to help you get the cmdlet you will use to generate the request. It's pretty straightforward; installing it isn't the most fun though :)

Cory
 
One thing to keep in mind for those that are considering using a SAN cert... last I checked ISA doesn't support them. So, if you use ISA, plan accordingly.

Pat Richard
Microsoft Exchange MVP
 
ISA 2004 and 2006 certainly don't support them but I think ISA 2008 might.

I cheated and instead of using the OWA publishing on ISA, I installed the cert onto the CAS and did a straightforward port 443 route from ISA to CAS. Much simpler!!
 
Luckily I'm not using ISA so I shouldn't have a problem. Thanks for the heads up.
 
Ok, a few updates here. I'm starting to find that this is something that I overlooked and will soon feel dumb, but I still haven't resolved it.

1. Install DigiCert SAN (didn't fix the issue)
2. I found that I only get this error when I enabled SSL for SMTP on the Outlook Client. When I choose to send mail through port 25, it works beautifully. Through port 587, it gives me that blasted error. Does this mean that I have something wrong with my send connector on the Exchange server?
 
OK, I'm thoroughly embarrassed! The SMTP service wasn't enabled on the 3rd party certificate. For some reason, when I ran the enable-exchangecertificate to work with SMTP, POP, IIS, and IMAP it didn't register the SMTP service because the default certificate was already using SMTP as its only service. After I ran enable-exchangecertificate again, it asked me to overwrite the other certificate's SMTP service and now all looks well. I'll keep my fingers crossed!
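
The check and fix described in the post above, as an added example for the Exchange Management Shell; it is not part of the original thread. The thumbprint and host names are placeholders, and the name check is a plain string comparison that does not expand wildcard entries.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Placeholders (assumptions): substitute your own values.
$thumbprint  = '<THUMBPRINT-OF-THIRD-PARTY-CERT>'
$clientNames = 'mail.example.com', 'exch01.example.local'  # names entered in Outlook
$wanted      = 'SMTP', 'POP', 'IMAP', 'IIS'

# 1. List every installed certificate with the services bound to it.
#    The self-signed default certificate usually shows up here holding SMTP.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 2. Confirm the third-party certificate covers each name clients connect with.
$cert    = Get-ExchangeCertificate -Thumbprint $thumbprint
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($name in $clientNames) {
    if ($domains -notcontains $name) {
        Write-Warning "$name is not listed on the certificate; clients using it will see a name-mismatch prompt."
    }
}

# 3. Work out which wanted services are not bound to this certificate.
$bound   = $cert.Services.ToString().Split(',') | ForEach-Object { $_.Trim() }
$missing = $wanted | Where-Object { $bound -notcontains $_ }

# 4. Bind the services. If another certificate already holds SMTP, the cmdlet
#    asks whether to overwrite it; answer Yes, otherwise SMTP stays on the
#    old certificate and SMTP over TLS keeps presenting that one.
if ($missing) {
    Write-Host ("Not bound to this certificate: " + [string]::Join(', ', $missing))
    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services ([string]::Join(',', $wanted))
}

# 5. Re-read the certificate and confirm SMTP now appears in Services.
(Get-ExchangeCertificate -Thumbprint $thumbprint).Services
```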
 
Excellent feedback. Irrespective of what happened, I'm really pleased you've got to the bottom of it AND reported back.

Nice one.
 
Bravo! Yes, I agree with Zelandakh, especially when having to dig into the shell and pick apart the pieces of the cert to make sure everything is set up right. Getting all your URLs squared, enabling services, and installing it correctly is something to be had. I am sure your experience will help others out, and I would say you shouldn't have been embarrassed at all.

Good work. :)

Cory
 
Thanks, I wouldn't have been able to do it without you all! And yes I've learned quite a bit from this experience :).
 