
Certificate Error!

Status
Not open for further replies.

jcrapps

Programmer
Oct 26, 2001
94
US
I basically have Exchange Server 2007 installed and configured the way I want it but I keep getting this pesky error. When my users start Outlook, they get a certificate error.

"The server you are connected to is using a security certificate that could not be verified.
The certificate's CN name does not match the passed value.
Do you want to continue using this server?"

I am using a certificate with a 3rd party vendor called Startcom. They give them out for free so I figured I’d try it. The users are currently using the Exchange Server as a POP server since their software doesn’t permit them to use RPC over HTTP because they are using Outlook 2002 (XP). I think it might have to do with the fact that the certificate uses the external FQDN and when the client accesses the Exchange Server with Outlook, they are using the internal name for the server. When they access OWA, it works fine with the certificate. No errors at all. Anyway, where would I start to look for this error? I’m totally in the dark at the moment since this is all so new to me.

 
Bit strange that it happens when using Outlook; I would have thought that the clients would use the default certificate. Did you add the certificate to the clients? It can be done through GPO.
 
You need to use the cmdlets to change the name that Exchange is using. Try this. Open up the PowerShell and type

Get-WebServicesVirtualDirectory


If the internal and external url do not match the certificate then change them.

Also you need to check

Get-OwaVirtualDirectory <owa site in quotes> | FL
Get-OABVirtualDirectory | FL

to make sure the URLs are correct on this as well.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Hello computerhighguy,
Thanks for your response. I ran the Get-WebServicesVirtualDirectory command in Exchange Management Shell, since it didn't work in PowerShell and sure enough, the external URL and internal URL were different. The external URL was blank. So if my certificate uses the external URL, then my two "internal URL" and "external URL" need to be the actual external URL in the certificate?

For the "Get-OwaVirtualDirectory <owa site in quotes> | FL" command, I have the internal URL value specified, but the external URL value is blank.

For the "Get-OABVirtualDirectory | FL" command, I have the internal URL value defined with an external URL value ( and the external URL value not defined.

Do the two commands above need to show that my external and internal URLs exactly match the URL on my certificate (
 
Both should match on the Internal and External URL unless ..... you are using a multi-name certificate. Most people don't, so just add a new entry in the DNS server and make them both the same. Make sure that it is the same as the name on the certificate. It may also require a reboot for everything to take effect, but I am not certain about that. Fun isn't it? I really hated the PowerShell when I first installed Exchange 2007. I probably still hate it but it is getting easier to use. Anyway, if both the external and internal URLs are the same, your clients are good to go no matter where they connect; they will use the same URL.

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Thanks for the advice. I will try that soon. But one thing that I don't understand. What do you mean by adding another entry to the DNS Server?
 
So I changed the records as mentioned above so the external and internal URLs are the same. But I still seem to get the same issue. I still haven't added anything to the DNS entry so that may be the reason why. Please let me know what you mean by the DNS entry and I'll change that too. Thanks again for your help.
 
My Exchange server's computer name is 1stacex01. However, my clients don't use this in their RPC over HTTP settings. They use mail.domain.com (the name of my server cert). On the Internet, this is not a big deal since our DNS entry for our MX record is mail.domain.com.

You should have 2 separate DNS systems.
1) Internal for Microsoft AD
2) External for the rest of the world.

I had to add a new (A) record (you could also use a CNAME) for the server mail so that no matter where my Outlook clients are they connect to the same URL. Does that explain it?

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
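The checks suggested in the posts above (virtual directory URLs that match the certificate name, and an internal DNS record for that name) can be done in one pass. The script below is an added example for this thread, not code posted by any participant; it assumes the Exchange Management Shell on the Client Access server with PowerShell 2.0 or later, and the certificate name and server name it uses are placeholders to replace with your own. It also checks the POP service, which presents the certificate named by the X509CertificateName setting of Get-PopSettings when a client connects with TLS.

```powershell
# Added example for this thread; not code from any participant.
# Run in the Exchange Management Shell (PowerShell 2.0 or later assumed).
# The two values below are placeholders: replace with your own names.

$certName   = "mail.example.com"   # placeholder: the CN on the 3rd-party certificate
$serverName = "EX01"               # placeholder: Exchange computer name (the "internal name")
$problems   = @()

# 1. Which names does each enabled certificate cover? Outlook's CN check only
#    passes if the name the client connected with appears in this list.
$enabledCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -ne "None" })
foreach ($c in $enabledCerts) {
    $domains = @($c.CertificateDomains | ForEach-Object { "$_" })
    "Certificate {0}: services={1} names={2}" -f $c.Thumbprint, $c.Services, ($domains -join ", ")
    if ($domains -notcontains $certName) {
        $problems += "certificate $($c.Thumbprint) does not include $certName"
    }
}

# 2. Every virtual directory URL (internal and external) should use the
#    certificate name as its host; otherwise clients are handed the short
#    server name and report a CN mismatch.
function Test-UrlHost($label, $url) {
    if ("$url" -eq "") { return "$label is blank" }
    $urlHost = ([System.Uri]"$url").Host
    if ($urlHost -ne $certName) { return "$label uses host '$urlHost', expected '$certName'" }
    return $null
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OwaVirtualDirectory) + @(Get-OabVirtualDirectory)
foreach ($vd in $vdirs) {
    $id = "$($vd.Identity)"
    $r = Test-UrlHost "$id InternalUrl" $vd.InternalUrl; if ($r) { $problems += $r }
    $r = Test-UrlHost "$id ExternalUrl" $vd.ExternalUrl; if ($r) { $problems += $r }
}

# 3. POP over TLS presents a certificate too: the one whose subject matches
#    X509CertificateName in the POP settings (by default the server's own FQDN).
$pop = Get-PopSettings
"POP X509CertificateName = $($pop.X509CertificateName)"
if ("$($pop.X509CertificateName)" -ne $certName) {
    $problems += "POP presents '$($pop.X509CertificateName)'; expected '$certName'"
}

# 4. The certificate name must also resolve on the internal network
#    (split-brain DNS), or LAN clients keep using the computer name.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($certName) | ForEach-Object { $_.IPAddressToString }
    "$certName resolves internally to: $($ips -join ', ')"
} catch {
    $problems += "$certName does not resolve from this host; add an internal A or CNAME record for it"
}

if ($problems.Count -eq 0) { "No mismatches found." }
else { "Mismatches:"; $problems | ForEach-Object { " - $_" } }

# Fix-up commands for the usual findings. Review the report first; the
# identities below are the Exchange 2007 defaults, adjust them to yours.
# Set-WebServicesVirtualDirectory -Identity "$serverName\EWS (Default Web Site)" `
#     -InternalUrl "https://$certName/EWS/Exchange.asmx" -ExternalUrl "https://$certName/EWS/Exchange.asmx"
# Set-OwaVirtualDirectory -Identity "$serverName\owa (Default Web Site)" `
#     -InternalUrl "https://$certName/owa" -ExternalUrl "https://$certName/owa"
# Set-OabVirtualDirectory -Identity "$serverName\OAB (Default Web Site)" `
#     -InternalUrl "https://$certName/OAB" -ExternalUrl "https://$certName/OAB"
# Set-PopSettings -X509CertificateName $certName ; Restart-Service MSExchangePOP3
```

The report lists every place where the name Exchange presents differs from the name on the certificate, so the remaining mismatch can be fixed deliberately rather than by trial and error. After changing virtual directory URLs, an iisreset is normally needed before clients see the new values, and the POP3 service has to be restarted for a new X509CertificateName to apply.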
 
Yeah, I think I understand what you mean, but wouldn't this mean that I shouldn't be having this problem if I try and contact the server externally? When I try externally and internally, I get the same exact error. We use POP, so we don't use RPC over HTTP. OWA works well, and Exchange works well (w/ RPC over HTTP). It's just the POP server that gives these errors. I tried adding the DNS entry on the DNS server internally and same issue.

thanks
 
Pop doesn't use security certificates.

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
I looked at the following output and there does seem to be an owaserverurl setting.

Get-POPSettings

I don't see why not having that set would give you a certificate error.

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Hmm, weird. So POP uses TLS right? Isn't that equivalent to SSL? It's strange that I would be getting a certificate error from POP, if it has nothing to do with certificates at all. I did try inputting the owaserverurl attribute and still the same error. I would disable TLS, but I don't think it would be a good idea since the exchange server is in our private network. What are your thoughts on security for POP?
 
Secure POP uses TLS. POP is an old unencrypted clear text password protocol. If you are using TLS, why not use Outlook Anywhere?

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
My clients are using Outlook XP (2002) and Outlook Anywhere is not supported. They could use the exchange server, but they'd need to all have VPN accounts and that's too much of a hassle. We really need to upgrade Office altogether, but that's not in our budget :(. I'm just about to throw the towel in on this one. I've been trying to figure this out for a week straight!
If you want to look at any cmdlet outputs let me know. I'll do whatever it takes to figure this damn thing out!
 
What are you putting in for the POP3 server address? Is it the same as the certificate name?

It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
Yeah, it's the same exact address that is in the certificate. I'm using mail2.companyname.com for both POP and SMTP. The certificate is using mail2.companyname.com. Maybe I'm installing the certificate on the client side incorrectly. I only did it the browser way. Is there a different way that I should be installing it? I also tried it the MMC way with the "Certificates" Snap-in.
 
Well, I still haven't been able to figure this out and it's really driving me crazy! I'm getting pretty desperate here. Anyone else think they can give me any insight?
 
In the browser, go to the cert then manually add it to the trusted root cert store and see if that fixes it.

Do you have Exchange 2003 anywhere? That gives you the licence for Outlook 2003, which allows OA.
 
Tried the browser addition for the certificate and it didn't work. This is where you just install the certificate through the browser certificate error right?

Unfortunately, almost all clients use Outlook XP, which doesn't allow the use of Outlook Anywhere. It works fine in Outlook Anywhere though, so it's pretty frustrating.
 
If it's a third party, trusted cert, make sure that all Exchange web services are configured to use that name. Then make sure that name is resolvable in your internal DNS. Often, this requires split brain DNS.

The alternative is to use a SAN certificate, which Exchange likes to see.

Pat Richard
Microsoft Exchange MVP
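A SAN certificate removes the mismatch at its root: every name a client might connect with (public name, AD FQDN, short computer name) is listed in the certificate, so the URL and DNS alignment above stops being fragile. The request below is an added example for this thread, not code from any participant or from Microsoft; it uses Exchange 2007 Management Shell syntax (New-ExchangeCertificate with -Path; later versions use -RequestFile), and all names, the organisation and the file path are placeholders.

```powershell
# Added example for this thread; not code from any participant.
# Exchange 2007 Management Shell syntax; names and paths are placeholders.

$externalName = "mail.example.com"          # placeholder: name in public DNS / MX
$internalFqdn = "ex01.corp.example.local"   # placeholder: AD FQDN of the server
$shortName    = "ex01"                      # placeholder: NetBIOS name clients may type
$reqPath      = "C:\certreq\mail.req"       # placeholder: where to write the CSR

# 1. One request that lists every name a client might use. -SubjectName sets the
#    CN; each -DomainName entry goes into Subject Alternative Name, so whichever
#    name a client connects with, it is present in the certificate.
New-ExchangeCertificate -GenerateRequest -Path $reqPath `
    -SubjectName "C=US, O=Example Corp, CN=$externalName" `
    -DomainName $externalName, "autodiscover.example.com", $internalFqdn, $shortName `
    -PrivateKeyExportable $true

# 2. Submit $reqPath to the CA. When the signed certificate comes back, import
#    it and read its thumbprint and the names it actually covers.
# $cert = Import-ExchangeCertificate -Path "C:\certreq\mail.cer"
# $cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 3. Bind it to the services that answer Outlook, OWA and POP/IMAP. Until this
#    step IIS and POP keep presenting the old certificate.
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,POP,IMAP,SMTP"

# 4. Confirm from the client's point of view: the host in every URL clients
#    use must be one of these names.
# Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Select-Object -ExpandProperty CertificateDomains
```

One caveat for anyone reading this today: public CAs no longer issue certificates containing internal names such as the AD FQDN or a short NetBIOS name, so those entries would have to come from an internal CA, or the clients have to be pointed at the public name and that name resolved internally, as the earlier posts describe.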
 