Outlook 2010 certificate issue after upgrading from Exchange 2003 to 2010

dpowell1

MIS
Mar 30, 2004
57
US
Just upgraded from 2003 to 2010 and all client workstations (Outlook 2010) are working fine. However, the Outlook instances on the profiles on our terminal server (server 2003) all throw the same error when we launch Outlook 2010:

"There is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site."

The certificate we installed on the new exchange server is a public certificate and the Microsoft Remote Connectivity Analyzer passes. Any ideas what might be causing this?
 
The other thing I'm noticing is that the message states that the target site name in the message is mail.xxx.com (actual domain name omitted) which is the proper name. When I look at my SAN certificate is lists the primary name as xxx.com but I also have mail.xxx.com listed as one of the names in the cert. Is it possible that my terminal server (server 2003) doesn't recognize the other names in the SAN cert and only sees the one name?
 
Try opening the OWA website directly from the terminal server. Do you get the security warning? Take a look at the certificate and see what issue is there. You can take a screenshot of the certificate info from the terminal server and we can help you further.

It is possible that your terminal server doesn't trust the issuing CA.
 
This may be a stupid question, but my motto is the only stupid questions are the ones that aren't asked. So, here goes: Have you enabled the certificate for Exchange? (enable-exchangecertificate -thumbnail xxxxxxxxxx -services IIS,SMTP, etc).

When all else fails, read the book!
 
Please disregard my previous post. Sometimes it helps to read the original post carefully :).

When all else fails, read the book!
 
Powell,

If OWA works without warnings on the terminal server, it must be some other namespace Outlook is trying to connect to. Can you upload the screenshot of this error from Outlook?

It looks like below are your subject alternative names. There's a good chance that the DNS name Outlook is trying to connect to is missing from this list.

DNS Name: klabin.com
DNS Name: mail.klabin.com
DNS Name: autodiscover.klabin.com
DNS Name: legacy.klabin.com
 
The basic problem is that the terminal server is using Outlook Anywhere (HTTP) to connect to the mail server, and Outlook Anywhere likes to have the name it connects to also be the subject name on the cert, not just an additional SAN (subject alternative name) like it is. The primary subject name on the cert is just "klabin.com", but if you look at the Outlook Proxy settings on one of those terminal server Outlook profiles, you'll see that the box is checked to "only connect to servers that have this principal name in their certificate", and the MSSTD name is "mail.klabin.com". But that's not the common name on the cert, so you are seeing the error. Seems like it should look in the SAN list, but it doesn't.

You can basically do two things to get around this:

1. Change the primary name on your cert to mail.klabin.com, which it really should be (it should always be set to whatever you are going to use for Outlook Anywhere).

2. Disable MSSTD verification by unchecking that box. Or better yet, do it on the server like this:

Code:
Set-OutlookProvider EXPR -CertPrincipalName none

Read this article for some additional details around this:


Dave Shackelford
ThirdTier.net
TrainSignal.com
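The mismatch described in this answer, modelled as an added example (not code from the thread): a legacy MSSTD check that only looks at the certificate's subject CN, beside a SAN-aware hostname check, run over the constructed certificate names from this thread. Function names and the sample data are assumptions made for illustration.

```python
"""Model of Outlook Anywhere's certificate principal-name (msstd:) check.

Constructed example. It contrasts the legacy MSSTD check, which compares the
configured principal name with the subject CN only (the behaviour seen on the
Server 2003 terminal server in this thread), with a SAN-aware hostname check
that also consults subjectAltName DNS entries.
"""

def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".klabin.com"
        head, sep, rest = hostname.partition(".")
        return sep == "." and head != "" and "." + rest == suffix
    return pattern == hostname

def msstd_check(principal_name: str, subject_cn: str) -> bool:
    """Legacy check: 'msstd:<name>' must equal the certificate's subject CN.
    'none' (as set by Set-OutlookProvider EXPR -CertPrincipalName none)
    disables the check entirely; SAN entries are never consulted here."""
    if principal_name.lower() == "none":
        return True
    if not principal_name.lower().startswith("msstd:"):
        raise ValueError("expected 'msstd:<name>' or 'none'")
    return principal_name[len("msstd:"):].lower() == subject_cn.lower()

def san_aware_check(hostname: str, subject_cn: str, san_dns: list[str]) -> bool:
    """Modern-style check: SAN dNSName entries win; CN is only a fallback
    when the certificate carries no SAN at all."""
    if san_dns:
        return any(_name_matches(name, hostname) for name in san_dns)
    return _name_matches(subject_cn, hostname)

def diagnose(connect_to: str, principal_name: str,
             subject_cn: str, san_dns: list[str]) -> dict:
    """Report both verdicts so the cause of the Outlook warning is visible."""
    return {
        "legacy_msstd_ok": msstd_check(principal_name, subject_cn),
        "san_aware_ok": san_aware_check(connect_to, subject_cn, san_dns),
    }

# Constructed data mirroring the thread: CN is klabin.com, mail.klabin.com is SAN-only.
SAMPLE_CN = "klabin.com"
SAMPLE_SAN = ["klabin.com", "mail.klabin.com",
              "autodiscover.klabin.com", "legacy.klabin.com"]

if __name__ == "__main__":
    print(diagnose("mail.klabin.com", "msstd:mail.klabin.com", SAMPLE_CN, SAMPLE_SAN))
```

With the thread's certificate the legacy check fails while the SAN-aware check passes; re-keying with CN=mail.klabin.com (fix 1) or setting the principal name to none (fix 2) both make the legacy check succeed.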
 
Hi,

This problem has been fixed in Vista SP1 and later. The subject Common Name (CN) of your certificate - "klabin.com" does not match the name OA clients are connecting to (even though the name is listed in the SAN).

Instead of patching the issue, I would prefer to re-key the certificate (takes seconds) with the CN=mail.klabin.com. That way the clients will be happy, and the web server - klabin.com will be working fine with the certificate.

BTW, why don't you add in the SAN? You can have at least 5 Subject Alternative Names in that certificate?


Dean
