RE: Certificate Security Alert

thank you for your assistance
--
Lee Morgenstein


"v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li" wrote:

Hi Lee,

Thanks for posting in our newsgroup.

From your description, I know that when you open Outlook 2007, you get the
error "The name on the security certificate is invalid or does not match the
name of the site". If that's not right, please don't hesitate to let me know.

Based on my research, this issue occurs because you changed the security
certificate installed on your Exchange 2007 server, and the Issued To name of
the certificate now doesn't match the internal FQDN of your Exchange
server. For more info about this error, please refer to the following KB
article:

923575 Error message when Outlook 2007 tries to connect to a server by
using an RPC connection or an HTTPS connection: "There is a problem with
the proxy server's security certificate"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;923575

Based on my knowledge, we may have two possible solutions for this
particular issue:

1. The straightforward solution is to contact the third-party vendor from
whom you got the new security certificate, and confirm whether their
certificate supports Subject Alternative Names. If so, you can ask them to
simply issue a new certificate with both the internal name and the external
name of your Exchange 2007 server, and then install the new certificate to
solve the problem.

2. Alternatively, you need to change the AutoDiscoverServiceInternalUri
value on your Exchange 2007 Client Access Server (CAS) to match the Issued To
name of your current security certificate. To do so, please follow these
steps:

i.) First we need to check the current value of
AutoDiscoverServiceInternalUri in your Exchange 2007 CAS server:

a. In Exchange Management Shell, run the command:

    Get-ClientAccessServer | fl

b. You will then see output like the following example:

    Name                           : <your Exchange 2007 Server name>
    OutlookAnywhereEnabled         : False
    AutoDiscoverServiceCN          : <your Exchange 2007 CAS name>
    AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
    AutoDiscoverServiceInternalUri : https://<internal name of your Exchange 2007 CAS>/Autodiscover/Autodiscover.xml

c. Then check whether the name in AutoDiscoverServiceInternalUri matches
the name in the Issued To field of the security certificate you are using
now. If it doesn't match, it will cause the error your users encountered.

ii.) In order to fix the error, we have to change the
AutoDiscoverServiceInternalUri to match the Issued To name on the
certificate. In addition, we have to change the path on the Default Web
Site. To do that:

a. First run the following commands in the Exchange Management Shell on
your Exchange 2007 CAS so that we have a backup listing of the
current settings:

    Get-ClientAccessServer <your Exchange 2007 server NetBIOS name> | fl > backupCAS.txt
    Get-WebServicesVirtualDirectory | fl > backupWeb.txt

b. We then run the following commands:

    Set-ClientAccessServer <your Exchange 2007 server NetBIOS name> -AutoDiscoverServiceInternalUri https://<external name of your Exchange 2007 which is in the Issued To field of current certificate>/Autodiscover/Autodiscover.xml

    Set-WebServicesVirtualDirectory "<your Exchange 2007 server NetBIOS name>\EWS (Default Web Site)" -InternalUrl https://<external name of your Exchange 2007 which is in the Issued To field of current certificate>/EWS/Exchange.asmx

Hope this helps.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

--------------------
<From: Lee <Alabama@xxxxxxxxxxxxx>
<Subject: Certificate Security Alert
<Date: Tue, 15 Jan 2008 06:19:01 -0800
<Newsgroups: microsoft.public.exchange.clients
<
<
<Hello;
<
<We have Exchange 2007 and Outlook 2007. When users open Outlook they get a
<Security Alert telling me the "name on the security certificate is invalid or
<does not match the name of the site." Do you want to proceed. I currently don't
<have a certificate in place. How can I stop this from coming up?
<--
<Lee Morgenstein
<
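
Added example, not part of either post: one way to script the comparison from step i.c across the Autodiscover and EWS internal URLs, for the Exchange Management Shell. It assumes the certificate Outlook sees is the one enabled for IIS; the Test-NameCovered helper is hypothetical and only handles exact names and single-label wildcards.

```powershell
# Added example: compare the host in each internal URL with the names on the
# certificate that Exchange has enabled for IIS. Read-only; changes nothing.

# Hypothetical helper: true if $HostName equals one of the certificate names
# or is covered by a wildcard name such as *.example.com (one label only).
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }        # -eq ignores case
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1).ToLower()       # ".example.com"
            $h = $HostName.ToLower()
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Names (subject and Subject Alternative Names) on the IIS-enabled certificate.
$names = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# The two internal URLs that the steps above change.
$urls  = @(Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
$urls += @(Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })

"Certificate names: " + ($names -join ', ')
foreach ($u in $urls) {
    if ($u -eq $null) { continue }                    # URL not configured
    $uri = New-Object System.Uri ($u.ToString())
    if (Test-NameCovered -HostName $uri.Host -CertNames $names) {
        $result = 'OK'
    } else {
        $result = 'MISMATCH'                          # Outlook will show the alert
    }
    "{0,-9} {1}" -f $result, $uri.AbsoluteUri
}
```

Any line reported as MISMATCH names a URL whose host is not on the certificate, which is the condition the reply above gives as the cause of the Security Alert.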