Exchange 2013 Outlook client receive SMTP security warning

Hello,

we have an Exchange 2013 environment with a 3rd party certificate installed. This certificate is assigned to all services: IMAP, POP, IIS, SMTP on all Exchange servers. All virtual directories are configured to use external domain.com. OWA and autodiscovery work fine, but when I try to configure Outlook to use POP or IMAP I get "The target principal name is incorrect" security warning on outgoing mail. Exchange uses a self-signed certificate instead of our 3rd party certificate for the SMTP connection. Is there a way to force Exchange to use the 3rd party certificate for Outlook SMTP connectivity?

May 21st, 2014 7:03am

Hi Simon

The solution is quite simple; click on the View Certificate button and look at the Issued to name. This is usually the name that you'll need to specify for your incoming and/or outgoing server in your account configuration.

In some cases, this still won't work when the certificate holds multiple names. You can then select the Details tab and see if the certificate holds a field called Subject Alternative Name. If so, then you'll find other names that you could try behind the DNS Name= value.

Ensure you have the correct SAN added on the certificate.

Match the correct SAN and this will fix your problem.

May 21st, 2014 7:23am

What if you send outbound emails via CAS server? By default, it goes through Mailbox server which doesn't need the 3rd party certificate.

Check http://theucguy.net/how-to-proxy-outbound-emails-through-cas-in-exchange-2013/

May 21st, 2014 10:58am

I do send emails via CAS servers. I have 2 load balanced CAS servers and configured Outlook to send email through the NLB address.
May 22nd, 2014 6:17am

Hello Sathish

When I click on the "View Certificate..." it shows "Issued to Server1". I use the mail.company.com FQDN for my OWA and autodiscovery. I want to use mail.company.com for my IMAP and POP configurations also. I did import the mail.company.com cert to the CAS servers and assigned it to all services. The question is: how do I force Exchange to use my imported mail.company.com cert instead of its default Server1 self-signed cert when I try to send email through SMTP?

May 22nd, 2014 6:27am

Don't send it through the NLB address by using it as a smart host in the connector.

Just proxy outgoing emails through CAS

May 23rd, 2014 9:07am

The problem is not sending an email to the internet. I get the cert warning when I try to send email from Outlook to the Exchange server.

My Outlook IMAP configuration is:

Incoming mail server: email.company.com

Outgoing mail server (SMTP): email.company.com

This email.company.com is the CAS NLB address.

I get Internet Security Warning "The target principal name is incorrect" when Outlook tries to send test email through SMTP.

May 23rd, 2014 10:49am

http://support.microsoft.com/kb/958977/en-us explains the issue.
May 23rd, 2014 10:57am

I did add the 3rd party certificate from a trusted Certificate Authority to all CAS servers. Now the CAS servers have 3 certificates assigned to SMTP services:

  1. 3rd party cert issued to mail.company.com
  2. Self-signed Microsoft Exchange cert issued to Server1
  3. Self-signed Microsoft Exchange Server Auth Certificate Issued to CN=Microsoft Exchange Server Auth Certificate

When Outlook tries to connect to the Exchange server it uses the self-signed cert issued to Server1 and I get this security warning. And I want to force it to use the 3rd party cert issued to mail.company.com.

May 23rd, 2014 11:57am

PKI certificates should take precedence over self-signed ones if the FQDN is fine, but you need to configure them using the cmdlet Enable-ExchangeCertificate:

Here is a summary of the selection process...

Selection of Inbound STARTTLS Certificates

... and Details for the Enable-ExchangeCertificate cmdlet

Elke

May 23rd, 2014 12:03pm

Thanks for reply, Elke.

I did double check: my 3rd party cert is enabled. Here are the details:

AccessRules        :
CertificateDomains : {mail.company.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=TERENA SSL CA, O=TERENA, C=NL
NotAfter           : 2014-11-17 01:59:59
NotBefore          : 2011-11-17 02:00:00
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : <hidden>
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : <hidden>
Thumbprint         : <hidden>

But still it is not being used by the CAS servers to establish the SMTP connection with Outlook clients.

May 23rd, 2014 12:13pm
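The check a practitioner would run at this point, as an added example that is not part of the thread or of Exchange's own documentation: it lists every certificate bound to SMTP on the local CAS and whether it actually covers the public name, shows the FQDN each receive connector advertises (Exchange picks the inbound STARTTLS certificate by matching that FQDN against the certificate's subject/SAN names, which is why an enabled third-party certificate can still lose to the self-signed one), and then rebinds the client-facing connector to the public name. It assumes the Exchange 2013 Management Shell; mail.company.com and the "Client Frontend" connector name are placeholders taken from the thread and the 2013 defaults, and the wildcard-matching helper is my own.

```powershell
# Added example, not from the thread: audit and correct which certificate the CAS
# presents for STARTTLS on the client-facing SMTP connector (TCP 587).
# Assumes the Exchange 2013 Management Shell; $publicName and $clientConnector are
# placeholders for your own environment.
$publicName = 'mail.company.com'
$server     = $env:COMPUTERNAME

# Does a certificate's subject/SAN list cover a host name (exact or single-label wildcard)?
function Test-CertCoversName {
    param([Parameter(Mandatory)]$Certificate, [Parameter(Mandatory)][string]$Name)
    foreach ($d in $Certificate.CertificateDomains) {
        $domain = $d.ToString()
        if ($domain -eq $Name) { return $true }
        if ($domain.StartsWith('*.') -and ($Name -like $domain) -and
            ($Name.Split('.').Count -eq $domain.Split('.').Count)) { return $true }
    }
    return $false
}

# 1. Every certificate bound to SMTP on this server and whether it covers the public name.
#    A self-signed entry with CoversPublicName = False beside a valid third-party entry
#    with CoversPublicName = True is exactly the picture described above.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, IsSelfSigned, Status, NotAfter,
        @{ n = 'Domains';          e = { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ', ' } },
        @{ n = 'CoversPublicName'; e = { Test-CertCoversName -Certificate $_ -Name $publicName } } |
    Format-Table -AutoSize

# 2. Exchange selects the STARTTLS certificate by matching the connector's Fqdn against
#    certificate names, so a connector still advertising the server's own host name
#    will keep presenting the self-signed certificate issued to that host.
Get-ReceiveConnector -Server $server |
    Select-Object Identity, Fqdn, TransportRole, @{ n = 'Bindings'; e = { $_.Bindings -join ', ' } } |
    Format-Table -AutoSize

# 3. Rebind: choose the newest valid third-party certificate covering the public name,
#    make the client connector advertise that name, and enable the certificate for SMTP.
#    -Force suppresses the "overwrite the default SMTP certificate" prompt.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and $_.Status -eq 'Valid' -and (Test-CertCoversName $_ $publicName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid third-party certificate covering $publicName on $server" }

$clientConnector = "$server\Client Frontend $server"   # Exchange 2013 default name (placeholder)
Set-ReceiveConnector -Identity $clientConnector -Fqdn $publicName
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services SMTP -Force
Restart-Service MSExchangeFrontEndTransport
```

Run it on each CAS behind the NLB address, since the certificate choice is made per server. Outlook's "The target principal name is incorrect" warning means the name in the presented certificate did not match the outgoing-server name it connected to, so after the rebind repeat the Outlook test message and confirm the prompt is gone; the connector FQDN, the name Outlook is configured with, and a name in the certificate's SAN list must all agree.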

Hi Vygintas

Did you solve the problem? I have the same problem. And I tried to run Enable-ExchangeCertificate -services none -Thumbprint xxxxx on the self-signed cert but no luck. SMTP is still using the self-signed cert instead of my 3rd party cert.

Regards

Lars

June 17th, 2015 4:11am
