Internal Domain Vs. External w/ certificate
Microsoft Exchange could not find a certificate that contains the domain name computer.internal.local.
I have the email server using our external wildcard cert (which is working correctly externally), which resolves to computer.external.com.
I'm getting this error, and I believe it to be causing issues with my ActiveSync to mobile devices. I tried to set the internal and external on ActiveSync, to no avail.
Here's the full error:
Microsoft Exchange could not find a certificate that contains the domain name BTEXCH01.internal.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of BTEXCH01.internal.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
August 15th, 2011 9:10am
Please post the internal and external URLs for activesync? Also, the SAN names in your certificate.
August 15th, 2011 11:07am
The error that you have posted has nothing to do with ActiveSync. It is referring to the SMTP transport, which isn't used by ActiveSync. The only way to clear the error is to have a certificate with the correct name. It is one of the main reasons why I use a UC or SAN certificate rather than a wildcard.
Some mobile devices also have issues with a wildcard certificate, so that could also be the cause of your problems.
Create a test account and run through the ActiveSync test on the Microsoft test site at http://exrca.com/. If there is an issue, that should flag it.
Simon.
Simon Butler, Exchange MVP
August 15th, 2011 11:49am
Sorry LMurthy,
I'm not comfortable posting that out in the net.
August 15th, 2011 1:23pm
Here's the output from the ActiveSync test. On the answer you provided above, I had a feeling that's what it would be. However, I really need a workaround on this. We pay a good amount of money for this certificate, and we use it in multiple servers. I know we're not the only company with a different internal domain than external. How is this usually handled? If the only option is a SAN cert, that really seems lame.
Thanks for your help!
ExRCA is testing Exchange ActiveSync.
The Exchange ActiveSync test failed.
Test Steps
Attempting to resolve the host name btexch01.external.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: xx.xx.xx.xx
Testing TCP port 443 on host btexch01.external.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server btexch01.external.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Validating certificate trust for Windows Mobile devices.
The certificate is trusted and all certificates are present in the chain.
Test Steps
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Testing HTTP Authentication Methods for URL https://btexch01.external.com/Microsoft-Server-ActiveSync/.
The HTTP authentication test failed.
Additional Details
An HTTP 500 response was returned from Unknown.
August 15th, 2011 1:30pm
On Mon, 15 Aug 2011 13:03:07 +0000, Shaunb417 wrote:
>Microsoft Exchange could not find a certificate that contains the domain name computer.internal.local.
>
> I have the email server using our external wild card cert, ( which is working correctly externally. ) Which resolves to computer.external.com
Then it's no surprise that you get that certificate error. The cert won't
match *.internal.local; it only works with *.external.com.
>I'm getting this error, and I believe it to be causing issues with my active sync to mobile devices. I tried to set the internal and external on active sync, to no avail.
No doubt.
Dump the wildcard and get a SAN/UCC cert with the appropriate names,
or correct the URL used by the mobile devices to use the external
domain name. Also, not all mobile devices work well with wildcard
certs. Make sure yours do.
---
Rich Matheisen
MCSE+I, Exchange MVP
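The name-matching rule behind the STARTTLS error in the first post, and behind Rich's point that a *.external.com wildcard can never cover BTEXCH01.internal.local, as an added example that is not part of the original thread and not Exchange's own code. It implements a simplified reading of RFC 6125 / RFC 2818 hostname matching (wildcard only as the whole leftmost label, standing for exactly one label); the certificate name lists and connector FQDNs are constructed to mirror the thread.

```python
"""Certificate name matching as TLS clients (and Exchange, when it checks a
connector FQDN against a certificate) apply it: a name on the certificate
covers a host only if it is an exact, case-insensitive match, or a wildcard
whose '*' is the entire leftmost label and stands in for exactly one label.
Added example for this thread; the rules are a simplified reading of
RFC 6125 / RFC 2818, and all names below are constructed for illustration."""
from typing import Iterable, List


def name_matches(cert_name: str, host: str) -> bool:
    """Return True if a single certificate name (CN or dNSName SAN) covers host."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    labels = cert_name.split(".")
    # Accept only the '*.example.com' shape: the wildcard is the whole leftmost
    # label, appears nowhere else, and at least two labels follow it
    # (so '*.com' and 'f*o.example.com' are rejected).
    if labels[0] != "*" or "*" in cert_name[1:] or len(labels) < 3:
        return False
    host_labels = host.split(".")
    # The wildcard stands for exactly one non-empty label: '*.external.com'
    # covers 'btexch01.external.com' but not 'external.com' or 'a.b.external.com'.
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def cert_covers(cert_names: Iterable[str], host: str) -> bool:
    """True if any name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


def uncovered_fqdns(cert_names: Iterable[str], fqdns: Iterable[str]) -> List[str]:
    """List the FQDNs (e.g. send-connector FQDNs) the certificate does not cover.
    Each entry is a name that would produce the 'could not find a certificate
    that contains the domain name ...' condition described in the thread."""
    names = list(cert_names)
    return [f for f in fqdns if not cert_covers(names, f)]


# Constructed examples mirroring the thread: one wildcard cert, one UC/SAN cert.
WILDCARD_CERT = ["*.external.com"]
SAN_CERT = ["btexch01.external.com", "autodiscover.external.com",
            "btexch01.internal.local"]
CONNECTOR_FQDNS = ["BTEXCH01.internal.local", "btexch01.external.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("SAN/UCC", SAN_CERT)):
        missing = uncovered_fqdns(names, CONNECTOR_FQDNS)
        print(f"{label} cert {names}: uncovered FQDNs -> {missing or 'none'}")
```

Running it reports BTEXCH01.internal.local as uncovered by the wildcard cert and nothing uncovered by the SAN cert, which is exactly the choice the thread lays out: either add the internal FQDN as a SAN, or point the connector (or the clients) at a name the existing certificate does cover.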
August 15th, 2011 5:51pm
On Mon, 15 Aug 2011 17:22:36 +0000, Shaunb417 wrote:
>Here's the output from the active sync test. On the answer you provided above, I had a feeling that's what it would be. However, I really need a workaround on this. We pay a good amount of money for this certificate, and we use it in multiple servers.
>I know we're not the only company with a different internal domain than external. How is this usually handled? If the only option is a SAN cert, that really seems lame.
>
>Thanks for your help!
>
> ExRCA is testing Exchange ActiveSync.
[ snip ]
> The HTTP authentication test failed.
> Additional Details
> An HTTP 500 response was returned from Unknown.
I don't think your problem is related to your cert (well, not all of
it anyway):
http://technet.microsoft.com/en-us/library/dd439375(EXCHG.80).aspx
You haven't said what release of Exchange you're using. Try google.com
and "status 500 activesync" for more.
---
Rich Matheisen
MCSE+I, Exchange MVP
August 15th, 2011 6:01pm
Hello,
To troubleshoot this certificate mismatch issue, please collect the following information:
1. [Please provide a screenshot of the certificate warning in Outlook]
2. [Collect AutoConfiguration Status in problematic Outlook]
========================================
a. While Outlook is running, click the CTRL key and then right-click the Outlook icon in the system tray and then select “Test Email Autoconfiguration”.
b. Confirm that your email address is in the address field, uncheck the “Use Guessmart” and “secure Guessmart authentication” boxes. Then click the “Test” button.
c. Once it runs, please send me a screen shot of the Log tab.
3. [Certificate configuration information]
=============================
On the CAS server, open “Exchange Management Shell” and type the cmdlets:
Get-ExchangeCertificate | fl > c:\certlog.txt
Get-AutodiscoverVirtualDirectory | fl > c:\auto.txt
Get-ClientAccessServer | fl > c:\cas.txt
You can reach me at:
v-simwu@microsoft.com
Thanks,
Simon
August 17th, 2011 4:25am