After my Exchange 2010 server crashed earlier this week I decided to go ahead and set up an Exchange 2013 server. I completed the setup and installed the SSL certificate, but I am having issues with Outlook connecting. I can manage to get my account set up in Outlook, but every time I open it I receive the error in the pic.
Sounds like you need to change your virtual directories to match the cert you have. Here are a few things that should help with your issue.
These first links do a pretty good job of explaining how to plan what names need to be on your certificate:
http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/
Here's another forum post that should be some help as well with changing the required directories.
Looking at my server in the Exchange Admin Center I see four Certificates.
GoDaddy: has the SMTP, IMAP, POP, and IIS services checked
MS Exchange Server Auth Certificate: has the SMTP service checked.
MS Exchange: has SMTP and IIS checked
WMSVC: does not have any services checked.
It seems odd to me that some of the services are assigned to multiple certificates.
Here are the results of Get-OutlookProvider.
Name  Server  CertPrincipalName  TTL
----  ------  -----------------  ---
EXCH                             1
EXPR                             1
WEB                              1
Can you run:
Get-ClientAccessServer | select identity, *autodiscover*
Get-OutlookAnywhere | select servername, *host*
Get-ClientAccessServer | Select Servername, *host*
Identity : servername
AutoDiscoverServiceCN : servername
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://servername.domain.local/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
Get-OutlookAnywhere | Select servername, *host*
ServerName  ExternalHostname  InternalHostname
----------  ----------------  ----------------
server      mail.domain.org   mail.domain.org
OK, the AutoDiscoverServiceInternalUri is the issue here. It is still set to domain.local, which is why you are getting the error.
To fix it you can run:
Set-ClientAccessServer <servername> -AutoDiscoverServiceInternalUri "https://mail.domain.org/Autodiscover/autodiscover.xml"
Results
Identity : server
AutoDiscoverServiceCN : server
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.domain.org/Autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
That does seem to have helped; however, they are still getting the message below when they open Outlook. If they click Yes they are able to continue. My SSL cert is for mail.domain.org, www.mail.domain.org, activesync.domain.org, and autodiscover.domain.org.
Should I also add server.domain.local to the certificate?
This is what the server settings look like in the account settings. This is very different from what they were.
Give IIS a recycle and give it some time. Outlook needs to query Autodiscover again for settings. It's not usually instantaneous. I forget the actual interval; I think it's every couple of hours or so.
Also, you can't add any TLD to an external cert that is not publicly accessible. To test this, if you create a new profile do you get the cert error?
I re-booted the server and I still receive the error message.
Yes, if I create a new profile I get the cert error.
- Edited by sapper12 16 hours 29 minutes ago
Should I also add server.domain.local to the certificate?
It's usually recommended to NOT add your internal hostname to the cert.
Now it's a matter of Outlook querying Autodiscover again. The new profile not prompting is a good sign that it should be corrected.
I re-booted the server and I still receive the error message.
Yes, if I create a new profile I get the cert error.
I am not sure if this will help, but I went back and ran Get-OutlookProvider. Here are the results:
Name  Server  CertPrincipalName  TTL
----  ------  -----------------  ---
EXCH                             1
EXPR                             1
WEB                              1
- Edited by sapper12 Monday, March 23, 2015 2:54 PM
Hi,
In your case, I recommend you disable the third-party add-ins and check the result.
1. Use Outlook safe mode to help isolate the issue.
2. Check for third-party COM add-ins and disable them.
For more information, here is a helpful KB for your reference.
https://support.microsoft.com/en-us/kb/923575
Hope this can be helpful to you.
Best regards,
This is what the server settings look like in the account settings. This is very different from what they were.
I just looked harder at this screen shot. What are the primary email addresses in your domain? Are they username@domain.local? or username@domain.org?
Do you have any email address policies in place?
We have one Exchange server, period, in our environment.
Our Primary email addresses are username@domain.org.
What if you get the certificate re-issued from your CA (GoDaddy)? I know a lot of CAs will offer to re-issue your cert for free; you'd have to go through the cert request process again, but then you'd be generating the info from the new Exchange 2013 server and not recycling the cert from Exchange 2010.
A workaround would be to push the cert out through Group Policy to the clients; once it's in their personal cert store, it shouldn't throw the hostname cert mismatch error when they open Outlook. I've done this in the past with self-signed certs.
How is OWA working; any cert errors there?
I went through the process of re-issuing the cert when I set up the new server, so the cert should be good.
OWA does not give any cert errors.
It still has to be something with the URLs your Exchange server is advertising. Run the following command in the shell:
Get-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" | FL
In the output, look for "InternalUrl" and "ExternalUrl"; do they say https://servername.domain.local/EWS/Exchange.asmx or do they say https://mail.domain.org/EWS/Exchange.asmx ? If it shows the internal FQDN, you'll need to change that to mail.domain.org like you did for Autodiscover. Give the link below a look; I really think it will help you with your setup. If I understand correctly, you're using an SSL cert and not a SAN/UC cert, which matches what this article talks about. Let us know how it goes, and good luck.
http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/
Here is the output. I can see a couple of places where this may need to be changed.
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" | FL
RunspaceId : 6b83ecd1-412e-4aa5-b729-9ffc85efffd9
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://server.domain.local/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 847.32)
Server : server
InternalUrl : https://server.domain.local/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.org/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH2010,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : server\EWS (Default Web Site)
Guid : 04543764-0089-4c58-9f4b-f33471bfe935
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2015 10:59:32 AM
WhenCreated : 3/19/2015 6:07:09 PM
WhenChangedUTC : 3/20/2015 3:59:32 PM
WhenCreatedUTC : 3/19/2015 11:07:09 PM
OrganizationId :
OriginatingServer : domaincontroller.domain.local
IsValid : True
ObjectState : Changed
Yes, your internal url is referencing server.domain.local. The commands to change this are contained in the link I mentioned before, but here it is again. I think after you get the various URLs ironed out, your cert error will go away.
http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/
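The check the replies above prescribe (compare every URL Exchange advertises to Outlook, from AutoDiscoverServiceInternalUri through the EWS and other virtual directory URLs, against the names on the IIS-bound certificate) as one script for the Exchange Management Shell. This is an added example, not code from the thread or from Microsoft; it assumes a single Exchange 2013 Client Access server, the mail.domain.org namespace used in the thread, and it only reports unless -Fix is given.

```powershell
param(
    [string]$Server    = $env:COMPUTERNAME,   # the Exchange 2013 CAS to audit
    [string]$Namespace = "mail.domain.org",   # public name on the certificate, as in the thread
    [switch]$Fix                               # audit only unless -Fix is given
)

# Names covered by the certificate bound to IIS (CN plus SANs), lower-cased for comparison.
$iisCert   = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-CertCovers([string]$HostName) {
    # A wildcard entry covers exactly one extra label; any other entry must match exactly.
    foreach ($n in $certNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.") -and $HostName.EndsWith($n.Substring(1)) -and
            $HostName.Split(".").Count -eq $n.Split(".").Count) { return $true }
    }
    return $false
}

# Every name Exchange hands to Outlook via Autodiscover, each with the cmdlet that rewrites it.
$oa    = Get-OutlookAnywhere -Server $Server
$items = @(
    @{ Name = "AutoDiscoverServiceInternalUri"
       Url  = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
       Fix  = { Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml" } }
    @{ Name = "OutlookAnywhere InternalHostname"
       Url  = if ($oa.InternalHostname) { "https://$($oa.InternalHostname)/rpc" } else { $null }
       Fix  = { $oa | Set-OutlookAnywhere -InternalHostname $Namespace -InternalClientsRequireSsl $true } }
)
foreach ($vd in "WebServices", "Oab", "ActiveSync", "Owa", "Ecp") {
    foreach ($obj in (& "Get-${vd}VirtualDirectory" -Server $Server)) {
        foreach ($side in "InternalUrl", "ExternalUrl") {
            if (-not $obj.$side) { continue }                         # blank: nothing advertised
            $newUrl = "https://$Namespace$(([uri]$obj.$side).AbsolutePath)"
            $items += @{ Name = "$vd $side"; Url = $obj.$side
                         Fix  = [scriptblock]::Create("Set-${vd}VirtualDirectory -Identity '$($obj.Identity)' -$side '$newUrl'") }
        }
    }
}

# Report each advertised host name, and optionally point it at the public namespace.
foreach ($i in $items) {
    if (-not $i.Url) { continue }
    $hostName = ([uri]$i.Url).Host.ToLower()
    if (Test-CertCovers $hostName) { Write-Host "OK        $($i.Name) -> $hostName"; continue }
    Write-Warning "MISMATCH  $($i.Name) -> $hostName is not on the IIS certificate ($($certNames -join ', '))"
    if ($Fix) { & $i.Fix }
}
```

Outlook only picks up a rewritten URL on its next Autodiscover query, so after running with -Fix, creating a new profile (as suggested earlier in the thread) is the quickest way to confirm the prompt is gone.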
Here is how the output looks now. It seems to have cleared up the certificate issue, but now I have no mail flow in or out.
RunspaceId : 6b83ecd1-412e-4aa5-b729-9ffc85efffd9
CertificateAuthentication :
InternalNLBBypassUrl :
GzipLevel : Low
MRSProxyEnabled : False
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication :
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
OAuthAuthentication : True
AdfsAuthentication : False
MetabasePath : IIS://server.domain.local/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
AdminDisplayVersion : Version 15.0 (Build 847.32)
Server : server
InternalUrl : https://mail.domain.org/EWS/Exchange.asmx
ExternalUrl : https://mail.domain.org/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH2010,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=domain,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity : server\EWS (Default Web Site)
Guid : 04543764-0089-4c58-9f4b-f33471bfe935
ObjectCategory : domain.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 3/20/2015 10:59:32 AM
WhenCreated : 3/19/2015 6:07:09 PM
WhenChangedUTC : 3/20/2015 3:59:32 PM
WhenCreatedUTC : 3/19/2015 11:07:09 PM
OrganizationId :
OriginatingServer : domaincontroller.domain.local
IsValid : True
ObjectState : Changed