Outlook 2007, Autodiscover, "Invalid Name on certificate" issue - for one lone user.
Fighting this issue for almost a year now. We have a small Exchange 2010 organization that was recently migrated from Exchange 2003. Clients are a mix of Windows XP and Windows 7, but all are running Outlook 2007.
For the Outlook 2010 upgrade a certificate that supports multiple SANs was purchased from GoDaddy. There exist two "domains" in this company although only one is the true AD domain. Let's call the older domain "really_long_name.com" and the current Windows domain name "short_name.com". One of the SANs for the certificate is "autodiscover.short_name.com"; however, there is NO SAN listed for "autodiscover.really_long_name.com".
This one remote user constantly receives this prompt concerning an invalid name on the certificate because it is using autodiscover.really_long_name.com instead of autodiscover.short_name.com.
He is the only one that gets this, and I just reinstalled his Windows XP w/Outlook 2007 and tested it via VPN and no longer received the error. Well, he receives the laptop several days later and says it is not fixed, and finally comes clean that he did a "repair" on Outlook and Add/Remove Programs on it to customize his Office. Never got a clear answer as to why.
His primary SMTP domain is in fact: jsmith@short_name.com
My AutoDiscoverInternalUri on my CAS server points to autodiscover.short_name.com and every other component references the FQDN of my email server using the short_name.com domain.
When I run an Autodiscover test on his laptop everything returns fine and it shows it accessing autodiscover.short_name.com
Does anyone have any idea why his Outlook is for some reason appending the long_name domain for the autodiscover process?
August 17th, 2011 9:07pm
Post the full error text he receives and all the steps he takes to make the error occur.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
August 17th, 2011 9:16pm
The error pops up about 5 seconds after launching Outlook. Hitting yes to the prompt makes the message go away until he exits and launches Outlook again.
Now this error is correct: the autodiscover name it is using, autodiscover.really_long_name.com, is not listed on the cert, but the problem is that it should not even be using that domain name. It should be using the domain name of the shorter, AD, and primary SMTP domain.
Again he is the ONLY one experiencing this issue so I feel like there is some odd configuration on his end.
August 18th, 2011 12:57am
Hello,
please check the DNS settings on the client. Maybe the client has an external DNS server instead of an internal one in his DNS servers list.
Greetings,
Toni
August 18th, 2011 1:20am
Thanks da_doni, the VPN provides the address of our two internal Windows DNS servers correctly so that should be good too, and it is a fresh install of XP joined to the domain before I shipped it off. Has the default HOSTS file.
It is driving me insane.
August 18th, 2011 1:27am
Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726
The Name on the security certificate is invalid or does not match the name of the site - PART 1
http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-1.aspx
The Name on the security certificate is invalid or does not match the name of the site - PART 2
http://blogs.technet.com/b/danielkenyon-smith/archive/2010/05/13/the-name-on-the-certificate-is-invalid-or-does-not-match-the-name-of-the-site-part-2.aspx
August 18th, 2011 3:59am
Thanks Ramesh, but I have already done those steps listed in all of those articles related to this common certificate error. Like I said, I have been fighting this nagging issue for a long time. This issue ONLY affects one single user, while all of my other local and remote users do not experience this error. Here is the crux of the issue:
Why does his Outlook believe the autodiscover service is running under the incorrect domain? Is that set in some rogue Service Connection Point record in AD? Why is it appending the really_long_name.com domain to the autodiscover instead of the short_name.com domain? I cannot figure out where this is coming from.
August 18th, 2011 11:18am
What does that user see when you run Test E-mail Autoconfiguration on that machine? Hold Ctrl, click on the Outlook icon, select Test E-mail Autoconfiguration, enter the user's e-mail address and password, clear the Guessmart checkboxes, and then click Test.
Also, what is the CN of the certificate?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
August 18th, 2011 1:25pm
Unfortunately this remote user is out in the field in another state and it is difficult to schedule access to his laptop, but I will work on that. However, I did that exact test on Wednesday and the test completed successfully with no issues. All URLs and FQDNs were using the correct "short_name.com" domain.
Here is cert info:
CN Subject as listed in the EMC = exchange.short-name.com
SAN info:
DNS Name=exchange.short-name.com
DNS Name=www.exchange.short-name.com
DNS Name=autodiscover.short-name.com
DNS Name=short-name.com
DNS Name=webmail.short-name.com
DNS Name=exchange
August 18th, 2011 1:50pm
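The name check behind the prompt, as an added example that is not part of the original thread: it takes the SAN list posted above and reports which HTTPS hostnames Outlook would derive from an SMTP address are covered by the certificate. The candidate order (root domain, then `autodiscover.` prefix), the wildcard handling and the second address in the old domain are assumptions made for illustration; the domain names are the thread's placeholders.

```python
# Added example: which Autodiscover HTTPS names does the certificate cover?
# SAN list copied from the post above; everything else is constructed.
CERT_SANS = [
    "exchange.short-name.com",
    "www.exchange.short-name.com",
    "autodiscover.short-name.com",
    "short-name.com",
    "webmail.short-name.com",
    "exchange",
]


def san_matches(hostname, san):
    """Case-insensitive DNS name match; '*' covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # Refuse over-broad wildcards such as '*.com'.
        return len(host) > 2 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def https_candidates(smtp_address):
    """Hostnames tried over HTTPS when the URL is built from the SMTP domain."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]


def audit(smtp_addresses, sans=CERT_SANS):
    """Map every candidate hostname to True (covered) or False (mismatch)."""
    result = {}
    for address in smtp_addresses:
        for host in https_candidates(address):
            result[host] = any(san_matches(host, s) for s in sans)
    return result


def uncovered(smtp_addresses, sans=CERT_SANS):
    """Sorted hostnames that would raise the certificate name prompt."""
    return sorted(h for h, ok in audit(smtp_addresses, sans).items() if not ok)


if __name__ == "__main__":
    # Constructed input: the primary address plus a hypothetical address
    # in the older domain.
    sample = ["jsmith@short-name.com", "jsmith@really_long_name.com"]
    for host, ok in audit(sample).items():
        print(f"{host:40} {'covered' if ok else 'NAME MISMATCH'}")
```

Running it against every SMTP address stamped on a mailbox shows in advance which domains need a SAN, or need the lookup steered elsewhere, before a client ever prompts.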
Hi,
Please try to add your Exchange server name to your hosts file and then check the issue.
I'd like to know if you have SRV configured in the DNS. I recommend that you post the result of Test E-mail AutoConfiguration here.
Besides, please try to use OWA to access the mailbox to verify whether we would meet the certificate error.
Found a similar thread to share with you:
Can't connect Outlook 2007 from home using VPN
http://social.technet.microsoft.com/Forums/en-US/exchangesvradmin/thread/b113a0cf-3fc3-4804-b8af-bb175f4a199f/
Xiu
August 19th, 2011 3:29am
Concerning exchange server host name in host file, I can do that, but before I do consider this:
-The netbios name of the server resolves to the correct ip address of the exchange server.
-The FQDN of the exchange server resolves to the correct ip address of the server.
Verified via nslookup that both of our Windows DNS servers resolve the name correctly over VPN.
Result of Email Autoconfiguration
Protocol: Exchange RPC
Server: EXCHANGE.short-name.com
Login Name: jsmith
Availability Server URL: https://exchange.short-name.com/EWS/Exchange.asmx
OOF URL: https://exchange.short-name.com/EWS/Exchange.asmx
OAB URL: https://exchange.short-name.com/OAB/4dc4fee2-b3e1-4215-8386-b6721d621b15
Unified Message Service URL: https:/exchange.short-name.com/EWS/UM2007Legacy.asmx
Auth Package: Unspecified
Protocol: Exchange HTTP
Server: exchange.short-fiber.com
Login Name: jsmith
SSL: Yes
Mutual Authentication: Yes
Availability Service URL: https://webmail.short-name.com/ews/exchange.asmx
OOF URL: https://webmail.short-name.com/ews/exchange.asmx
OAB URL: https://webmail.short-name.com/OAB/4dc4fee2-b3e1-4215-8386-b6721d621b15
Unified Message Service URL: https://webmail.short-name.com/ews/UM2007Legacy.asmx
Auth Package: NTLM
Certificate Principal Name: msstd:exchange.short-name.com
Log Results:
SMTP: jsmith@short-name.com
Attempting URL https://exchange.short-name.com/Autodiscover/Autodiscover.xml found through SCP
Autodiscover to https://exchange.short-name.com/Autodiscover/Autodiscover.xml starting
GetLastError=0; httpStatus-200.
Autodiscover to https://exchange.short-name.com/Autodiscover/Autodiscover.xml succeeded (0x00000000)
These are the same results that I receive. The user encounters zero issues when accessing OWA.
August 19th, 2011 11:03am
Hi,
When the user VPNs into the corp network, can he access OWA without any certificate-related issue?
Then I recommend that you try to configure the user profile inside the corp network, and then access via Outlook to see if the problem would occur there.
Regards,
Xiu
August 21st, 2011 10:13pm
Hi,
When the user VPNs into the corp network, can he access OWA without any certificate-related issue?
Then I recommend that you try to configure the user profile inside the corp network, and then access via Outlook to see if the problem would occur there.
Regards,
Xiu
When I reinstalled XP on the laptop this is exactly what I did as I was connected locally to the network and the Outlook had zero issues, furthermore I connected wirelessly to a public network then VPN back into our corp network and still did not have a problem. But like I mentioned in my admittedly long story above, he mucked around with the Outlook installation and the cert error returned.
August 22nd, 2011 10:32am
*Update - Workaround for issue*
Amazingly, out of desperation, I have finally resolved the issue by using DNS and the hotfix available as described in the following document:
http://support.microsoft.com/kb/940881
Had the user apply the hotfix, and added the DNS SRV record as instructed.
Not thrilled with this solution as I know the root problem still exists and this is simply a band-aid, not to mention the fact that I had to make a change to my Windows network infrastructure simply for one trouble user.
Thanks for everyone's time and if anyone can come up with a possible explanation for the original problem I would be grateful.
August 22nd, 2011 10:42am