Why am I still getting an invalid or mismatched name warning for my SSL cert?
Hello all,

Getting a little frustrated so I figured I would post and maybe someone could help me understand something. This is all educational in a lab setting so buying a real cert is out of the question. I am just wondering why I keep getting "the name on the security certificate is invalid or does not match the name on the site" error in IE.

What I have is an Exchange 2007 setup with one CAS server. I have enabled Outlook Anywhere. I created a new certificate request, sent that to my Enterprise CA (a 2003 Server box) and got back a cert. Imported and enabled the cert on IIS, SMTP, POP, IMAP just fine. The cert has a common name of "mail.domain.com" which is the address I would use to access my server externally. For the Subject Alternative Names, it has the NetBIOS name of my CAS and the internal FQDN of my CAS (cas.domain.local).

Everything is peachy right? Well I pull up IE6 on Windows XP SP2 on an internal client and navigate to https://mail.domain.com/rpc (I have set up my DNS servers to host this zone and added an A record for the "mail" host to point to the IP of my CAS server so I can test this out internally). I get the familiar prompt saying there is a problem with the certificate, the name is invalid or does not match blah blah blah. Same thing in IE8 in Windows 7.

So I guess what I am getting at is: why? Viewing the certificate from IE, it says it is issued to "mail.domain.com". So that seems like that should be all I need right? I checked the SANs listed just to make sure, and they are there as well.

Any thoughts would be greatly appreciated!!
September 24th, 2010 3:21pm

On Fri, 24 Sep 2010 19:18:58 +0000, in2jars wrote:

> Hello all,
>
> Getting a little frustrated so I figured I would post and maybe someone could help me understand something. This is all educational in a lab setting so buying a real cert is out of the question. I am just wondering why I keep getting "the name on the security certificate is invalid or does not match the name on the site" error in IE.
>
> What I have is an Exchange 2007 setup with one CAS server. I have enabled Outlook Anywhere. I created a new certificate request, sent that to my Enterprise CA (a 2003 Server box) and got back a cert. Imported and enabled the cert on IIS, SMTP, POP, IMAP just fine. The cert has a common name of "mail.domain.com" which is the address I would use to access my server externally. For the Subject Alternative Names, it has the NetBIOS name of my CAS and the internal FQDN of my CAS (cas.domain.local).
>
> Everything is peachy right? Well I pull up IE6 on Windows XP SP2 on an internal client and navigate to https://mail.domain.com/rpc (I have set up my DNS servers to host this zone and added an A record for the "mail" host to point to the IP of my CAS server so I can test this out internally). I get the familiar prompt saying there is a problem with the certificate, the name is invalid or does not match blah blah blah. Same thing in IE8 in Windows 7.
>
> So I guess what I am getting at is: why? Viewing the certificate from IE, it says it is issued to "mail.domain.com". So that seems like that should be all I need right? I checked the SANs listed just to make sure, and they are there as well.
>
> Any thoughts would be greatly appreciated!!

Use the IIS Manager and verify that "Ignore client certificates" is selected. It's on the "Directory Security" tab of the rpc virtual directory. Click the "Edit..." button in the "Secure communications" group.

How about the certificate? Does the server have your CA's root certificate in its certificate store as a "trusted root"?

--- Rich Matheisen MCSE+I, Exchange MVP
September 24th, 2010 10:12pm

Thanks for the reply Rich. I think I have figured it out. Firefox is a bit more descriptive when it comes to explaining the reasons for the certificate being invalid. It basically told me that the certificate was only good for the two SANs I had listed (the NetBIOS name of the computer and the internal FQDN of the computer). So I tried adding the external FQDN (which was used as the common name) to the SAN list as well and my prompts about invalid security certificates have seemed to disappear. I am not sure why I had to list all the names in the SAN list. I thought the common name would be used for the external FQDN and the SANs could cover the rest. Thoughts?
September 24th, 2010 10:43pm

On Sat, 25 Sep 2010 02:41:08 +0000, in2jars wrote:

> Thanks for the reply Rich. I think I have figured it out. Firefox is a bit more descriptive when it comes to explaining the reasons for the certificate being invalid. It basically told me that the certificate was only good for the two SANs I had listed (the NetBIOS name of the computer and the internal FQDN of the computer). So I tried adding the external FQDN (which was used as the common name) to the SAN list as well and my prompts about invalid security certificates have seemed to disappear.
>
> I am not sure why I had to list all the names in the SAN list. I thought the common name would be used for the external FQDN and the SANs could cover the rest. Thoughts?

The CN of the certificate should be included in the DNS names in the Subject Alternative Name property of the cert. But it shouldn't have had to be included in the New-ExchangeCertificate cmdlet's "-DomainName" list. The "CN" name from that cmdlet's "-SubjectName" should have been added automatically.

--- Rich Matheisen MCSE+I, Exchange MVP
September 24th, 2010 11:32pm

Hi,

> I am not sure why I had to list all the names in the SAN list. I thought the common name would be used for the external FQDN and the SANs could cover the rest. Thoughts?

For a subject alternative name (SAN) certificate, you must add all the domain names you want to use to the subject alternative name list. To generate a certificate request for Exchange, you can also use the "New-ExchangeCertificate" command. For more information, please refer to the following link: http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks
Gen Lin-MSFT
September 28th, 2010 11:28pm
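The rule both replies state (a client matches the requested host against the SAN dNSName entries and, once a SAN extension is present, ignores the Subject CN) is easy to check before a certificate is deployed. The following Python matcher is an added example, not code from the thread or from Exchange; it works on certificate dictionaries in the layout `ssl.SSLSocket.getpeercert()` returns, and the two certificates below are constructed to mirror the original post (CN `mail.domain.com`, SANs `cas` and `cas.domain.local`), so those names are assumptions rather than real hosts.

```python
"""Check which intended hostnames a certificate actually covers.

Added example (not from the thread).  Name matching follows RFC 2818 s3.1 /
RFC 6125 s6.4: if the certificate carries a subjectAltName extension, only
its dNSName entries are consulted and the Subject commonName is ignored;
only a certificate with no SAN falls back to the CN.  That is why a cert
with CN=mail.domain.com but a SAN list lacking that name fails for
https://mail.domain.com/.
"""
from __future__ import annotations


def label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison.  A single leading '*.' wildcard
    is allowed and covers exactly one label (RFC 6125 s6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.domain.com" -> ".domain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the '*' stands for
    return leftmost != "" and "." not in leftmost


def cert_names(cert: dict) -> tuple[list[str], bool]:
    """Return (names a client will match against, san_present).

    `cert` uses the getpeercert() layout:
      {"subject": ((("commonName", "x"),),), "subjectAltName": (("DNS", "y"), ...)}
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san, True                      # SAN present: CN is ignored
    cns = [value for rdn in cert.get("subject", ()) for (kind, value) in rdn
           if kind == "commonName"]
    return cns, False                         # legacy fallback to CN only


def hostname_matches(cert: dict, hostname: str) -> bool:
    names, _ = cert_names(cert)
    return any(label_match(name, hostname) for name in names)


def preflight(cert: dict, intended_hosts: list[str]) -> dict[str, bool]:
    """Map every hostname you plan to publish to whether this cert covers it."""
    return {host: hostname_matches(cert, host) for host in intended_hosts}


# Constructed sample certificates modelled on the post (assumed names).
CERT_BEFORE = {                               # CN present, but not in the SAN list
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "cas"), ("DNS", "cas.domain.local")),
}
CERT_AFTER = {                                # CN repeated in the SAN list
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "cas"),
                       ("DNS", "cas.domain.local")),
}
INTENDED = ["mail.domain.com", "cas.domain.local", "cas"]

if __name__ == "__main__":
    for label, cert in (("before", CERT_BEFORE), ("after", CERT_AFTER)):
        for host, ok in preflight(cert, INTENDED).items():
            print(f"{label:6} {host:20} {'OK' if ok else 'MISMATCH'}")
```

Running it shows `mail.domain.com` as MISMATCH for the first certificate and OK for the second, which is exactly the behaviour the original poster saw in IE and Firefox. The same check is worth running on any freshly issued certificate before it is bound in IIS, against the full list of names clients will actually type (external FQDN, internal FQDN, autodiscover names).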
