About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2008/01/31

Outlook 2007 Certificate Error

I am reposting this because it took me a goodly amount of time to find this information and the fix when I encountered it. Shudnow.net is the source. I did not have to use every step, but I did faithfully work through each item just to make sure.

Let's get started!

When importing a new certificate into Exchange 2007, you might encounter a certificate error in Outlook 2007. I have included a screenshot of the error I encountered today:

(screenshot: the Outlook 2007 certificate error dialog)

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”

So the million dollar question? Why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose: to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning a very simple configuration and do not care about external Autodiscover access, you do not need a Unified Communications certificate. You can read more about these certificates in one of my other articles here.

So let's say we have a simple, regular certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS; we just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next, I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate

Thumbprint                                  Services   Subject
----------                                  --------   -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9   SIP.W      CN=mail.shudnow.net.com

What I did was enable the new certificate for every available service by using the following command:

Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names "casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net". Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalURI must match a name in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should reconfigure the AutoDiscoverServiceInternalURI by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

We now need to go configure all the InternalURLs for each web distributed service. Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.

You can run the following commands to fix your internalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB -BasicAuthentication:$true

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging -BasicAuthentication:$true
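The underlying rule in all of the steps above is that the host in every https service URL must be covered by a name on the certificate. The following added example (not code from the original post or from Shudnow.net) performs that check offline against constructed data: the post's single-name certificate and the service URLs before and after the fix. It goes slightly beyond the post by also honouring wildcard names and SAN lists, so it can be pointed at a UC certificate as well.

```python
from urllib.parse import urlsplit

# Constructed sample data: the names on the "simple" certificate from the post
# (CN only, no SANs) and the Exchange service URLs before and after the fix.
CERT_NAMES = ["mail.shudnow.net"]

URLS_BEFORE = {
    "AutoDiscoverServiceInternalUri": "https://casnetbiosname/Autodiscover/Autodiscover.xml",
    "EWS InternalUrl": "https://casnetbiosname/EWS/Exchange.asmx",
    "OAB InternalUrl": "https://casnetbiosname/OAB",
}

URLS_AFTER = {
    "AutoDiscoverServiceInternalUri": "https://mail.shudnow.net/Autodiscover/Autodiscover.xml",
    "EWS InternalUrl": "https://mail.shudnow.net/EWS/Exchange.asmx",
    "OAB InternalUrl": "https://mail.shudnow.net/OAB",
}


def name_matches(cert_name, host):
    """True if a certificate name (CN or SAN dNSName) covers the host.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    left-most label (*.example.com) and matches exactly one label, the
    RFC 6125 rule; a bare NetBIOS name never matches a wildcard entry."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[2:]
    head, sep, tail = host.partition(".")
    return bool(sep) and head != "" and "*" not in head and tail == suffix


def check_urls(cert_names, urls):
    """Return {label: host} for every https URL whose host no cert name covers."""
    mismatches = {}
    for label, url in urls.items():
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            continue  # plain http never triggers the certificate dialog
        if not any(name_matches(n, parts.hostname) for n in cert_names):
            mismatches[label] = parts.hostname
    return mismatches


if __name__ == "__main__":
    for state, urls in (("before", URLS_BEFORE), ("after", URLS_AFTER)):
        bad = check_urls(CERT_NAMES, urls)
        print(f"{state}: {len(bad)} mismatched URL(s)")
        for label, host in bad.items():
            print(f"  {label}: host '{host}' is not on the certificate")
```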

Elan Shudnow :: Aug.10.2007 :: Exchange, Microsoft

8 comments:

colin said...

Thanks! This gave me exactly what I needed to fix a cert problem we were having!

stuart_bowen said...

when trying to enable services on a new certificate, i get

[PS] C:\Windows\System32>Enable-ExchangeCertificate C429313BBFBFF244D31FDB4EE060
3FF630100000 -Services:"POP,IMAP,UM,IIS,SMTP"
Enable-ExchangeCertificate : Service is not installed.
Parameter name: Services
At line:1 char:27
+ Enable-ExchangeCertificate <<<< C429313BBFBFF244D31FDB4EE0603FF630100000 -Se
rvices:"POP,IMAP,UM,IIS,SMTP"

any idea what the problem is

tsoorad said...

more than likely you don't have UM installed?

Stuart said...

Thanks. I found out last night just after posting, but I added them individually and it seemed to take the others (pop3, smtp, iis and imap). Still getting the warning in Outlook when connecting about 'name on certificate is invalid or doesn't match the name of the site'. I ran the enable-exchangecertificate against the new certificate that I ordered and installed and it is working fine for OWA.

Jabba said...

Good post.

Do I need ExchangeCertificate on the server at all?

I was just wondering..

tsoorad said...

Yes, if you want SSL, you need a cert. Otherwise, you can just open up port 80 and leave yourself open to all sorts of nefarious activity.

sivextien said...

There is another issue on SSL certificates with the Outlook 2007 client.

When you create an SSL certificate with a SAN, make sure the mail server URL stays at the top of the others (i.e. mail.mydomain.com); otherwise the Outlook 2k7 client will issue the warning "The target principal name is incorrect". The only workaround is to reissue the CA, which is a little bit complicated.
MS doesn't provide a patch for this and only fixes it in Outlook 2010.

Unknown said...

I'm getting the same thing on Outlook 2010.
