Exchange 2007 certificate problem
I have a third-party certificate on my Exchange 2007 configuration. OA and OWA work fine from outside the LAN. Internally, however, I get "certificate has expired" and "name on the certificate is invalid or does not match the name of the site" errors. When I click on view certificate, the certificate listed is issued to "localhost.localdomain" and issued by "localhost.localdomain". Please help. I have changed all references on Exchange from the NetBIOS name to the public name of the server, e.g. mail.mydomain.com, which is also the name on the certificate.
July 6th, 2010 2:46pm

Hi, can you run Get-ExchangeCertificate | fl and post the result in here?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
July 6th, 2010 3:48pm

Hi Jonas, Thanks for the swift response. Here's the output. I have replaced my domain with mydomain.co.za.

[PS] C:\Documents and Settings\Administrator>get-exchangecertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex, winserv2-ex.mydomain.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=winserv2-ex
NotAfter           : 2011/05/04 11:13:49 AM
NotBefore          : 2010/05/04 11:13:49 AM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 83E9F452CCF20C8345C2E9F034A66303
Services           : SMTP
Status             : Valid
Subject            : CN=winserv2-ex
Thumbprint         : 8E6FAF90453CF82670E8F45C520B162DB864BE91

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex.mydomain.co.za}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
NotAfter           : 2011/04/19 05:54:01 PM
NotBefore          : 2010/04/19 05:54:01 PM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 3A662E66000000000007
Services           : None
Status             : Valid
Subject            : CN=winserv2-ex.mydomain.co.za
Thumbprint         : 7EA1873B05194B07F6BD9A85C5C6331525EFE66C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.mydomain.co.za, mydomain.co.za}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=StartCom Class 1 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
NotAfter           : 2011/02/11 10:53:42 PM
NotBefore          : 2010/02/11 07:47:41 AM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 013148
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : E=webmaster@mydomain.co.za, CN=webmail.mydomain.co.za, OU=StartCom Free Certificate Member, O=Persona Not Validated, C=ZA, Description=145793-a2dpA6k689Q06H8Z
Thumbprint         : 51D10ACE9FC5E59472FAFFAB481FC29B2F54B1AC

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.mydomain.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
NotAfter           : 2014/02/11 04:25:19 PM
NotBefore          : 2009/02/11 04:17:27 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 188475C758A283B4407DDEB802170D20
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=webmail.mydomain.co.za, DC=d-v, DC=co, DC=za
Thumbprint         : 1F54DE25C7B8D7F2E1CA259868E0D5C17D1EC9C9

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {winserv2-ex.mydomain.co.za}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=winserv2-ex.mydomain.co.za, O="", L=Gauteng, S=Gauteng, C=ZA
NotAfter           : 2009/08/04 05:04:40 PM
NotBefore          : 2008/08/04 11:04:40 AM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 9BF0F06BA38014984DFBD8121901ACBF
Services           : None
Status             : Invalid
Subject            : CN=winserv2-ex.mydomain.co.za, O="", L=Gauteng, S=Gauteng, C=ZA
Thumbprint         : 151FD5A3AA9055E2E8B4C2EB3E1F03AA995350FD

[PS] C:\Documents and Settings\Administrator>
July 6th, 2010 4:46pm

I'm guessing that you want to use mail.mydomain.com internally as well? Have you also set the AutoDiscoverServiceInternalUri? You can check this by running the following command and look for the value of the AutoDiscoverServiceInternalUri parameter:

Get-ClientAccessServer | fl

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
July 6th, 2010 5:00pm

Hi Martin, I ran the Set-ClientAccessServer commands on a previous occasion. This is the output of the get request:

[PS] C:\Documents and Settings\Administrator>Get-ClientAccessServer | fl

Name                           : WINSERV2-EX
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : winserv2-ex
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://webmail.mydomain.co.za/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : winserv2-ex.mydomain.co.za
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=WINSERV2-EX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=co,DC=za
Identity                       : WINSERV2-EX
Guid                           : e5edc133-a6fa-4468-804a-46b9def26fa9
ObjectCategory                 : d-v.co.za/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 2010/05/17 11:51:13 AM
WhenCreated                    : 2007/08/03 03:37:38 PM
July 6th, 2010 5:12pm

Hi, in your DNS internally, do you have one zone called mydomain.co.za?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
July 6th, 2010 5:27pm

Hi Jonas, Yes I do, and have an entry for webmail.
July 6th, 2010 5:31pm

Pointing directly to your CAS server/CAS Array?
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog: http://www.testlabs.se/blog
July 6th, 2010 5:38pm

Great, please check the InternalUrl parameter that you get when running the following commands and make sure that they are set to mail.mydomain.co.za:

Get-AutodiscoverVirtualDirectory | fl
Get-WebServicesVirtualDirectory | fl
Get-OABVirtualDirectory | fl

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
July 6th, 2010 5:40pm

Hi, Yes, it's pointing directly at the CAS server. We have a single-server deployment. All the roles are on this server.
July 6th, 2010 5:51pm

Hi, Here's the output:

[PS] C:\Documents and Settings\Administrator>Get-AutodiscoverVirtualDirectory | fl

Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : WINSERV2-EX
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=WINSERV2-EX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=d-v,DC=co,DC=za
Identity                      : WINSERV2-EX\Autodiscover (Default Web Site)
Guid                          : 74ee0dec-9507-4d3e-a130-7f3e13ed1ee2
ObjectCategory                : mydomain.co.za/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 2007/08/03 03:52:40 PM
WhenCreated                   : 2007/08/03 03:52:40 PM
OriginatingServer             : winserv2-ex.mydomain.co.za
IsValid                       : True

[PS] C:\Documents and Settings\Administrator>Get-WebServicesVirtualDirectory | fl

InternalNLBBypassUrl          : https://winserv2-ex.mydomain.co.za/ews/exchange.asmx
Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/EWS
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server                        : WINSERV2-EX
InternalUrl                   : https://webmail.mydomain.co.za/ews/exchange.asmx
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=WINSERV2-EX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=co,DC=za
Identity                      : WINSERV2-EX\EWS (Default Web Site)
Guid                          : f85203ad-7080-4102-8378-f34a4ef525f5
ObjectCategory                : mydomain.co.za/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                   : 2010/05/17 12:01:40 PM
WhenCreated                   : 2007/08/03 03:53:35 PM
OriginatingServer             : winserv2-ex.mydomain.co.za
IsValid                       : True

[PS] C:\Documents and Settings\Administrator>
[PS] C:\Documents and Settings\Administrator>Get-OABVirtualDirectory | fl

Name                          : OAB (Default Web Site)
PollInterval                  : 480
OfflineAddressBooks           : {Default Offline Address Book}
RequireSSL                    : True
BasicAuthentication           : False
WindowsAuthentication         : True
MetabasePath                  : IIS://winserv2-ex.mydomain.co.za/W3SVC/1/ROOT/OAB
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB
Server                        : WINSERV2-EX
InternalUrl                   : https://webmail.mydomain.co.za/oab
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl                   :
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=WINSERV2-EX,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=co,DC=za
Identity                      : WINSERV2-EX\OAB (Default Web Site)
Guid                          : a7e41738-f822-4c04-a089-589225e02306
ObjectCategory                : mydomain.co.za/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
WhenChanged                   : 2010/02/11 11:11:55 AM
WhenCreated                   : 2007/08/03 03:52:19 PM
OriginatingServer             : winserv2-ex.mydomain.co.za
IsValid                       : True

[PS] C:\Documents and Settings\Administrator>
July 6th, 2010 5:57pm

Ok, you should set the External Url with the following commands:

Set-WebServicesVirtualDirectory -ExternalUrl "https://webmail.mydomain.co.za/ews/exchange.asmx"
Set-OABVirtualDirectory -ExternalUrl "https://webmail.mydomain.co.za/oab"

Also, have you set autodiscover SRV records for mydomain.co.za in both internal and external DNS?

Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
July 7th, 2010 9:47am

I do not have autodiscover SRV records. I have never had to do anything around autodiscover. I'm a consultant and deal with several clients. This implementation works at all my other sites except this particular one. I will try the set-external urls. But remember, this issue only affects Outlook and Office Web Access within the LAN.
July 7th, 2010 6:06pm

Is there anything about this implementation that differs from the other ones you have done? Since the other implementations are working...
Martin Sundström | Microsoft Certified Trainer | MCITP: Enterprise Messaging Administrator 2007/2010 | http://msundis.wordpress.com
July 8th, 2010 9:25am

Hi, Please try to press Ctrl+right click on the Outlook icon in the System Tray, select Test E-mail AutoConfiguration, click the Test button, then post the information shown under the Results tab here. Additionally, what URL did you use for OWA?
Thanks
Allen
July 8th, 2010 10:05am

As far as I can tell, the difference could be in deleting the original self-signed certificate. But I have regenerated a new one since then.
July 12th, 2010 2:17pm

What really beats me is that the certificate is issued to localhost.localdomain by localhost.localdomain. It's the first such error I've come across.
July 12th, 2010 3:07pm

OWA: https://webmail.mydomain.co.za/owa
July 12th, 2010 3:08pm

Autodiscover fails with the following errors:

autodiscover to https://webmail.mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x0800c8203)
autodiscover request completed with http status code 404
autodiscover to https://mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x080004005)
autodiscover to https://autodiscover.mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x80004005)
Local autodiscover for mydomain.co.za FAILED (0x8004010F)
SRV Record lookup for d-v.co.za FAILED (0x8004010F)
July 12th, 2010 3:17pm

404 means webmail.mydomain.co.za is not found. Start with DNS.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."

"Xisingwana [MCSE]" wrote in message news:56a6abdf-2aed-424d-a850-a9f576375196...

Autodiscover fails with the following errors:
autodiscover to https://webmail.mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x0800c8203)
autodiscover request completed with http status code 404
autodiscover to https://mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x080004005)
autodiscover to https://autodiscover.mydomain.co.za/autodiscover/autodiscover.xml FAILED (0x80004005)
Local autodiscover for mydomain.co.za FAILED (0x8004010F)
SRV Record lookup for d-v.co.za FAILED (0x8004010F)
July 12th, 2010 5:37pm

Hi, Please check whether the webmail.mydomain.co.za record exists in the internal DNS.
Thanks
Allen
July 13th, 2010 11:08am

Oh, sorry. Sorted. What led me to the solution was that the returned certificate was localhost.localdomain, which happens to be the default Linux certificate, which happens to be our firewall, which runs the proxy server. Set GPOs to bypass the proxy for local IP addresses and that solved the problem. Thanks.
August 25th, 2010 7:29pm
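
A check that narrows this kind of fault down quickly, given here as an added example that is not part of the original thread: it reads the certificate the server presents on a direct connection, compares it with the thumbprint of the IIS-enabled certificate posted above, and reports whether the user's proxy settings would send the same URL through a proxy. The function names are illustrative, and it assumes PowerShell 2.0 or later on an internal workstation.

```powershell
# Added example, not from the thread. Run on an affected internal workstation.
# Host name and thumbprint are the values posted in this thread.
$HostName = 'webmail.mydomain.co.za'
$Expected = '51D10ACE9FC5E59472FAFFAB481FC29B2F54B1AC'  # entry with Services: IIS

function Get-ServedCertificate {
    param([string]$Name, [int]$Port = 443)
    # Raw TCP connection: not affected by the user's proxy settings.
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept whatever is presented so an unexpected certificate can be inspected.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-ProxyRoute {
    param([Uri]$Uri)
    # Reads the current user's system (Internet Options / GPO) proxy settings.
    $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    if ($proxy.IsBypassed($Uri)) { 'direct' } else { $proxy.GetProxy($Uri).AbsoluteUri }
}

$cert = Get-ServedCertificate -Name $HostName
New-Object PSObject -Property @{
    Subject           = $cert.Subject
    Issuer            = $cert.Issuer
    NotAfter          = $cert.NotAfter
    ThumbprintMatches = ($cert.Thumbprint -eq $Expected)
    BrowserRoute      = Get-ProxyRoute -Uri "https://$HostName/owa"
} | Format-List

# Reading the result:
#  - ThumbprintMatches True, BrowserRoute is a proxy address, and the browser
#    still shows a different certificate: the proxy path is answering, which
#    is what this thread found. Add a proxy bypass for internal addresses.
#  - ThumbprintMatches False on the direct connection: the name resolves to a
#    host other than the Exchange server, so check internal DNS first.
```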

This topic is archived. No further replies will be accepted.
