New exchange 2013 server new outlook problems

After my Exchange 2010 server crashed earlier this week I decided to go ahead and set up an Exchange 2013 server. I completed the setup and installed the SSL certificate but I am having issues with Outlook connecting. I can manage to get my account set up in Outlook but every time I open it I receive the error in the pic.

March 20th, 2015 9:37am

Sounds like you need to change your virtual directories to match the cert you have. Here are a few things that should help with your issue.

These first links do a pretty good job of explaining how to plan what names need to be on your certificate.

http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx

http://exchangeserverpro.com/exchange-server-2013-ssl-certificates/

Here's another forum post that should be some help as well with changing the required directories.

https://social.technet.microsoft.com/Forums/exchange/en-US/34c86143-a6ed-4f1c-a668-deb3395102e3/ssl-certificate?forum=exchangesvrclients

March 20th, 2015 10:15am

Looking at my server in the Exchange Admin Center I see four Certificates.

Godaddy: has the SMTP, IMAP, POP, and IIS services checked

MS Exchange Server Auth Certificate: has the SMTP service checked.

MS Exchange: has SMTP and IIS checked

WMSVC: does not have any services checked.

It seems odd to me that some of the services are assigned to multiple certificates.

March 20th, 2015 11:57am

That should be ok... One other thing to run is Get-OutlookProvider and see if there are any certs assigned here.
March 20th, 2015 1:50pm

Here are the results of Get-OutlookProvider.

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1

March 23rd, 2015 8:30am

can you run:

Get-ClientAccessServer | select identity, *autodiscover*

Get-OutlookAnywhere | select servername, *host*

March 23rd, 2015 8:50am

Get-ClientAccessServer | Select Servername, *host*

Identity                       : servername
AutoDiscoverServiceCN          : servername
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://servername.domain.local/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

Get-OutlookAnywhere | Select servername, *host*

ServerName                              ExternalHostname                        InternalHostname
----------                              ----------------                        ----------------
server                                mail.domain.org                         mail.domain.org

March 23rd, 2015 9:03am

I should also add that we are not having any issues connecting devices such as cell phones and iPads to this.
March 23rd, 2015 9:04am

Get-ClientAccessServer | Select Servername, *host*

Identity                       : servername
AutoDiscoverServiceCN          : servername
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://servername.domain.local/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

Get-OutlookAnywhere | Select servername, *host*

ServerName                              ExternalHostname                        InternalHostname
----------                              ----------------                        ----------------
server                                mail.domain.org                         mail.domain.org

Ok, the AutodiscoverServiceInternalURi is the issue here. It is still set to domain.local, which is why you are getting the error.

To fix it you can Run:

Set-ClientAccessServer <servername> -AutodiscoverServiceInternalURi "https://mail.domain.org/Autodiscover/autodiscover.xml"

March 23rd, 2015 9:06am

Results


Identity                       : server
AutoDiscoverServiceCN          : server
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.domain.org/Autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}

March 23rd, 2015 9:11am

That should take care of it.
March 23rd, 2015 9:46am

That does seem to have helped; however, they are still getting the message below when they open Outlook. If they click yes they are able to continue. My SSL cert is for mail.domain.org, www.mail.domain.org, activesync.domain.org, and autodiscover.domain.org. Should I also add server.domain.local to the certificate?

March 23rd, 2015 9:50am

This is what the server settings look like in the account settings. This is very different from what they were.

March 23rd, 2015 9:51am

Give IIS a recycle and give it some time. Outlook needs to query autodiscover again for settings. It's not usually instantaneous. I forget the actual interval, I think it's every couple of hours or so.

Also, you can't add any TLD to an external cert that is not publicly accessible. To test this, if you create a new profile do you get the cert error?

 
March 23rd, 2015 9:57am

I re-booted the server and I still receive the error message.

Yes, If I create a new profile I get the cert error.

March 23rd, 2015 10:40am

Should I also add server.domain.local to the certificate?


It's usually recommended to NOT add your internal hostname to the cert.
March 23rd, 2015 10:41am

I re-booted the server and I still receive the error message.

Yes, If I create a new profile I get the cert error.

Now it's a matter of Outlook querying autodiscover again.  The new profile not prompting is a good sign that it should be corrected.
March 23rd, 2015 11:14am

As I stated above, a new profile DOES get the cert error.
March 23rd, 2015 11:19am

I am not sure if this will help but I went back and ran Get-OutlookProvider. Here are the results.

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1

March 23rd, 2015 11:23am

How many CAS servers (any version) do you have? 
March 23rd, 2015 1:00pm


Hi,

In your case, I recommend you disable the third-party add-ins and check the result.

1. Use Outlook safe mode to help isolate the issue.

2. Check for third-party COM add-ins and disable them.

For more information, here is a helpful KB for your reference.

https://support.microsoft.com/en-us/kb/923575

Hope this can be helpful to you.

Best regards,

March 24th, 2015 5:02am

This is what the server settings look like in the account settings. This is very different from what they were.

I just looked harder at this screen shot. What are the primary email addresses in your domain? Are they username@domain.local? or username@domain.org?

Do you have any email address policies in place?

March 24th, 2015 9:44am

We have one exchange server period in our environment.

Our Primary email addresses are username@domain.org.

March 24th, 2015 2:55pm

What if you get the certificate re-issued from your CA (GoDaddy)?  I know a lot of CAs will offer to re-issue your cert for free; you'd have to go through the cert request process again, but then you'd be generating the info from the new Exchange 2013 server and not recycling the cert from Exchange 2010.

A work around would be to push the cert out through group policy to the clients; once it's in their personal cert store, it shouldn't throw the hostname cert mismatch error when they open Outlook.  I've done this in the past with self-signed certs.

How is OWA working; any cert errors there?

March 24th, 2015 3:21pm

I went through the process of re-issuing the cert when I set up the new server so the cert should be good.

OWA does not give any cert errors.

March 24th, 2015 3:26pm

Has to still be something with the URLs your Exchange server is advertising.  Run the following command in the shell:

Get-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" | FL

In the output, look for "InternalUrl" and "ExternalUrl"; do they say https://servername.domain.local/EWS/Exchange.asmx or do they say https://mail.domain.org/EWS/Exchange.asmx ?  If it shows the internal FQDN, you'll need to change that to mail.domain.org like you did for autodiscover.  Give the link below a look, I really think it will help you with your setup.  If I understand correctly, you're using a SSL cert and not a SAN/UC cert, which matches what this article talks about.  Let us know how it goes and good luck.

http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/

March 24th, 2015 4:39pm

Here is the output. I can see a couple places where this may need to be changed.

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" | FL


RunspaceId                      : 6b83ecd1-412e-4aa5-b729-9ffc85efffd9
CertificateAuthentication       :
InternalNLBBypassUrl            :
GzipLevel                       : Low
MRSProxyEnabled                 : False
Name                            : EWS (Default Web Site)
InternalAuthenticationMethods   : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods   : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication   :
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : False
DigestAuthentication            : False
WindowsAuthentication           : True
OAuthAuthentication             : True
AdfsAuthentication              : False
MetabasePath                    : IIS://server.domain.local/W3SVC/1/ROOT/EWS
Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
AdminDisplayVersion             : Version 15.0 (Build 847.32)
Server                          : server
InternalUrl                     : https://server.domain.local/EWS/Exchange.asmx
ExternalUrl                     : https://mail.domain.org/EWS/Exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH2010,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                  Groups,CN=domain,CN=Microsoft
                                  Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : server\EWS (Default Web Site)
Guid                            : 04543764-0089-4c58-9f4b-f33471bfe935
ObjectCategory                  : domain.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 3/20/2015 10:59:32 AM
WhenCreated                     : 3/19/2015 6:07:09 PM
WhenChangedUTC                  : 3/20/2015 3:59:32 PM
WhenCreatedUTC                  : 3/19/2015 11:07:09 PM
OrganizationId                  :
OriginatingServer               : domaincontroller.domain.local
IsValid                         : True
ObjectState                     : Changed

March 24th, 2015 4:52pm

Yes, your internal url is referencing server.domain.local.  The commands to change this are contained in the link I mentioned before, but here it is again.  I think after you get the various URLs ironed out, your cert error will go away.

http://exchangeserverpro.com/avoiding-exchange-2013-server-names-ssl-certificates/

March 24th, 2015 9:33pm

And the certificate I am using is a Standard UCC SSL certificate if that changes anything.
March 25th, 2015 10:16am

It shouldn't.
March 25th, 2015 10:20am

Here is how the output looks now. It seems to have cleared up the certificate issue but now I have no mail flow in or out.

RunspaceId                      : 6b83ecd1-412e-4aa5-b729-9ffc85efffd9
CertificateAuthentication       :
InternalNLBBypassUrl            :
GzipLevel                       : Low
MRSProxyEnabled                 : False
Name                            : EWS (Default Web Site)
InternalAuthenticationMethods   : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods   : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
LiveIdNegotiateAuthentication   :
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : False
DigestAuthentication            : False
WindowsAuthentication           : True
OAuthAuthentication             : True
AdfsAuthentication              : False
MetabasePath                    : IIS://server.domain.local/W3SVC/1/ROOT/EWS
Path                            : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
AdminDisplayVersion             : Version 15.0 (Build 847.32)
Server                          : server
InternalUrl                     : https://mail.domain.org/EWS/Exchange.asmx
ExternalUrl                     : https://mail.domain.org/EWS/Exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH2010,CN=Servers,CN=Exchange
                                  Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                  Groups,CN=domain,CN=Microsoft
                                  Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                        : server\EWS (Default Web Site)
Guid                            : 04543764-0089-4c58-9f4b-f33471bfe935
ObjectCategory                  : domain.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 3/20/2015 10:59:32 AM
WhenCreated                     : 3/19/2015 6:07:09 PM
WhenChangedUTC                  : 3/20/2015 3:59:32 PM
WhenCreatedUTC                  : 3/19/2015 11:07:09 PM
OrganizationId                  :
OriginatingServer               : domaincontroller.domain.local
IsValid                         : True
ObjectState                     : Changed

March 25th, 2015 7:00pm

Mail flow is back up and it had nothing to do with changing the internal URL. But I am still getting the certificate error.
March 26th, 2015 9:12am

Were the web services recycled (ie. IISRESET)? If not, do that.  Did you follow all of the steps outlined in the Exchange Server Pro article?  Are you using split brain DNS? Can internal hosts resolve the mail.domain.org hostname?  Try running ExBPA and see if that throws any warnings or errors.
March 26th, 2015 9:42am

Just had to be patient. I have not been seeing the cert error for a few hours now. And mail is flowing as expected. Thanks everyone.
March 26th, 2015 2:53pm

Glad to hear you got it working.
March 26th, 2015 3:39pm
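
The fix in this thread came down to finding each URL the server advertises to Outlook that still used the internal .local name. As an added example (not part of the original thread), this Exchange Management Shell script lists those URLs in one pass and flags any hostname that is missing from the certificate assigned to IIS. The helper names Test-NameCovered and Add-Row are hypothetical, and the script assumes a single valid CA-issued certificate has IIS assigned.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2013 server.
# Assumption: one valid, non-self-signed certificate has the IIS service assigned.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned -and
                   "$($_.Status)" -eq 'Valid' } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid CA-issued certificate is assigned to IIS.' }
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# True when the hostname equals a certificate name or matches a one-label wildcard.
function Test-NameCovered([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Record one advertised value; accepts either a full URL or a bare hostname.
$rows = New-Object System.Collections.ArrayList
function Add-Row($Source, $Setting, $Value) {
    $text = "$Value"
    if (-not $text) { return }               # unset values are not advertised
    $hostName = if ($text -match '^https?://') { ([uri]$text).Host } else { $text }
    [void]$rows.Add([pscustomobject]@{
        Source   = "$Source"
        Setting  = $Setting
        HostName = $hostName
        Covered  = Test-NameCovered $hostName
    })
}

Get-ClientAccessServer | ForEach-Object {
    Add-Row 'Autodiscover SCP' 'AutoDiscoverServiceInternalUri' $_.AutoDiscoverServiceInternalUri
}
Get-OutlookAnywhere | ForEach-Object {
    Add-Row 'Outlook Anywhere' 'InternalHostname' $_.InternalHostname
    Add-Row 'Outlook Anywhere' 'ExternalHostname' $_.ExternalHostname
}
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-OabVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    & $cmd | ForEach-Object {
        Add-Row $_.Identity 'InternalUrl' $_.InternalUrl
        Add-Row $_.Identity 'ExternalUrl' $_.ExternalUrl
    }
}

# Rows with Covered = False are the ones that produce the Outlook name-mismatch prompt.
$rows | Sort-Object Covered | Format-Table -AutoSize
```

Any row showing Covered as False points at a setting that still advertises a name the certificate does not carry, such as the server.domain.local EWS InternalUrl found earlier in the thread.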

This topic is archived. No further replies will be accepted.
