Outlook Client Certificate Issue

When I start Outlook 2013, my client connects to Exchange 2013 and runs for about 30 seconds. Once it hits 30 seconds, I get a Security Alert dialog that has the internal server name "mail.domain.local" and a red "X" next to "The name of the security certificate is invalid or does not match the name of the site." The client connects properly, and autodiscover works.

I did the Test E-Mail AutoConfiguration Settings on my outlook client and all URLs point to https://mail.externaldomain.com as they should. I copied the XML data and could not find "mail.domain.local" or the internal server name in any of it.

All virtual directories including autodiscover (and the non-virtual directory autodiscover) are set to mail.externaldomain.com and work as they should.

April 21st, 2015 12:27pm

Have you checked the Exchange certificates you're using for services? This can be done in EMC and EMS.

EMC: Click 'Server Configuration' and run through your servers in this list to view what certs you have assigned to what services (if any).

EMS:

$servers = (Get-ExchangeServer).Name

# Pass -Server explicitly; without it the cmdlet only reports the server you are logged on to.
ForEach ($server in $servers) {
    Get-ExchangeCertificate -Server $server | fl AccessRules,CertificateDomains,IsSelfSigned,Issuer,Services,Status,Subject
}

Both of these will display your Exchange Certificates. To me it sounds like a certificate issue assigned to your CAS'. But, let me know.

April 21st, 2015 12:36pm
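The checks the replies above ask for by hand (which certificate carries the IIS service on each server, and whether it covers every hostname Autodiscover can hand to Outlook) can be run as one script. This is an added example, not code from the thread; it assumes an Exchange 2013 Management Shell session and uses the same cmdlets the thread runs later (Get-*VirtualDirectory, Get-ClientAccessServer, Get-OutlookAnywhere). Hostnames are the thread's placeholders.

```powershell
# Added example, not code from the thread. Assumes an Exchange 2013 Management Shell
# session with rights to read server configuration.

function Get-ExpectedClientHostNames {
    # Every hostname Autodiscover can hand to Outlook. Any of these missing from the
    # IIS-bound certificate produces the "name ... does not match" alert.
    $names = @(foreach ($cmdlet in 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
                                    'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
                                    'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory') {
        & $cmdlet | ForEach-Object { $_.InternalUrl; $_.ExternalUrl } |
            Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host }
    })
    $names += Get-ClientAccessServer | ForEach-Object { ([Uri]"$($_.AutoDiscoverServiceInternalUri)").Host }
    $names += Get-OutlookAnywhere | ForEach-Object { "$($_.InternalHostname)"; "$($_.ExternalHostname)" }
    $names | Where-Object { $_ } | Sort-Object -Unique
}

function Test-IisCertificateCoverage {
    $expected = Get-ExpectedClientHostNames
    foreach ($server in (Get-ExchangeServer).Name) {
        # More than one certificate can show IIS: the self-signed one serves the
        # Exchange Back End site (port 444), the CA-issued one the Default Web Site.
        $iisCerts = Get-ExchangeCertificate -Server $server |
            Where-Object { "$($_.Services)" -match '\bIIS\b' }
        foreach ($cert in $iisCerts) {
            $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
            foreach ($name in $expected) {
                # -like handles *.domain.com entries; it is looser than the single-label
                # wildcard rule clients apply, so treat a wildcard match as "probably".
                $covered = [bool]($domains | Where-Object { $name -like $_ })
                [pscustomobject]@{
                    Server     = $server
                    Thumbprint = $cert.Thumbprint
                    SelfSigned = $cert.IsSelfSigned
                    Subject    = $cert.Subject
                    Name       = $name
                    Covered    = $covered
                }
            }
        }
    }
}

# Hostnames a client might be sent to that the CA-issued IIS certificate does not cover:
Test-IisCertificateCoverage |
    Where-Object { -not $_.Covered -and -not $_.SelfSigned } |
    Format-Table Server, Name, Subject -AutoSize
```

On the configuration shown later in the thread (every URL on mail.domain.com, a GoDaddy certificate with mail.domain.com and autodiscover.domain.com) this prints nothing, which is the same conclusion the respondents reach: the server-side names are consistent, so the stray mail.domain.local request has to be found on the client side.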

I should say that when I select view certificate, it shows up with the GoDaddy cert.

Output from Server:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.domain.com, www.mail.domain.com, autodiscover.domain.com}
IsSelfSigned       : False
Issuer             : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/,
                     O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=mail.domain.com, OU=Domain Control Validated

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {}
IsSelfSigned       : True
Issuer             : CN=Microsoft Exchange Server Auth Certificate
Services           : SMTP
Status             : Valid
Subject            : CN=Microsoft Exchange Server Auth Certificate

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail-server, mail-server.domain.local}
IsSelfSigned       : True
Issuer             : CN=mail-server
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=mail-server

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-MAIL-SERVER}
IsSelfSigned       : True
Issuer             : CN=WMSvc-MAIL-SERVER
Services           : None
Status             : Valid
Subject            : CN=WMSvc-MAIL-SERVER

April 21st, 2015 1:03pm

Here are my URLs.

[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\Autodiscover (Default Web Site)
InternalUrl : https://mail.domain.com/autodiscover
ExternalUrl : https://mail.domain.com/autodiscover

[PS] C:\Windows\system32>Get-webservicesVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\EWS (Default Web Site)
InternalUrl : https://mail.domain.com/ews/exchange.asmx
ExternalUrl : https://mail.domain.com/ews/exchange.asmx

[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\OAB (Default Web Site)
InternalUrl : https://mail.domain.com/OAB
ExternalUrl : https://mail.domain.com/OAB

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\owa (Default Web Site)
InternalUrl : https://mail.domain.com/owa
ExternalUrl : https://mail.domain.com/owa

[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\ecp (Default Web Site)
InternalUrl : https://mail.domain.com/ECP
ExternalUrl : https://mail.domain.com/ECP

[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl Identity,InternalURL,ExternalUrl
Identity    : MAIL-SERVER\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl : https://mail.domain.com/Microsoft-Server-ActiveSync

[PS] C:\Windows\system32>Get-ClientAccessServer | fl Identity,AutoDiscoverServiceInternalUri
Identity                       : MAIL-SERVER
AutoDiscoverServiceInternalUri : https://mail.domain.com/Autodiscover/Autodiscover.xml


April 21st, 2015 1:58pm

Can you run Get-OutlookProvider and post the results?
April 21st, 2015 2:19pm

Is this a single server Exchange deployment? Are there previous versions of Exchange Deployed?

Also are there multiple Active Directory sites? Is AD replication working properly?

As this is Exchange 2013, you can also verify the Outlook Anywhere settings:

Get-OutlookAnywhere | select internalhostname,externalhostname

April 21st, 2015 8:29pm

@Hinte: 

[PS] C:\Windows\system32>Get-OutlookProvider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                                                      1
WEB                                                                                       1


April 22nd, 2015 7:59am

@Sean Greenlee:

This is the only Exchange Server. I couldn't find any previous versions of Exchange in ADSI. There is only one AD Site and only one Domain Controller in this site. I checked the SCP in Sites and Services and it is pointing to mail.domain.com.

[PS] C:\Windows\system32>Get-OutlookAnywhere | select internalhostname,externalhostname

InternalHostname                                            ExternalHostname
----------------                                            ----------------
mail.domain.com                                          mail.domain.com

April 22nd, 2015 7:59am

Hi,

I noticed that there are two Exchange certificates enabled for the IIS service. Please remove/delete the self-signed certificate (mail-server.domain.local) that is enabled for the IIS service and check whether the issue persists.

Regards,

April 22nd, 2015 8:52am

I deleted the Self Signed Cert yesterday and the issue still occurs. That portion can be ignored. I also performed an IISReset.
April 22nd, 2015 9:12am

If you navigate to the ECP or OWA from this same machine in a web browser do you get any certificate errors? If you click on the certificate itself does it validate properly? When you installed the GoDaddy Certificate, did you also install the appropriate intermediate certificates? From the Exchange Server side your configuration appears to be correct. If everything checks out with the certificate, then I would suggest running a Fiddler trace while launching Outlook: http://www.telerik.com/fiddler. You can also use the option to decrypt the SSL traffic: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS. Once you have the trace running, you can look for any traffic going to the internal server name, and attempt to determine what that traffic is.
April 22nd, 2015 9:32am
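The two questions in the reply above (does the name the client asked for match the certificate, and is the intermediate chain complete) can be answered from any Windows machine without Fiddler by opening a TLS connection and inspecting what the server returns. This is an added example, not code from the thread; it uses only .NET classes available in Windows PowerShell 3 and later, and the hostnames are the thread's placeholders. The second call sends the internal name from the alert while connecting to the public host, which reproduces the condition the dialog reports.

```powershell
# Added example, not code from the thread. Needs no Exchange cmdlets, only network
# access to the server on 443. Hostnames are the thread's placeholders.

function Test-DnsNameMatch {
    # RFC 6125 style: exact match, or a '*.' wildcard covering exactly one left-most label.
    param([string]$Name, [string]$Pattern)
    if ($Pattern -ieq $Name) { return $true }
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)                       # ".domain.com"
    if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($label.Length -gt 0 -and $label -notmatch '\.')
}

function Get-TlsNameCheck {
    param(
        [Parameter(Mandatory)][string]$HostName,   # name the client asks for (SNI + name check)
        [string]$ConnectTo = $HostName,            # socket target, e.g. the internal address
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    $ssl = $null
    try {
        # Accept any certificate at the TLS layer so we can inspect it and report
        # why a client would complain, instead of getting a bare exception.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Names the certificate is valid for: subject CN plus every DNS SAN entry.
    # (Format() output is localized; the regex assumes an English system.)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # Chain build with revocation off so it works offline. PartialChain here means the
    # intermediate is neither sent by the server nor present in the local store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Requested   = $HostName
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Names       = ($names | Sort-Object -Unique)
        NameMatches = [bool]($names | Where-Object { Test-DnsNameMatch -Name $HostName -Pattern $_ })
        ChainValid  = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter    = $cert.NotAfter
    }
}

# The name Outlook is configured for, then the name that appeared in the alert:
Get-TlsNameCheck -HostName 'mail.domain.com'
Get-TlsNameCheck -HostName 'mail.domain.local' -ConnectTo 'mail.domain.com'
```

NameMatches is false for the second call whenever the served certificate lists only the public names, which is exactly the red "X" in the dialog; ChainStatus naming PartialChain on the first call points at the missing intermediate the reply asks about.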

Thanks for the output. I don't think you have to worry about the self-signed certificate being assigned to IIS. I checked a multi-role installation I did yesterday, and I saw the same thing with my certificates. I checked the bindings in IIS and the self-signed one was assigned to the Exchange Back End website, so that should probably be left alone. Also, if you check the bindings on the Default Web Site you should see your GoDaddy cert bound there.

Anyway, it looks like you don't have a cert selected in your Outlook provider. I have seen mixed results with not having a cert specified here. I would try the following:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:mail.domain.com
Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:mail.domain.com

What this does is tell Outlook to accept only a certificate with the mail.domain.com subject.

If it doesn't work or creates more problems you can roll the change back by changing the msstd:mail.domain.com to $null.

April 22nd, 2015 9:42am
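Because the thread shows this change can stop Outlook connecting until it is reverted, it is worth making it in a way that checks the name first and keeps an exact rollback. The following is an added example, not code from the thread; it assumes an Exchange 2013 Management Shell and the thread's hostname (mail.domain.com). It refuses to pin a name that no CA-issued, IIS-bound certificate carries as its subject CN, records each provider's current CertPrincipalName, and returns a script block that restores those values (including $null).

```powershell
# Added example, not code from the thread. Assumes an Exchange 2013 Management Shell.

function Set-OutlookProviderCertPin {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string[]]$Providers = @('EXCH', 'EXPR')
    )
    # msstd: is compared against the certificate subject, so require a CN match on a
    # CA-issued certificate that IIS actually serves; anything else locks clients out.
    $cns = Get-ExchangeCertificate |
        Where-Object { "$($_.Services)" -match '\bIIS\b' -and -not $_.IsSelfSigned } |
        ForEach-Object { if ($_.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } }
    if ($cns -notcontains $HostName) {
        throw "No CA-issued IIS certificate has CN=$HostName (found: $($cns -join ', ')); not pinning."
    }

    # Remember what each provider had before touching it.
    $previous = @{}
    foreach ($p in $Providers) {
        $previous[$p] = (Get-OutlookProvider -Identity $p).CertPrincipalName
        Set-OutlookProvider -Identity $p -CertPrincipalName "msstd:$HostName"
    }
    Get-OutlookProvider | Format-Table Name, Server, CertPrincipalName, TTL -AutoSize | Out-Host

    # Rollback restores the exact prior values, $null included (the thread's final state).
    return {
        foreach ($p in $previous.Keys) {
            Set-OutlookProvider -Identity $p -CertPrincipalName $previous[$p]
        }
    }.GetNewClosure()
}

$undo = Set-OutlookProviderCertPin -HostName 'mail.domain.com'
# Restart Outlook and test. If clients stop connecting, revert with:
& $undo
```

Outlook caches the provider settings, so a client restart is needed after both the change and the rollback before the effect is visible, which matches what the original poster reports doing.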

@Hinte: I tried those commands and that disconnected Outlook, but it appeared to force a change that fixed the issue. It gave me the error before I manually set the certs; after I set the certs, it couldn't connect to Exchange. When I put them back to null, it could connect and I did not get the certificate issue after restarting Outlook and IIS.

Thank you everyone for the assistance!

April 22nd, 2015 11:23am
