Replaced Cert now Outlook giving error.

Our existing SAN Cert expired so I bought and installed a new one from godaddy. The old Cert had SAN Names for the internal name of the server I'll say server.internal.local. The new ICANN rules persuaded me to not include the internal name of the server on the replacement Cert and only use publicly accessible names, I'll say mail.public.org.

Now our Outlook Clients in our internal network are throwing an error at startup saying:

There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site server.internal.local.

Outlook is unable to connect to the proxy server. (Error Code 10)

I looked at the settings of the Outlook email Account and sure enough under the Exchange Proxy Settings, the Use this URL... and the Only connect to... are showing server.internal.local. 

I followed the instructions here:  http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/managing-certificates-exchange-server-2013-part1.html

Which led me through creating a split brain DNS zone so the internal clients will find the server using the public name that matches the cert and also (theoretically) modifying the autodiscover so the clients will look for the server at the new address.

Apparently, I'm missing something because even when configuring a new Outlook profile I still get the certificate error and the proxy settings are still being set to the old internal name and I am unable to change them.  

To further complicate things, this environment has an SBS2011 that Exchange has been mostly migrated from to the new Exchange 2013 machine, but Exchange has not been decommissioned from it yet. I'll call it OLDSERVER. I did go into Sites and Services and delete the Autodiscover service connection point for OLDSERVER thinking it would simplify the issue. No Bueno.
  • Edited by kidwon Wednesday, April 29, 2015 8:31 PM
April 29th, 2015 8:17pm

There are two things that don't seem to make sense here. One is the fact I don't see an internal host name for Outlook Anywhere on your 2013 server. The other is the cert principal name for Server.local. Something seems like it's not configured right.

Can you run:

Get-ClientAccessServer | Get-OutlookAnywhere | FL Server, *hostname, *SSL
Get-OutlookProvider

While we're at it might as well get an output of:

Get-ExchangeServerCertificate -Server SERVER

April 30th, 2015 9:41am

I think you're on to something. The Get-OutlookAnywhere definitely doesn't seem right. The internal Hostnames are still the old internal names.

[PS] C:\Windows\system32>Get-ClientAccessServer | Get-OutlookAnywhere | FL Server, *hostname, *SSL
WARNING: Warning: "Rpc (Default Web Site)" was not found. Please ensure that the RPC over HTTP Proxy feature has been
added to server "OLDSERVER".


Server                    : OLDSERVER
ExternalHostname          : mail.public.org
InternalHostname          : SERVER.internal.local
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True

Server                    : SERVER
ExternalHostname          : mail.public.org
InternalHostname          : SERVER.internal.local
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True



[PS] C:\Windows\system32>Get-OutlookProvider

Name                          Server                        CertPrincipalName             TTL
----                          ------                        -----------------             ---
EXCH                                                                                      1
EXPR                                                        msstd:mail.public.org   1
WEB                                                                                       1

[PS] C:\Windows\system32>Get-ExchangeCertificate -Server SERVER

Thumbprint                                Services   Subject
----------                                --------   -------
FD016572B237FC3EF5075F97053001E64AFC6C01  ...WS..    CN=mail.public.org, OU=Domain Control Validated
4B1086F73CAA84A0373C48196188B203DB0FC2CD  ....S..    CN=Microsoft Exchange Server Auth Certificate
2E63291D0CE6D663DE7E5183338EB8460DE57B2D  IP.WS..    CN=SERVER
31C13A872C12D3198EE3F03CD3B7F1108D98AE3B  .......    CN=WMSvc-SERVER

April 30th, 2015 10:25am

Should I change the Internal Hostnames for OutlookAnywhere?

I'm thinking

Set-OutlookAnywhere -InternalHostname mail.public.org

on both servers.

April 30th, 2015 10:34am

Ahh... the InternalHostname on Server is causing the issue. To fix:

Get-ClientAccessServer | Set-OutlookAnywhere -InternalHostName mail.public.org -InternalClientsRequireSSL $True

Also, since you set the EXPR value, you might as well do the same for the EXCH provider:

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:mail.public.org

April 30th, 2015 10:34am

Seems logical but I'm getting a nice red error message when I try to run the command on SERVER's powershell.

[PS] C:\Windows\system32>Get-ClientAccessServer | Set-OutlookAnywhere -InternalHostName mail.public.org -InternalClientsRequireSSL $True
The operation couldn't be performed because object 'OLDSERVER' couldn't be found on 'OLDSERVER.internal.local'.
    + CategoryInfo          : NotSpecified: (:) [Set-OutlookAnywhere], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=SERVER,RequestId=bea45772-4654-4e2e-9d7f-0cf15e1a4ec5,TimeStamp=4/30/2015 2:35:11
    PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] 70E3C900,Microsoft.Exchange.Management.SystemConfi
  gurationTasks.SetRpcHttp
    + PSComputerName        : SERVER.internal.local

The operation couldn't be performed because object 'SERVER' couldn't be found on 'OLDSERVER.internal.local'.
    + CategoryInfo          : NotSpecified: (:) [Set-OutlookAnywhere], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=SERVER,RequestId=bea45772-4654-4e2e-9d7f-0cf15e1a4ec5,TimeStamp=4/30/2015 2:35:11
    PM] [FailureCategory=Cmdlet-ManagementObjectNotFoundException] FF68D37C,Microsoft.Exchange.Management.SystemConfi
  gurationTasks.SetRpcHttp
    + PSComputerName        : SERVER.internal.local

April 30th, 2015 10:40am

Correction from my first post: turns out OLDSERVER is actually SBS2008 running Exchange 2007, and it appears the -InternalHostName parameter is not available on the Exchange 2007 server. Sorry about the mistake, it's been a while since I spent much time with this client. Let's just say there were some billing problems that caused the migration from SBS to Exchange 2013 to get put on hold for a while.

I'm starting to think we'll have to complete the migration and completely decommission Exchange 2007 before we can resolve this problem.

  • Edited by kidwon 16 hours 26 minutes ago
April 30th, 2015 10:53am

Ugh, my command was fubared.

Try Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostName mail.public.org -InternalClientsRequireSSL $True

April 30th, 2015 1:08pm
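The root cause in this thread was an Outlook Anywhere InternalHostname that no longer appeared in the replacement certificate's SAN list. The following script is an added example (not posted in the thread and not Microsoft's code) that audits the Outlook Anywhere hostnames and the Outlook Provider CertPrincipalName against the domains of the certificate bound to IIS, so the mismatch is found before clients start reporting Error Code 10. It assumes it runs in the Exchange Management Shell on the Exchange 2013 server; the -Server value and the wildcard handling are my assumptions.

```powershell
# Added example: audit Outlook Anywhere / Outlook Provider names against the IIS certificate.
# Assumes the Exchange Management Shell (Get-ExchangeCertificate, Get-OutlookAnywhere,
# Get-OutlookProvider are Exchange cmdlets). Run after every certificate replacement.
param([string]$Server = $env:COMPUTERNAME)

# The certificate that IIS (and therefore Outlook Anywhere) serves has the IIS service enabled.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No certificate with the IIS service is enabled on $Server" }

# CertificateDomains holds the CN plus every SAN entry on the certificate.
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered([string]$Name) {
    if ([string]::IsNullOrEmpty($Name)) { return $false }
    $n = $Name.ToLower()
    foreach ($d in $certNames) {
        if ($d -eq $n) { return $true }
        # A wildcard SAN such as *.public.org covers exactly one extra label (assumption).
        if ($d.StartsWith('*.') -and $n -like $d -and
            $n.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

$problems = @()
foreach ($oa in Get-OutlookAnywhere -Server $Server) {
    foreach ($prop in 'InternalHostname', 'ExternalHostname') {
        $value = [string]$oa.$prop
        if (-not (Test-NameCovered $value)) {
            $problems += "$($oa.Server): $prop '$value' is not covered by the IIS certificate"
        }
    }
}
foreach ($prov in Get-OutlookProvider) {
    $cpn = [string]$prov.CertPrincipalName
    if ($cpn) {
        # CertPrincipalName is written as msstd:<name>; compare only the name part.
        $hostName = $cpn -replace '^msstd:', ''
        if (-not (Test-NameCovered $hostName)) {
            $problems += "OutlookProvider $($prov.Name): CertPrincipalName '$cpn' is not covered"
        }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "All Outlook Anywhere names match $($iisCert.Subject)" }
```

Any warning printed is a name Outlook will compare against the certificate and reject; the fix the thread arrived at (Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostName ...) is what corrects the InternalHostname entries.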

Looks like that got it. I can't thank you enough!

The command set the InternalHostName to the correct mail.public.org for both servers.

I did a quick IIS Reset and tested it from a client and no error message.

Thanks again, you are a lifesaver!

April 30th, 2015 2:33pm
