Outlook Certificate "Security Alert" issue with Exchange

By -

 

Another common issue with Exchange and Outlook is that end users see pop ups complaining about the name on the certificate not matching the cert itself.

"The name on the security certificate is invalid or does not match the name on the site"

Or

"The security certificate has a valid name" is marked with a red X

 

This tends to happen when the InternalURL does not match the certificate names.

What this means in plain English is that the server name is either not on the certificate or does not match up. In many cases the servers will be built and use a single public wildcard certificate, however this wildcard certificate domain does not match the internal domain name. E.g. Mydomain.ie is the public SMTP name and wildcard cert *.mydomain.ie but the Active Directory domain is mydomain.local .

We can "trick" the Exchange System into thinking that it is mydomain.ie and respond as such (No need to change domain name etc…) especially since we can't have non registered domain names (such as .local) on public certificates any more.

We can check the following items to ensure all names are correct.

First ensure that you have an internal DNS registered with the name you are going to use such as Autodiscover.mydomain.ie (You can do this with a simple PinPoint DNS entry in your local DNS server). This name should point at your CAS Array or single CAS server.

Run all of the following commands and check! Even missing one could be the cause of your issue.

1.       Get-AutoDiscoverVirtualDirectory | fl

 

In this instance of Get-AutoDiscoverVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/Autodiscover/Autodiscover.xml

                                  

2.       Get-ClientAccessServer | fl

        

In  In this instance of Get-ClientAccessServer, AutoDiscoverServiceInternalUri should not be empty or reference the internal domain name or server name itself, it should read as follows:

https://autodiscover.mydomain.ie/Autodiscover/Autodiscover.xml

3.       Get-WebServicesVirtualDirectory | fl 

        

In this instance of Get-WebServicesVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/EWS/Exchange.asmx

 

 

4.       Get-OABVirtualDirectory |fl


In this instance of Get-OABVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/OAB

 

5.       Get-OWAVirtualDirectory | fl


In this instance of Get-OWAVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/OWA

 

6.       Get-ECPVirtualDirectory | fl

In this instance of Get-ECPVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/ECP

 

7.       Get-ActiveSyncVirtualDirectory | fl


In this instance of Get- ActiveSyncVirtualDirectory, both InternalURL and ExternalURL should not be empty or reference the internal domain name or server name itself, they should read as follows:

https://autodiscover.mydomain.ie/Microsoft-Server-ActiveSync

 

This should remove all instances of the annoying popup for users!

 

Comments

Post a Comment

Popular posts from this blog

Teams Device Health Monitoring and Reporting

By -
Image
 Microsoft have snuck in a nice new feature into the Teams Admin Center (TAC). We now see a new Notifications and Alerts  menu tree and below this Rules. When we go in here, we find only a single Default  Device State Rule with no option to create any new rules (yet at least...) When we edit this rule, we can see that we now have an option to monitor specific devices (think meeting room devices, collaboration bars etc.. here) Under Device users  we click on +ADD  then enter the name of the account, or accounts if you are monitoring multiple devices, associated with the device, such as the resource account. Then under Actions  we can choose either Channel alert  - to have a nice alert sent to our Teams Channel   OR Webhook  to use webhooks for alerting. Finally ensure to select Active  then Save. Once set up this will take maybe 15 mins to replicate and set up. Then once a device has gone offline, the alert will be sent "Immediately", how...
Read more

Unassigned Numbers in Microsoft Teams using Audiocodes SBC

By -
Image
Unlike Skype for Business, Microsoft Teams does not natively support the handling of Unassigned numbers in the system. So if someone leaves your organisation and you remove the number from them and someone tries to call it, the call will drop. Technically, Teams will return a "404 Not Found" back to the SBC and back on to the telco. What we can do here is to then assign the 404 error to a Route, change the Destination Number (to a call queue or to your main Reception number for example) and route it back to Teams. To do this there are a few simple steps: Step 1 – Create an Alternative Reasons Set Step 2 – Configure existing Teams IP Group to use the SBC Alternative Routing Reason Set Step 3 - Create new IPG Step 4 – Create a new route in IP-to-IP Routing Step 5 - Manipulate Numbers Step 6 – Test  Step 1 – Create an Alternative Reasons Set The first thing we need to do is create an " Alternative Routing Set ", we find this under Setup >> Signaling & Media ...
Read more

Skype for Business Edge Server replication troubleshooter

By -
Image
Many times in Skype for Business/Lync the main issue I come across is the deployment is that the edge server(s) fails to replicate. We see this when we run the command in Skype for Business Management Shell : Get-CsManagementStoreReplicationStatus and we see that the edge servers have False and no LastStatusReport or ProductVersion is shown as below. There are a number of things which can cause this and I am going to list them here. Try them in order here as this will contain the most common to the least common issues I found. Ø   Routing Ø   Firewall rules Ø   DNS suffix Ø   DNS (Local and LAN) Ø   Registry entries for SCHANNEL Ø   Certificates A check we can use to see if the replication is working can be done by trying to connect to the following URL from the Front End Server whish hosts the CMS: https://edgeinternalfqdn.domain.ie:4443/Replicationwebservice You should get the following screen: Without thi...
Read more