Exchange certificate error

I replaced the Exchange cert with one that does not include the internal domain and changed all the internal URLs, but some Outlook 2010 clients are still getting a site mismatch error.

I also have a lot of Schannel alerts in the syslog on the Exchange server.

Here is a more detailed post about the problem on TechNet.

https://social.technet.microsoft.co...local-domain-and-cas-array?forum=exchange2010

Anyone have any ideas?
 
Did you do it via the console or the shell? The console doesn't show all URLs for Exchange, such as the client access server and Autodiscover URLs.
 
I did it all through the shell. I have checked every URL there is, all have been updated correctly.

Strange, it has worked for my accounts and test profiles, but some users are still getting it even if I try to repair their profile.
 
Is the new certificate assigned correctly? Run Get-ExchangeCertificate and see if the correct certificate is running the IIS services (the certificate will usually have IP.WS.. in the services column).
 
Have you tried iisreset yet?
I can't see why it isn't working if all your URLs are set to the external address and the certificate is set up.
Only other things are if you have a load balancer set up with the cert or a dodgy DNS CNAME entry somewhere.
 
Actually it is still not fixed.

I thought that would do it as it's the only URL that was not changed. However, I have since found out that has nothing to do with Outlook or SSL, so it wouldn't fix it even if it was wrong.

So back to investigating the problem.

I have done an iisreset, recycled the Autodiscover pool and restarted the transport service.

I am out of ideas at this point.

I have since removed the DNS CNAME and the SRV records that I created in the hope of fixing the problem.
 
[PS] C:\Windows\system32>Get-OutlookProvider
Creating a new session for implicit remoting of "Get-OutlookProvider" command...

Name   Server   CertPrincipalName   TTL
----   ------   -----------------   ---
EXCH                                1
EXPR                                1
WEB                                 1

Looks like it's not even set...?

Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.contoso.com
Set-OutlookProvider EXCH -CertPrincipalName msstd:mail.contoso.com

I should run this, is that right?

If I do Get-OutlookProvider | fl

it all looks fine apart from the server and CertPrincipalName being blank.


I have another site that I manage Exchange on and Get-OutlookProvider is also blank there, but they don't have any problems.
 
Is it just Outlook that is having issues or does OWA also complain? Also, does Exchange anywhere work off the network?
If it does, then it certainly points to either a SRV record or something.
Might be worth enabling the logging function in Outlook to see what it's trying to do and also try the Exchange connectivity tester: https://testconnectivity.microsoft.com
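
An added example, not posted by anyone in the thread: a PowerShell check that compares the host name in each URL handed to Outlook against the names on the certificate, to show which setting would still trigger a name mismatch. The URL list, `exch01.contoso.local`, the certificate names and the function name `Test-CertNameMatch` are constructed or hypothetical; only `mail.contoso.com` appears in the thread.

```powershell
# Added example. All values below are constructed samples, not the poster's data.
# In the Exchange Management Shell the real inputs would come from cmdlets such as:
#   Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains
#   Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
#   Get-WebServicesVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl
#   Get-OabVirtualDirectory | Format-List Identity, InternalUrl, ExternalUrl

# Names on the new certificate (constructed): no internal .local name.
$certNames = @('mail.contoso.com', 'autodiscover.contoso.com')

# URLs as they might be configured (constructed); one still points at .local.
$settings = @(
    @{ Name = 'AutoDiscoverServiceInternalUri'; Url = 'https://mail.contoso.com/Autodiscover/Autodiscover.xml' },
    @{ Name = 'EWS InternalUrl';                Url = 'https://mail.contoso.com/EWS/Exchange.asmx' },
    @{ Name = 'OAB InternalUrl';                Url = 'https://exch01.contoso.local/OAB' },
    @{ Name = 'ECP InternalUrl';                Url = 'https://mail.contoso.com/ecp' }
)

# Hypothetical helper: does any certificate name cover this host name?
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq ignores case
        # A wildcard covers exactly one left-most label: *.contoso.com matches
        # mail.contoso.com, but not a.b.contoso.com and not contoso.com itself.
        if ($name.StartsWith('*.')) {
            $suffix   = $name.Substring(1)          # ".contoso.com"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -eq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# One row per setting; CoveredByCert = False marks a URL that will not validate.
foreach ($s in $settings) {
    $hostName = ([Uri]$s.Url).Host
    New-Object PSObject -Property @{
        Setting       = $s.Name
        Host          = $hostName
        CoveredByCert = (Test-CertNameMatch -HostName $hostName -CertNames $certNames)
    } | Select-Object Setting, Host, CoveredByCert
}
```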
 