Certificate Error "the name on the security certificate is invalid..."


  • Certificate Error "the name on the security certificate is invalid..."

    Where to start. We had 2 servers: 1 2008 SBS and a 2008 R2 Standard. I moved Exchange off of the SBS onto the 2008 R2 Standard and installed Active Directory on the 2008 R2 Standard server. I just kind of left the SBS standing, doing other random services. Well, the SBS died hard and wouldn't come back up. No biggy really. The 2008 R2 Standard seized FSMO roles and continued on hosting Exchange and authenticating users etc. I thought the case closed until a few weeks ago I got a complaint that Outlook was popping up an error. I can't verify exactly when this error started. Could have been immediately after the SBS died. It could have been a few weeks later.



    I've rekeyed the GoDaddy certificate, removing the old server's name completely. The new server was and still is on the certificate.

    I've performed the steps outlined here

    And I verified nslookup mail.domain.com from a client computer results in the IP of the mail server.

    Externally everything works fine. OWA and phones have no Certificate Errors.

    What other things should I be looking at to resolve this issue?

  • #2
    Re: Certificate Error "the name on the security certificate is invalid..."

    You should really have recovered the SBS server.
    Somewhere in the configuration of Exchange there is a reference to Sites. "Sites" was an SBS 2008 thing, so it could be coming from that.

    Check the URL configuration, don't forget to check get-clientaccessserver | fl as well.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Certificate Error "the name on the security certificate is invalid..."

      Originally posted by Sembee:
      Check the URL configuration, don't forget to check get-clientaccessserver | fl as well.

      Simon.

      Thanks Simon!!

      I ran the get-clientaccessserver as suggested and yep, there are some references to the old server in there. How can I change it?

      RunspaceId : 2d2b3080-6c40-4540-98cb-f3f0ee25f4ef
      Name : OLDSERVER
      Fqdn : OLDSERVER.DOMAIN.LOCAL
      OutlookAnywhereEnabled : True
      AutoDiscoverServiceCN : OLDSERVER
      AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
      AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
      AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
      AutoDiscoverSiteScope : {Default-First-Site-Name}
      AlternateServiceAccountConfiguration :
      IrmLogEnabled : False
      IrmLogMaxAge : 30.00:00:00
      IrmLogMaxDirectorySize : unlimited
      IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
      IrmLogPath :
      MigrationLogLoggingLevel : Information
      MigrationLogFilePath :
      MigrationLogMaxAge : 180.00:00:00
      MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
      MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
      IsValid : True
      ExchangeVersion : 0.1 (8.0.535.0)
      DistinguishedName : CN=OLDSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Ad
      ministrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=C
      onfiguration,DC=DOMAIN,DC=local
      Identity : OLDSERVER
      Guid : 51c724fd-f0c5-4f06-a237-b99079312f24
      ObjectCategory : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Exchange-Server
      ObjectClass : {top, server, msExchExchangeServer}
      WhenChanged : 10/20/2012 6:40:00 PM
      WhenCreated : 5/21/2009 11:56:05 AM
      WhenChangedUTC : 10/20/2012 11:40:00 PM
      WhenCreatedUTC : 5/21/2009 4:56:05 PM
      OrganizationId :
      OriginatingServer : NEWSERVER.DOMAIN.LOCAL

      RunspaceId : 2d2b3080-6c40-4540-98cb-f3f0ee25f4ef
      Name : NEWSERVER
      Fqdn : NEWSERVER.DOMAIN.LOCAL
      OutlookAnywhereEnabled : True
      AutoDiscoverServiceCN : NEWSERVER
      AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
      AutoDiscoverServiceInternalUri : https://mail.DOMAIN-global.com/autod...todiscover.xml
      AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
      AutoDiscoverSiteScope : {Default-First-Site-Name}
      AlternateServiceAccountConfiguration :
      IrmLogEnabled : True
      IrmLogMaxAge : 30.00:00:00
      IrmLogMaxDirectorySize : 250 MB (262,144,000 bytes)
      IrmLogMaxFileSize : 10 MB (10,485,760 bytes)
      IrmLogPath : D:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
      MigrationLogLoggingLevel : Information
      MigrationLogFilePath :
      MigrationLogMaxAge : 180.00:00:00
      MigrationLogMaxDirectorySize : 10 GB (10,737,418,240 bytes)
      MigrationLogMaxFileSize : 100 MB (104,857,600 bytes)
      IsValid : True
      ExchangeVersion : 0.1 (8.0.535.0)
      DistinguishedName : CN=NEWSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=A
      dministrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=
      Configuration,DC=DOMAIN,DC=local
      Identity : NEWSERVER
      Guid : 8062c20f-965b-4d07-a4fd-8abb3d5533c8
      ObjectCategory : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Exchange-Server
      ObjectClass : {top, server, msExchExchangeServer}
      WhenChanged : 12/15/2013 11:19:42 AM
      WhenCreated : 10/21/2012 10:12:47 AM
      WhenChangedUTC : 12/15/2013 5:19:42 PM
      WhenCreatedUTC : 10/21/2012 3:12:47 PM
      OrganizationId :
      OriginatingServer : NEWSERVER.DOMAIN.LOCAL

      Comment
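
The check suggested in #2 and carried out in #3, written as an added example that is not part of the thread: it lists every Client Access Server object whose Autodiscover SCP URI uses a host name the certificate does not cover. The function names, the sample records and the certificate name list are assumptions made for illustration; the Exchange cmdlets appear only in the commented lines at the end.

```powershell
# Added example; not from the thread. Plain PowerShell, runs offline on the sample.

function Test-HostCovered {
    # True if $HostName matches a certificate name exactly or via a one-label wildcard.
    param([string]$HostName, [string[]]$Names)
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.IndexOf('.') -gt 0 -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

function Get-ScpNameMismatch {
    # One row per CAS object whose Autodiscover SCP host is not on the certificate.
    param($Servers, [string[]]$CertNames)
    foreach ($s in $Servers) {
        $raw = "$($s.AutoDiscoverServiceInternalUri)"
        if (-not $raw) { continue }                      # no SCP URI published
        $uri = [uri]$raw
        if ($uri.IsAbsoluteUri -and (Test-HostCovered $uri.Host $CertNames)) { continue }
        New-Object PSObject -Property @{ Server = $s.Name; Uri = $raw }
    }
}

# Constructed sample: the OLDSERVER URI is the one shown in the post above; the
# NEWSERVER URI and the certificate names are placeholders (assumptions).
$sample = @(
    New-Object PSObject -Property @{ Name = 'OLDSERVER'
        AutoDiscoverServiceInternalUri = 'https://sites/Autodiscover/Autodiscover.xml' }
    New-Object PSObject -Property @{ Name = 'NEWSERVER'
        AutoDiscoverServiceInternalUri = 'https://mail.example.com/Autodiscover/Autodiscover.xml' }
)
$sampleCertNames = @('mail.example.com', 'autodiscover.example.com')

Get-ScpNameMismatch $sample $sampleCertNames | Format-Table Server, Uri -AutoSize

# Live use in the Exchange Management Shell (assumes the certificate of interest
# is the one enabled for IIS):
# $names = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
#     ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
# Get-ScpNameMismatch (Get-ClientAccessServer) $names
```

On the sample, only the OLDSERVER row is returned, because the host `sites` is not among the certificate names.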


      • #4
        Re: Certificate Error "the name on the security certificate is invalid..."

        Go through my article here:
        http://semb.ee/hostnames

        That will ensure that you have everything changed correctly.

        Simon.


        • #5
          Re: Certificate Error "the name on the security certificate is invalid..."

          Nice article, but...

          In my IIS Manager I don't have a properties option when right-clicking owa under Sites, Default Web Site.

          I created the ps1 script and ran it, but it failed as well. The output of the script:
          You can't make this change because 'CN=OLDSERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admin
          istrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local' is read-only
          to the current version of Exchange.
          + CategoryInfo : InvalidOperation: ( [Set-ClientAccessServer], CannotModifyCrossVersionObjectException
          + FullyQualifiedErrorId : 8C90AC4A,Microsoft.Exchange.Management.SystemConfigurationTasks.SetClientAccessServer

          The task wasn't able to connect to IIS on the server 'OLDSERVER.DOMAIN.LOCAL'. Make sure that the server exists and can be
          reached from this computer: The RPC server is unavailable.
          + CategoryInfo : ReadError: (OLDSERVER\EWS (SBS Web Applications):ADObjectId) [Get-WebServicesVirtualDire
          ctory], IISNotReachableException
          + FullyQualifiedErrorId : 8FBA8A69,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDir
          ectory

          WARNING: The command completed successfully but no settings of 'NEWSERVER\owa (Default Web Site)' have been modified.
          The task wasn't able to connect to IIS on the server 'OLDSERVER.DOMAIN.LOCAL'. Make sure that the server exists and can be
          reached from this computer: The RPC server is unavailable.
          + CategoryInfo : ReadError: (OLDSERVER\OAB (SBS Web Applications):ADObjectId) [Get-OabVirtualDirectory],
          IISNotReachableException
          + FullyQualifiedErrorId : 8FBA8A69,Microsoft.Exchange.Management.SystemConfigurationTasks.GetOabVirtualDirectory

          WARNING: The command completed successfully but no settings of 'NEWSERVER\OAB (Default Web Site)' have been modified.
          WARNING: The command completed successfully but no settings of 'NEWSERVER\ecp (Default Web Site)' have been modified.
          The task wasn't able to connect to IIS on the server 'OLDSERVER.DOMAIN.LOCAL'. Make sure that the server exists and can be
          reached from this computer: The RPC server is unavailable.
          + CategoryInfo : ReadError: (OLDSERVER\Micro...b Applications):ADObjectId) [Get-ActiveSyncVirtualDirector
          y], IISNotReachableException
          + FullyQualifiedErrorId : 8FBA8A69,Microsoft.Exchange.Management.SystemConfigurationTasks.GetMobileSyncVirtualDire
          ctory

          WARNING: The command completed successfully but no settings of 'NEWSERVER\Rpc (Default Web Site)' have been modified.

          Googling "The task was not able to connect to IIS on the server" "Make sure that the server exists and can be reached from this computer: The RPC server is unavailable." really wasn't particularly helpful either.



          • #6
            Re: Certificate Error "the name on the security certificate is invalid..."

            You still have traces of the old server on your network. That may well be part of the problem.
            If you run get-clientaccessserver for example, you will probably find that both servers are listed.

            You didn't read the article properly - nowhere does it say to make changes in IIS Manager - it is all done through Exchange.

            There are no manual removal instructions for Exchange 2007 and higher that are supported by Microsoft - as already stated, the old server should have been recovered and that is what you need to do now.

            Simon.


            • #7
              Re: Certificate Error "the name on the security certificate is invalid..."

              There is no recovery of the old server. To make a long story short, it had a catastrophic hard drive crash. And its backups were corrupted. The only alternative would have been a complete rebuild of the old SBS.



              • #8
                Re: Certificate Error "the name on the security certificate is invalid..."

                That is what I meant - hard recovery of the server. You need to remove the traces of the old server from the domain - the only supported way to do that is to recover the server and then remove it.

                Simon.


                • #9
                  Re: Certificate Error "the name on the security certificate is invalid..."

                  *facepalm* Is there an 'unsupported way'? I mean, this sounds pretty ridiculous of Microsoft to design it that way.



                  • #10
                    Re: Certificate Error "the name on the security certificate is invalid..."

                    That is the only supported method - it isn't ridiculous either - have you seen how much is in ADSIEDIT for an Exchange server? The uninstaller does a much better job of removing it all without causing a problem for the new server.

                    I can turn round a removal in less than three hours using a virtual machine. It isn't hard but it is clean and supported. Anything else isn't something that I want to do.

                    You may well find unsupported methods, but that isn't something I am going to get involved in. I only work on supported methods, that is what my clients expect.

                    Simon.