
Exchange Server Forums


BPA certificate mismatch

BPA certificate mismatch - 20.Sep.2010 6:34:23 PM   
AndrewKeil

 

Posts: 3
Joined: 20.Sep.2010
Status: offline
System Details:
- Windows SBS 2008 - with all the latest updates (and optional updates applied)
- Exchange 2007 (Version: 08.01.0340.000)
- OWA working correctly with no prompting for extra security credentials
- 3rd Party Certificate set up for only "remote.askinteractive.net"
- Results from Get-ExchangeCertificate:
[PS] C:\Windows\system32>Get-ExchangeCertificate

Thumbprint Services Subject
---------- -------- -------
9874CF54BF296D1B583C20D3E920CFBDDB1D35A9 ...WS CN=remote.askinteractiv...
D9D243D4C20F96156BFE0041544F6DA8727B6A88 IP..S CN=remote.askinteractiv...
FC9619053F20B0DD458B0C10B61604A2E7FCB19B IP..S CN=ASKSERVER.asksbs.local
0DCDF0F69FC49C3DAE4F222181F514FA2CDAAD91 IP..S CN=Sites
B09918ACCDE477525CCC5CEE46E807913D84929B ..... CN=asksbs-ASKSERVER-CA
5FFE1279838A6784AA4CB21F2281E7782C28628C ..... CN=WMSvc-WIN-B4O97L2HGXE

When I run Best Practices Analyzer (BPA) on Exchange Server 2007 (EMC) I received the following two issues:

(1) The principal for SSL certificate 'https://askinteractive.net' does not appear to match the host address. Host address: askinteractive.net. Principal: O=remote.askinteractive.net, OU=Domain Control Validated, CN=remote.askinteractive.net.

(2) The principal for SSL certificate 'https://asksbs.local' does not appear to match the host address. Host address: asksbs.local. Principal: O=remote.askinteractive.net, OU=Domain Control Validated, CN=remote.askinteractive.net.

Questions:
Q1) Is there a way to fix these?
Q2) Where does BPA source these host addresses ('https://askinteractive.net' & 'https://asksbs.local') from?
Post #: 1
RE: BPA certificate mismatch - 22.Sep.2010 4:51:10 AM   
rishishah

 

Posts: 784
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Basically you need to implement a SAN certificate which has the name of your external domain and within the alternative name, the name of your local server with the domain.

i.e. hostname.askinteractive.net (external access) and servername.asksbs.local (internal access)

_____________________________

Rishi Shah, MCP

Remember to backup before applying the advice. www.saiconsult.co.uk. Happy to provide Professional Exchange Server Consultancy to anywhere in the world.

(in reply to AndrewKeil)
Post #: 2
RE: BPA certificate mismatch - 22.Sep.2010 6:12:28 AM   
AndrewKeil

 

Posts: 3
Joined: 20.Sep.2010
Status: offline
My next question is a simple one. If I ignore these warnings what effect will this have on my SBS 2008 Exchange 2007 server receiving and processing e-mails?

Since OWA works fine using my single certificate from a 3rd Party for my main address: https://remote.askinteractive.net.

Thanks.

Andrew

(in reply to rishishah)
Post #: 3
RE: BPA certificate mismatch - 22.Sep.2010 6:33:00 AM   
rishishah

 

Posts: 784
Joined: 14.Nov.2006
From: Surrey, UK
Status: offline
Autodiscover when using RPC over HTTPS will fail.

But if you are simply sending and receiving email (without TLS encryption) and using Outlook from inside your Domain or through a VPN (no RPC over HTTPS) you should have no issues. 

_____________________________

Rishi Shah, MCP

Remember to backup before applying the advice. www.saiconsult.co.uk. Happy to provide Professional Exchange Server Consultancy to anywhere in the world.

(in reply to AndrewKeil)
Post #: 4
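
The name comparison behind the two BPA warnings, as an added example that is not part of the thread and not BPA's own code: it checks each host name against the names a certificate carries, using exact match or a one-label wildcard, the way TLS clients generally compare names. Host names and the certificate CN are the ones quoted in the posts; the function names and the candidate SAN list are assumptions.

```powershell
# Added example: host names and the certificate CN are quoted from the thread;
# function names and $candidateSan are assumptions made for illustration.

function Test-NameMatch([string]$HostName, [string]$CertName) {
    $h = $HostName.TrimEnd('.').ToLower()
    $c = $CertName.TrimEnd('.').ToLower()
    if ($c.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label:
        # *.example.com matches a.example.com, not example.com or a.b.example.com.
        $dot = $h.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return ($h.Substring($dot) -eq $c.Substring(1))
    }
    return ($h -eq $c)
}

function Get-CertCoverage([string[]]$HostNames, [string[]]$CertNames) {
    foreach ($name in $HostNames) {
        $hit = $null
        foreach ($candidate in $CertNames) {
            if (Test-NameMatch $name $candidate) { $hit = $candidate; break }
        }
        # "" | Select-Object builds a result row on any PowerShell version.
        $row = "" | Select-Object HostName, Covered, MatchedName
        $row.HostName    = $name
        $row.Covered     = ($null -ne $hit)
        $row.MatchedName = $hit
        $row
    }
}

# Hosts named in the two BPA warnings, plus the OWA address that works.
$probed = 'askinteractive.net', 'asksbs.local', 'remote.askinteractive.net'

# The third-party certificate carries a single name.
$currentCert = @('remote.askinteractive.net')

# Candidate SAN list (assumption): external name plus the internal server FQDN
# shown in the Get-ExchangeCertificate output.
$candidateSan = 'remote.askinteractive.net', 'ASKSERVER.asksbs.local'

Get-CertCoverage $probed $currentCert  | Format-Table -AutoSize
Get-CertCoverage $probed $candidateSan | Format-Table -AutoSize
```

With the single-name certificate only remote.askinteractive.net is reported as covered. With the candidate SAN list the bare names askinteractive.net and asksbs.local are still uncovered, because a host name matches only when that exact name (or a one-label wildcard for it) is in the list.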
