Checklist for Exchange Certificate issues

Similar Messages

• [Forum FAQ] Introduce the Windows Essentials Connector software and checklist for its configuration issues

  Introduction
  The Connector software for the Windows Server Essentials OS connects the computers in your network to the Windows Server Essentials server. When you connect computers to the server via Connector
  software, it will help you to automatically back up the computers and monitor their health. Meanwhile, you will be able to configure and remotely administer the Windows Server Essentials server. The Connector software is installed when you connect a client
  computer to the server. You can start by typing http://<your_server_name>/connect
  Example: Windows 8.1 connects to Windows Server 2012 R2 Essentials
  1. Open the Dashboard on Windows Server 2012 Essentials, navigate to USERS tab. Right click and select Add a user account (Figure 1). Then follow the Add a User Account wizard to configure
  and add the user account (Figure 2).
  Figure 1: Add a user account -1
  Figure 2: Add a user account -2
  2. Logon the client computer, type the http://<your_server_name>/connect in IE. Then you will see the download page for Connector software (Figure 3).
  Figure 3：Download the
  Connector software
  3. Click Download software for Windows and download the Connect software (ComputerConnector), then run it.
  After restart automatically, please follow the Windows Server Essentials Connector Configuration Wizard (Figure 4 – Figure 7).
  Figure 4: Windows Server Essentials Connector Configuration Wizard -1
  Figure 5: Windows Server Essentials Connector Configuration Wizard -2
  Figure 6: Windows Server Essentials Connector Configuration Wizard -3
  Figure 7: Windows Server Essentials Connector Configuration Wizard -4
  4. When complete the configuration wizard and logon the client computer, you will be able to use the Launchpad (Figure 8).
  Figure 8: Launchpad
  5. Meanwhile, when you open Dashboard, will be able to find that the Windows 8.1 is listed under DEVICES. It will help administrators to manage the client computer (Figure 9).
  Figure 9: Clients listed in the Devices panel
  For Windows XP
  You can type http://<your_server_name>/connect in IE. Then the download page will appear (Figure 10).
  Figure 10: Download page
  However, it will encounter the error: “xxx.exe is not a valid Win32 application” (Figure 11).
  Figure 11: Error message on Windows XP
  Windows XP is not a supported OS for client computer. For more details, please refer to
  Get Connected in Windows Server Essentials.
  In addition, please note:
  Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options.

  Checklist for the configuration issues
  First of all, when we want to connect the client computers to Windows Server Essentials, please check if the date and time settings for the client computer is consistent with the server.
  Meanwhile, please also check the Regional and Language settings.
  Issue 1: Installation did not succeed
  When accept the license terms to continue in the configuration wizard, you may encounter the error (Figure 12).
  Installation did not succeed
  Windows Server Essentials Connector has not been installed because:
  Cannot download the package.
  Verify that your device is connected to the Internet, and then install the Windows Server Essentials Connector.
  Figure 12: Installation did not succeed
  Checklist:
  1. Verify the DNS client settings.
  2. Check the communication between DNS server and the client.
  3. Check if you can ping server via IP address and server name successfully
  Issue 2: Cannot connect this computer to the network (Network related)
  This computer is already connected to another Windows Server network. Before connecting this computer to the Windows Server Essentials network, you must remove this computer from the
  current network.
  To resolve this issue, contact the person responsible for your network.
  Figure 13: Cannot connect this computer to the network (Network related)
  Checklist:
  1. Check if the client computer is a member of another server network.
  2. Change the client computer to Workgroup via administrator. Then check if you can connect it to the new Windows Server Essentials network.
  Issue 3:
  Cannot connect this computer to the network (Account related)
  The computer cannot be connected to the server using the user name and password credentials provided. This may be because an existing computer account having name “ComputerName” was previously
  created using a different set of credentials. Rename this computer and then try to connect this computer to the server again, or contact your administrator to remove any old conflicting account.
  When you connect the client computer to server essentials with a new user account, please check if the client computer has been connected to the server essentials, and didn’t remove from
  Dashboard. You may encounter the following error.
  Figure 14: Cannot connect this computer to the network (Account related)
  Checklist:
  1. Check if the client computer has been connected to the server essentials, and didn’t remove from Dashboard.
  2. Remove the client computer from the Dashboard, then try again.
  Additional resource:
  Troubleshoot connecting computers to the server in Windows Server Essentials
  Windows 2012 Server Essentials ConnectComputer
  Troubleshooting

• Cisco Jabber for Windows Certificate Issues

  Hi,
  I have configured a Cisco Jabber with device security mode "Encrypted". Once I use this mode I am getting a error message in Cisco Jabber as:
  "The certificate enrollment for secure computer calling has not been activated. Contact your system administrator."
  The softphone feature is not working because of this.
  Do you have any fix for this issue?
  Thanks,
  VJ

  Hi Jonathan,
  I have one more issue with Cisco Jabber using authentication string. The authentication string works fine with the Jabber and softphone functionality is working.
  Now the problem is: if the single user has two Jabber clients, one installed on laptop and second on desktop, the authentication string window is presented to the jabber client which logs in first. For example is I login from my laptop the window pops up to enter the authentication string. But now when I open the Jabber on my desktop it doesn't give me option to enter the authentication string and the softphone doesn't work.
  Thanks,
  Vaijanath

• Exchange certificate error

  Hi Guys,
  I am in the process of upgrading my exchange 2007 to 2013. i now have setup a 2013 server successfully. However, i seem to be having problems with my exchange certificate. Everytime i open my outlook it comes up with the dialogue gox below
  The old server is still in the envirnoment so i was thinking its certificate is the one being picked up. could this be that the CAS is still on the old server? if yes, how to i transfer it. if otherwise, please assist.
  Regards,
  BJ

  Hi,
  I suggest try to re-create profile to refresh the caches for testing.
  If doesn't work, please try to check following checkpoints:
  1. Open IE and browse RPC URL, https://mail.domain.com/rpc, to examine the certificate.
  2. Install the trusted root certificate.
  3. Disable the 3rd party add-in or the 3rd party browser add-in.
  More details to refer following KB:
  Error message when Outlook tries to connect to a server by using an RPC connection or an HTTPS connection: "There is a problem with the proxy server's security certificate"
  https://support.microsoft.com/kb/923575?wa=wsignin1.0 
  Also provide an FAQ for your reference:
  Checklist for Exchange Certificate issues
  https://social.technet.microsoft.com/Forums/en-US/fa78799b-5c55-4c71-973b-0e186612ff6f/checklist-for-exchange-certificate-issues?forum=exchangesvrgeneral
  Thanks
  Mavis Huang
  TechNet Community Support

• Netbios names on exchange certificates

  Hi, 
  Is it not best practice to include the server netbios name in the SAN on the Exch 2013 SSL cert? Also is it even supported as I see some suggestions that netbios names on exchange certs is not often supported by online certificate authorities.
  Thanks 

  Hello,
  Since the certificate SAN name can be seen by public. If any security issues are not cared, it’s fine to add it to the SAN name.
  More information and best practices for Exchange Certificate in:
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  Thanks,
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Simon Wu
  TechNet Community Support

• Exchange 2003 to 2010 Migration and Certificate Issue

  Good Day All -
  This is my first post on here, so if I post to the wrong spot or something is incorrect, please forgive and redirect me.
  I have a small working knowledge of Exchange and even less about Certificates.
  I did an Exchange 2003 to Exchange 2010 migration last weekend, and, for the most part, everything went well.  Initially when users first launched Outlook for the first time, (post mailbox move), the received a Security Alert to install the Self-Signed
  Certificate for the new Exchange Server.  This was a one time deal and everything was good after that.  Also, I exported the non-self-signed certificate, (for external mail, purchased from Network Solutions), from the Exchange 2003 Server, and imported
  it into the Exchange 2010 Server. Again, no issue.
  Jump ahead to today. It was brought to my attention that some mobile devices were unable to connect, and in my infinite wisdom ,<sarcasm>, I thought the issue had to do with the certificate(s).  I started troubleshooting and it seems like I've
  fixed the the mobile devices being able to connect, but now every time users launch Outlook, they receive the Security Alert for the non-self-signed certificate, over and over again. (or it just pops up while connected to Outlook)
  They go through the motions of installing it, but it just keeps coming back.
  I have referenced several articles on here, and other sites, but nothing has worked and I'm stuck and fried on this one. 
  http://support.microsoft.com/kb/940726/en-us
  http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority/
  Would someone please help. Thanks very much, (in advance).

  Thanks for the reply.  Yeah, I have read many articles, (especially from exchangeserverpro), and have learned alot, but I am definitely a cert novice here.
  The cert "error" on my internal Outlook Clients is a Security Alert for
  mylocalservername.mydomain.lcl.  When I click to view this certificate it points to
  webmail.mydomain.com, which is what the external
  devices use for SSL verificartion.
  I'm not understanding why my internal Outlook clients are prompting for this external certificate. 
  I have the self signed certificate that auto-installed with Exchange 2010, which points to the DNS Names:
  mylocalservername.mydomain.lcl and mylocalservername.  This was the server certificate that the Outlook clients installed after they launched Outlook post mailbox migration to the new Exchange
  2010 server and everything was good internally. 
  For my external connection then, I exported the webmail.mydomain.com
  from the old Exchange 2003 server, and  imported it on the new Exchange 2010 server; (EMC\Server Configuration\Import Exchange Certificate (Actions Pane)).  Ever since doing this, all Outlook clients, (2007 & 2010)
  receive the Security Alert for mylocalservername.mydomain.lcl, but is for the
  webmail.mydomain.com cert.
  I have two certs on the Exchange 2010 server; one self signed and one not, (The non-self-signed purchased from a CA and thus the one I imported from Exchange 2k3). 
  The services assigned to the two certs are:
  Self-Signed, (mylocalservername.mylocaldomain.lcl and
  myservername):
  IMAP, POP, SMTP
  Non-Self-Signed, (webmail.mydomain.com, Purchased from CA)
  IIS
  Please let me know if there's anything glaring here that I'm missing, and if not, what you think the problem may be.  Thanks very much.

• Ramifications of assigning a wildcard certificate to the SMTP service (needed for Exchange 2010 Hybrid Configuration - Office 365)

  Hello All:
  I am receiving an error when I run the Manage Hybrid Configuration wizard - ERROR:Updating hybrid configuration failed with error 'Subtask NeedsConfiguration execution failed: Configure Recipient Settings. I have opened a SR, but figured I'd try the forums,
  too. I have a wildcard certificate from GoDaddy (MS says they support wildcards from GoDaddy) & that cert has only the IIS service applied to it on the CAS. I've read in the Exchange Server Deployment Assistant that it should have the SMTP & IIS services
  assigned to it, but my question is - SMTP on the CAS (separate server) or on the Mailbox/Hub Transport (separate server)? And what are the ramifications of assigning the SMTP service to, let's say, the CAS? We have had multiple issues every time the servers
  get updated/changed; I do not want to disrupt services further, as the Manage Hybrid Configuration will be done during business hours.
  If anyone can provide any assistance/clarification, it would be most appreciated.
  Thank you.

  Hi,
  We can enable a Wildcard certificate with SMTP service for Exchange Hybird Deployment. The SMTP service can be assigned to multiple certificates. For some Exchange services such as OWA, Ecp, ActiveSync, Autodiscover service, OOF, it is used with Exchange
  certificate with IIS service. And there is usually only one certificate can be assigned with IIS service.
  Please just make sure your Wildcard certificate can contain all namespaces which are used for all internal URL and External URL configuration in Exchange services. About how to import an existing wildcard certificate on the Exchange 2010 Hybird servers,
  please refer to the Import & Enable Third Party Certificate on Hybrid Servers
  part in the following article:
  http://www.msexchange.org/articles-tutorials/office-365/exchange-online/configuring-exchange-hybrid-deployment-migrating-to-office-365-exchange-online-part9.html
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please
  make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Regards,
  Winnie Liang
  TechNet Community Support

• Preparing new Certificate for Exchange - how to cover the .local domain names

  I need to plan out our new certificate for our CAS servers. Exchange 2010 SP3. Our current SAN certificate has several names including our Exchange FQDN's which are exserver.domain.local. I know our CA will not let me generate SAN's with a .local anymore
  so how do I cover the Exchange internal FQDN's in the certificate? 
  I did a get-exchangecertificate and the only certificates I have are the public CA with all the SAN's and Services are IP.WS. The other two Exchange certificates are self signed but only for SMTP "S".
  You can only have one certificate for web services "W" so how do you get around the Exchange FQDN? Our internal autodiscover, availability and OOF etc....that Outlook uses all use the Exchange internal FQDN of servername.domain.local.
  Even if I generate another Exchange certificate for the server FQDN and submit it to our internal CA, I cannot enable web services on this certificate because my public certificate is already enabled for web services.
  Need some help here. I am really stumped on this one.

  Hi Shadowtuck,
  It is suggested to post in the Exchange forum:
  https://social.technet.microsoft.com/Forums/en-US/home?category=exchangeserver
  In addition, hope the link below could be helpful for you:
  Global changes in legislation regarding SAN SSL Certificates
  http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• Wildcard certificate for Exchange 2013

  Hello!
  I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
  For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
  Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
  Q1) Is Windows CA capable of issuing a wildcard certificates?
  Q2) If Q1=yes then what can be the cause of the problem?
  Thank you in advance,
  Michael

  Hi Michael,
  Please click Certificate error in IE to view the details about the error. If the error is related to untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the
  Certificates dialog box, click the Trusted Root Certification Authorities
  tab and check if your certificate is in the list.
  If the certificate is not in the list, we can install the certificate in Trusted root certificate store by the following KB:
  http://support2.microsoft.com/kb/2006728
  If the error certificate is related to mismatch issue, please confirm if this certificate is assigned with IIS service. If not, please enable it with IIS service and restart IIS service to have a try. To double check about the Exchange certificate, we can
  run the following command to check it:
  Get-ExchangeCertificate | FL
  Regards,
  Winnie Liang
  TechNet Community Support

• N97 - Mail for Exchange self signed certificate

  I would like to use my N97 for sychronizing my nokia with my office e-mails (MfE 2003). Sync keeps on failing. I assume that my n97 does not accept the self-signed certificate we are using (unlike the iPhone and any other HTC or Windows mobile based device). I tried to install the certificate on my nokia - however all versions offered for conversion by my internet explorer are not recognized as a certificate by the n97 (either unkown format or just displayed as text).
  Can anyone help? (I am afraid I have to deal with our self-signed certificate - so there is no chance to approach the problem from that end)
  Many thanks!

  I am also having the exact same problem.  My company uses Exchange Server 2003, but I cannot get the Nokia N97 to sync using Mail for Exchange.  I too am guessing that it might be related to the fact that we are using a self signed certificate.
  When the sync failed, I tried to browse to our web exchange access on the N97 web browser, but that wouldn't work either (I have successfully been able to do this on a Sony Ericsson C905 and a BlackBerry Pearl, but the Nokie N97 says it is unable to perform the operation).
  Can anyone confirm if the issue is in fact the self signed certificate, or make any other suggestions?  I do not want to push my company down the path of getting the certificate signed if it's not going to solve the problem.
  Thanks!

• Best Buy exchange with rewards certificate issue

  Hi,
  I have been a loyal customer of Best Buy over the years and go out of my way to shop there for my electronics. I hope someone can assist me with my problem. Below I have given a brief synopsis of what is going on. Thank you for your time.
  On 01/10/15 I purchased a Bose headset using some of my best buy rewards certificates and the rest of the balances on my credit card. I forgot to use a $50.00 gift card that I had received, towards the purchase that day. On 01/13/15 I returned to the same store to ask that the receipt be credited and re rung so I could apply my $50.00 gift card. The customer representative advised that since I used best buy rewards certificates I would not be able to do the exchange since the rewards take 8 days to return to my account. I asked if the rewards could just go onto a best buy gift card and he stated they were not able to. I had no intention of returning my item; all I wanted was to get the $50.00 gift card applied to my receipt. Instead I was forced to return my headset and now wait 8 days to then repurchase the same headset in order to be able to use my best buy rewards certificates plus my $50.00 gift card. I find it ironic that best buy is willing to take in a returned item (never intended for return), make customers wait 8 days, and then have the customers travel back to the store to buy the same item over again just to be able to use their rewards certificates that were returned.
  I did advise the customer service representative of how absurd the process is and he stated “I know I’ve been dealing with it for the entire holiday season but this is the only way it can be done.”   Best Buy should really take a step back and look at this process since they are incurring a loss on the returned product and the overall poor customer experience.
  Thank You

  Hi jonchiarito,
  Thank you for signing up for the forum and connecting with us.
  I can imagine feeling frustrated after hearing that your certificates would be returned to your My Best Buy™ account, which may cause you to have to make another trip to the store to redeem them.  The only way we could have applied the $50 gift card to your existing purchase is to process a return and repurchase, which would cause the certificates point value to repost to your account.  Since certificates have no actual monetary value, they cannot be put onto a gift card.
  It can usually take between 3 - 6 business days for a certificates point value to repost to a member's account following a return, and it pretty common for the point value to repost the same day that a return is processed.  I looked over your My Best Buy™ account using the email address you registered with the forum, and from what I can see, the point value for the certificates you redeemed reposted to your account yesterday following the return.  It may take 24 hours for your account to update though.
  If after 24 hours you for some reason are unable to access those points or if you have any other program related questions, then do not hesitate to send me a private message and I will see what I can do to further assist.  You can send a private message by clicking on the blue button in my signature labeled "Private Message."  Also, please feel free to post any ideas or suggestions you have to the IdeaX section of the forum.
  Returns When a My Best Buy™ Certificate was Used
  I hope you enjoy the rest of your day.
  Derek|Social Media Specialist | Best Buy® Corporate
   Private Message

• Certificates issued by communications server for client authentication

  Hi,
  we ran into problem with those certificates, that are being issued by the lync server itself.  In our enteprise we have CX600 and CX3000 phones, and i know that certificate authentication is required for the phones to work (both for registrar and webservice).
  However, now that users have lync installed, they have their communications server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA, for most of the users, word or excel suggests to
  use a certificate issued by communications server, not our ent CA. Maybe there is a way for LYNC to trust private enteprise CA and not give out its own certificates and STILL use certificate authentication?
  Thanks!

  Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server", (btw
  is not trusted of course), and in turns forces users to make a selection of which VPN cert to use when dialing in, instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CA's should care about and NOT
  the Lync (server).
  Don’t get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
  Not the first though, SCCM and OSD is another example....
  However, are you saying that Lync communication can’t be used without certificate authentication,
  without the user being spammed with credential prompts?
  Trying to get clarification on this…

• Secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) PLEASE HELP ME!!

  I have gone to this website almost everyday for years and I have not changed anything in my internet settings, but now I'm getting this message: secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) The only thing I KNOW I did differently, was I installed a CAC reader to my computer, since then, this has been happening. Is there a setting I can change?? E-mail is: [email protected] Thanks! Megan

  There were recently several users getting this error code who use AVAST 2015. If you recently got that program, please see:
  * [https://support.mozilla.org/questions/1029578 Can NOT access https://www.google.com for google voice, mail etc.]
  * [https://support.mozilla.org/questions/1028985 Avast Forum connection failed - works in Chrome etc.]
  * [https://support.mozilla.org/questions/1028190 Since last FF update I can't sign out of Yahoo and when I close FF it tells me it has crashed.]

• Certificate issues in ACS 4.0 for Windows

  Hi,
  One of the ACS is configured as CA using third party Certificate, But the server certificate on ACS was self generated and is expired.
  I tried using the same third party certificate to replace the existing expired server certificate on ACS both by generating CSR on ACS and install new certificate using local storage and read from file options but failed.It gives the following error while using CSR generated private key
  "private key doesnt fit for this certificate"
  Next assuming that the installed third party certificate with its own private key can be used to install certificate from the storage gives the following error:
  "Cannot get the private key from certificate. It's absent or not marked as exportable"
  Again assuming that third party certificate has multi server/seat licences.
  Any solution to this issue will be of great help.
  Thanks
  Regards,
  Ahmed

  Re-installing the certificate may resolve this issue.
  Install CA Certificate on your Appliance
  ===============================
  A. Go to System Configuration > ACS Certificate Setup > ACS Certification Authority
  Setup
  B. Click "Download CA certificate file"
  C. Type the IP address or hostname of the FTP server in the FTP Server field
  D. Type a valid username that Cisco Secure ACS can use to access the FTP server in the
  Login field
  E. Type the above user's password in the Password field
  F. Type the relative path from the FTP server root directory to the directory containing
  the CA certificate file in the Remote FTP Directory field
  G. Type the name of the CA certificate file in the Remote FTP File Name field
  H. Click Submit
  I. Verify the filename in the field and click Submit
  J. Restart the ACS services in System Configuration > Service Control

• Forefront Protection 2010 for Exchange and CorruptedCompressedFile issue

  Hi
  I have an issue where a third-party vendor is using Cisco Prime management software to email zipped reports to various recipients on our system. However, when it hits our system, Forefront is tagging this as a "CorruptedCompressedFile"
  and stripping it from the emails.
  I've had the email sent to a personal email account and the attachment looks ok - it opens normally and there is no password. If I use Windows 7 to extract the single file and then create a new zip file, this new zip file is delivered fine to users in our
  system.
  We are running Exchange 2010 (14.03.0174.001) and Forefront Protection for Exchange (11.0.727.0).
  The file is a csv, and one example is only 2.5MB compressed, and 15MB uncompressed.
  Does anyone know what could be causing the issue here?
  Thanks
  Paul

  HI,
  In general, the files that FPE is unable to parse will be scanned as a corrupted compressed file and it can be due to multiple reasons.
  Please check the FSEAgentLog under %Program Files (x86)%\Microsoft Forefront Protection for Exchange Server\Data
  to see if any detailed information exists.
  Firstly, I recommend you to check the maximum compressed file size to make sure that it is larger than that file. You can clickPolicy
  Management in the FPE Administrator Console, and under
  Global Settings, click Advanced Options, then in the
  Global Settings - Advanced Options pane, under the Threshold Levels section.
  In addition,
  files identified as corrupted are quarantined by default. You can override quarantining for these file types by clearing the
  Quarantine corrupted compressed files
  check box under the
  Deletion Criteria
  section in the Global Settings - Advanced Options pane,,
  and then clicking
  Save. However, it is not recommended to do this as it may cause all the files identified as corrupted are not quarantined.
  Best regards,
  Susie