Server Name in Certificate

Similar Messages

• There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

  Good day Guys
  First of all I am not an Exchange Expert, and I might be asking a very stupid question, but please bare with me. :) 
  While I was on leave our Mail server fell over and The company got a Specialist to help out for the time being.
  We where\are on Microsoft Exchange 2007 , which Fell over, and the specialist was able to recover as much data as he could.
  They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013 and not everything migrated over.
  But the problem is, Outlook Anywhere was enable on 2007 and worked a 100% (before the disaster)
  With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:
  "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"
  Outlook is unable to connect to the Proxy server. (Error Code 0)"
  Has anyone had the Similar when migrating over from 2007 to 2013 or is this an Issue on IIS and nothing to do with Exchange migration?
  Your assistance will be greatly appreciated.

  Hi,
  Firstly, I would suggest we use Exchange 2013 FE as the Outlook Anywhere proxy server.
  For the certificate issue, it mostly occurs because the host name that Outlook are trying to access does not match the certificate SAN. Please check with this point. If they do not match, you
  can change the host name by referring to the following article:
  https://support.microsoft.com/kb/940726/en-us?wa=wsignin1.0
  Thanks,
  Simon Wu
  TechNet Community Support

• Internal server name .local and having a certificate mismatch

  I have one RD server with all the roles on it and I'm receiving a SSL certificate error because my internal server name is a .local and the SSL has been assigned to my apps.domainname.com address.
  I've ran the powershell cmdlet Set-RDPublishedName to reflect the apps.domainname.com, but this doesn't seem to make a difference.

  Hi Bill,
  1. We know Set-RDPublishedName worked because it shows apps.domainname.com for Remote computer in the prompt.
  2. In Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab, please make sure you have set your certificate for all purposes (RDCB Single Sign On, RDCB Publishing, RDWeb, RDG).  We know it is not set (at least) for
  publishing because you are seeing the Unknown publisher warning.
  3. On the client PC, please make sure you have mstsc.exe version 6.2.9200 or later installed.  For Windows 7 you need to download and install the DTLS and RDP 8.0 updates.  Windows 8 and later already includes the new client.
  4. On your server, please enter the following in an administrator command prompt:
  wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="e2f034c171b92afc96b23b7f4da15728c1e461a9"
  Substitute your certificate's thumbprint for the Hash listed above.  The quickest way to get your cert's thumbprint is to open the certificate, on the Details tab highlight the thumbprint with your mouse, press Ctrl-C to copy it, then paste it
  into the command prompt using the system menu Edit--Paste command.  After pasting simply delete out the spaces in the thumbprint using backspace and the left arrow key.
  5. For best results with RD Web Access, please use IE and Allow and Run the Activex control when prompted.  Selecting the Private option on the RD Web logon page is preferred.
  Once you finished with the above items please test again and reply back here with your results, whether positive or negative.
  Thanks.
  -TP

• IIS Create a Certificate with Server Name

  Dears,
  I have IIS 2012 , I want to create Non Self-signed certificate with Server FQDN Name and NetBIOS name from my Local CA.
  I have tried to create Domain Certificate from IIS (IIS Console > Open Server Certificates > Create Domain Certificate) unfortunately this certificate does not include the FQDN Server name nor NetBIOS Name.
  Thank you

  Please follow the below url  that provides details of
  Request a Certificate
  Create a Custom Certificate Request
  Save a Certificate Request in a File
  Sign Certificate Requests
  Obtain a Certificate
  http://technet.microsoft.com/en-in/library/cc754490.aspx
  For more graphical view ....http://www.petenetlive.com/KB/Article/0000840.htm
  Exchange Queries

• Server Name VS Outlook Anywhere Proxy Server and the behaviour I should expect when using SAN certificates...

  (I'll upload screen captures if needed once my account gets verified)
  I have a basic (as in freshly installed single exchange server 2010 SP3) Exchange Server installation. I've setup Outlook Anywhere. I've also setup a SAN (SubjectAltName) certificate.
  My setup:
  ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
  mail.eci.XXXX.XX = an A record I've setup to access my exchange server. It is also a subjectAltName in my SAN certificate
  When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my exchange server using RPC over HTTPS.
  Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name, in Outlook..
  But it does not work. The proxy will give me an error each time, like that:
  HTTP    544    RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
  HTTP    635    HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
  HTTP    123    HTTP/1.0 503 RPC Error: 6ba
  My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
  Thanks!

  Hi,
  Firstly, I’d like to explain, the server name tab should be filled with your mailbox server name in the process of configuring Exchange 2010 account.
  And the Outlook Anywhere proxy server is configured at the server side and cannot be randomly defined at the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
  Thus, it’s an expected behavior that we would get error if we randomly enter name in the server name tab when we configure an account. If I misunderstand your meaning, please feel free to let me know.
  Additionally, Autodiscover service can help us automatically complete the configuration of the Outlook account. And how about the result if you use the Autodiscover to automatically configure the account?
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• Server name SSL does not match subject of certificate Server-Cert

  Sun Java System Web Server 7.0U1 B06/12/2007 22:13
  We see the following warning in the startup log everytime. We have been ignoring this for awhile now since SSL is working fine and browsers don't complain. But recently we found some mobile browsers are not happy with our SSL pages. So we are thinking this may be the casue.
  warning ( 3256): CORE1251: On HTTP listener http-listener-2, server name SSL does not match subject "www.ourdomain.com" of certificate Server-Cert.
  What does this warning really mean? Do we need to rename the server name "SSL" to match the domain name?
  Thanks

  AFAIK That warning is a result of the fact that the hostname doesn't match the certificate.
  The cert has a Common Name (CN) attribute of the certificate's Subject Name or Subject Alternative Name (SAN) of type DNS name
  should match with the server's DNS name.
  hostname == machines name
  I don't know if we need to change the instances server name as well.
  I will try on my machine and and will let you know.
  Are you sure this warning is the source of your problem? Look at what Joe has written :
  "If most of your users are not getting browsers complaining of a mis-match then this is likely not the source of your mobile device problem."
  Which mobile model and browsers are you getting complains from? We can try testing it here.

• Intermittent proxy error "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server "

  Hi all,
  From time to time (at least once a day), the following message pops up on the user's screen:
  "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server . Error Code 80000000)."
  If we click "OK" it goes away and everything continues to work although sometimes Outlook disconnects. It is quite annoying...
  Any ideas?
  Thank you in advance

  Hi,
  For the security alert issue, I'd like to recommend you check the name in the alert windows, and confirm if the name is in your certificate.
  Additionally, to narrow down the cause, when the Outlook client cannot connect again, I recommand you firstly check the connectivity by using Test E-mail AutoConfiguration. For more information, you can refe to the following article:
  http://social.technet.microsoft.com/Forums/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
  Thanks,
  Angela Shi
  TechNet Community Support

• Does Safari on iPad support SNI (Server Name Indication)

  Hi,
  I am testing name-based virtual host with apache 2.2 over SSL and noticed that this is only supported using SNI (server name indication). I have updated openSSL to include the SNI extensions on the apache but the client browser is also required to support this. I wanted to know if there is any indication as to when SNI will be supported by the Safari browser on iPad and/or if anyone else has experienced this issue.
  I know of 1 additional work around is to use wildcard certs but I am not to keen on using those unless I really have to.
  I verified that this is not support by hitting the site: https://sni.volex.ch from the iPad safari browser - it fails. However, using Opera on iPad worked.
  Thanks

  From what I understand SNI is largely reliant on client support. It is just an extension of the TLS SSL protocol. One of our Escalation Engineers wrote up a pretty good post explaining SNI.
  http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
  "SNI is an extension to the TLS SSL protocol that allows the client to include the Hostname the client is connecting to in the SSL Client Hello. A server can then use the SNI header to determine which certificate to serve to the client. A key benefit
  of SNI is that is allows a server to host multiple certificates on the same IP/port pair instead of needing an IP per certificate (assuming you are using port 443)."
  A few questions I would have is what client and browser combination have you attempted on this? Also, are you using a wildcard certificate on your Web Listener? Have you taken network traces to see if client is sending SNI? Ian does a good job of explaining
  how to do that in his blog post.

• Project server and exhcnage certificate or EWS url problem

  We are having trouble enabling synchronization between our Project 2010 Server and our Exchange 2010 CAS server. 
  When we initially saw this error below,
  “The root of the certificate chain is not a trusted root authority.”, we then downloaded the GoDaddy intermediates certificate that goes with the “mail.sfbcic.com” cert and    imported it as a trusted root authority
  on the project server.  However, we are still getting the error you see below. 
  You can see that we have two certificates that are valid. 
  Our CAS server has 2 certificates: (Both are valid certificates)
                  1 – Self-Signed      HOSEXCHCAS4
                  2 – Third-party (GoDaddy) certificate      mail.sfbcic.com
  Our Questions:
  1. In PWA, do the computer names of the cas servers need to match the third party certificate (is that what's causing the error)?  Currently, we have the CAS server names listed (cas2, cas3, cas 4).  The Go Daddy certificate
  is for mail.ourdomain.com
  2 If the answer is no, do you have any idea what we are missing?
  3. Do we need to get a new third party certificate and not use the self-signed certificate?
  4.  Would one of the CAS servers not being active right now cause this issue?
  -------  Event logs ---------------------
  Log Name:      Application
  Source:        Microsoft-SharePoint Products-SharePoint Foundation
  Date:          4/18/2012 4:11:08 PM
  Event ID:      8311
  Task Category: Topology
  Level:         Error
  Keywords:     
  User:          DOMAIN1\svc_spfarm
  Computer:      HOPROJECTSVR.sfbcic.com
  Description:
  An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=mail.sfbcic.com, OU=Information Technology, O=Southern Farm Bureau Casualty Insurance Company, L=Ridgeland, S=MS, C=US\nIssuer Name:
  SERIALNUMBER=xxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US\nThumbprint:
  xxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\nErrors:\n\n The root of the certificate chain is not a trusted root authority..
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-SharePoint Products-SharePoint Foundation" Guid="{6FB7E0CD-52E7-47DD-997A-241563931FC2}" />
      <EventID>8311</EventID>
      <Version>14</Version>
      <Level>2</Level>
      <Task>13</Task>
      <Opcode>0</Opcode>
      <Keywords>0x4000000000000000</Keywords>
      <TimeCreated SystemTime="2012-04-18T21:11:08.362997800Z" />
      <EventRecordID>12044</EventRecordID>
      <Correlation ActivityID="{09F06ACB-9929-4F57-A7E8-9786C165ECAE}" />
      <Execution ProcessID="5424" ThreadID="1200" />
      <Channel>Application</Channel>
      <Computer>HOPROJECTSVR.sfbcic.com</Computer>
      <Security UserID="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
    </System>
    <EventData>
      <Data Name="string0">CN=mail.sfbcic.com, OU=Information Technology, O=Southern Farm Bureau Casualty Insurance Company, L=Ridgeland, S=MS, C=US</Data>
      <Data Name="string1">SERIALNUMBER=xxxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository,
  O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US</Data>
      <Data Name="string2">xxxxxxxxxxxxxxxxxxxxxxxxxxx</Data>
      <Data Name="string3">The root of the certificate chain is not a trusted root authority.</Data>
    </EventData>
  </Event>
  Exchange queue errors…..
  ExchangeSync() failed to retrieve specified user_s      (c3d0c753-21b3-4ff1-8312-61fba2defe8e) Exchange Server url. No exception     
  was thrown, but EWS url came back empty.:
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed' uid='42585c0c-d4b2-4dfc-9303-af128e5e3a00'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed'       uid='5a607457-2eb4-4d53-a80e-13e538fb46ff'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed'       uid='490d7241-a2b9-42f5-b81b-a4f3ee67c2a6'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed'       uid='eefd753b-a3da-4a17-a278-bf12fc68e58c'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed' uid='f525cd5e-2a57-414b-a20d-1dc2528733e9'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSyncEWSUrlFailed (40509). Details: id='40509'      
  name='ExchangeSyncEWSUrlFailed'       uid='34f74c12-a812-4a80-85a3-0ece1e426f33'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'.
  ExchangeSync() handle ExchangeSyncStatusingMessage for      user c3d0c753-21b3-4ff1-8312-61fba2defe8e queue message caused an     
  exception.:
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'      
  name='ExchangeSyncGeneralProcessingFailure' uid='7b7ab045-ba46-47cd-8504-23272e09dbcc'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
        exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
  MessageContext mContext)'.
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'      
  name='ExchangeSyncGeneralProcessingFailure'       uid='a3783e9a-2b39-4878-8099-20681a4715d3'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
        exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
  MessageContext mContext)'.
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'      
  name='ExchangeSyncGeneralProcessingFailure'       uid='71656d71-38d4-4acf-a26d-9f0d6f84da0b'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
        exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
  MessageContext mContext)'.
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512' name='ExchangeSyncGeneralProcessingFailure'
        uid='2454abb1-6a2b-4716-bd45-03a7edf80347'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
        exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
  MessageContext mContext)'.
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'      
  name='ExchangeSyncGeneralProcessingFailure'       uid='3dbd4f65-f478-47e7-aeb3-d05575be69fe'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e'       exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks      
  exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket, MessageContext mContext)'.
  ExchangeSyncGeneralProcessingFailure (40512). Details: id='40512'      
  name='ExchangeSyncGeneralProcessingFailure'       uid='17a05fda-8702-4e20-93d1-068bf9182cf1'       teamMemberUid='c3d0c753-21b3-4ff1-8312-61fba2defe8e' exception='Microsoft.Office.Project.Server.BusinessLayer.Queue.ExchangeSyncEmailAddressInvalidException:
        Could not find Exchange server for resource       c3d0c753-21b3-4ff1-8312-61fba2defe8e at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.ExecuteSync(ExchangeSyncTasks
        exchangeSyncTasks) at       Microsoft.Office.Project.Server.BusinessLayer.Queue.ProcessExchangeSyncMessage.HandleMessage(Message       msg, Group messageGroup, JobTicket jobTicket,
  MessageContext mContext)'.
  Queue:     
  GeneralQueueJobFailed (26000) -
  ExchangeSyncTasks.ExchangeSyncTasks. Details: id='26000' name='GeneralQueueJobFailed' uid='cfd94c57-78c0-4c1a-b343-22e36d940276' JobUID='11ff22eb-364b-4ff6-a05f-10e29407e04a' ComputerName='HOPROJECTSVR' GroupType='ExchangeSyncTasks' MessageType='ExchangeSyncTasks'
  MessageId='1' Stage=''. For more details, check the ULS logs on machine
  HOPROJECTSVR for entries with JobUID 11ff22eb-364b-4ff6-a05f-10e29407e04a.
  Cletus51

  We found the problem. 
  We downloaded the "Go Daddy Class 2 Certification Authority Root Certificate".  Via Sharepoint 2010 Central Administration, we created a new trust relationship using the certificate we downloaded. 
  Cletus51

• Error in uploading BDC Models (Server name missing from URL in Property wcfmexURL)

  Hi,
  We are using multiple Dialogue Instances in DUET Enterprise.
  Problem: Before we did the Reverse Proxy Configuration for App Servers, Our BDC Models got imported in SharePoint Successfully (Correct WSS Setup and STS Urls) but After doing the Reverse Proxy Configurations, when we regenerated the BDC Models, apparently Server Name is missing from URL of the Propoerty "wcfmexurl".
  Below is the Error Text:
  [ERROR] The LobSystem (External System) / LobSystemInstance (External System Ins
  tance) Property with Name 'WcfMexDocumentUrl' has an invalid value 'https/sap/bc
  /srt/wsdl/bndg_CF37C550B825080AE1000000AC1F18FD/soap12/wsdl11/allinone/ws_policy
  /document?sap-client=400'.
      Error was encountered at or just before Line: '65' and Position: '20'.
  Failed to import model: Role
  [ERROR] The LobSystem (External System) / LobSystemInstance (External System Ins
  tance) Property with Name 'WcfMexDocumentUrl' has an invalid value 'https/sap/bc
  /srt/wsdl/bndg_CE38C550B825080AE1000000AC1F18FD/soap12/wsdl11/allinone/ws_policy
  /document?sap-client=400'.
      Error was encountered at or just before Line: '42' and Position: '20'.
  Failed to import model: UserRoles

  Hi Holger,
  Thanks a lot!
  This Error is gone after implementing the Note. Now the generated BDC Models have the correct URL for wcfmexURL property.
  now we have the Following Error:
  [ERROR] Error loading URL 'https://sapbwX.srv.XXX.com/sap/bc/srt/wsdl/bndg_92
  38C550B825080AE1000000AC1F18FD/soap12/wsdl11/allinone/ws_policy/document?sap-cli
  ent=XXX'. This normally happens when URL does not point to a valid discovery doc
  ument, service description, or XSD schema.
      Error was encountered at or just before Line: '48' and Position: '20'.
  Failed to import model: Account
  For this Error, our SharePoint Administrator is checking below Steps.
  1.    1) Open “wcfmexDocumentUrl” URL in the browser and copy all SSL certificates (including Root Certificates) to a file. Then import these certificates in the Trust Relationships section. Then try the import of the BDC Models
  2.   
  2) 2) Verifying Your server uses a virtual hostname and all the configuration (e.g. SSL certificate) is done for this virtual hostname. Also the URLs that are created and used in the BDC model are Same virtual hostnames, but not the ones from the physical server.
  3.  3)Re-verify SAML Authentication type and transport security at SAP.
  4) 4) Browse WSDL at SharePoint Server and verify “WSP:Policy”  and in WSDL make sure that it contains an entry:
  <sp:RequestSecurityTokenTemplate>
  <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
  </sp:RequestSecurityTokenTemplate>
  I will update the Results after these checks!
  Thanks,
  Saumil

• Autodiscover server name configuration?

  I'm running Exchange 2010 with Outlook clients.  I have Autodiscover configured and working.  However, when a new user uses the autodiscover and does a "check name", the server returns a different server name from what's on my SSL certificate,
  so when the user subsequently opens Outlook, he/she will receive the security alert saying the names don't match.  How do I configure the server name being returned by the autodiscover service?  I need to tweak it to match what's on my certificate. 
  I've run "Set-OutlookProvider -CertPrincipalName" for both EXPR and EXCH, and whereas they now appear correct when I run "Get-OutlookProvider", this has made no difference to clients.
  Any help would be much appreciated!  Thanks!
  Brad.
  P.S.  If this question has already been answered numerous times, please resist the urge to swear at me and simply point me to the other posts.  Once again, thanks a lot!

  Thanks for the quick response!
  However, according to
  http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/6432dea0-e5a2-4cc2-afb8-24c89c18dc47/, "Set-ClientAccessServer AutoDiscoverServiceInternalUri" is for domain-joined machines.  My clients are not domain-joined.
  That same discussion mentions "Set-AutodiscoverVirtualDirectory -ExternalUrl", but quite frankly I don't think the URL is the issue.  It's the server name specifically that I want to change.  I'd like Outlook to be trying to connect to secure.mydomain.com,
  rather than servername.mydomain.com.
  Thoughts?
  Brad.

• SSLException: Name in certificate "host1" does not match host name "host2"

  Hi all,
  I am using a hosted WebDAV/Subversion service to store my files. The provider has connected my domain name to the service, so now I can access the service through my domain name :-)
  However, the provider cannot assign a static dedicated IP for the server which provides my content, hence he cannot set an SSL certificate for my domain name. Any time I access the service I am getting an SSL warning telling me that the domain name does not match that on the certificate... So far had no problem with that. The Web browser, the Windows Explorer, and the Subversion client allow me to accept the connection.
  Now I need to set up some automatic build software (Maven) and it appears that the JRE has a problem with these name mismatches -- it just throws an exception and does not allow me to accept the connection :-( In order to ensure that this is a JRE problem, I have tried to connect to the service with a Java-based WebDAV client (DAVExplorer) -- same thing -- here is the message thrown by DAVExplorer:
  javax.net.ssl.SSLException: Name in certificate "his.domain.name" does not match host name "my.domain.name"
  Is there some configuration file, system property or switch that I can use to make the JRE ignore the domain name mismatch thing?
  Please help,
  Adrian.

  Here is a quick example I put together. Most of the code was autogenerated by Eclipse "Generate Delegate Methods" on the urlConn field of the class. This is just an example; I haven't given it much thought; it probably opens up other security holes and I take no responsibility for it.
  In my example, I have an SSL server with the name "dawntreader" in the certificate, but my URL is https://192.168.10.7/ which triggers the name mismatch. I have not actually tested it with maven, but looking at these docs (http://maven.apache.org/guides/mini/guide-repository-ssl.html) I think that you should be able to add the following to the MAVEN_OPTS environment variable: -Djava.protocol.handler.pkgs=MyHttpsUrlConnection and make sure the MyHttpsUrlConnection.class file is on the classpath
  import java.io.IOException;
  import java.io.InputStream;
  import java.io.OutputStream;
  import java.net.MalformedURLException;
  import java.net.ProtocolException;
  import java.net.URL;
  import java.security.Permission;
  import java.security.Principal;
  import java.security.cert.Certificate;
  import java.util.List;
  import java.util.Map;
  import javax.net.ssl.HostnameVerifier;
  import javax.net.ssl.HttpsURLConnection;
  import javax.net.ssl.SSLPeerUnverifiedException;
  import javax.net.ssl.SSLSession;
  import javax.net.ssl.SSLSocketFactory;
  import javax.security.auth.x500.X500Principal;
  public class MyHttpsURLConnection extends HttpsURLConnection
      static class MyHostnameVerifier implements HostnameVerifier
          private static final String EXPECTED_HOSTNAME = "dawntreader";
          private String getCN(String DN)
              String [] dnComponents = DN.split(",");
              // Find one that starts with CN=
              for (String component : dnComponents)
                  if (component.startsWith("cn="))
                      return component.substring(3);
              return "";
          @Override
          public boolean verify(String hostname, SSLSession session)
              try
                  X500Principal peerPrincipal = (X500Principal) session.getPeerPrincipal();
                  String DN = peerPrincipal.getName("CANONICAL");
                  // now parse the CN out of the effing DN
                  // We should also get the subject alternative names
                  // from the peer certificate
                  String CN = getCN(DN);
                  return CN.equals(EXPECTED_HOSTNAME);
              } catch (SSLPeerUnverifiedException e)
                  return false;
      private final HttpsURLConnection urlConn;
      public MyHttpsURLConnection(URL url) throws IOException
          super(url);
          urlConn = (HttpsURLConnection) url.openConnection();
          urlConn.setHostnameVerifier(new MyHostnameVerifier());
      public void addRequestProperty(String key, String value)
          this.urlConn.addRequestProperty(key, value);
      public void connect() throws IOException
          this.urlConn.connect();
      public void disconnect()
          this.urlConn.disconnect();
      public boolean equals(Object obj)
          return this.urlConn.equals(obj);
      public boolean getAllowUserInteraction()
          return this.urlConn.getAllowUserInteraction();
      public String getCipherSuite()
          return this.urlConn.getCipherSuite();
      public int getConnectTimeout()
          return this.urlConn.getConnectTimeout();
      public Object getContent() throws IOException
          return this.urlConn.getContent();
      public Object getContent(Class[] classes) throws IOException
          return this.urlConn.getContent(classes);
      public String getContentEncoding()
          return this.urlConn.getContentEncoding();
      public int getContentLength()
          return this.urlConn.getContentLength();
      public String getContentType()
          return this.urlConn.getContentType();
      public long getDate()
          return this.urlConn.getDate();
      public boolean getDefaultUseCaches()
          return this.urlConn.getDefaultUseCaches();
      public boolean getDoInput()
          return this.urlConn.getDoInput();
      public boolean getDoOutput()
          return this.urlConn.getDoOutput();
      public InputStream getErrorStream()
          return this.urlConn.getErrorStream();
      public long getExpiration()
          return this.urlConn.getExpiration();
      public String getHeaderField(int n)
          return this.urlConn.getHeaderField(n);
      public String getHeaderField(String name)
          return this.urlConn.getHeaderField(name);
      public long getHeaderFieldDate(String name, long Default)
          return this.urlConn.getHeaderFieldDate(name, Default);
      public int getHeaderFieldInt(String name, int Default)
          return this.urlConn.getHeaderFieldInt(name, Default);
      public String getHeaderFieldKey(int n)
          return this.urlConn.getHeaderFieldKey(n);
      public Map<String, List<String>> getHeaderFields()
          return this.urlConn.getHeaderFields();
      public HostnameVerifier getHostnameVerifier()
          return this.urlConn.getHostnameVerifier();
      public long getIfModifiedSince()
          return this.urlConn.getIfModifiedSince();
      public InputStream getInputStream() throws IOException
          return this.urlConn.getInputStream();
      public boolean getInstanceFollowRedirects()
          return this.urlConn.getInstanceFollowRedirects();
      public long getLastModified()
          return this.urlConn.getLastModified();
      public Certificate[] getLocalCertificates()
          return this.urlConn.getLocalCertificates();
      public Principal getLocalPrincipal()
          return this.urlConn.getLocalPrincipal();
      public OutputStream getOutputStream() throws IOException
          return this.urlConn.getOutputStream();
      public Principal getPeerPrincipal() throws SSLPeerUnverifiedException
          return this.urlConn.getPeerPrincipal();
      public Permission getPermission() throws IOException
          return this.urlConn.getPermission();
      public int getReadTimeout()
          return this.urlConn.getReadTimeout();
      public String getRequestMethod()
          return this.urlConn.getRequestMethod();
      public Map<String, List<String>> getRequestProperties()
          return this.urlConn.getRequestProperties();
      public String getRequestProperty(String key)
          return this.urlConn.getRequestProperty(key);
      public int getResponseCode() throws IOException
          return this.urlConn.getResponseCode();
      public String getResponseMessage() throws IOException
          return this.urlConn.getResponseMessage();
      public Certificate[] getServerCertificates() throws SSLPeerUnverifiedException
          return this.urlConn.getServerCertificates();
      public SSLSocketFactory getSSLSocketFactory()
          return this.urlConn.getSSLSocketFactory();
      public URL getURL()
          return this.urlConn.getURL();
      public boolean getUseCaches()
          return this.urlConn.getUseCaches();
      public int hashCode()
          return this.urlConn.hashCode();
      public void setAllowUserInteraction(boolean allowuserinteraction)
          this.urlConn.setAllowUserInteraction(allowuserinteraction);
      public void setChunkedStreamingMode(int chunklen)
          this.urlConn.setChunkedStreamingMode(chunklen);
      public void setConnectTimeout(int timeout)
          this.urlConn.setConnectTimeout(timeout);
      public void setDefaultUseCaches(boolean defaultusecaches)
          this.urlConn.setDefaultUseCaches(defaultusecaches);
      public void setDoInput(boolean doinput)
          this.urlConn.setDoInput(doinput);
      public void setDoOutput(boolean dooutput)
          this.urlConn.setDoOutput(dooutput);
      public void setFixedLengthStreamingMode(int contentLength)
          this.urlConn.setFixedLengthStreamingMode(contentLength);
      public void setHostnameVerifier(HostnameVerifier v)
          this.urlConn.setHostnameVerifier(v);
      public void setIfModifiedSince(long ifmodifiedsince)
          this.urlConn.setIfModifiedSince(ifmodifiedsince);
      public void setInstanceFollowRedirects(boolean followRedirects)
          this.urlConn.setInstanceFollowRedirects(followRedirects);
      public void setReadTimeout(int timeout)
          this.urlConn.setReadTimeout(timeout);
      public void setRequestMethod(String method) throws ProtocolException
          this.urlConn.setRequestMethod(method);
      public void setRequestProperty(String key, String value)
          this.urlConn.setRequestProperty(key, value);
      public void setSSLSocketFactory(SSLSocketFactory sf)
          this.urlConn.setSSLSocketFactory(sf);
      public void setUseCaches(boolean usecaches)
          this.urlConn.setUseCaches(usecaches);
      public String toString()
          return this.urlConn.toString();
      public boolean usingProxy()
          return this.urlConn.usingProxy();
      public static void main(String[] args) throws MalformedURLException, IOException
          MyHttpsURLConnection urlConn = new MyHttpsURLConnection(new URL(
                  "https://192.168.10.7/"));
          urlConn.connect();
          InputStream is = urlConn.getInputStream();
          int nread = 0;
          byte[] buf = new byte[8192];
          while ((nread = is.read(buf)) != -1)
              System.out.write(buf, 0, nread);
  }

• Server name in outlook profile stay the same after SSL changed from local to public fqdn

  Hi,
  I switched our UCC certificate for exchange 2010 so that it is no longer include .local in it. I used different FQDN url for external and internal (i.e externaURL is ExSrv.abc.com and internalURL is InSrv.abc.com). After I changed all settings, I found that
  the outlook profiles are still using the internal server name (i.e. myexchangesrv.abc.local). Is this normal? Should I expect the server name to be the new internalURL? The following are the commands I used and I also used EMC to change the OWA and ECP's internal
  URL to "InSrv.abc.com" as well. Did I missing anything?
  Set-ClientAccessServer -Identity MyExchangSrv -AutodiscoverServiceInternalUri https://InSrv.abc.com/autodiscover/autodiscover.xml
  Set-WebServicesVirtualDirectory -Identity "MyExchangSrv\EWS (Default Web Site)" -InternalUrl https://InSrv.abc.com/ews/exchange.asmx
  Set-OABVirtualDirectory -Identity "MyExchangSrv\OAB (Default Web Site)" -InternalUrl https://InSrv.abc.com/oab
  set-ActiveSyncVirtualDirectory -Identity "MyExchangSrv\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://InSrv.abc.com/Microsoft-Server-ActiveSync
  Thank you,
  Aldous

  Hi,
  When an Outlook client goes to connect to an Exchange 2010 database, it looks at an attribute associated with the mailbox database called RPCClientAccess to determine which client access server/client access server array to use for connectivity.
  Outlook 2007 and Outlook 2010 clients do not pickup this change automatically when you change the value of RPCClientAccess server, you need to repair Outlook Profile to update new RPC endpoint.
  However, be careful to Change this property, because this can broke Outlook Clients to Exchange:
  http://blogs.technet.com/b/exchange/archive/2012/05/30/rpc-client-access-cross-site-connectivity-changes.aspx
  Meanwhile, this attribute must be point to client access server or client access server array. You must have an CAS array named “InSrv.abc.com” as your expected.
  Also I find an similar thread about your concern, please refer to below link as “Brian Day” mentioned:
  https://social.technet.microsoft.com/Forums/exchange/en-US/2d0c0f5f-e4ec-4f33-a37d-b94fd7a2319f/cas-array-and-autodiscover-for-internal-and-external-access?forum=exchange2010
  “The only place the clients will ever use the CAS Array name is when the value of RPCClientAccessServer on their database is looked up and returned to them so they can then resolve the name via DNS and connect through MAPI. This is why the CAS Array
  name is not required to be on a SSL cert unless an admin chose to use the same FQDN for OWA/EAS/EWS/etc...., which would not be recommened for the reason Mitch points out above.”
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Allen Wang
  TechNet Community Support

• ACS Server and Downloading Certificate for LDAP External DB

  Hello,
  We have a Cisco ACS appliance version 3.3 (I know, it is older).
  We have a cert7.db file located on an FTP server ready for the ACS appliance to download so it will use secure ldap.
  No matter how we enter the information to download the certificate, it returns the error: The server name or address could not be resolved.
  We are trying to use the IP address (so name resolution should not be an issue), but just cannot get the darned thing to work. We can FTP from any other machine to the server using a dos prompt - credentials should not be an issue and neither should the starting directory - which is /.
  Anyone know what I might be missing?
  Joel

  Did you ever figure this one out ? I may have the same type issue.
  thanks
  [email protected]

• Replacing Exchange 2007 with another server with new server name

  I am working with a client to move Exchange from the server it is on now to another server. This will be new hardware and new name. The current server Exchange is on will still exist by I want to move Exchange completely off of that server. 
  Current Network Setup:
  Server 1: 1 SBS 2003 server is Domain Controller, Runs AD, DNS, DHCP, File Sharing, SharePoint 2003 and Remote Desktop
  Server 2: Server 2008 running Exchange 2007, Backup Domain Controller, File Sharing, SharePoint 2007, Terminal Services. 
  Current Plan:
  Introduce Server 3 to run just Exchange 2007. I would like to completely over a short period of time move exchange from Server 2 to Server 3. I have searched over the internet and found several articles but still have a few questions. There are roughly 75
  mailboxes with 50 actual users. Some users are using Outlook 2003 that came with the SBS 2003 and others are using Later versions of office. Server 3 will be a Server 2008 R2 system.
  1. What is the best method to perform this transfer. I found article TechNet
  Article that explains with 2 remote offices how to do this but not sure if the same will apply.
  2. Since I am not immediately decommissioning Server 2 how can I safely remove all the roles and add them to Server 3?
  3. For the end user impact. Will the change make Outlook automatically pickup the new server name or will each user need to reconfigure their outlook profiles?
  4. I will be moving OWA since there are several Remote and Terminal Service users that use OWA for email. I would like to keep the same certificate and domain name setup if possible. 

  Hi,
  According to your description, I recommend you install another exchange 2007 on server 3, the exchange server role as the same as server 2.
  And then, transfer all mailboxes and configurations(OWA,DNS..) from server 2 to server 3.
  Finally, decommission the server 2 .
  Thanks.
  Niko Cheng
  TechNet Community Support