Author Topic: Outloook Anywhere -The name on the security certificate is invalid  (Read 5788 times)

jodel

  • Zen Monk
  • **
  • Posts: 52
  • Karma: +2/-0
    • View Profile
Hi,
I have Zentyal 4.1 set up with openchange.  Internal lan computers can connect Outlook to the Zentyal server and mail in and out is OK.  Webmail log in  from external computers also works fine.  Activesync from Android and Iphone also works.

I am having problems getting Outlook Anywhere to connect.  The error is:

"There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site
Outlook is unable to connect to the proxy server. (Error Code 10)"

I think this has arisen because when setting up OpenChange I used  "mydomain.com" as the virtual mail domain where as it should have been "mail.mydomain.com" . 
"mydomain.com" and "mail.mydomain.com" are on two different  servers with two separate external ip addresses.  The Zentyal server is on the "mail.mydomain.com".  This is what I put into outlook when setting up the remote connections.  Outlook connects to the server but the cert has "mydomain.com" instead of "mail.mydomain.com" hence the error.
In attempting to get over this, I have set up a second virtual domain on Zentyal called "mail.mydomain.com"  However the cert still seems to be only referring to "mydomain.com".  I also tried an alias in the virtual domain but to no avail.

Do I need to re-setup OpenChange and if so I presume I will loose all my data?
How do I tell OpenChange to use a different virtual mail domain?

Any suggestions as to how I might solve this?

Jodel

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #1 on: October 31, 2015, 03:48:04 pm »
I have the same problem can anyone help with this please

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #2 on: November 03, 2015, 04:10:32 pm »
Is there anyone who can help with this please .
I've issued a new certificate for mail."mydomain" . I still cannot connect to outlook anywhere ,when I run the exchange connectivity wizard I receive an error "Certificate name validation failed" listing the name on my authority certificate "mydomain" not mail."mydomain" .
How can I change this!

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #3 on: November 16, 2015, 11:01:15 am »
I have been unable to sort this out and cannot connect using ssl . I'm sure I'm missing something and there's a simple solution to this. Can anyone help please.

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #4 on: November 16, 2015, 02:08:15 pm »
Hello:

I would suggest opening the certificate and checking for which SANs it is a valid cert.

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #5 on: November 16, 2015, 09:36:29 pm »
Thank you for your reply.
what I would like to do is change the name on the certificate from "mydomain.co.uk" to mail.mydomain.co.uk as a cannot connect with SSL
I receive the following error when I run exchange connectivity wizard.

Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
        Additional Details
    Elapsed Time: 487 ms.

        Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.mydomain.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        Additional Details
    Remote Certificate Subject: CN=zentyal-domain.lan, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK, Issuer: CN=mydomain Authority Certificate, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK.
Elapsed Time: 466 ms.

    Validating the certificate name.
    Certificate name validation failed.
      Tell me more about this issue and how to resolve it

        Additional Details
    Host name mail.mydomain.co.uk doesn't match any name found on the server certificate CN=zentyal-domain.lan, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK.
Elapsed Time: 0 ms.






cheesyking

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #6 on: November 16, 2015, 10:12:19 pm »
I don't think just changing the certificate is the right way to go. The correct certificate should get generated if you setup zentyal with the correct hostname and domain, sure you can just generate a new cert and install it but there are almost certainly other things wrong. NB changing stuff like the hostname and domain of the server will probably mean redoing the setup for openchange (email should be left in place but I'm not sure about calendar /  contacts).

Basically your internal domain should be a subdomain of a real domain you own. Using something like zentyal.lan is bad because these days it's possible for tlds like .lan to suddenly become active on the internet. If you use a subdomain of something you own you don't have to worry about this. Anyhow, if you have mydomain.com you might use mylan.mydomain.com. I really wish the zentyal documentation didn't use zentyal-domain.lan as an example or at least mentioned what you're supposed to use.

Next you need to make sure your hostname matches what you want want your server to be seen as outside. So if you want to use mail.mydomain.com you should make "mail" your hostname.

Provided you've got the domain and hostname of the server properly configured zentyal should automatically create the correct certificates.

When you're dealing with microsoft stuff like domain controllers and exchange getting your DNS right from the start is absolutely critical.


Having said all this... I've only configured a single test server so far so don't shout at me too much if this is all dud advice  ;)

BTW to check the SANs (Server Alternate Name) on your certificate you can use this command from the terminal:
openssl s_client -connect your_mailserver's_hostname.yourdomain.com:443 | openssl x509 -noout -text | grep DNS:

Which will list something like:
DNS:your_mailserver's_hostname.yourmaildomain.com
DNS:autodiscover.yourdomain.com
« Last Edit: November 17, 2015, 02:02:16 am by cheesyking »

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #7 on: November 17, 2015, 10:48:45 pm »
Thank you.I've checked the cert as advised and I get this !
Can you advise how to repair?
CONNECTED(00000003)
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=zentyal-domain.lan
i:/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=mydomain Authority Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEXjCCA0agAwIBAgIJAJW1ZuCJpcepMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJVSzESMBAGA1UECBMJVW5kZWZpbmVkMRkwFwYDVQQHExBzVVRUT04gQ09M
REZJRUxEMRcwFQYDVQQKEw5zaGF2ZXItcmVwYWlyczEtMCsGA1UEAxMkc2hhdmVy
LXJlcGFpcnMgQXV0aG9yaXR5IENlcnRpZmljYXRlMB4XDTE1MTEwMjE3MTQwM1oX
DTI1MTAxOTEwMjUwMlowcjELMAkGA1UEBhMCVUsxEjAQBgNVBAgTCVVuZGVmaW5l
ZDEZMBcGA1UEBxMQc1VUVE9OIENPTERGSUVMRDEXMBUGA1UEChMOc2hhdmVyLXJl
cGFpcnMxGzAZBgNVBAMTEnplbnR5YWwtZG9tYWluLmxhbjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBANee/kTFDso/FDqt8uKoAzw4i9HJ6rU0Hqwkyjsy
w5Jr7IzyayuH8QLy2So9MP+PkjgraXDLjCppgH/ixcjmlyns8/laOKd2i6XBDDLB
JMXo0OJfZksprsEOu67QLubKrf0tljbC3ms0KlgJ1zjHNWRgt/MNnFYXiPT+0aW8
UjTHNlW9RXZjM1uEq9WeTapL/2D6/9COZusf+Y6YRS67Csc3/A7zkqo6AZa+3xcJ
PB++wa2oEdPm+qpg4OtUZmNb2SZ4gPQbywEKf6gRRLZIGtLnJuA28hbNeHqJXM5R
9PbqBZEILUrf5gBBeFP8c3iSOcfUkFhb7RidkHYFns3ddGMCAwEAAaOB4zCB4DAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwRgYDVR0RBD8wPYIac2VydmVy
NC56ZW50eWFsLWRvbWFpbi5sYW6CH2F1dG9kaXNjb3Zlci56ZW50eWFsLWRvbWFp
bi5sYW4wHwYDVR0jBBgwFoAUSQBWPlpDqwLr7JftyZelMw31eGEwHQYDVR0OBBYE
FFY836EmPTu0EN9sLVIaa417D+oGMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl
bmVyYXRlZCBDZXJ0aWZpY2F0ZTAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IB
AQCOu4U40VIrkWU5DVIOI0MDyOvI96DSLVGdM8EYFxSfjr9P92HkN2zMK2BBQLiu
PSpPBj9jrF67TADgzJ6lrLOpc4pLQRk3k46ltZZnUbQC0s8A+1QJYmRXkLxjfYA5
q2yk4Y/ZoF9eAE7bMZyZiQ7J08qa985MNBcjHgXAw3paJea9uL1LLE34kNE0cCwh
VVliJSeos52O9FPaoH1XtKRIpazkopNAWFqwq27li78sNv6y4BMICWqe1Il8/sZJ
XbBVcTnoVC9WdalgZti0keBEPBIHpoffUqpy/LVUulf5hA+DYetA9TGqgBwXgVWa
+VtoG2gexMoPIGU4Kykidf4J
-----END CERTIFICATE-----
subject=/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=zentyal-domain.lan
issuer=/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=mydomain Authority Certificate
---
No client certificate CA names sent
---
SSL handshake has read 1813 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7348AC0F4D3E18EC40B82670F0F12FC7EFC84BF53EC87C51F616CC351D273781
Session-ID-ctx:
Master-Key: A69A96B7C650CD2F20AF34DEE53EDEE77F7F1E234F4EA02407BFF54035F73D480257BBF8E4286EAC974FE55899D6FDA8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 26 a6 fd 5c 20 b0 67 e7-fb d8 06 c2 08 69 83 55 &..\ .g......i.U
0010 - 56 ce 70 71 a6 85 25 99-48 95 98 8f 40 10 71 7d V.pq..%.H...@.q}
0020 - 5d 28 02 db 76 71 eb 10-d7 ac 01 c9 60 1f 4e c5 ](..vq......`.N.
0030 - 27 aa 3b 81 50 2f 73 41-6a e6 66 6d be 1e a6 22 '.;.P/sAj.fm..."
0040 - 20 ed 3a 87 fe 99 22 6e-f1 a4 5e db 03 e4 ab ba .:..."n..^.....
0050 - 31 24 45 7a 6e fb 29 f4-59 b0 67 a1 a6 4d 3a e8 1$Ezn.).Y.g..M:.
0060 - 9b 4a c6 4d d5 8f a1 80-ac a3 ab 87 44 86 3c 1d .J.M........D.<.
0070 - 5c cc f1 38 df ce 0a e5-1b 6c 03 4c 2c b5 1f 75 \..8.....l.L,..u
0080 - 17 24 ab 6c aa 77 e8 2c-53 1b fe 17 e4 53 f1 38 .$.l.w.,S....S.8
0090 - 2d d3 83 14 03 83 3b d4-7a 1f 2e bf 95 7e 5a 56 -.....;.z....~ZV
00a0 - 43 f1 05 7c cc 02 b7 4e-5f 92 5e 70 89 90 dd dc C..|...N_.^p....
00b0 - ca 2c 1e ba 2c e6 4a ff-64 f6 31 87 6d 9d 48 42 .,..,.J.d.1.m.HB

Start Time: 1447780445
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

« Last Edit: November 18, 2015, 10:44:50 pm by avfccolin »

cheesyking

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #8 on: November 19, 2015, 02:24:06 am »
That doesn't look like the output of the command I gave you.

Code: [Select]
openssl s_client -connect your_mailserver's_hostname.yourdomain.com:443 | openssl x509 -noout -text | grep DNS:
Basically if you setup your server's hostname and domain properly and rerun the setup of openchange I think you should get the correct certificates automatically generated. (I also seem to remember that if your change the hostname and domain of the server the openchange setup has to be rerun anyway.)

avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #9 on: November 26, 2015, 04:03:09 pm »
I've configure a new server as you suggested with a domain "lan.mydomain.co.uk" and a hostname  "mail"
the san is then lan.mydomain.co.uk and still does not match . what am I missing here?

cheesyking

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #10 on: November 26, 2015, 05:28:22 pm »
I'm not too sure then. I'll try setting up another server myself in a VM and see what happens.

cheesyking

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #11 on: November 26, 2015, 06:00:39 pm »
Just ran through the setup again in a VM and it worked as I expected. The SANs on the cert are mail.mydomain.com and autodiscover.mydomain.com which is correct.

Here is what I entered in the setup:

Hostname:
mail

Domain:
lan.mydomain.com

Mail Domain:
mydomain.com
(NB by default the installer wants this to be "lan.mydomain.com" and you have to change this)

First Organisation:
MyOrganisation

That's it.

Can you setup a VM so you can go through the install process quickly (maybe do a snapshot after the first reboot and before starting the package installation of domain services, mail, groupware etc)

If you hover your mouse over the "Access Webmail" link on the openchange page does the domain in the URL match properly like they do in that image?



avfccolin

  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #12 on: November 30, 2015, 05:08:32 pm »
Yes that is all as discribed.
this is the output from command to check SAN;
oadmin@mail:~$ openssl s_client -connect mail.shaver-repairs.co.uk:443 | openssl x509 -noout -text |grep DNS:
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN = lan.shaver-repairs.co.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN = lan.shaver-repairs.co.uk
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN = lan.shaver-repairs.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
                DNS:mail.lan.shaver-repairs.co.uk, DNS:autodiscover.lan.shaver-repairs.co.uk

cheesyking

  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #13 on: November 30, 2015, 07:41:47 pm »
Well I'm sure it's something silly rather than anything else. Here's a video I made going through an install that gets the right SANs in the certificates.

https://youtu.be/KYJLsAOUr9k

Hope it helps

jodel

  • Zen Monk
  • **
  • Posts: 52
  • Karma: +2/-0
    • View Profile
Re: Outloook Anywhere -The name on the security certificate is invalid
« Reply #14 on: January 20, 2016, 03:06:34 pm »
Hi,
This relates to connecting outlook locally but follows on from the above post.
I have set up Zentyal on a virtual following exactly as described in the previous post and video.
I have checked the cert as suggested and the DNS refers to mail.mydomain.com and mydomain.com.
I have installed the cert into the trusted root in windows 7.
I an using the Zentyal machine for dns and it pings correctly for mail.maydomain.com and mydomain..com

I set up the mail in outloook as
Name **********
Email   username @mydomain.com
Password *******

It pops up a dialog box asking me to log in.

I try       lan,mydomain.com\myusername
and password  **********

But it just keeps popping up the same log in dialogue.

I have tried numerous options to no avail.

Any suggestions as to how I can get this to work would be much appreciated.

Jodel