Did that already - and double-checked. -----Original Message----- From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Knoch, James W Sent: Wednesday, October 22, 2014 2:56 PM To: exchange@lists.myitforum.com Subject: [Exchange] RE: Certificate prompt after upgrading cert to SHA2
Make sure to check with your certificate provider and see if there was an intermediate certificate that needs to be installed as well on the servers. They are usually different than the previous ones if they were required before. If it is a Digicert certificate, they provide a utility that will help check for it and install any missing intermediates. -----Original Message----- From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Maglinger, Paul Sent: Wednesday, October 22, 2014 12:49 PM To: New Exchange List (exchange@lists.myITforum.com) Subject: [Exchange] Certificate prompt after upgrading cert to SHA2 Hoping for some help to understand what is going on here. Rekeyed my SHA1 certs to SHA2 and imported them into my certificate store. They showed up in Exchange and I assigned IMAP, POP, IIS and SMTP to it. So much for that. Exchange 2010 SP2 UR8 - 2 sites, flat domain. Each site has 2 CAS/HUB, 2 MB, and 1 CAS/HUB/MB. The 2 CAS/HUB servers are configured as a CAA. What I'm seeing is that SOME users that are opening Outlook 2010 in site A are getting a certificate error "The name of the security certificate is invalid or does not match the name of the site" from the CAS/HUB/MB server (ROMAIL3) in site A. All things working correctly they shouldn't even see that server. The CAS/HUB servers have 2 NICs - one of which on each is set up with Windows Load Balancing for the CAA (designated as LB in the name). DNS is set up as the attached diagram shows. The LB IP addresses are not in DNS. When the problem started showing up the event logs on HQMAIL1 were getting 2601, 2604, and 2501 errors every 15 minutes - all having to do with the MSEXCHANGEADTOPOLOGY service: 2501 - The site monitor API was unable to verify the site name for this Exchange computer - Call=DsctxGetContext Error code=8007077f. Make sure that Exchange server is correctly registered on the DNS server. 2604 - When updating security for a remote procedure call (RPC) access for the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the security descriptor for Exchange server object HQMAIL1 - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions. 2601 - When initializing a remote procedure call (RPC) to the Microsoft Exchange Active Directory Topology service, Exchange could not retrieve the SID for account <WKGUID=1A9E54D37856378B478743286FF00932782,CN=Microsoft Exchange,CN=Services,CN=Configuration,...> - Error code=8007077f. The Microsoft Exchange Active Directory Topology service will continue starting with limited permissions. I checked DNS and the entries for HQMAIL1 and HQMAIL2 were missing. I re-added them and pushed out the changes. I then rebooted HQMAIL1 and the error went away in the event log - but on rebooting Outlook I still got the certificate pop-up. I left to get supper and figured I'd work from home using VPN. Coming in that way my Outlook didn't throw the cert error. Going through things on HQMAIL1 I found that if I pinged HQMAIL1 by name from itself it returned with a 123.100.200.31 instead of what DNS should have returned as 123.100.200.1. Searching I found that I could change the priority of the NICs, which I did and it started pinging correctly from itself. I rebooted HQMAIL1 to clear up any lingering effects of the NIC priority and started getting the 2501, 2604, and 2601 errors again. They occurred until I restarted the MS Exchange AD Topology service (which restarted a boat-load of others) and then it cleared up. I'm still hearing from some users, not all, about getting the certificate pop-up. I'm not getting it myself currently. I'm not understanding where or why people are getting pointed to ROMAIL3. Hopefully this makes sense to you guys. -Paul
