I cannot contact the auto attendant in Exchange, even though I created a new Exchange certificate with FQDN

  • Question

  • Hi there,

    I get several errors when trying to call my Exchange voice service.

    Errors like:

    The target principal name is incorrect

    or

    504  Server time-out
    ms-diagnostics:  1010;reason="Certificate trust with next-hop server could not be established";source="CS02.domain.local";ErrorType="The peer certificate does not contain a matching FQDN";HRESULT="80090322"

    or

    RemoveSessionDueToFailure (serverName=CS01.domain.local, faulureDetails=Failure occurred while connecting. The target principal name is incorrect outgoing TLS negotiation failed; HRESULT=-2146893022)

    The situation is like this:

    I have 1 Exchange 2007 SP1 server with 2 certificates imported. (Server CS01)
    Cert 1: public certificate with 2 alternate names, webmail.domain.com and somethingelse.domain.com.
    Cert 2: FQDN of the server, CS01.domain.local.

    Cert 1 is activated for SMTP, POP, IIS.
    Cert 2 is activated for UM.

    Cert 1 on cs01 has been provided by a public CA Authority.
    Cert 2 has been provided by a standalone CA, which is installed on CS02.


    CS02 is my OCS 2007 Standard server. It has 1 cert with only its FQDN and SIP domain names in it.

    I have installed the root certificate of the CS02 CA on the Exchange server in the trusted root container.


    To me it sounds like it's still using the other certificate, which doesn't contain the FQDN of cs01.itvise.local.

    You guys have any idea? I really did this by the book.

    One thing to note though, is that I added the CS01 Cert 2 after I configured the whole thing for UM. Maybe I need to reset something somewhere so it starts using the other certificate?

    Thanks a lot in advance.
    Thursday, November 27, 2008 9:00 PM

Answers

  • The problem has been resolved. Since I run Exchange 2007 on Server 2007 with the firewall enabled, I added a firewall rule in 2008 to allow all traffic from the OCS server. At the same moment I also registered a new certificate.

    Not sure at the moment yet if it was the certificate or the firewall rule, but the problem is resolved.
    • Marked as answer by R Stevens Sunday, May 31, 2009 7:04 AM
    Saturday, November 29, 2008 2:29 PM

All replies

  • You did restart the UM server, right?

    It should say in the event log which certificate is used for UM when startup has completed.

    Thursday, November 27, 2008 10:21 PM
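
    The reply above says to check which certificate UM is actually using. The following is an added check, not code from any poster in this thread, that does that from the Exchange 2007 Management Shell: it lists every certificate with the UM service enabled, tests whether its names include the server's own FQDN (the exact condition behind the "peer certificate does not contain a matching FQDN" error), confirms the chain is trusted, and pulls the startup events. The event source name 'MSExchange Unified Messaging' is assumed; hostnames are whatever the machine reports.

    ```powershell
    # Added diagnostic (not from the thread). Run in the Exchange Management Shell
    # on the UM server. Event source name is an assumption; adjust if it differs.
    $fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName   # e.g. CS01.domain.local

    # Only certificates with the UM service enabled are candidates for the OCS <-> UM TLS leg.
    $umCerts = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'UM' }
    if (-not $umCerts) {
        Write-Warning "No certificate has the UM service enabled. Assign the FQDN cert with Enable-ExchangeCertificate -Services UM."
    }

    foreach ($cert in $umCerts) {
        # CertificateDomains holds CN plus subject alternative names; compare as plain strings.
        $names = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $hasFqdn = $names -contains $fqdn     # -contains is case-insensitive in PowerShell

        Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
        Write-Host ("  Subject : {0}" -f $cert.Subject)
        Write-Host ("  Names   : {0}" -f ($names -join ', '))
        Write-Host ("  Services: {0}" -f $cert.Services)
        Write-Host ("  Names include {0}: {1}" -f $fqdn, $hasFqdn)
        if (-not $hasFqdn) {
            Write-Warning "This UM certificate does not name $fqdn; the next hop (OCS) will reject it."
        }

        # Verify() builds and validates the chain against the local machine store,
        # so a missing root for the standalone CA shows up here as False.
        $x509 = Get-Item ("Cert:\LocalMachine\My\" + $cert.Thumbprint)
        Write-Host ("  Chain trusted: {0}   Expires: {1}" -f $x509.Verify(), $cert.NotAfter)
    }

    # The UM service logs which certificate it selected when it finishes starting up.
    Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -Newest 20 |
        Where-Object { $_.Message -match 'certificate' } |
        Select-Object TimeGenerated, EventID, Message | Format-List
    ```

    If the UM certificate was assigned after the service was configured, restart the Microsoft Exchange Unified Messaging service and re-run the event log query to confirm the newly selected thumbprint.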
  • Yep, I did restart the server. I cannot find the event log message you mentioned though; I will do another reboot just to be sure now.

    Is it enough for me to configure only the Unified Messaging role on the FQDN certificate, and use another certificate which doesn't have the FQDN in it for IIS, POP, SMTP and IMAP?


    Thursday, November 27, 2008 10:44 PM
  • It was most probably the cert.

    The firewall would have given time-out problems instead of FQDN issues.


    Monday, December 1, 2008 9:22 PM