Certificate name mismatch in Outlook while running Exchange Server 2007

by Shijaz Abdulla on 10.04.2008 at 13:56

If you have installed Exchange 2007 Client Access Servers in your organization, and you have installed SSL certificates (even commercial ones) on IIS, Outlook MAPI users may receive a 'Security Alert' message in Outlook that reads:

The name on the security certificate is invalid or does not match the name of the site.

This is caused by the certificate you have installed on IIS. Outlook 2007 MAPI clients use Client Access Servers for the Autodiscover service. The Autodiscover web service (a virtual directory on the Client Access Server) is used to automatically find the mailbox server for a given user. When Outlook accesses the Autodiscover service and the name on the certificate installed in IIS does not match the internal FQDN of the Client Access Server (CAS), this error results.

Suppose your company's public domain name is mycompany.com. You may have obtained a certificate for webmail.mycompany.com and installed it on IIS on your Client Access Server. This is correct, because users on the internet will type the public name.

However, the same IIS instance on the CAS also hosts the Autodiscover virtual directory, so the same certificate applies there. Your internal domain name might be mycmpny.local and the Client Access Server FQDN might be CAS1.mycmpny.local. Outlook 2007 uses this internal name to connect to Autodiscover, and hence the mismatch error.

To fix this problem, open Exchange Management Shell and type the following commands:

Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://webmail.mycompany.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://webmail.mycompany.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS1\OAB (Default Web Site)" -InternalUrl https://webmail.mycompany.com/oab

Set-UMVirtualDirectory -Identity "CAS1\UnifiedMessaging (Default Web Site)" -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx

Pay attention to the text in red (the server name CAS1 and the host name webmail.mycompany.com); you will need to change it to reflect your own server and the name on your certificate. Then recycle the MSExchangeAutodiscoverAppPool in IIS Manager (under Application Pools). Your users should no longer receive the security alert.
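To confirm the fix took (or to find the URL that is still causing an alert), the following Exchange Management Shell script, added here as an example and not part of the original post, reads the names on the certificate bound to IIS and reports any internal URL whose host name the certificate does not cover. It assumes the Exchange Management Shell is loaded and that $Server is your Client Access Server name; wildcard certificates such as *.mycompany.com are handled via -like.

```powershell
# Added example: audit Exchange 2007/2010 internal URLs against the IIS certificate.
# Save as a .ps1 and run from the Exchange Management Shell; $Server is the CAS name.
param([string]$Server = $env:COMPUTERNAME)

# Collect every name (CN and SANs) from certificates that have the IIS service assigned
$certNames = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-HostCovered([string]$HostName) {
    # -like lets a wildcard name such as *.mycompany.com match webmail.mycompany.com
    foreach ($n in $certNames) { if ($HostName -like $n) { return $true } }
    return $false
}

# The same objects the Set-* cmdlets in the fix modify, read back with their Get-* counterparts
$urls = @{
    'Autodiscover' = (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
    'EWS'          = @(Get-WebServicesVirtualDirectory -Server $Server)[0].InternalUrl
    'OAB'          = @(Get-OABVirtualDirectory -Server $Server)[0].InternalUrl
}

foreach ($svc in $urls.Keys) {
    $uri = $urls[$svc]
    if (-not $uri) { Write-Warning "$svc : no internal URL is set"; continue }
    $hostName = ([uri]$uri).Host.ToLower()
    if (Test-HostCovered $hostName) {
        Write-Host "$svc : $hostName is covered by the IIS certificate"
    } else {
        Write-Warning "$svc : $hostName is NOT on the certificate; Outlook will show the name mismatch alert"
    }
}
```

A host name reported as not covered (typically the internal FQDN such as CAS1.mycmpny.local) is the one to replace with the certificate name using the commands above.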


55 Responses to Certificate name mismatch in Outlook while running Exchange Server 2007

  1. Anonymous says:

    Exactly what I needed!

  2. Anonymous says:

    Amen! I have been looking for this information for ever… Microsoft wasn’t any help. Just kept telling me to buy a certificate.

  3. Shijaz says:

    Well, actually you need a certificate with multiple SANs (Subject Alternative Names) if you intend to offer Outlook Anywhere (aka RPC over HTTPS) services to your users. Maybe that was what MS Support was trying to tell you?

  4. Anonymous says:

    You rock! This information is EXACTLY what I needed to get rid of our certificate error. Popped up after I bought us a commercial SSL for OWA email access.

    Thanks to this info, no more internal errors.

  5. Anonymous says:

    we just add outlook.yourdomain.com to our local dns, same address internally and externally then.

  6. Rory Binns says:

    Brilliant. This works perfectly.

  7. Anonymous says:

    Sorry, followed this to the letter without any errors, restarted Outlook, all users on the LAN still receive the same message…
    Back to the drawing board

  8. Anonymous says:

    Works Great! Awesome!

  9. Anonymous says:

    I was getting two prompts on start, and now I'm down to one. Better, but still wish I could find what that last cert error was for.

  10. Anonymous says:

    Works like a charm. Thank you.

  11. Andy says:

    According to the text, if my owa site is office.domain.com, what would be the (Default Web Site) that I would need to enter?

    Please help…desperate!!

    Thanks alot

  12. Shijaz says:

    If you are referring to the text in red above, it should be office.domain.com – assuming this is your company’s internet domain name already mentioned on your SSL certificate.

  13. jp says:

    Only the first command works for some reason. The others return an error. However, when changing the command, the second for example, to Get-WebServicesVirtualDirectory, the correct address is returned (webmail.mycompany.com or whatever yours is). I found the following article from Microsoft that lists the same steps and has the same results. http://support.microsoft.com/kb/940726

    However, they make mention of DNS as a possible problem at the end. That's what did it for me. I opened my DNS server and went to the Forward Lookup Zone and found a folder for webmail.mycompany.com. Inside this there should be a Host (A) record pointing to your server. In my case it's the typical 192.168.16.2. Open the properties for that entry and be sure to check "Update associated Pointer (PTR) record". Then go to the Reverse Lookup Zones and go to the folder for your subnet. It's confusing looking. Mine is 16.168.192.in-addr.arpa. Scan the data column and look for the webmail.mycompany.com entry and then look to the left to see that it points back to your server (192.168.16.2 in my case).

    I still did the recycle for good measure and it seems to be working fine now. FYI, the recycle is done by opening IIS Manager and clicking on the Application Pools. Then click on MSExchangeAutodiscoverAppPool. Right click and select Recycle. This is not putting it in the recycle bin. It just refreshes the service.

    Hope this helps someone. It's a real head scratcher.

  14. Yeah says:

    Well, thanks, but no thanks. First there are too many typos in the resolution to be of use. What the heck is “-AutodiscoverServiceInternalUri”? But everyone makes typos, and I have nothing against the OP. It proves my point once again of the pathetic POS that Exchange 2007 is with its retrograde command line BS. I don’t know what cancer infected Microsoft around that time but they put out Exchange 2007 and Vista at the same time. ‘Nuf said.

  15. Jeff says:

    @Yeah:
    Actually, if you reference: http://support.microsoft.com/kb/940726 you’ll see that the text the author here posted looks to be right on, despite your personal disapproval of Exchange’s naming conventions.

  16. Pranav says:

    Perfect, this is what I was looking for. Thanks

  17. Milo145 says:

    KICK ASS.

    Works like a charm on Exchange 2010.

    THANK YOU!

  18. Nick says:

    How can you fix this in exchange 2003 server?
    I installed power shell on the server but these commands mentioned above aren’t included?

  19. Navin says:

    Hello all,

    I followed the procedure as mentioned above and also as per the link http://support.microsoft.com/kb/940726. It works perfectly for my requirement, but the problem I faced after that was funny. My Blackberry users use https://mail.domain.com/owa as the pointer for the BB devices on BIS, and it kicked all of them off saying password error. I reset the internal URI etc. to the default by reversing the above commands and the Blackberrys were back to normal.
    Is there any other way whereby I can achieve both: remove the error message and have BB working as well?

  20. Frank says:

    Note – if you’re running SBS, you’ll need to replace (Default Web Site) in the commands with (SBS Web Applications).

    Otherwise, works like a charm!

  21. Pingback: Exchange & Outlook certificate error « Scotty's Blog

  22. Pingback: Erreur de certificat de sécurité SSL non valide sur Outlook 2007 et 2010 | Blog-Note

  23. Joel Hale says:

    Works great
    Thanks

  24. Al Montes says:

    Hello Shijaz,
    This works if you get the error internally. We are getting a certificate error when users connect with Outlook Anywhere. Do you have a solution for this?

  25. Mohammed Faiyaz says:

    Dear brother,
    I am very new to Exchange. I installed MS Exchange 2010 and configured the certificate but I am facing the same problem, and when I run these commands I am getting an error:
    “the operation couldn’t be performed because object CAS1 couldn’t be found on “domaindc.jasco.corp”
    Please help me.

    Regards
    Mohammed Faiyaz

  26. Dustin Collett says:

    Very excellent thank you for the solution!

  27. Michael Collins says:

    Thanks a bunch! this has been driving me crazy trying to figure out how to fix this for a client of mine! This works like a charm!

  28. Keith says:

    OK, I am having this issue on Outlook 2010 and Exchange 2010. So I ran the first 3 commands without issue; the last one gave me an error, but when I looked it up, Microsoft stated it doesn't work in Exchange 2010. I was receiving 2 security errors when opening Outlook; now I only receive 1. Any other ideas? Thanks in advance…

  29. Ehson says:

    HI Shijaz,
    Internally the problem is resolved, but does this work for Outlook Anywhere users???

  30. Ahmed says:

    I’m getting the message now only on my Citrix terminal server profiles. Locally, I’m fine. If I goof up the above paths for fun, my local Outlook cries right away, so it is responsive and presumably reading what it should. I’m not sure why my Citrix profiles would not be reading the cert. I notice that what they’re picking up is a totally different cert – diff host server, diff dates, diff encryption.

    Thanks for any wisdom.

  31. Lisa says:

    That absolutely worked perfectly for our mail server that had been switched to a new public FQDN.

    If you are using Exchange 2007 (does not apply to Exchange 2010) you also need to do this:
    Open IIS Manager.
    Expand the local computer, and then expand Application Pools.
    Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

  34. I have resolved the issue of “Security Alert of SSL Certificate Mismatch” as guided by Shijaz and now there are no alerts anymore and all Exchange 2010 services are OK.
    The last command is not for Exchange 2010; instead it is for Exchange 2007.
    Thanks Shijaz Abdulla and everyone who shared their experience.

  35. Great!! It works except for the last command:

    Set-UMVirtualDirectory -Identity "CAS1\UnifiedMessaging (Default Web Site)" -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx

    where I get an error because the command is not found in my Exchange Server 2010.

    Anyway, I don't see the annoying message anymore.

    Thanks a lot, really!

  36. Rhys says:

    Looks like the feedback has dried up. However, this seems to work for mailboxes already on Exch2010, but those moved from Exch2007 are asking the user to authenticate against the URL domain on the certificate after running the above commands.

  37. andycpp says:

    If you configure non-SSL internal access to OWA etc. (a scenario like -SSL–non-SSL- with different internal and external names), you should issue a certificate with the internal and external names. But don't forget to rerun the final cmdlet (then assign services) with the -DoNotRequireSSL parameter! Otherwise Web Services will not accept connections from OWA and your OWA users will have no ability to delete messages etc.

  38. Marcos says:

    Certificate name mismatch in Outlook while running Exchange Server 2007 http://t.co/AAGaHkVf

  39. Daniel says:

    Well, I'll be damned. I wasn't sure this would work but I just had to try it. I'm working with a live Exchange 2010 server so this is pretty sensitive.

    Ran all commands except the last since we don't use Unified Messaging, got one of the cert error popups to disappear, typed “UMMailbox” and then it worked.

    THANKS!

  40. Stanley says:

    Thank you so much. Had me bugged for months and I could not find this solution anywhere.

  41. Andre Morris says:

    I’ve been tearing my hair out looking for this information when resolving a certificate error on SBS 2008 and Exchange 2007. What ultimately led me here was the Exchange Best Practices Analyzer showing a Certificate SAN Mismatch.

    Thank you for putting this up it’s helped solve several problems that had me awake all night.

  42. Thanks, this was the solution to a long running problem (and the final point on the Exchange migration I did.)

  43. Rayb says:

    I show the certificate listed as *.domainname.com when I do a Get-ExchangeCertificate. I don't think this is right, because if I try to use '*.domainname.com' in your first command set, it returns an error: 'cannot process argument transformation on parameter…invalid URI, the hostname could not be parsed.'
    I am thinking the wildcard cert should have an actual name and not the '*'.

  44. Steve R says:

    I have just installed Exchange 2013 on Server 2012. I have installed and configured 3 SSL certificates authorised by GoDaddy: mail.domainname.com, autodiscover.domainname.com and .domainname.com. Mail.domainname.com has the assigned services IIS & SMTP. I am able to access webmail with no security prompts, i.e. mail.domainname.com, but when I open up Outlook it says there is a certificate name mismatch with an error code 10. Outlook Anywhere also doesn't work. I tried some of the suggestions above but nothing has fixed this problem yet. Any suggestions would be much appreciated.

  45. BG says:

    Hi,

    This works for internal issues. What if a user is using Outlook Anywhere from outside? I am getting an error that says the certificate name is not matching for autodiscover.domain.com… Do I need to purchase a new certificate for the autodiscover domain?

  46. Mike says:

    I WILL PAY SOMEONE TO REMOTE IN AND HELP ME!!!

    SERIOUSLY!

    I AM SO STUCK AND NEED HELP ASAP

    PLEASE EMAIL

    mike.newhook@gmail.com

  47. Pingback: Certificate name mismatch in Outlook while running Exchange Server 2010 | Welcome to My World

  48. Henrik says:

    I don't get it. I wish I did and I hope someone can help me out with my issue.

    Thank you all in advance 🙂
    iandk(a)hotmail.com

  49. Michael A says:

    Thanks for the tip about recycling the MSExchangeAutodiscoverAppPool.
    I found this is a good way to make sure Exchange is sending the most up-to-date Autodiscover settings to the client.
