Certificate name mismatch in Outlook while running Exchange Server 2007
If you have installed Exchange 2007 Client Access Servers in your organization and have installed SSL certificates (even commercial ones) on IIS, Outlook MAPI users may receive ‘Security Alert’ messages like the one quoted below in Outlook.
The name on the security certificate is invalid or does not match the name of the site.
This is caused by the certificate you have installed on IIS. Outlook 2007 MAPI clients use Client Access Servers for the Autodiscover service. The Autodiscover web service (a virtual directory on the Client Access Server) is used to automatically find the mailbox server for a given user. When Outlook accesses the Autodiscover service and the name on the security certificate installed in IIS doesn’t match the internal FQDN of the Client Access Server (CAS), this error results.
Suppose your company’s public domain name is mycompany.com. You may have obtained a certificate for webmail.mycompany.com and installed it on IIS on your Client Access Server. This is correct, because users on the internet will type the public name.
However, the same IIS on the CAS also hosts the Autodiscover virtual directory, and the same certificate applies to it. Your internal domain name might be mycmpny.local and the Client Access Server FQDN might be CAS1.mycmpny.local. Outlook 2007 uses this internal name to connect to Autodiscover, hence the mismatch error.
To fix this problem, open Exchange Management Shell and type the following commands:
Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://webmail.mycompany.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://webmail.mycompany.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "CAS1\oab (Default Web Site)" -InternalUrl https://webmail.mycompany.com/oab
Set-UMVirtualDirectory -Identity "CAS1\unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx
Pay attention to the server name (CAS1) and the host name (webmail.mycompany.com) in these commands; you will need to change them to reflect your own server’s parameters, and the host name must be one that actually appears on the certificate. Then recycle the MSExchangeAutodiscoverAppPool. Your users should no longer receive the security alert.
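The same procedure as one parameterized script, added here as an example and not part of the original post. It first checks that the host name you are about to configure is actually present on an IIS-enabled Exchange certificate (otherwise the URL change only moves the mismatch), then sets the URLs, reads the result back, and recycles the application pool. $Server, $HostName and $Site are assumptions; set them to your CAS name, the name on your certificate, and the IIS site hosting Exchange.

```powershell
# Added example (not from the original post): parameterized version of the
# Autodiscover/EWS/OAB fix with a pre-flight certificate check and read-back.
# Run inside the Exchange Management Shell on the Client Access Server itself.
# $Server, $HostName and $Site are assumptions; adjust them to your environment.
param(
    [string]$Server   = "CAS1",
    [string]$HostName = "webmail.mycompany.com",
    [string]$Site     = "Default Web Site"    # SBS uses "SBS Web Applications"
)

# 1. Confirm an IIS-enabled certificate on this server carries the host name
#    (as CN or SAN). Pointing clients at a name the certificate does not
#    contain would not remove the alert, only change which name it reports.
$cert = Get-ExchangeCertificate | Where-Object {
    ($_.Services -match "IIS") -and
    (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $HostName)
}
if (-not $cert) {
    Write-Warning "No IIS-enabled certificate on this server lists $HostName. Fix the certificate first."
    return
}

# 2. Point Autodiscover, EWS and OAB at the name on the certificate.
$base = "https://$HostName"
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS ($Site)" `
    -InternalUrl "$base/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\oab ($Site)" `
    -InternalUrl "$base/oab"

# 3. The Unified Messaging virtual directory cmdlet exists on Exchange 2007
#    only; skip it where it is absent (Exchange 2010).
if (Get-Command Set-UMVirtualDirectory -ErrorAction SilentlyContinue) {
    Set-UMVirtualDirectory -Identity "$Server\unifiedmessaging ($Site)" `
        -InternalUrl "$base/unifiedmessaging/service.asmx"
}

# 4. Read back the configured values so the change can be verified against
#    the certificate before users are asked to restart Outlook.
Get-ClientAccessServer -Identity $Server |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl
Get-OabVirtualDirectory -Server $Server | Format-List Identity, InternalUrl

# 5. Recycle the Autodiscover application pool. appcmd.exe is IIS 7 (2008);
#    on IIS 6 (2003) use IIS Manager as described in the post.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
if (Test-Path $appcmd) {
    & $appcmd recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool
}
```

The certificate check is the part worth keeping even if you run the four commands by hand: the alert goes away only when the URLs Outlook learns from Autodiscover name a host that the IIS certificate covers, so verify that relationship before and after the change rather than assuming it.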

Thanks
Exactly what I needed!
Amen! I have been looking for this information forever… Microsoft wasn’t any help. Just kept telling me to buy a certificate.
Well, actually you need a certificate with multiple SAN (Subject Alternative Names) if you intend to offer Outlook Anywhere (aka RPC over HTTPS) services to your users. May be that was what MS Support was trying to tell you?
You rock! This information is EXACTLY what I needed to get rid of our certificate error. Popped up after I bought us a commercial SSL for OWA email access.
Thanks to this info, no more internal errors.
We just add outlook.yourdomain.com to our local DNS; same address internally and externally then.
Brilliant! This works perfectly.
Sorry, followed this to the letter without any errors, restarted Outlook, and all users on the LAN still receive the same message…
Back to the drawing board
Works Great! Awesome!
I was getting two prompts on start, and now I'm down to one. Better, but I still wish I could find what that last cert error was for.
Works like a charm. Thank you.
According to the text, if my owa site is office.domain.com, what would be the (Default Web Site) that I would need to enter?
Please help…desperate!!
Thanks a lot
If you are referring to the text in red above, it should be office.domain.com – assuming this is your company’s internet domain name already mentioned on your SSL certificate.
Only the first command works for some reason. The others return an error. However, when changing the command (the second, for example) to Get-WebServicesVirtualDirectory, the correct address is returned (webmail.mycompany.com or whatever yours is). I found the following article from Microsoft that lists the same steps and has the same results. http://support.microsoft.com/kb/940726
However, they make mention of DNS as a possible problem at the end. That’s what did it for me. I opened my DNS server and went to the Forward Lookup Zone and found a folder for webmail.mycompany.com. Inside this there should be a Host (A) record pointing to your server. In my case it’s the typical 192.168.16.2. Open the properties for that entry and be sure to check “Update associated Pointer (PTR) record”. Then go to the Reverse Lookup Zones and go to the folder for your subnet. It’s confusing looking. Mine is 16.168.192.in-addr.arpa. Scan the data column and look for the webmail.mycompany.com entry and then look to the left to see that it points back to your server (192.168.16.2 in my case).
I still did the recycle for good measure and it seems to be working fine now. FYI, recycle is done by opening IIS Manager and clicking on the Application Pools. Then click on MSExchangeAutodiscoverAppPool. Right click and select Recycle. This is not putting it in the recycle bin. It just refreshes the service.
Hope this helps someone. It’s a real head scratcher.
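A quick way to confirm the split-DNS condition the commenter describes, added here as an example and not part of the comment: the certificate’s host name must resolve internally to the CAS’s private address, and the PTR for that address should name the same host. $HostName and $ExpectedIp are assumptions (the commenter’s sample values); substitute your own. Uses only the .NET DNS resolver, so it runs on any Windows with PowerShell 2.0 or later.

```powershell
# Added example (not from the comment): verify forward (A) and reverse (PTR)
# resolution of the certificate host name from an internal client's point of
# view. $HostName and $ExpectedIp are assumptions; use your own values.
# try/catch requires PowerShell 2.0 or later.
param(
    [string]$HostName   = "webmail.mycompany.com",
    [string]$ExpectedIp = "192.168.16.2"
)

# Forward lookup: internal DNS must hand out the CAS's private address, not
# the public address that internet clients reach through the firewall.
$addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
    Where-Object { $_.AddressFamily -eq "InterNetwork" } |
    ForEach-Object { $_.IPAddressToString }
if ($addresses -notcontains $ExpectedIp) {
    Write-Warning "$HostName resolves to [$($addresses -join ', ')], not $ExpectedIp; fix the A record in the internal forward zone."
} else {
    Write-Host "A record OK: $HostName -> $ExpectedIp"
}

# Reverse lookup: the PTR for the address should name the same host, which is
# what the 'Update associated PTR record' checkbox maintains for you.
try {
    $ptr = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
    if ($ptr -ieq $HostName) {
        Write-Host "PTR OK: $ExpectedIp -> $ptr"
    } else {
        Write-Warning "PTR for $ExpectedIp is '$ptr', not $HostName; check the reverse zone."
    }
} catch {
    Write-Warning "No PTR record for $ExpectedIp ($($_.Exception.Message))."
}
```

Run it from a workstation on the LAN rather than on the server, since the point is what Outlook clients see; a result that differs from the DNS console usually means the client is using a different resolver or a cached answer.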
Well, thanks, but no thanks. First there are too many typos in the resolution to be of use. What the heck is “-AutodiscoverServiceInternalUri”? But everyone makes typos, and I have nothing against the OP. It proves my point once again of the pathetic POS that Exchange 2007 is with its retrograde command line BS. I don’t know what cancer infected Microsoft around that time but they put out Exchange 2007 and Vista at the same time. ‘Nuf said.
What typos? It is URi indeed, and not URL.
@Yeah:
Actually, if you reference: http://support.microsoft.com/kb/940726 you’ll see that the text the author here posted looks to be right on, despite your personal disapproval of Exchange’s naming conventions.
Perfect, this is what, i was looking for. Thanks
KICK ASS.
Works like a charm on Exchange 2010.
THANK YOU!
How can you fix this in exchange 2003 server?
I installed power shell on the server but these commands mentioned above aren’t included?
Hello all,
I followed the procedure as mentioned above and also as per the link http://support.microsoft.com/kb/940726. It works perfectly for my requirement, but the problem I faced after that was funny. My Blackberry users use https://mail.domain.com/owa as the pointer for the BB devices on BIS, and it kicked all of them off saying password error. I reset the InternalUri etc. to the default by reversing the above commands and the Blackberries were back to normal.
Is there any other way whereby I can achieve both: remove the error message and have BB working as well?
Note – if you’re running SBS, you’ll need to replace (Default Web Site) in the commands with (SBS Web Applications).
Otherwise, works like a charm!
Works great
Thanks
Hello Shijaz,
This works if you get the error internally. We are getting a certificate error when users connect with Outlook Anywhere. Do you have a solution for this?
Dear brother,
I am very new to Exchange. I installed MS Exchange 2010 and configured the certificate but I am facing the same problem, and when I run these commands I am getting an error:
“the operation couldn’t be performed because object CAS1 couldn’t be found on “domaindc.jasco.corp”
please help me
Regards
Mohammed Faiyaz
Very excellent thank you for the solution!
Thanks a bunch! this has been driving me crazy trying to figure out how to fix this for a client of mine! This works like a charm!
OK, I am having this issue on Outlook 2010 and Exchange 2010. So I ran the first 3 commands without issue; the last one gave me an error, but when I looked it up, Microsoft stated it doesn’t work in Exchange 2010. I was receiving 2 security errors when opening Outlook, now I only receive 1. Any other ideas? Thanks in advance…
Hi Shijaz,
Internally the problem is resolved, but does this work for Outlook Anywhere users???
I’m getting the message now only on my Citrix terminal server profiles. Locally, I’m fine. If I goof up the above paths for fun, my local Outlook cries right away, so it is responsive and presumably reading what it should. I’m not sure why my Citrix profiles would not be reading the cert. I notice that what they’re picking up is a totally different cert – diff host server, diff dates, diff encryption.
Thanks for any wisdom.
I should add – Exchange 2010. Outlook 2010. Citrix is 2003 Server, but still Outlook 2010. Thanks.
That absolutely worked perfectly for our mail server that had been switched to a new public FQDN.
If you are using Exchange 2007 (does not apply to Exchange 2010) you also need to do this:
Open IIS Manager.
Expand the local computer, and then expand Application Pools.
Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
I have resolved the issue of “Security Alert of SSL Certificate Mismatch” as guided by Shijaz and now there are no alerts anymore and all Exchange 2010 services are OK.
The last command is not for Exchange 2010; instead that is for Exchange 2007.
Thanks Shijaz Abdulla and everyone who shared their experience.
Great!! It works except for the last command:
Set-UMVirtualDirectory -Identity “CAS1\unifiedmessaging (Default Web Site)” -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx
where I get an error because the command is not found in my Exchange Server 2010.
Anyway, I don’t see the annoying message anymore.
Thanks a lot, really!
Looks like the feedback has dried up. However, this seems to work for mailboxes already on Exch2010, but those moved from Exch2007 are asking the user to authenticate against the URL domain on the certificate after running the above commands.
If you configure non-SSL internal access to OWA etc. (a scenario like -SSL–non-SSL- with different internal and external names), you should issue a certificate with both the internal and external name. But don’t forget to rerun the final cmdlet (then assign services) with the -DoNotRequireSSL parameter! Otherwise Web Services will not accept the connection from OWA and your OWA users will have no ability to delete messages etc.
Well, I’ll be damned. I wasn’t sure this would work but I just had to try it. I’m working with a live Exchange 2010 server so this is pretty sensitive.
Ran all commands except the last since we don’t use Unified Messaging, got one of the cert error popups to disappear, typed “UMMailbox” and then it worked.
THANKS!
Thank you so much. Had me bugged for months and I could not find this solution anywhere.