http://support.microsoft.com/kb/940726


When you start Microsoft Office Outlook 2007, and then try to connect to a mailbox that is hosted on a mailbox server that is running Microsoft Exchange Server 2007 or Exchange Server 2010, you receive the following security warning:

The name of the security certificate is invalid or does not match the name of the site.


Note This scenario applies only to Outlook clients that connect to Exchange from inside the local network. This scenario does not apply to remote Outlook clients that connect to Exchange by using Outlook Anywhere.

Cause

This issue occurs if the following conditions are true:

  • You replace the default self-signed Exchange Server 2007 certificate or Exchange Server 2010 certificate with a different certificate.


    Note The Setup program in Exchange Server 2007 or in Exchange Server 2010 creates a default self-signed certificate when Exchange Server 2007 or Exchange Server 2010 is installed.

  • The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
    • The Service Connection Point object for the Autodiscover service
    • The InternalUrl attribute of Exchange Web Service (EWS)
    • The InternalUrl attribute of the Offline Address Book Web service
    • The InternalUrl attribute of the Exchange unified messaging (UM) Web service

By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:

https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:

mail.contoso.com

This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 or Outlook 2010 to the mailbox.

Resolution

To resolve this issue, change the URLs for the appropriate Exchange 2007 or 2010 components. To do this, follow these steps:
Note This resolution has to be applied by an administrator. If you are not the administrator, contact your administrator.

  1. Start the Exchange Management Shell.
  2. Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To change this URL, type the following command, and then press Enter:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

    Note Contoso is a fictional company used as an example company and domain. You have to change it to your domain in this command.

  3. Change the InternalUrl attribute of the EWS. To do this, type the following command, and then press Enter:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

    Note Contoso is a fictional company used as an example company and domain. You have to change it to your domain in this command.

  4. Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter:
    Set-OABVirtualDirectory -Identity "CAS_Server_Name\OAB (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

    Note Contoso is a fictional company used as an example company and domain. You have to change it to your domain in this command.

  5. Change the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press Enter:
    Set-UMVirtualDirectory -Identity "CAS_Server_Name\UnifiedMessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

    Note Contoso is a fictional company used as an example company and domain. You have to change it to your domain in this command.


    Note This command is required only in an Exchange 2007 environment. The Set-UMVirtualDirectory command no longer exists in Exchange 2010; the Web Services URL is used for this purpose instead. Therefore, if you are using Exchange 2010, you can skip this step, because the Web Services URL was already changed in step 3.

  6. Open IIS Manager. For more information about how to do this, see How to: Open IIS Manager.
  7. Expand the local computer, and then expand Application Pools.
  8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.


Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN such as "mail.contoso.com".

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.
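The following Exchange Management Shell script is an added example and is not part of the KB article. It puts steps 2 to 5 and the Important note above into one checked procedure: it reads the current internal URLs, compares each URL host against the names on the certificate that Exchange has enabled for IIS, confirms that the host resolves in internal DNS, and rewrites the URLs only when you pass -Apply and only after the replacement name passes both checks. The parameter names $CasServer, $NewHost and the -Apply switch, and the helper functions Test-CertificateName and Get-UrlHost, are this script's own; mail.contoso.com is the article's placeholder and must be replaced by the name on your certificate. It assumes the Exchange Management Shell on PowerShell 2.0 or later and, like the article, that Exchange 2007 or 2010 is in use.

```powershell
# Added example (not from KB 940726). Audit, then optionally correct, the internal
# Exchange URLs so that they match the certificate bound to IIS and resolve in DNS.
# Placeholders: $CasServer (your CAS name) and $NewHost (the name on your certificate).
param(
    [string]$CasServer = $env:COMPUTERNAME,
    [string]$NewHost   = 'mail.contoso.com',   # placeholder from the article; use your own name
    [switch]$Apply
)

# True when $Name is covered by one of the certificate's subject/SAN names.
# A wildcard such as *.contoso.com covers exactly one additional label.
function Test-CertificateName {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                                   # ".contoso.com"
            $prefix = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix) -and $prefix -ne '' -and -not $prefix.Contains('.')) {
                return $true
            }
        }
    }
    return $false
}

# Host name portion of a URL attribute, or $null when the attribute is empty.
function Get-UrlHost {
    param($Url)
    if ($Url -eq $null -or "$Url" -eq '') { return $null }
    return ([System.Uri]"$Url").Host
}

# True when the name has at least one A/AAAA record from this server's point of view.
function Test-DnsName {
    param([string]$Name)
    try { return (([System.Net.Dns]::GetHostAddresses($Name)).Count -gt 0) } catch { return $false }
}

# Names on the certificate that Exchange currently has enabled for the IIS service.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if ($iisCert -eq $null) { throw 'No Exchange certificate is enabled for the IIS service on this server.' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

# Current value and intended value of each internal URL (article steps 2 to 5).
$checks = @(
    @{ Component = 'Autodiscover SCP'
       Current   = (Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
       Target    = "https://$NewHost/autodiscover/autodiscover.xml"
       Fix       = { Set-ClientAccessServer -Identity $CasServer -AutoDiscoverServiceInternalUri $args[0] } },
    @{ Component = 'EWS InternalUrl'
       Current   = (Get-WebServicesVirtualDirectory -Server $CasServer | Select-Object -First 1).InternalUrl
       Target    = "https://$NewHost/ews/exchange.asmx"
       Fix       = { Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" -InternalUrl $args[0] } },
    @{ Component = 'OAB InternalUrl'
       Current   = (Get-OABVirtualDirectory -Server $CasServer | Select-Object -First 1).InternalUrl
       Target    = "https://$NewHost/oab"
       Fix       = { Set-OABVirtualDirectory -Identity "$CasServer\OAB (Default Web Site)" -InternalUrl $args[0] } }
)
# The UM virtual directory cmdlets exist on Exchange 2007 only (article step 5).
if (Get-Command Get-UMVirtualDirectory -ErrorAction SilentlyContinue) {
    $checks += @{ Component = 'UM InternalUrl'
                  Current   = (Get-UMVirtualDirectory -Server $CasServer | Select-Object -First 1).InternalUrl
                  Target    = "https://$NewHost/unifiedmessaging/service.asmx"
                  Fix       = { Set-UMVirtualDirectory -Identity "$CasServer\UnifiedMessaging (Default Web Site)" -InternalUrl $args[0] } }
}

# Report: a row whose host is missing from the certificate is what produces the Outlook warning.
"Certificate names: $($certNames -join ', ')"
foreach ($c in $checks) {
    $h = Get-UrlHost $c.Current
    $onCert   = ($h -ne $null) -and (Test-CertificateName -Name $h -CertDomains $certNames)
    $resolves = ($h -ne $null) -and (Test-DnsName -Name $h)
    '{0,-18} {1,-60} onCert={2,-5} dns={3}' -f $c.Component, "$($c.Current)", $onCert, $resolves
}

# The replacement name must be on the certificate and must resolve internally (the
# article's Important note); otherwise the change trades a warning for a connection failure.
if (-not (Test-CertificateName -Name $NewHost -CertDomains $certNames)) {
    throw "$NewHost is not among the certificate names; the mismatch warning would remain."
}
if (-not (Test-DnsName -Name $NewHost)) {
    throw "$NewHost does not resolve; add an internal host record for it before changing the URLs."
}

if ($Apply) {
    foreach ($c in $checks) {
        if ("$($c.Current)" -ne $c.Target) {
            "Setting $($c.Component) to $($c.Target)"
            & $c.Fix $c.Target
        }
    }
    'Done. Recycle MSExchangeAutodiscoverAppPool in IIS Manager (article steps 6 to 8).'
} else {
    'Dry run only; re-run with -Apply to change the URLs listed above.'
}
```

Run it once without -Apply to see which of the four URLs still carry the NetBIOS or internal FQDN host and whether that host is on the certificate; a row with onCert=False is the source of the warning the article describes. The two throw statements are deliberate: the article's fix only removes the warning when the new host is on the certificate (or on a SAN entry) and has an internal DNS record, so the script refuses to rewrite anything until both hold.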

More information

The URL for the Autodiscover service is stored in the Service Connection Point object. By default, this URL references the internal FQDN of the CAS that is present when Autodiscover is installed. For example, the following URL is set:

https://servername.contoso.local/autodiscover/autodiscover.xml

In this example, the FQDN references the internal namespace. Generally, this namespace differs from the externally-accessible namespace, such as mail.contoso.com.

If the internal namespace differs from the external namespace, and if you cannot use a certificate that supports Subject Alternative Names, use the Set-ClientAccessServer task in Exchange Management Shell to change the URL. In this scenario, you must change the URL to point to the new location for Autodiscover. For example, use the following command to point to the new location for Autodiscover:

Set-ClientAccessServer -Identity <servername> -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

For more information about third-party certification authorities that provide certificates that support Subject Alternative Names, click the following article number to view the article in the Microsoft Knowledge Base:

929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007
