Outlook clients report a Certificate name Mismatch after an SSL Certificate is added to an Exchange Server

Scenario

"The name on the security certificate is invalid or does not match the name of the site"

This message appears frequently, usually within a few moments of opening Outlook.

Cause

Outlook clients are passed the certificate by the server, and detect that the webmail address on the certificate does not match the internal name of the server.

For example:

Internal Server name: exchange.local

Webmail address: http://webmail.company.net/owa

Recommendations

Certificates that reference domains a company does not own are now usually not available. For example, you will likely not be able to purchase a certificate that contains both your webmail address (a domain which you own) and a name from your internal addressing scheme (for example, .local), which you do not own.

One solution to this is to use an internal addressing scheme which matches the domain that you own. For many companies, this is not practical without an entire forest migration.

Solution

The solution is to modify settings on the Exchange server so that Outlook clients reach the resources they need using the external address.

Steps:

Tip: You can use the "Get" version of each command, for example Get-ClientAccessServer -Identity exchange, to see what the current setting is. Make a note of it before making any changes.


Set-ClientAccessServer -Identity exchange -AutodiscoverServiceInternalUri https://webmail.company.net/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl https://webmail.company.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl https://webmail.company.net/oab

This last command is not required on Exchange 2010:

Set-UMVirtualDirectory -Identity "exchange\unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.company.net/unifiedmessaging/service.asmx

Testing

Always test changes immediately, ensuring that both Outlook clients and webmail clients function correctly.
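
The check below is an added example, not part of the original article: it compares the host name in each internal URL against the names on the certificate, so you can confirm that no setting still points at the internal name. The function names and the sample URLs are constructed for illustration, using the article's example names.

```powershell
# Added example, not from the original article. Function names are hypothetical.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq ignores case
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label: *.company.net
            # matches webmail.company.net, not a.b.company.net or company.net.
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Returns one object per setting whose URL host is not covered by the certificate.
function Find-MismatchedUrl {
    param([hashtable]$InternalUrls, [string[]]$CertNames)
    foreach ($setting in $InternalUrls.Keys) {
        $urlHost = ([Uri]$InternalUrls[$setting]).Host
        if (-not (Test-CertNameMatch $urlHost $CertNames)) {
            New-Object PSObject -Property @{ Setting = $setting; UrlHost = $urlHost }
        }
    }
}

# Constructed sample data based on the article's example names. On a real server,
# copy the URLs from the output of the "Get" commands and the names from the
# certificate's subject and subject alternative names.
$certNames = @('webmail.company.net')
$before = @{
    'AutodiscoverServiceInternalUri' = 'https://exchange.local/autodiscover/autodiscover.xml'
    'EWS InternalUrl'                = 'https://exchange.local/ews/exchange.asmx'
    'OAB InternalUrl'                = 'https://exchange.local/oab'
}
$after = @{
    'AutodiscoverServiceInternalUri' = 'https://webmail.company.net/autodiscover/autodiscover.xml'
    'EWS InternalUrl'                = 'https://webmail.company.net/ews/exchange.asmx'
    'OAB InternalUrl'                = 'https://webmail.company.net/oab'
}

"Before the change:"
Find-MismatchedUrl $before $certNames | Format-Table Setting, UrlHost -AutoSize
"After the change:"
Find-MismatchedUrl $after $certNames | Format-Table Setting, UrlHost -AutoSize
```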

If you require additional information, please contact Stone support. A range of support services are available to assist customers.

Article ID: 208
Last updated: 22 Oct, 2013
Revision: 6
https://kb.stonegroup.co.uk/index.php?View=entry&EntryID=208