Outlook clients report a Certificate name Mismatch after an SSL Certificate is added to an Exchange Server

Scenario

You are running Exchange 2007 or Exchange 2010
Your client PCs are running Outlook 2007 or higher
You add an SSL certificate to your Exchange Server so that users do not see a certificate warning when connecting to your Outlook Web Access (OWA) web site.
Your Outlook clients then start reporting a certificate error as per below.

"The name on the security certificate is invalid or does not match the name of the site"

This message appears frequently, usually within a few moments of opening Outlook.

Cause

The cause is that Outlook clients are passed the certificate by the server, and have noted that the webmail address of the certificate does not match the internal name of the server.

For example:

Internal Server name: exchange.local

Webmail address: http://webmail.company.net/owa

Recommendations

Certificates are now usually not available which reference domains which companies do not own. For example, you will likely not be able to purchase a certificate that contains your webmail address (a domain which you own) and your internal addressing scheme (for example, .local) which you do not own.

One solution to this is to use an internal addressing scheme which matches the domain that you own. For many companies, this is not practical without an entire forest migration.

Solution

The solution is to modify settings within the Exchange server so that Outlook clients reach the resources that they need to using the external address.

Steps:

Use an NSLOOKUP command to ensure you have the correct internal IP address for your Exchange server. For example, exchange.local resolves to 10.0.0.10.
Add a DNS zone and host record which ensures that the webmail address of your Exchange server resolves to the same IP address. This means that when you do an NSLOOKUP against webmail.company.net it must resolve to the same IP address of 10.0.0.10.
Modify the following commands to include your local server names and webmail addresses (substitute the server names and web address in red)
Run the commands on your Exchange Server Power Management Console

Tip: You can use the "get" version of the commands, for example get-ClientAccessServer -Identity exchange to see what the current setting is, and make a note of it first.

Set-ClientAccessServer -Identity exchange -AutodiscoverServiceInternalUri https://webmail.company.net/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl https://webmail.company.net/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl https://webmail.company.net/oab

This last command is not required on Exchange 2010:

Set-UMVirtualDirectory -Identity "exchange\unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.company.net/unifiedmessaging/service.asmx

Testing

Always test changes immediately, ensuring that both Outlook clients and webmail clients function correctly.

If you require additional informatin please contact Stone support. A range of support services are available to assist customers.

Applies to:

Outlook 2007 and Exchange 2007 or Exchange 2010