Stone Computers Knowledgebase

Outlook clients report a Certificate name Mismatch after an SSL Certificate is added to an Exchange Server

Article ID: 208
Last updated: 22 Oct, 2013
Revision: 6
Views: 45515
Posted: 22 Oct, 2013 by Andrew Sharrad
Updated: 22 Oct, 2013 by Andrew Sharrad


  • You are running Exchange 2007 or Exchange 2010
  • Your client PCs are running Outlook 2007 or higher
  • You add an SSL certificate to your Exchange Server so that users do not see a certificate warning when connecting to your Outlook Web Access (OWA) web site.
  • Your Outlook clients then start reporting the certificate error shown below.

"The name on the security certificate is invalid or does not match the name of the site"

This message appears frequently, usually within a few moments of opening Outlook.


The cause is that the server passes the certificate to the Outlook clients, and the clients detect that the webmail address on the certificate does not match the internal name of the server.

For example:

Internal Server name: exchange.local

Webmail address:


Certificates that reference domains a company does not own are now usually not available. For example, you will likely not be able to purchase a certificate that contains both your webmail address (a domain which you own) and your internal addressing scheme (for example, .local), which you do not own.

One solution to this is to use an internal addressing scheme which matches the domain that you own. For many companies, this is not practical without an entire forest migration.


The solution is to modify settings on the Exchange server so that Outlook clients reach the resources they need using the external address.


  • Use an NSLOOKUP command to ensure you have the correct internal IP address for your Exchange server. For example, exchange.local resolves to
  • Add a DNS zone and host record which ensures that the webmail address of your Exchange server resolves to the same IP address. This means that when you do an NSLOOKUP against it must resolve to the same IP address of
  • Modify the following commands to include your local server names and webmail addresses (substitute the server names and web address in red)
  • Run the commands on your Exchange Server Power Management Console

Tip: You can run the "get" version of each command first, for example Get-ClientAccessServer -Identity exchange, to see what the current setting is, and make a note of it.

Set-ClientAccessServer -Identity exchange -AutodiscoverServiceInternalUri 

Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl

This last command is not required on Exchange 2010:

Set-UMVirtualDirectory -Identity "exchange\unifiedmessaging (Default Web Site)" -InternalUrl


Always test changes immediately, ensuring that both Outlook clients and webmail clients function correctly.
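
One way to check the result, as an added example that is not part of the original article: the PowerShell below takes the host name from each internal URL and tests whether the certificate's names cover it, including the rule that a wildcard matches only one label. The function names, mail.example.com, autodiscover.example.com and the sample URLs are constructed placeholders, not values from this article.

```powershell
# Added example: all host names and URLs below are constructed placeholders.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertificateNames)
    foreach ($name in $CertificateNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers exactly one left-most label: *.example.com matches
        # mail.example.com, but not example.com or a.b.example.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # e.g. ".example.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-InternalUrlCoverage {
    param([hashtable]$Urls, [string[]]$CertificateNames)
    foreach ($entry in $Urls.GetEnumerator()) {
        $hostName = ([Uri]$entry.Value).Host
        New-Object PSObject -Property @{
            Setting = $entry.Key
            Host    = $hostName
            Covered = Test-CertNameMatch -HostName $hostName -CertificateNames $CertificateNames
        }
    }
}

# Constructed sample input. On a live server the URLs come from the "get"
# commands (the AutoDiscoverServiceInternalUri property of Get-ClientAccessServer,
# the InternalUrl property of Get-WebServicesVirtualDirectory and
# Get-OABVirtualDirectory) and the certificate names from
# Get-ExchangeCertificate | ForEach-Object { $_.CertificateDomains }.
$certNames = @('mail.example.com', 'autodiscover.example.com')
$urls = @{
    'AutodiscoverServiceInternalUri' = 'https://exchange.local/Autodiscover/Autodiscover.xml'
    'EWS InternalUrl'                = 'https://mail.example.com/EWS/Exchange.asmx'
    'OAB InternalUrl'                = 'https://mail.example.com/OAB'
}

# Any row with Covered = False will still produce the name-mismatch warning.
Get-InternalUrlCoverage -Urls $urls -CertificateNames $certNames |
    Select-Object Setting, Host, Covered | Format-Table -AutoSize
```

With the sample input, the Autodiscover row is reported as not covered because its URL still points at the internal name.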

If you require additional information, please contact Stone support. A range of support services are available to assist customers.

Applies to:

  • Outlook 2007 and Exchange 2007 or Exchange 2010
