Error: 'The name of the security certificate is invalid or does not match the name of the site'


Serdar Yegulalp
09.05.2007


When Microsoft Outlook 2007 users connect to an Exchange 2007 server, they may see the error "The name of the security certificate is invalid or does not match the name of the site." Fortunately, this doesn't mean a third party has hijacked your Exchange server for nefarious ends or monkeyed around with your security certificate.

The security certificate error only occurs when a Microsoft Outlook 2007 user connects to Exchange Server from within the local network and when one of the following conditions is present:

  1. The default self-signed Exchange Server 2007 certificate, which is generated when Exchange 2007 is installed, has been replaced with a new one.
  2. The common name on the new certificate does not match the fully qualified domain name (FQDN) of the URL for:
    • The Service Connection Point object for the Autodiscover service
    • The InternalURL attribute of the Exchange 2007 Web Service (EWS), the Offline Address Book Web service, or the Exchange Unified Messaging (UM) Web service.

The URLs stored in these objects use the NetBIOS name of the server. So if you change the NetBIOS name of the Exchange server, the URLs change as well.

If your Exchange server is named utena and you're in the domain ohtori.org, the Autodiscover service's URL will be https://utena.ohtori.org/autodiscover/autodiscover.xml.

If the FQDN in the replacement certificate uses something like mail.ohtori.org, this will create a mismatch and you'll get the aforementioned error.
The best way to fix this is not to create a new security certificate -- that would involve too much hassle. Instead, you need to replace the URLs for the affected Exchange 2007 components.

You do this from the command line by using the Exchange Management Shell. Exact instructions are documented in Microsoft Knowledge Base article 940726. The commands can be copied out, modified as needed, and then pasted into a shell session to make the job all that much easier.
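
The following Exchange Management Shell session is an added example, not the text of the Knowledge Base article: it lists the names on the IIS certificate, checks each internal URL against them, and then previews the URL changes. It assumes the article's sample names (server utena, certificate name mail.ohtori.org) and the default virtual directory names and paths; Test-NameCovered is a helper defined here.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007).
# Assumptions: the replacement certificate is the one enabled for IIS, and the
# virtual directories keep their default names under "Default Web Site".

# 1. Names the certificate covers (common name plus any SAN entries).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# Returns $true when $hostName equals a certificate name or matches a
# wildcard entry such as *.ohtori.org (one leading label only).
function Test-NameCovered([string]$hostName, $names) {
    $parent = $hostName.Substring($hostName.IndexOf('.') + 1)
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $n.Substring(2) -eq $parent) { return $true }
    }
    return $false
}

# 2. Internal URLs stored in the objects the article lists.
$targets = @()
$targets += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$targets += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
$targets += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl }
$targets += Get-UMVirtualDirectory | ForEach-Object { $_.InternalUrl }

# 3. Report each URL and whether its host name is on the certificate.
$targets | Where-Object { $_ } | ForEach-Object {
    $u = [System.Uri]$_.ToString()
    "{0,-5} {1}" -f (Test-NameCovered $u.Host $certNames), $u.AbsoluteUri
}

# 4. Point the mismatched objects at the name on the certificate.
# -WhatIf previews each change; remove it to apply.
$fqdn = 'mail.ohtori.org'   # certificate name used in the article's example
Set-ClientAccessServer -Identity utena -AutoDiscoverServiceInternalUri "https://$fqdn/autodiscover/autodiscover.xml" -WhatIf
Set-WebServicesVirtualDirectory -Identity 'utena\EWS (Default Web Site)' -InternalUrl "https://$fqdn/ews/exchange.asmx" -WhatIf
Set-OabVirtualDirectory -Identity 'utena\OAB (Default Web Site)' -InternalUrl "https://$fqdn/oab" -WhatIf
Set-UMVirtualDirectory -Identity 'utena\UnifiedMessaging (Default Web Site)' -InternalUrl "https://$fqdn/unifiedmessaging/service.asmx" -WhatIf
```

The new host name must resolve to the Exchange server on the internal DNS, or Outlook clients will fail to reach the services instead of showing the certificate warning.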

If you're thinking about replacing the native Exchange 2007 security certificate with a third-party certificate to preemptively avoid this problem, look for a certificate authority that supports Subject Alternative Names (this link describes how to add a certificate to Exchange 2007 that supports SAN fields, since the process requires some manual work to implement correctly).

Using Subject Alternative Names allows a certificate to provide multiple namespace references for objects. This means you can have the same object covered with multiple name references through a single certificate.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.

MEMBER FEEDBACK TO THIS EXCHANGE SERVER TIP

This tip is excellent. Everywhere else I have read stated that a new certificate was required. I have made these simple changes and now both internal and external users are getting a true secure connection to the Exchange server. Thanks.
—Eric M.
