Tip

Error: 'The name of the security certificate is invalid or does not match the name of the site'

When Microsoft Outlook 2007 users connect to an Exchange 2007 server, they may experience the error: The name of the security certificate is invalid or does not match the name of the site. Fortunately, this doesn't mean a third party has hijacked your Exchange server for nefarious ends or monkeyed around with your security certificate.

    Requires Free Membership to View

VIEW MEMBER FEEDACK TO THIS EXCHANGE SERVER TIP

The security certificate error only occurs when a Microsoft Outlook 2007 user connects to Exchange Server from within the local network and when one of the following conditions is present:

  1. The default self-signed Exchange Server 2007 certificate, which is generated when Exchange 2007 is installed, has been replaced with a new one.
  2. The common name on the new certificate does not match the fully qualified domain name (FQDN), of the URL for:
    • The Service Connection Point object for the Autodiscover service
    • The InternalURL attribute of the Exchange 2007 Web Service (EWS), the Offline Address Book Web service, or the Exchange Unified Messaging (UM) Web service.

The URL that stores these objects employs the NetBIOS name of the server. So if you change the NetBIOS name of the Exchange server, the URL changes as well.

If your Exchange server is named utena and you're in the domain ohtori.org, the Autodiscover service's URL will be https://utena.ohtori.org/autodiscover/autodiscover.xml.

If the FQDN in the replacement certificate uses something like mail.ohtori.org, this will create a mismatch and you'll get the aforementioned error.

Related resources:

Tip: How to move an SSL certificate between Exchange servers

Expert Advice: Setting up a front-end certificate server

Tip: Watch out for a Microsoft Outlook 2007 indexing issue in Windows Vista

Reference Center: Exchange Server 2007 tips and resources

The best way to fix this is not to create a new security certificate -- that would involve too much hassle. Instead, you need to replace the URLs for the affected Exchange 2007 components.

You do this from the command line by using the Exchange Management Shell. Exact instructions are documented in Microsoft Knowledge Base article 940726. The commands can be copied out, modified as needed, and then pasted into a shell session to make the job all that much easier.

If you're thinking about replacing the native Exchange 2007 security certificate with a third-party certificate to preemptively avoid this problem, look for a certificate authority that supports Subject Alternative Names (this link describes how to add a certificate to Exchange 2007 that supports SAN fields, since the process requires some manual work to implement correctly).

Using Subject Alternative Names allows a certificate to provide multiple namespace references for objects. This means you can have the same object covered with multiple name references through a single certificate.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.

MEMBER FEEDBACK TO THIS EXCHANGE SERVER TIP

This tip is excellent. Everywhere else I have read stated that a new certificate was required. I have made these simple changes and now both internal and external users are getting a true secure connection to the Exchange server. Thanks.
—Eric M.

Do you have comments on this tip? Let us know.

Please let others know how useful this tip was via the rating scale below. Do you know a helpful Exchange Server, Microsoft Outlook or SharePoint tip, timesaver or workaround? Email the editors to talk about writing for SearchExchange.com.

This was first published in September 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.