Investigating invalid security certificate name errors in Outlook

Creating a security certificate for Exchange 2007 can be tricky. Include one incorrect piece of info, and you’ll get an error message. This tip explains common mistakes and a workaround.

Creating a security certificate for Exchange Server 2007 can be tricky, especially when it comes to choosing a

domain name to include. At the very least, you have to include the OWA URL (www.domain.com) and the Autodiscover URL (autodiscover.domain.com). But if you’re running a client access server on top of that, you’ll need use references for those URLs as well as the cas-server-name.AD.local format.

If the common name on the certificate doesn’t match the Autodiscover URL's fully qualified domain name (FQDN), then clients connecting through Microsoft Outlook will receive an error messaging stating, “The name of the security certificate is invalid or does not match the name of the site.” Although this error isn’t fatal, it can be misleading.

What causes this error? By default, Autodiscover URLs and other services are referenced using an internal namespace. Take the server-name.domain.local format, for example. You’ll also get an error message if the certificate is missing the internal namespaces and the certificate doesn’t support subject alternative names (SANs). This occurs because Exchange Server is trying to be precise and will create an error message if it doesn’t see the exact FQDN listed in the certificate.

This issue affects not only the Autodiscover service, but also several other key Web services that the security certificate covers, including Exchange 2007 Web Services (EWS), the Offline Address Book and Exchange Unified Messaging.

The most obvious way to fix this problem is to replace the certificate with one that includes the necessary FQDNs. However, this may not be an option if you don’t have budget available to buy another certificate.

Microsoft has a workaround that allows Exchange administrators to reassign the URL references used for the Autodiscover service or one of the other crucial services. You simply need to go into the Exchange Management Shell and change the URL for the service to one that’s accessible externally.

Note: The Microsoft Exchange team blog discusses the process described above as well as how to how to generate a certificate from a third-party certification authority. The post covers subject alternative names and how to get the correct domains listed on the certificate the first time. If you’ve never gone through the process of generating a certificate from scratch and want to avoid these headaches, I definitely recommend reading the piece.

ABOUT THE AUTHOR:
Serdar Yegulalp
has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.

This was first published in February 2011

Dig deeper on Microsoft Exchange Server 2007

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchWindowsServer

SearchEnterpriseDesktop

SearchCloudComputing

SearchSQLServer

Close