Investigating invalid security certificate name errors in Outlook

Creating a security certificate for Exchange Server 2007 can be tricky, especially when it comes to choosing which domain names to include. At the very least, you have to include the OWA URL (www.domain.com) and the Autodiscover URL (autodiscover.domain.com). But if you're running a client access server on top of that, you'll need to include references for those URLs as well as the cas-server-name.AD.local format.

If the common name on the certificate doesn't match the Autodiscover URL's fully qualified domain name (FQDN), then clients connecting through Microsoft Outlook will receive an error message stating, "The name of the security certificate is invalid or does not match the name of the site." Although this error isn't fatal, it can be misleading.

What causes this error? By default, Autodiscover URLs and other services are referenced using an internal namespace, such as the server-name.domain.local format. You'll also get the error if the certificate is missing those internal names and doesn't support subject alternative names (SANs). This occurs because Exchange Server is strict about name matching and will raise the error if it doesn't see the exact FQDN listed in the certificate.

This issue affects not only the Autodiscover service, but also several other key Web services that the security certificate covers, including Exchange 2007 Web Services (EWS), the Offline Address Book and Exchange Unified Messaging.

The most obvious way to fix this problem is to replace the certificate with one that includes the necessary FQDNs. However, this may not be an option if you don’t have budget available to buy another certificate.

Microsoft has a workaround that allows Exchange administrators to reassign the URL references used for the Autodiscover service or one of the other crucial services. You simply need to go into the Exchange Management Shell and change the URL for the service to one that’s accessible externally.
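The workaround above, as an added Exchange Management Shell example that is not the article's or Microsoft's own script: it reads the names present on the certificate, reports which of the Autodiscover, EWS, OAB and UM internal URLs point at a name the certificate does not cover (such as cas-server-name.AD.local), and repoints those to the external names. The server name CAS01, the thumbprint placeholder and the assumption of one virtual directory per service are mine; it only reports until `$whatIf` is set to `$false`.

```powershell
# Added example (not from the article): list which internal service URLs on a CAS
# are not covered by the names on its certificate, then repoint the uncovered ones.
# Assumed values: server CAS01, the page's www.domain.com / autodiscover.domain.com
# names, and a thumbprint placeholder; one virtual directory per service is assumed.
$cas        = "CAS01"
$thumbprint = "<CERT-THUMBPRINT-PLACEHOLDER>"
$webName    = "www.domain.com"            # cert name to use for EWS, OAB and UM
$autodName  = "autodiscover.domain.com"   # cert name to use for Autodiscover
$whatIf     = $true                       # $true only reports; set $false to apply

# Subject CN plus SANs actually present on the certificate
$certNames = (Get-ExchangeCertificate -Thumbprint $thumbprint).CertificateDomains

# True if the host name is listed on the certificate, including a *.domain.com wildcard
function Test-NameCovered([string]$hostName, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -ieq $hostName) { return $true }
        if ($n.StartsWith("*.") -and
            $hostName -imatch ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { return $true }
    }
    return $false
}

# Per service: the URL Outlook is handed today, the corrected URL, and the cmdlet that sets it
$services = @(
  @{ Name='Autodiscover'; Url=(Get-ClientAccessServer $cas).AutoDiscoverServiceInternalUri;
     New="https://$autodName/Autodiscover/Autodiscover.xml";
     Fix={ param($u) Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri $u -WhatIf:$whatIf } },
  @{ Name='EWS'; Url=@(Get-WebServicesVirtualDirectory -Server $cas)[0].InternalUrl;
     New="https://$webName/EWS/Exchange.asmx";
     Fix={ param($u) Get-WebServicesVirtualDirectory -Server $cas | Set-WebServicesVirtualDirectory -InternalUrl $u -WhatIf:$whatIf } },
  @{ Name='OAB'; Url=@(Get-OABVirtualDirectory -Server $cas)[0].InternalUrl;
     New="https://$webName/OAB";
     Fix={ param($u) Get-OABVirtualDirectory -Server $cas | Set-OABVirtualDirectory -InternalUrl $u -WhatIf:$whatIf } },
  @{ Name='UM'; Url=@(Get-UMVirtualDirectory -Server $cas)[0].InternalUrl;
     New="https://$webName/UnifiedMessaging/Service.asmx";
     Fix={ param($u) Get-UMVirtualDirectory -Server $cas | Set-UMVirtualDirectory -InternalUrl $u -WhatIf:$whatIf } }
)

foreach ($s in $services) {
    if (-not $s.Url) { continue }                     # service not present on this CAS
    $hostName = ([System.Uri]$s.Url).Host
    if (Test-NameCovered $hostName $certNames) {
        "{0,-13} OK   {1}" -f $s.Name, $s.Url
    } else {
        "{0,-13} FIX  {1} -> {2}" -f $s.Name, $s.Url, $s.New
        & $s.Fix $s.New
    }
}
```

The external names you point the services at must resolve from inside the network as well, or Outlook clients on the LAN will trade the certificate warning for a connection failure.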

Note: The Microsoft Exchange team blog discusses the process described above as well as how to generate a certificate from a third-party certification authority. The post covers subject alternative names and how to get the correct domains listed on the certificate the first time. If you've never gone through the process of generating a certificate from scratch and want to avoid these headaches, I definitely recommend reading the piece.

Serdar Yegulalp has been writing about computers and IT for more than 15 years for a variety of publications, including SearchWinIT.com, SearchExchange.com, InformationWeek and Windows magazine.

This was first published in February 2011
