The Name on the security certificate is invalid or does not match the name of the site - PART 2

Once the cert has been installed you will need to enable the cert, you can run the following command to enable the certificate

Enable-ExchangeCertificate -Thumbprint 59 5e a4 7c f0 c0 4f 64 dc 3d 6d 29 95 f7 c4 b1 72 ca 0f 92 -Services "SMTP, IIS"

Note: The thumbprint needs to match the cert you have just installed, use either the get-certificate command or use the MMC, select the cert, click the details page and click on thumbprint or use the command specified in PART 1 to find the correct thumbprint

For each CAS server that is installed a Service Connection Point (SCP) record is created for the autodiscover service for internal clients

When i go into Outlook i get the following error:-

 

This is because i’m connecting to services using the NetBIOS name of mbx1 which does not match the name on the certificate. If i run Get-ClientAccessServer -Identity mbx1 | FL i’ll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, this does not match the certificate. I can also check the other services and see that i get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange Active Sync (EAS). So i need to update all theses internal url’s to match the name on the cert.

• Set-ClientAccessServer -Identity "mbx1" –AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml

 

• Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" –InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx

• Set-OABVirtualDirectory -Identity “mbx1\OAB (Default Web Site)” -InternalURL https://nlb.nwtraders.msft/OAB

• Enable-OutlookAnywhere -Server mbx1 -ExternalHostname “nlb.nwtraders.msft” -ClientAuthenticationMethod “NTLM”

 

• Set-ActiveSyncVirtualDirectory -Identity “mbx1 \Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync

 

Note: If your customer does decide to enable OA externally it is important to note that the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the end point property in the client.

In order for Subject Alternate Name (SAN) certificates to be used for clients to connect to the OA service, where the CPN does not match the msstd value configured in the Outlook client profile (but the url is listed in the SAN part of the certificate), certain conditions need to be met, these are listed below:-

• Outlook 2007 or higher
• Vista SP1

 

Then when you open Outlook you should not longer get the cert error!

 

Written by Daniel Kenyon-Smith

Comments

• Anonymous
  January 01, 2003
  What’s the error message you are getting? MBX1 in that example is the Exchange server (CAS) and nlb is load balanced name, which matches the certificate

• Anonymous
  January 01, 2003
  Have you checked all the virtual directories? you could always add the name you require into the Subject Alternate Name (SAN) part of your certificate

• Anonymous
  January 01, 2003
  All you are changing is the name the clients connect to, to match the name of cert, you can either change the certificate or update the services, either way won’t need to visit each client. If you are unsure, then I suggest you run this is a lab and run through all the scenarios you want to test

• Anonymous
  January 01, 2003
  Sounds like clients are trying to connect to remote, when the cert is called netgear. I'd have a look on the exchange servers at the their certs and see what is installed there, you can view the certs through either the console in exchange 2010 or by using the get-exchangecertificate

• Anonymous
  January 01, 2003
  Hello Kenyon87, What should I say about your article? Is there is a better word than "AWESOME". Simply superb, the same I tried given from the Microsoft KB 940726, but no go. Was having this issue for the past 3 months, now after trying your steps, it worked! You deserver a carton of beer! Thanks so much!

• Anonymous
  January 01, 2003
  You could use this something like this command Set-WebServicesVirtualDirectory MBX1* or take a look at the TechNet site, it gives you some examples technet.microsoft.com/.../aa997233.aspx. Also make sure the virtual directories are showing in IIS

• Anonymous
  January 01, 2003
  Thanks for the feedback Monica - take a look at this link it might help you configure the rule on ISA - www.microsoft.com/.../details.aspx Thanks Dan

• Anonymous
  January 01, 2003
  What is the name the Outlook clients are trying to connect?

• Anonymous
  November 01, 2010
  This was a tremendous help, Thx!!!!

• Anonymous
  March 26, 2011
  The comment has been removed

• Anonymous
  May 06, 2011
  Add an iisreset to the end and we are in business!  WOOHOO

• Anonymous
  August 16, 2011
  The comment has been removed

• Anonymous
  August 18, 2011
  I have the same issue but have been unable to resolve it even with this article! any other ideas out therE?

• Anonymous
  February 03, 2012
  I just installed a Netgear FVS318N router on a companies network and now I’m getting the Security Alert message in Outlook 07 over 20 computers. Veiwed the cert and it is Netgear FVS318n. Please someone help. I can’t tell if it’s a Netgear issue or MS Issue, but only pops up when Outlook is open?

• Anonymous
  February 06, 2012
  If you mean domain: remote.company.com which is listed on the Security Alert, but when I view the certificate, its issuer is Netgear with the model.

• Anonymous
  March 22, 2012
  We have a similar error, but when I do the command Set-WebServicesVirtualDirectory I receive the error that it can not find the EWS (Default Web Site).  I am not sure how to get around this error.  If I continue with the Set-OABVirtualDirectory commend I get the similar error about the OAB (Default Web Site).  I know I am missing something, I just can not figure it out.  Any help would be greatly appreciated.

• Anonymous
  April 27, 2012
  Oh man, this saved me a lot of headache during an Exchange 2010 migration.  Thank you!!!!

• Anonymous
  June 21, 2012
  I'm having this issue and the fix appears easy enough. What are the consequences? Will I have to re-visit each PC on the network and configure Outlook again? Thanks

• Anonymous
  November 11, 2012
  thank you very much ,this topic is very helpfull and it solve the problem in my company thank you

• Anonymous
  January 21, 2013
  Thank you. I've look everywhere for this info. You make it simple.

• Anonymous
  June 10, 2013
  The comment has been removed