Udostępnij za pośrednictwem


The Name on the security certificate is invalid or does not match the name of the site - PART 2

Once the cert has been installed you will need to enable the cert, you can run the following command to enable the certificate

Enable-ExchangeCertificate -Thumbprint 59 5e a4 7c f0 c0 4f 64 dc 3d 6d 29 95 f7 c4 b1 72 ca 0f 92 -Services "SMTP, IIS"

Note: The thumbprint needs to match the cert you have just installed, use either the get-certificate command or use the MMC, select the cert, click the details page and click on thumbprint or use the command specified in PART 1 to find the correct thumbprint

For each CAS server that is installed a Service Connection Point (SCP) record is created for the autodiscover service for internal clients

When i go into Outlook i get the following error:-

image

 

This is because i’m connecting to services using the NetBIOS name of mbx1 which does not match the name on the certificate. If i run Get-ClientAccessServer -Identity mbx1 | FL i’ll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, this does not match the certificate. I can also check the other services and see that i get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange Active Sync (EAS). So i need to update all theses internal url’s to match the name on the cert.

 

  • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname “nlb.nwtraders.msft” -ClientAuthenticationMethod “NTLM”

 

 

Note: If your customer does decide to enable OA externally it is important to note that the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the end point property in the client.

In order for Subject Alternate Name (SAN) certificates to be used for clients to connect to the OA service, where the CPN does not match the msstd value configured in the Outlook client profile (but the url is listed in the SAN part of the certificate), certain conditions need to be met, these are listed below:-

  • Outlook 2007 or higher
  • Vista SP1

 

Then when you open Outlook you should not longer get the cert error!

 

Written by Daniel Kenyon-Smith

Comments

  • Anonymous
    January 01, 2003
    What’s the error message you are getting? MBX1 in that example is the Exchange server (CAS) and nlb is load balanced name, which matches the certificate

  • Anonymous
    January 01, 2003
    Have you checked all the virtual directories? you could always add the name you require into the Subject Alternate Name (SAN) part of your certificate

  • Anonymous
    January 01, 2003
    All you are changing is the name the clients connect to, to match the name of cert, you can either change the certificate or update the services, either way won’t need to visit each client. If you are unsure, then I suggest you run this is a lab and run through all the scenarios you want to test

  • Anonymous
    January 01, 2003
    Sounds like clients are trying to connect to remote, when the cert is called netgear. I'd have a look on the exchange servers at the their certs and see what is installed there, you can view the certs through either the console in exchange 2010 or by using the get-exchangecertificate

  • Anonymous
    January 01, 2003
    Hello Kenyon87, What should I say about your article? Is there is a better word than "AWESOME". Simply superb, the same I tried given from the Microsoft KB 940726, but no go. Was having this issue for the past 3 months, now after trying your steps, it worked! You deserver a carton of beer! Thanks so much!

  • Anonymous
    January 01, 2003
    You could use this something like this command Set-WebServicesVirtualDirectory MBX1* or take a look at the TechNet site, it gives you some examples technet.microsoft.com/.../aa997233.aspx. Also make sure the virtual directories are showing in IIS

  • Anonymous
    January 01, 2003
    Thanks for the feedback Monica - take a look at this link it might help you configure the rule on ISA - www.microsoft.com/.../details.aspx Thanks Dan

  • Anonymous
    January 01, 2003
    What is the name the Outlook clients are trying to connect?

  • Anonymous
    November 01, 2010
    This was a tremendous help, Thx!!!!

  • Anonymous
    March 26, 2011
    The comment has been removed

  • Anonymous
    May 06, 2011
    Add an iisreset to the end and we are in business!  WOOHOO

  • Anonymous
    August 16, 2011
    The comment has been removed

  • Anonymous
    August 18, 2011
    I have the same issue but have been unable to resolve it even with this article! any other ideas out therE?

  • Anonymous
    February 03, 2012
    I just installed a Netgear FVS318N router on a companies network and now I’m getting the Security Alert message in Outlook 07 over 20 computers. Veiwed the cert and it is Netgear FVS318n. Please someone help. I can’t tell if it’s a Netgear issue or MS Issue, but only pops up when Outlook is open?

  • Anonymous
    February 06, 2012
    If you mean domain: remote.company.com which is listed on the Security Alert, but when I view the certificate, its issuer is Netgear with the model.

  • Anonymous
    March 22, 2012
    We have a similar error, but when I do the command Set-WebServicesVirtualDirectory I receive the error that it can not find the EWS (Default Web Site).  I am not sure how to get around this error.  If I continue with the Set-OABVirtualDirectory commend I get the similar error about the OAB (Default Web Site).  I know I am missing something, I just can not figure it out.  Any help would be greatly appreciated.

  • Anonymous
    April 27, 2012
    Oh man, this saved me a lot of headache during an Exchange 2010 migration.  Thank you!!!!

  • Anonymous
    June 21, 2012
    I'm having this issue and the fix appears easy enough. What are the consequences? Will I have to re-visit each PC on the network and configure Outlook again? Thanks

  • Anonymous
    November 11, 2012
    thank you very much ,this topic is very helpfull and it solve the problem in my company thank you

  • Anonymous
    January 21, 2013
    Thank you. I've look everywhere for this info. You make it simple.

  • Anonymous
    June 10, 2013
    The comment has been removed