Avatar of Aico

asked on

Certificate error with Outlook 2007 clients to Exchange 2007 server

I've got the following problem.

I'm currently migrating to an Exchange 2007 server. Whenever one of my Outlook 2007 clients connects to their mailbox on the Exchange 2007 server, they get the following message:

"Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".

I've done some searching and I found the following article:

In this article they recommend creating a new website with new virtual directories and assigning it to a second IP address which you assign to your Exchange server. On this new website you can assign a certificate with the correct name and route your internal clients to it.

Now the following problem occurs: My Exchange 2007 server is also a domain controller. And you know what they say! Don't use a multihomed domain controller in your domain, because this means trouble!

So, does anybody have any idea how I can make my Outlook 2007 clients connect to their Exchange 2007 mailboxes without breaking down my Outlook web access and Mobile Access clients?

Kind regards,

Avatar of Sembee

I disagree with Sembee, because you can use the following cmdlet to change the internal SCP and external SCP:
Set-WebServicesVirtualDirectory -Identity "EWS*" -ExternalUrl "Https://" -InternalUrl "Https://"

We used commercial certificates, and internal O12, external O12 and IE users were able to connect with no warning.
If you are only worried about the Autodiscover service, you can use the following cmdlet to set the internal URL to match the certificate:
Set-ClientAccessServer -Identity <ClientAccessServerIdParameter> [-AutoDiscoverServiceInternalUri <Uri>] [-AutoDiscoverSiteScope <MultiValuedProperty>] [-DomainController <Fqdn>]
If you are using the same URL inside and outside then it is fine.
However the problem is that Outlook 2007 tries to connect to https://servername/ 
where servername is the real name of the server. You then get the error.

The blog posting was heavily researched and discussed with some of my other MVP peers. If your domain uses .local then the solution I have outlined is the only way I have found to get round all the issues with SSL, as I have not found anyone who will issue a certificate with a subject alternative name that contains a .local domain name.

I know that this issue was raised, and I discussed it with some MS consultants and MVPs as well, and this drags us to the point: how does the O12 client locate the service point? It is from AD.
I will refer to the Autodiscover architecture in the following link:
So if I update the SCP in AD to the external name and use a properly managed split-DNS infrastructure, then I will be able to solve the problem, because internal clients will be able to connect to the Autodiscover SCP using the external FQDN and will use the certificate bound to IIS (which contains the external FQDN that users connect to).
I used the instructions and concepts explained in the following links:
·How to Configure the Availability Service for Network Load Balanced Computers
·Deployment Considerations for the Autodiscover Service
Unless you want to use 2 certificates (1 for internal names and 1 for external names).
I used this configuration in my test and production environments and it works great under Microsoft supervision, unless there is something missing that I can't see, so I will kindly ask you to explain it further to me.

Avatar of Aico


Thank you very much for all your input. Due to some time limitations I've chosen to follow Sembee's article (great article by the way!), despite the fact that Exchange is running on a DC.

I've configured a second IP address on the NIC and created the second website as described in your article, and everything seems to be working fine up till now. Even after a few reboots. Let's hope it stays that way.

Sembee, thank you for helping. The points will come your way!
Avatar of Aico


Ok, guys. I did some more research and found that the following article solved all my problems, without having to assign a second IP-address or create a second website:

It discusses how to assign multiple Host Names to 1 certificate. It works like a charm!
But you can't use a commercial certificate with multiple names; I think that VeriSign doesn't allow that.
So this is why Sembee and I used our approaches.
We almost had it working this way, except we ran into the problem that the server would keep re-registering itself in our DNS. This server was a DC, not the PDC, but we have 4 DCs in our org.

Anyways, it would keep registering the second IP address into dns. So we would have 2 entries in our DNS for the same IP address. And when Outlook 2007 would query the name of the server, it would randomly get one of the 2 IPs. If it got the wrong one, we got an SSL error as the second IP has a certificate with a different name than the host.

So now we're going the real way and getting a SAN certificate.
You present some smart solutions here.
I had the same problem and I found this solution easier to apply:
First you create a new DNS zone in your DNS server using the address configured in your commercial certificate, let's say:
Then you create a Host (A) record pointing to your mail server's IP:
Then you just change the following values through the Exchange shell console:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl 

*Please note that you must change "CAS_Server_Name" to your Exchange server name and use the correct address.

I hope this helps.
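The cmdlets in the two answers above (the SCP and virtual-directory URLs) with the values filled in, plus the checks an administrator would want before and after the change. This is an added example written for this thread, not code posted by rimba or by Microsoft; the host name mail.example.com, the CAS name CAS01 and the address 192.0.2.10 are placeholders, and the CertificateDomains property of Get-ExchangeCertificate and the dnscmd zone commands are assumed rather than taken from the thread. It runs in the Exchange 2007 Management Shell on the CAS/DNS server.

```powershell
# Added example (not from the thread): align the Exchange 2007 Autodiscover SCP and the
# internal web-service URLs with the host name on the commercial certificate, after
# checking that an IIS-enabled certificate really carries that name.
# Placeholders (assumed, not from the thread):
$certName = "mail.example.com"   # the name on the commercial certificate
$casName  = "CAS01"              # the Client Access server
$serverIp = "192.0.2.10"         # the address internal clients should reach

# 1. Refuse to publish a name that no IIS-enabled certificate contains; doing so is exactly
#    what produces the "name on the security certificate is invalid" prompt in Outlook.
#    CertificateDomains (assumed property name) lists subject and subject-alternative names.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
if (-not ($iisCerts | Where-Object { $_.CertificateDomains -contains $certName })) {
    throw "No IIS-enabled certificate lists $certName; fix the certificate before changing URLs."
}

# 2. rimba's DNS step: a zone named after the FQDN itself, with one A record at its root (@),
#    so internal clients resolve the certificate name to the mailbox server without a second
#    IP address on the (domain controller) NIC. dnscmd ships with the Windows DNS role.
dnscmd /ZoneAdd $certName /DsPrimary
dnscmd /RecordAdd $certName "@" A $serverIp

# 3. Point the SCP in AD and the internal URLs at the certificate name (thread cmdlets,
#    values filled in). Outlook 2007 reads these instead of https://servername/.
Set-ClientAccessServer -Identity $casName `
    -AutoDiscoverServiceInternalUri "https://$certName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$casName\EWS (Default Web Site)" `
    -InternalUrl "https://$certName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$casName\oab (Default Web Site)" `
    -InternalUrl "https://$certName/OAB"
Set-UMVirtualDirectory -Identity "$casName\unifiedmessaging (Default Web Site)" `
    -InternalUrl "https://$certName/UnifiedMessaging/Service.asmx"

# 4. Read every URL back and warn about any host that still does not match the certificate.
$urls = @(
    (Get-ClientAccessServer -Identity $casName).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $casName).InternalUrl,
    (Get-OABVirtualDirectory -Server $casName).InternalUrl,
    (Get-UMVirtualDirectory -Server $casName).InternalUrl
)
foreach ($u in $urls) {
    if ($u -and ([Uri]$u).Host -ne $certName) {
        Write-Warning "URL $u still points at a host that is not on the certificate"
    }
}
```

Because this approach adds a DNS zone rather than a second address on the server, it sidesteps the problem described earlier in the thread of a domain controller re-registering its second IP in DNS; the existing hostname.domain.local records are left in place, as the later replies note.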
Just wanted to add that the solution posted by rimba worked like a charm.

You're welcome!
This worked great for me also. I was getting two certificate errors though, and I still get a certificate error, as I have multiple domains on my Exchange server.
rimba's solution worked for me! Thanks.
np ;)
Hi rimba,
Thanks for your solution.
How do I create a new DNS zone in the DNS server using the address configured in the commercial certificate if:
my domain:  (mail server looks like :
on certificate :

The new DNS zone has to use the certificate's DNS name, regardless of other internal subdomains. If they don't match (certificate domain and new DNS zone) you will get a certificate mismatch error.
We're in the process of trying Rimba's solution, just wanted to clarify, should we delete the default Microsoft certificate once the Commercial certificate has been applied?

I believe only one certificate can be used per domain, therefore it will be replaced in the Exchange configuration but it won't be deleted itself. I don't think it is necessary though.
Thanks Rimba!
Rimba's solution looks pretty straight forward and matches MS's KB on the matter.  My one big question, though, is how will these changes affect Outlook clients that are currently pointing to the netbios name?  Will they automatically adjust or will each Outlook client have to be touched?  While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.

The NetBIOS name shouldn't be affected by these changes, since it is not IP related; the changes are for the HTTP connection of Outlook to the Exchange server, not for resolving the server's name itself.

I hope it helps


Maybe Netbios wasn't the best term for me to use.  What I'm getting at is:  All the Outlook 07 clients are pointing to hostname.domain.local.  If I make all the changes above to, will this break all the currently set up Outlooks?

Actually both DNS names will point to the same IP anyway... :) so you can use the actual or the new DNS name. (You are not deleting the old DNS record, only adding a new zone.)
Thank you Rimba - It worked great!
you are welcome :)
rimba's solution, also outlined here, worked like a charm, thanks!