Exchange 2007 UCC / Internal Domain Name Issue

Posted on 2009-04-21
Last Modified: 2013-11-16
Ran into an issue requesting a new UCC for a new Exchange 2007 box.  Tried to request the UCC according to directions posted here:

Getting the UCC approved for "server", "", and "" were easy enough.  But I have been unable to get approval for "" because we don't own "".

This is problematic because when I enable the certificate for the IIS service, it becomes active for OWA (which I want) but then returns the following when configuring Outlook on an internal workstation:


Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's security certificate.

The security certificate is from a trusted certifying authority.

The security certificate date is valid.

The name on the security certificate is invalid or does not match the name of the site.

I called our certificate provider for advice, and the tech's suggestion was to change our entire internal domain name to something we could own.  This seems rather extreme to have to rename our entire domain.

Is there a way to get "" onto our certificate?  Alternately, is there a way to trick Outlook to look for just "server" on the certificate rather than ""?  Or lastly, is there a way for the Exchange server to use the self-signed certificate for Outlook connections and the 3rd party certificate for all external connections (OWA, Activesync)?

Question by: pcamis

    Expert Comment

    There are two ways around this.
    1. Some certificate providers will issue a certificate for a domain that you do not own, as long as it is NOT the common name. It depends on the provider and your relationship with them. I had a client who had the same problem and they got their certificates issued fine. Entrust I think they were from, but I could be wrong.

    2. If your EXTERNAL DNS provider supports SRV records then you can use that method.


    Author Comment

    Thanks Simon.  I tried to get the certificate issued again, but couldn't because our internal domain ends with a .com and is owned by somebody else.

    From another source, I received the suggestion to run the following command from the Exchange shell:

    set-clientaccessserver -Identity server -AutoDiscoverServiceInternalUri "

    It looks as though it's very similar to your second suggestion and seems to be doing the trick.  Instead of having as a SRV record (which I could do), it's in there as an A record which seems to be working.

    Author Comment

    Accepted solution (from author) does not fully resolve issue and could use further assistance

    Author Comment

    Simon - I've since discovered that the solution I came up with is somewhat flawed.  Setting the client access server did allow Outlook to initially accept the security certificate.  But after setting up Outlook and after seemingly random intervals, Outlook would again prompt the user about the invalid name on the security certificate.  I'm trying to figure out how to induce the error to help troubleshooting, but have yet to figure out how to do so.

    I'm going to try changing the record from an A record to a SRV record with our DNS provider as you suggested, but do you think that will affect things within our domain?

    Thank you VERY kindly for your assistance!

    Accepted Solution

    I think I may have the answer... the solution I posted earlier seems to be only part of the full resolution.  See:

    In addition to changing the internal URL for the client access server, I also needed to change a few others (Web Services Virtual Directory, OAB Virtual Directory, & Active Sync Virtual Directory).

    Going on 4 hours now, and no cert errors.  Here's hoping!
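As an added example (not from the original thread or from Microsoft), the set of Exchange Management Shell changes the accepted solution describes, followed by a check that every internal URL now uses a name that is actually on the installed certificate. SERVER and mail.example.com are placeholders; the example assumes mail.example.com is a publicly owned name present on the UCC and that internal DNS resolves it to the Client Access server, as the author set up with an A record.

```powershell
# Added example, not code from the original thread. Assumptions: the Client
# Access server is named SERVER and the CA-issued UCC contains the name
# mail.example.com (placeholder for a domain the organisation owns). Internal
# DNS must resolve that name to the CAS (A record, as the author did, or the
# SRV method the expert suggested).

$server = "SERVER"
$fqdn   = "mail.example.com"   # placeholder: a name that IS on the UCC

# 1. Confirm which names the certificate bound to IIS actually carries
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 2. Autodiscover internal URI (the author's first fix)
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# 3. The additional virtual directories named in the accepted solution
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$fqdn/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$fqdn/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

# 4. Verify: each internal URL's host must appear in the certificate's domain
#    list, otherwise Outlook will keep raising the name-mismatch prompt.
#    (A wildcard entry on the certificate is not expanded by this simple check.)
$urls = @(
    (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
    (Get-OABVirtualDirectory -Server $server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl
)
$certNames = (Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }).CertificateDomains
foreach ($u in $urls) {
    $host = ([System.Uri]$u).Host
    $state = if ($certNames -contains $host) { "OK" } else { "NOT ON CERT" }
    "{0,-70} {1}" -f $u, $state
}
```

Any URL reported as NOT ON CERT is one Outlook will still complain about; the OWA and ActiveSync external URLs are unaffected by these internal-only changes.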
