Exchange 2007 UCC / Internal Domain Name Issue

Ran into an issue requesting a new UCC for a new Exchange 2007 box.  Tried to request the UCC according to directions posted here:

Getting the UCC approved for "server", "", and "" were easy enough.  But I have been unable to get approval for "" because we don't own "".

This is problematic because when I enable the certificate for the IIS service, it becomes active for OWA (which I want) but then returns the following when configuring Outlook on an internal workstation:


Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's security certificate.

The security certificate is from a trusted certifying authority.

The security certificate date is valid.

The name on the security certificate is invalid or does not match the name of the site.

I called our certificate provider for advice, and the tech's suggestion was to change our entire internal domain name to something we could own.  This seems rather extreme to have to rename our entire domain.

Is there a way to get "" onto our certificate?  Alternately, is there a way to trick Outlook to look for just "server" on the certificate rather than ""?  Or lastly, is there a way for the Exchange server to use the self-signed certificate for Outlook connections and the 3rd party certificate for all external connections (OWA, Activesync)?

Asked by Dan Carp, IT Director

Dan Carp (IT Director), author, commented:
I think I may have the answer... the solution I posted earlier seems to be only part of the full resolution.  See:

In addition to changing the internal URL for the client access server, I also needed to change a few others (Web Services Virtual Directory, OAB Virtual Directory, & Active Sync Virtual Directory).

Going on 4 hours now, and no cert errors.  Here's hoping!

There are two ways around this.
1. Some certificate providers will issue a certificate for a domain that you do not own, as long as it is NOT the common name. It depends on the provider and your relationship with them. I had a client who had the same problem and they got their certificates issued fine. Entrust I think they were from, but I could be wrong.

2. If your EXTERNAL DNS provider supports SRV records then you can use that method.

Dan Carp (IT Director), author, commented:
Thanks Simon.  I tried to get the certificate issued again, but couldn't because our internal domain ends with a .com and is owned by somebody else.

From another source, I received the suggestion to run the following command from the Exchange shell:

set-clientaccessserver -Identity server -AutoDiscoverServiceInternalUri "

It looks as though it's very similar to your second suggestion and seems to be doing the trick.  Instead of having as an SRV record (which I could do), it's in there as an A record, which seems to be working.
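The two posts above together describe the fix that eventually held: point Autodiscover and the other internal URLs at a host name that actually appears on the UCC, so Outlook's name check passes. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft; it assumes the CAS is named "server" as in the question, that "mail.example.com" stands in for a SAN that is on the issued certificate and that internal DNS resolves it to the CAS (the A record Dan mentions), and that the thumbprint is a placeholder you replace with your own. It checks the name against the certificate before changing anything, applies the same four settings the thread names, and then lists every internal URL with an OK/BAD mark so a stray URL still using the unowned internal domain is obvious.

```powershell
# Added example (not from the original thread). Exchange 2007 cmdlets only.
$Cas        = "server"                    # CAS name used in the thread
$PublicName = "mail.example.com"          # ASSUMPTION: a SAN present on the UCC
$Thumbprint = "<thumbprint-placeholder>"  # PLACEHOLDER: thumbprint of the UCC

# 1. Refuse to repoint anything at a name the certificate does not carry;
#    that is exactly the mismatch that produces the Outlook warning.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ($cert.CertificateDomains -notcontains $PublicName) {
    throw "$PublicName is not a SAN on certificate $Thumbprint; Outlook would keep warning."
}

# 2. Autodiscover internal URI (the setting from Dan's earlier post).
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$PublicName/Autodiscover/Autodiscover.xml"

# 3. The additional virtual directories Dan found he also had to change.
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Cas\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"

# 4. Verify: every internal URL must use a host name that is on the certificate.
$urls = @(
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri,
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl,
    (Get-OABVirtualDirectory -Server $Cas).InternalUrl,
    (Get-ActiveSyncVirtualDirectory -Server $Cas).InternalUrl
)
foreach ($u in $urls) {
    $hostName = ([System.Uri]$u).Host
    $mark = if ($cert.CertificateDomains -contains $hostName) { "OK " } else { "BAD" }
    "{0} {1}" -f $mark, $u
}
```

Run it once from the Exchange Management Shell on the CAS after the certificate has been enabled for IIS. A "BAD" line points at a URL still handing Outlook a name the certificate cannot vouch for; the intermittent prompts Dan describes later in the thread are what that looks like from the client side, since Outlook re-reads these URLs from Autodiscover periodically rather than only at profile creation.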
Dan Carp (IT Director), author, commented:
Accepted solution (from author) does not fully resolve issue and could use further assistance
Dan Carp (IT Director), author, commented:
Simon - I've since discovered that the solution I came up with is somewhat flawed.  Setting the client access server did allow Outlook to initially accept the security certificate.  But after setting up Outlook, and after seemingly random intervals, Outlook would again prompt the user about the invalid name on the security certificate.  I'm trying to figure out how to induce the error to help troubleshooting, but have yet to figure out how to do so.

I'm going to try changing the record from an A record to a SRV record with our DNS provider as you suggested, but do you think that will affect things within our domain?

Thank you VERY kindly for your assistance!