Greaume asked:

Outlook 2007 The name of the security certificate is invalid or does not match the name of the site

I have found the article for this @   http://support.microsoft.com/kb/940726/en-us
I don't use the exchange management shell that much.
Is there a different way to do this?
In View Certificate I have:
Issued to:  MYSERVER.domain.local
Issued by: domain-MYSERVER-CA

I have just finished installing service pack 1 for exchange 2007 and Exchange 2007 Update Rollup 9.
thanks a lot
aa
Shabarinath TR

What I feel is the CAS security certificate should be on the name of the CAS address published. Not based on the server name.

Eg: outlook.mydomain.com

Good luck
Shaba
drilus

Your certificate has expired. That is why you are getting the error message. You can either issue yourself a new certificate or you could get one from GoDaddy on the cheap.

Here is an article on renewing your self signed certificate:
http://exchangepedia.com/2008/01/exchange-server-2007-renewing-the-self-signed-certificate.html

If you want a 3rd party:
https://www.godaddy.com/ssl/ssl-certificates.aspx

Here is a tutorial for setting up a 3rd party certificate:
http://knowthenetwork.com/blog/2008/09/how-to-install-3rd-party-trusted-certificates-to-exchange-2007/
That cert is your local computer cert. You'll need to import one to the Exchange server using Import-ExchangeCertificate.
Greaume (ASKER):
how can I tell if the certificate has expired?
Plus this was working just fine until the service pack 1 update
run this from exch shell

get-exchangecertificate | fl

copy paste the output here
Greaume (ASKER):
AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=SERVERNAME.domain.local
NotAfter           : 03/12/2012 12:00:00 AM
NotBefore          : 04/12/2009 12:00:00 AM
PublicKeySize      : 1024
RootCAType         : None
SerialNumber       : 0FA99168655D05BC4DAF62F106A5D34F
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 92CAED80A1F05704F22D49A99C59E3463AF2B575

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2010 5:44:59 PM
NotBefore          : 13/10/2009 5:44:59 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6112E677000000000003
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=SERVERNAME.domain.local
Thumbprint         : 2E501D0BCA10275DC3D5A3B2303E929E2290EDA1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SERVERNAME.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2011 5:34:28 PM
NotBefore          : 13/10/2009 5:34:28 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 610943C3000000000002
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : 26F476F3CDC40650A103A28021C0FA48A6F70D3C

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SERVERNAME-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SERVERNAME-CA
NotAfter           : 13/10/2014 5:43:55 PM
NotBefore          : 13/10/2009 5:33:56 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 47C55EE35A260A9A444DFD0203E77BCF
Services           : None
Status             : Valid
Subject            : CN=domain-SERVERNAME-CA
Thumbprint         : 4C5799F068CA8DF6E3DACEBBEA20E6F0C176C7CE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-3ZALEM6NNWY}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-3ZALEM6NNWY
NotAfter           : 11/10/2019 12:28:34 PM
NotBefore          : 13/10/2009 12:28:34 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6AE0EEA2DF8C768743D5525DE7F0D0B1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-3ZALEM6NNWY
Thumbprint         : FBBB2EB062E8D03471C7CCEA01A591EF6B9194BE
Greaume (ASKER):
From the original question
what has changed since service pack 1 and why would outlook 2007 clients be getting the certificate error?
These are the steps you took

Installed Exchange 2007
installed Sp1
Installed RU 9 ?

Correct ?
Greaume (ASKER):
yes
Exchange 2007 has been running for about 6 months yes
two days ago
installed sp1
then
RU 9 to get rid of constant password pop up for outlook 2007 users
Did you try SP3 ?

SP3 is out.
http://www.microsoft.com/downloads/details.aspx?FamilyID=1687160b-634a-43cb-a65a-f355cff0afa6&displaylang=en

Also did you /preparead and /prepareschema
and run windows installer 4.5 *before* you installed Exchange 2007 SP1

I hope this is not a SBS :)
Greaume (ASKER):
There is nothing wrong with the server except the certificate error for outlook clients running 2007
yes it is sbs 2008 std
Thanks for clarifying :)

get-exchangecertificate | fl

please post here.
Greaume (ASKER):
the microsoft article http://support.microsoft.com/kb/940726/en-us
goes through exchange shell commands to fix this problem that outlook 2007 clients are having.
would these apply to this error that I am getting?
Greaume (ASKER):
i have it's above
Seriously sorry :(
I have 10+ EE windows open and I end-up reading the last post and replying to that.

will check the article too.
Yes! Please follow the article to set the InternalUri as follows:-
Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Hope this helps!
Mohammaed @ you are one cool dude with real cool skills.
I saved your last autodiscover post.
You are the first person who recommended setSPN along with the various -internalurl's.

> That was perfect <
Greaume (ASKER):
I don't have much experience with exchange command shell!!
When I run these commands do I replace mail.contoso.com with servername.domain.local which would be my server name and domain name for the local network.
Thank you
aa
yes @ servername.domain.local

FQDN (fully qualified domain name) of your local exchange server.
Greaume (ASKER):
So just to make sure I get this: Sorry to be anal about this :)
1st:
Run the command in this article kb-940726
Set-ClientAccessServer –AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
2nd:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml 
3rd:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://servername.domain.local/ews/exchange.asmx
4th:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://servername.domain.local/oab

Then:
DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Thank you
aa


yes
You run these commands against the server listed in -IDENTITY field.

Just to be safe, you can run this, and check the identity fields.
get-ClientAccessServer

Replace the identity within " " with CAS_Server_Name

example

Set-ClientAccessServer -Identity "EXCHANGE" -AutodiscoverServiceInternalUri https://servername.domain.local/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"
Greaume (ASKER):
Ok this is what I get : this is for the first command from the article kb-940726

[PS] C:\Windows\System32>get-ClientAccessServer

Name
----
SERVERNAME

[PS] C:\Windows\System32>Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml

cmdlet Set-ClientAccessServer at command pipeline position 1
Supply values for the following parameters:
Identity: https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
Set-ClientAccessServer : Cannot bind parameter 'Identity'. Cannot convert value "https://SERVERNAME.domain.local/autodiscover/autodiscover.xml" to type "Microsoft.Exchange.Configura
tion.Tasks.ClientAccessServerIdParameter". Error: "'https://SERVERNAME.domain.local/autodi
scover/autodiscover.xml' is not a valid value for the identity.
Parameter name: identity"
At line:1 char:23
+ Set-ClientAccessServer  <<<< -AutodiscoverServiceInternalUri https://SERVERNAME.domain.l
ocal/autodiscover/autodiscover.xml
[PS] C:\Windows\System32>
you have to run this from Exchange management Shell

start > programs > exchange management shell

command is

get-clientaccessserver | fl

thanks
Greaume (ASKER):
I did type the command
Set-ClientAccessServer -AutodiscoverServiceInternalUri https://SERVERNAME.domain.local/autodiscover/autodiscover.xml
as one line
Yes it's one line.
You can verify if the settings stuck by running a GET

get-clientAccessServer | fl
check if autodiscoverinternalURI field is updated with the value above @

I hope you replaced servername.domain.local with your FQDN :)
Greaume (ASKER):
Yes, servername.domain.local replaced with FQDN

here it is:
[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://sites/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
ok that didn't change it.

 try this


Set-ClientAccessServer -identity SERVERNAME -AutodiscoverServiceInternalUri:"https://SERVERNAME.domain.local/autodiscover/autodiscover.xml"

it's U R EYE @ not U R ELL
Greaume (ASKER):
ok this is what i have now:
I see now where this has changed

[PS] C:\Windows\System32>get-clientAccessServer |fl


Name                           : SERVERNAME
OutlookAnywhereEnabled         : False
AutoDiscoverServiceCN          : SERVERNAME
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://SERVERNAME.domain.local/autodiscover/autodiscover
                                 .xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SERVERNAME.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SERVERNAME,CN=Servers,CN=Exchange Administrative Group
                                 (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organi
                                 zation,CN=Microsoft Exchange,CN=Services,CN=Configuration,
                                 DC=domain,DC=local
Identity                       : SERVERNAME
Guid                           : 9456c1e3-bf78-468c-b432-c2a4ad690ec9
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 20/01/2010 9:44:43 AM
WhenCreated                    : 13/10/2009 5:55:41 PM
Greaume (ASKER):
For this command: After EWS there is a * should that be there?

Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUri "https://servername.domain.local/ews/exchange.asmx"
yes
that way you avoid writing the whole thing :)
Greaume (ASKER):
it will look like this:
[PS] C:\Windows\System32>Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -Internal
Uri:"https://SERVERNAME.domain.local/ews/exchange.asmx"
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*" -InternalUrl "https://servername.domain.local/ews/exchange.asmx"

this is internal U R ELL

UR EYE is only for autodiscoverinternalURI
Greaume (ASKER):
Thanks for all your help, I do appreciate it a lot.
Set-WebServicesVirtualDirectory -Identity "Exchange\EWS*"

Should "Exchange" be SERVERNAME?
you're welcome

run this

get-webservicesvirtualdirectory | fl identity

The output of that goes into -identity " "
Greaume (ASKER):
After this command

Set-WebServicesVirtualDirectory -Identity "SERVERNAME\EWS*" -InternalUrl: "https://SERVERNAME.domain.local/ews/exchange.asmx"

the cursor is sitting @  
>>
press enter twice
Greaume (ASKER):
>>       still there
Greaume (ASKER):
I can do the up/down arrow key, show what I have done previously
close it and let's try again

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl:"https://SERVERNAME.domain.local/ews/exchange.asmx"
Greaume (ASKER):
I should be able to use the same command above with the OABVirtualDirectory
get-oabvirtualdirectory | fl *url*
and set those fields
how's it going?
Greaume (ASKER):
Good Day
Looking Good, outlook 2007 clients do not have this certificate error any more.

The list below I did not use
DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612
At this point since the error is gone.
Should these still be applied or can I hold off.
If you can, briefly: what does 1. the Loopbackcheck setting do, and 2. SPN, can I check if they are correct?
This server is a global catalog server
Again , You have been lots of help , thank you
aa
Loopback check yes - you need to set that.

SetSPN - it should already be set by now.

You can verify the entries and see if the SPNs from this article http://support.microsoft.com/kb/927612
are added in your server.

Download adfind
http://www.joeware.net/freetools/tools/adfind/index.htm

extract to c:\adfind
start > run > cmd
cd adfind

adfind -SC C:SERVERNAME
Greaume (ASKER):
The loopback check as per the article http://support.microsoft.com/kb/896861
does not apply to sbs 2008 it's not listed.

thanks
aa
Greaume (ASKER):
This is for accessing Ex: http://companyweb from the local server where you get the login screen but still can not login?
ASKER CERTIFIED SOLUTION
sunnyc7
This solution is only available to members.
Greaume (ASKER):
This has been the best help I got here yet.
Thanks for all the great help
Take care
aa
You are welcome !!
Thanks for the points :)
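
Added example, not part of the thread: a read-only Exchange Management Shell check for the name mismatch worked through above. It lists the host name in each internal URL (Autodiscover, EWS, OAB) and whether an IIS-enabled certificate that is within its validity dates carries that name in CertificateDomains. It uses the cmdlets and properties shown in the thread; the row layout and the simple wildcard match are assumptions of this example.

```powershell
# Added example (not from the thread). Read-only; run in the Exchange Management Shell.

# 1. Internal URLs that Outlook 2007 clients are told to connect to.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += ,@('Autodiscover', $_.AutoDiscoverServiceInternalUri)
}
Get-WebServicesVirtualDirectory | ForEach-Object {
    $urls += ,@('EWS', $_.InternalUrl)
}
Get-OABVirtualDirectory | ForEach-Object {
    $urls += ,@('OAB', $_.InternalUrl)
}

# 2. Certificates enabled for IIS that are inside their validity period.
$now   = Get-Date
$certs = @(Get-ExchangeCertificate | Where-Object {
    $_.Services.ToString() -match 'IIS' -and
    $_.NotBefore -le $now -and $_.NotAfter -ge $now
})

# 3. For each URL, find the certificates whose CertificateDomains include its host.
foreach ($u in $urls) {
    if (-not $u[1]) { continue }                 # URL not configured
    $urlHost  = ([Uri]$u[1].ToString()).Host
    $covering = @($certs | Where-Object {
        # -like is case-insensitive; an entry such as *.domain.local is
        # treated as a plain pattern (simplified wildcard handling).
        @($_.CertificateDomains | Where-Object { $urlHost -like $_.ToString() }).Count -gt 0
    })
    $status = 'NAME MISMATCH'
    if ($covering.Count -gt 0) { $status = 'OK' }
    $thumbs = [string]::Join(',', @($covering | ForEach-Object { $_.Thumbprint }))
    '{0,-13} {1,-32} {2,-14} {3}' -f $u[0], $urlHost, $status, $thumbs
}
```

A row marked NAME MISMATCH points at a URL whose host no IIS-enabled certificate covers; for rows marked OK, compare the listed thumbprints with the certificate Outlook shows under View Certificate, since the check does not tell which certificate IIS actually presents or whether clients trust its issuer.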