SSL Certificate Name Mismatch in SBS 2008

I did some testing of Exchange 2007 using the website

It showed that I had an SSL Certificate Name Mismatch.

My internet domain sends me to a paid hosted website and I use the recommended to my IP address on my local SBS 2008 server.

I don't seem to have any trouble with OWA, active sync or remote HTTPS.

In the testing I get these 3 errors:
SSL Certificate Name Mismatch
The Host Name Could Not be Resolved in DNS
Could Not Find Autodiscover Service Location (SRV) Record in DNS

My signed certificate is from which looks like it is the same folks that put out

I do have reverse DNS setup on my local IP address for

I am not sure where to look first to fix this issue.


Akhater (Solutions Architect) Commented:
the 3 errors you are seeing are at 3 different stages,

1. testexchangeconnectivity will try to access using

that's probably when you are getting SSL Certificate Name Mismatch

2. it tries

when you are getting "The Host Name Could Not be Resolved in DNS"

and it also tries to find an SRV for autodiscover server which is probably not present in your case so you have

Could Not Find Autodiscover Service Location (SRV) Record in DNS
Alpha4043 (Author) Commented:
That seems to be the case.
Akhater (Solutions Architect) Commented:
all the above means that you cannot use autodiscover but not that you can't use activesync/rpc or owa
Alpha4043 (Author) Commented:
So are you saying that there is no problem?
Akhater (Solutions Architect) Commented:
when in testexchangeconnectivity do not pick the "use autodiscover" option, instead enter manually the url if it passes then you have no problem but the one that you are not able to use autodiscover
Alpha4043 (Author) Commented:
Ok, and this is because the domain name is split to two different places?
Akhater (Solutions Architect) Commented:
No this is because

1. you don't have in your DNS
2. you don't have in your certificate
Alpha4043 (Author) Commented:
Ok, Do I need to do that? What do I need to do to make all that happen?
Akhater (Solutions Architect) Commented:
you don't NEED to do that as long as you are OK without autodiscover...

if your DNS provider supports SRV records just add

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Alpha4043 (Author) Commented:
Yes it does.

I see the following blanks to fill in:

Service:                              Protocol:
Priority:                Weight:              Port:

Target:                                  TTL: 1 Hour

So service would be "autodiscover"
Protocol would be "TCP"
Name: I have no idea or does it matter?
Priority:  ?
Weight: ?
Port 443
Target: ""??
Akhater (Solutions Architect) Commented:
service _autodiscover
protocol _tcp
priority weight = 0
port 443

for the name can you leave it empty?

Alpha4043 (Author) Commented:
So nothing in the name. OK. Do I test with:  ?
Akhater (Solutions Architect) Commented:
no it is nothing has changed. you will need to wait for DNS replication to happen
Akhater (Solutions Architect) Commented:
and in name enter @

Alpha4043 (Author) Commented:
Is the _ necessary in the _autodiscover and _tcp  ?

When I look at the SRV is shows

Service: _      Protocol: _
Priority: 0                Weight: 0             Port: 0

Target:     TTL: 1 Hour

Akhater (Solutions Architect) Commented:
if the _ already exists no need to add it

for the name let it be @
Alpha4043 (Author) Commented:
It looks like it took it but when I look on the The DNS control page it shows up as listed below after I save it.

Service: _      
Protocol: _
Name: @
Priority: 1
Weight: 0
TTL: 1 Hour

Akhater (Solutions Architect) Commented:
you mean there is no autodiscover in service and tcp in protocol? also where is the port?
Alpha4043 (Author) Commented:
I put the information in the blanks but when it is saved it shows what I list above.
Akhater (Solutions Architect) Commented:
I think you should contact your DNS provider in that case
Alpha4043 (Author) Commented:
I agree.
Alpha4043 (Author) Commented:
I just talked to the people that have our DNS. They said all I need was a C NAME setup with autodiscover in the HOST and in the POINTS TO fields.

What do I need to do with certificate

Akhater (Solutions Architect) Commented:
I told you to create an SRV record so you don't do it as a CNAME, so you won't have to get another certificate
Alpha4043 (Author) Commented:

Well I tried to get the guy to help me set up SRV and he said that the CNAME was the way they recommended because he thought only hosting sites needed that setup.

 I have attached copies of what the SRV section looks like. I am pretty sure this is just like

When you look at the after that is how the information shows up in the record.
Akhater (Solutions Architect) Commented:
if you want to do it CNAME it would also work however you will need another certificate
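
The trade-off between the SRV record and the CNAME comes down to which host name the client ends up checking against the certificate. The following is an added example, not code from the thread: it models the three lookup stages with constructed data, where `example.com`, `remote.example.com` and both certificate name lists are placeholders.

```python
def name_matches(host, pattern):
    """Case-insensitive match; '*' is accepted only as the entire left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p


def check_stages(domain, servers, srv_target=None):
    """Return (stage, host, status) for each Autodiscover lookup stage.

    servers maps a host name to the names on the certificate served there;
    a host missing from the map stands for a name with no DNS record.
    """
    stages = [("root domain", domain),
              ("autodiscover host", "autodiscover." + domain),
              ("SRV target", srv_target)]
    results = []
    for stage, host in stages:
        if host is None:
            status = "no SRV record"
        elif host not in servers:
            status = "not resolved in DNS"
        elif any(name_matches(host, n) for n in servers[host]):
            status = "ok"
        else:
            status = "certificate name mismatch"
        results.append((stage, host, status))
    return results


# Constructed sample data: every name below is a placeholder.
SBS_CERT = ["remote.example.com"]          # single-name certificate on the SBS server
HOSTED_CERT = ["*.webhost.example.net"]    # certificate served by the hosted website
BASE = {"example.com": HOSTED_CERT, "remote.example.com": SBS_CERT}
CNAME = dict(BASE, **{"autodiscover.example.com": SBS_CERT})
REKEYED = dict(BASE, **{"autodiscover.example.com": SBS_CERT + ["autodiscover.example.com"]})


def statuses(servers, srv_target=None):
    return [status for _, _, status in check_stages("example.com", servers, srv_target)]


if __name__ == "__main__":
    print("before     ", statuses(BASE))
    print("SRV record ", statuses(BASE, "remote.example.com"))
    print("CNAME only ", statuses(CNAME))
    print("CNAME+rekey", statuses(REKEYED))
```

The "before" row reproduces the three errors from the test; the SRV row passes with the existing certificate because the client connects to a name the certificate already carries.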

Alpha4043 (Author) Commented:
I don't really want another certificate if I can make this work.
Akhater (Solutions Architect) Commented:
Well that's why i started with SRV records to start with, the config you are doing is correct, you just need to nag on your DNS provider to fix the SRV issue
Alpha4043 (Author) Commented:
I will do that. Does what I am putting in the fields look correct to you?  Is this what you are used to dealing with or is it totally different?

Thanks for your patience and expertise.
Akhater (Solutions Architect) Commented:
wait one sec

from a computer on the internet please run

set type=srv

what does it give you?

if you want to share with me your domain name I will do it for you
Alpha4043 (Author) Commented:
Well it looks like SRV is finally listed correctly. Everything is in the correct location.

I am deleting the CNAME record.

Alpha4043 (Author) Commented:
It shows me my domain name server with its private IP address.
Alpha4043 (Author) Commented:
My email address is  I will send you the report I get from the test.
It is looking better.
Alpha4043 (Author) Commented:
Would it be better for me to open another question to continue with this?
Alpha4043 (Author) Commented:
Good to work with. Answer got too involved. I think there is still some issue with the certificate.
Akhater (Solutions Architect) Commented:
thank you for the points, however if the question is not done yet for you I can finish helping you here or in another question.

If you decide to open another question just update me with its number, I will carry it over till it is done
Alpha4043 (Author) Commented:
That would be great. I don't have any other source to turn to on this but I also didn't want for you to feel like this was a never ending question.

It looks like the SRV is setup correctly in the DNS but I still think I have issues with the certificate not matching. Not sure how to check or test that.
Akhater (Solutions Architect) Commented:
no the SRV record is not correct. we are left with 3 options

1. call your DNS provider and nag till they fix DNS for you
2. create it a CNAME record and rekey your certificate
3. live without autodiscover since all is working
Alpha4043 (Author) Commented:
I sent you what my DNS looked like.

What do I need to do if I need to rekey my certificate?
Akhater (Solutions Architect) Commented:
you will need to get a new CSR from exchange with the names and

go to your ssl provider and rekey it, it should be free of charge
Alpha4043 (Author) Commented:
Didn't my SRV look right in the DNS settings?
Akhater (Solutions Architect) Commented:
in the screen shot it does look right, however the query is not returning anything there is an issue with the DNS provider
Alpha4043 (Author) Commented:
Here is the second response from the tech support.  What does this mean?  

Thank you for your reply.  At this time the DNS record is setup as a recursive record which is not supported in our system.  You will need to remove the domain name from the target and simply use remote.  You will need to make sure that the domain name is never used in the records created.

Please let us know if we can assist you in any other way.

Best Regards,
Thad P.
Online Support Representative

Akhater (Solutions Architect) Commented:
well this is rather good news

it means in the target just put remote instead of

i'd say delete the record and create a new one
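
A sketch of why the support reply asks for a bare `remote` in the target, as an added example that is not part of the thread. It assumes the provider's form treats a target without a trailing dot as relative to the zone, as standard zone files do, and uses `example.com` as a placeholder domain; `qualify` and `build_srv` are hypothetical helper names.

```python
def qualify(name, origin):
    """Expand a zone-file style name against the zone origin.

    '@' or empty means the zone itself, a trailing dot means the name is
    already absolute, anything else has the origin appended.
    """
    origin = origin.strip().rstrip(".").lower()
    name = name.strip().lower()
    if name in ("", "@"):
        return origin + "."
    if name.endswith("."):
        return name
    return name + "." + origin + "."


def build_srv(service, protocol, name, priority, weight, port, target, origin, ttl=3600):
    """Return (record_text, warnings) for the values typed into the SRV form."""
    zone = origin.strip().rstrip(".").lower()
    # The underscores are part of the owner name; add them only if the form did not.
    labels = ("_" + service.strip().lstrip("_").lower()
              + "._" + protocol.strip().lstrip("_").lower())
    owner = labels + "." + qualify(name, origin)
    fq_target = qualify(target, origin)
    warnings = []
    if fq_target.endswith("." + zone + "." + zone + "."):
        warnings.append("target has the zone name appended twice: " + fq_target)
    if not 1 <= port <= 65535:
        warnings.append("port must be 1-65535")
    record = f"{owner} {ttl} IN SRV {priority} {weight} {port} {fq_target}"
    return record, warnings


if __name__ == "__main__":
    # Constructed inputs: the full host name first, then the bare label support asked for.
    for target in ("remote.example.com", "remote"):
        record, warnings = build_srv("_autodiscover", "_tcp", "@", 0, 0, 443,
                                     target, "example.com")
        print(record)
        for w in warnings:
            print("  warning:", w)
```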