Link to home
Start Free TrialLog in
Avatar of BigBadWolf_000
BigBadWolf_000Flag for United States of America

asked on

When using Outlook 2010 Client Cert domain name not valid error

Exchange 2010 SP1
Outlook 2010

Hi - I created a godaddy cert for my external domain for OWA. Imported the cert., OWA works ok
When I did the cert request I checked the Outlook web app on the intranet and added internal FQDN of exchange server (

But the cert only lists the external domain (

I get the error attached error when launcing or config Outlook client
What am I missing?
Default MS Exchange cert exists with CN=Red
Avatar of Akhater
Flag of Lebanon image

if the certificate doesn't contain then it is normal you get this error

what you can do is

1. change the Exchange URLs to give instead of
2. in your internal DNS add a record pointing to the internal IP of your exchange server
Avatar of BigBadWolf_000


I want to keep internal as RED why does the default cert not work it because I assigned SMTP Services to the external cert.

does the external cert need both IIS and SMTP services assigned to it?
The cert has to match the domain name

Your cert is issued to
Your domain is -

You can change the internal to
and then create a DNS entry where you add a A-record for to point to lan IP of exchange 2010
Avatar of Akhater
Flag of Lebanon image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
That's another possibility :)
Akhater: Thanks...when I submitted the req to godaddy it included red. I selected their Exc 2007 cert download.

sunnyc7: yes i have that already...whichs works for accessing the webmail access internally.

I am talking about Outlook Client which finds RED (even if I type in OWA it resolves to RED)

I am guessing rekeying may be my only option...Akhater: any additional thoughts

yes outlook clients takes the configuration from autodiscovery services so as long as in the exchange it is configured to use RED it will switch back to RED
Akhater: Why is mapi looking for an SSL cert...does not make sense...I can turn of the encryption in the profile ...but then I get an address book error

The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.
There must be a simple solution to this....why would I need an SSL cert for internal mapi
you don't need SSL for mapi, you need SSL for autodiscover to work, this is the way exchange 2010/2007 works

outlook will connect through https to the autodiscover servrice to pull all needed URLS


How can I change the url that autodiscover looks for internally???

get-clientaccessserver | fl InternalUrl
get-autodiscovervirtualdirectory | fl InternalUrl

post the results of both

Too expensive to setup cert with multiple subdomains....what can I do to work around...besides having internal and external FQDN being the same name
you don't have a lot of options it is either have both the same or get a SAN certificate

a SAN certificate is for $80/year not exactly expensive
get-clientaccessserver | fl InternalUrl
returns...nothing...blank space


get-autodiscovervirtualdirectory | fl InternalUrl

if you want to make them both the same you will need to

1. open EMC -> server config ->Client access
2. go to each tab and change the name from RED to mail....

then got to EMS

get-webservicesvirutaldirectory |fl *url*

get-webservicesvirutaldirectory | set-webservicesvirtualdirectory -externalURL https://mail....../...... (copied from step before)

finally go issue

get-clientaccessserver | fl *uri*

get-clientaccessserver | set-clientaccesserver -AutoDiscoverServiceInternalUri https://mail.....

This is your problem http:#33667204
Blank space - that means SCP's and url's ar enot configured and akhater gave the answer above.

Along with externalURL - you need to set internalURL for completeness

Was out of action for a while.
Thanks all...It was easier to just put in a UC certificate (that can contain internal and external domains - recquired by MS)...all works fine now. was strange that the EMS did not show the InternalUrl when they show in the EMC