

Exchange 2010 SSL Certificate - Name mismatch across VPN connection.

Posted on 2011-03-10
Medium Priority
Last Modified: 2013-02-18
Recently added a branch office to connect to the main office with a hardware VPN.  Joined the local server to the domain and all networking works fine.

The Exchange 2010 server is located in the main office.  Outlook clients locally connect fine.  Outlook clients externally can connect from the outside using the certificate.

Outlook clients across the VPN get "The name on the security certificate is invalid or does not match the name of the site".  Press OK and all works ok.  At the top of the Security Alert it does show the correct Exchange server, but when you view the GoDaddy certificate it lists the external.domain.com address.

I know it has something to do with the branch office being on a different network across the VPN.  Suggestions?

Question by:xsawkins
LVL 16

Expert Comment

ID: 35099654
At your main office do you have it configured so "External.domain.com" resolves to the internal IP (Split DNS) for your local outlook clients?

It sounds to me as if the SAN certificate on the Exchange server does not include the FQDN of the exchange server (ex. exchange.domain.local)

If you have it all set up correctly at your main office then it's probably just DNS. I'd make sure the remote site is either running its own DNS as part of the domain OR referencing a domain controller / DNS server at the main office.

LVL 16

Expert Comment

ID: 35099665
I should also mention,

Not including the server name will cause that SAN / Certificate name mismatch, but it's not a big deal, hence the question about split DNS.  There are a few steps that you need to do and a few EMS commands that need to be executed if this hasn't already been done.

Let me know if you need more info on that and I'll get the commands and reference for you.

Expert Comment

ID: 35102319
For Exchange 2010 you can get the UCC certificate, which will fix the name mismatch issue.  Especially if you plan to use Outlook 2010, where you will encounter more of those naming errors if you only use the regular certificate.

You can use the following tool to generate the necessary CSR:

and then purchase the UCC certificate from GoDaddy (which is cheaper).

Accepted Solution

praveenkumare_sp earned 2000 total points
ID: 35103077
In the paragraph below I have explained how to change the internal URL so that you don't need to have the CAS FQDN in the certificate.

Follow the KB below and change the URLs: 940726

"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""

In short, this is what you have to do (taken from the URL for your reference):

To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:

1. Start the Exchange Management Shell.

2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:

   Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

   Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

   Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:

   Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

   Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.

6. Open IIS Manager.

7. Expand the local computer, and then expand Application Pools.

8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:

• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN such as "mail.contoso.com."

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

This should fix your issue.

Let me know if you need more info.
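The following Exchange 2010 Management Shell script is an added check, not part of this thread or of Microsoft's KB text: it lists the host names in the Autodiscover SCP, EWS and OAB internal URLs, reports whether the IIS-bound certificate covers each one, and shows what each name resolves to from the CAS, which answers the split-DNS question raised earlier in the thread. The server name CAS01 and the certificate name mail.contoso.com are placeholders.

```powershell
# Added example, not from the thread or the KB: run in the Exchange 2010 Management Shell on the CAS.
# Reports which internal URL host names the IIS certificate does not cover and what each resolves to.
# Placeholders: CAS01 is the CAS server name, mail.contoso.com the name on the certificate.
$cas      = "CAS01"
$expected = "mail.contoso.com"

# Names the IIS-bound certificate actually covers (subject CN plus subject alternative names)
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-CertCovers([string]$hostName) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        # a wildcard entry such as *.contoso.com covers exactly one extra label
        if ($n.StartsWith("*.") -and ($hostName -like $n) -and
            ($hostName.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# Internal URLs Outlook learns through Autodiscover; the UM URL is Exchange 2007 only and is omitted
$urls = @{
    "SCP (Autodiscover)" = (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
    "EWS"                = (Get-WebServicesVirtualDirectory -Server $cas | Select-Object -First 1).InternalUrl
    "OAB"                = (Get-OABVirtualDirectory -Server $cas | Select-Object -First 1).InternalUrl
}

foreach ($entry in $urls.GetEnumerator()) {
    if (-not $entry.Value) { "{0,-20} not set" -f $entry.Key; continue }
    $h = ([Uri]$entry.Value).Host.ToLower()
    # Split DNS check: from inside, the name should resolve to the CAS's internal IP, not the public one
    try   { $ips = ([System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }) -join "," }
    catch { $ips = "UNRESOLVED" }
    "{0,-20} {1,-30} on-cert:{2,-5} resolves-to:{3}" -f $entry.Key, $h, (Test-CertCovers $h), $ips
}

# Remediation as in the accepted answer, in its Exchange 2010 form: point the internal URLs at the
# name the certificate carries, then add an internal DNS A record for that name (in the zone the
# branch DNS server uses) and recycle MSExchangeAutodiscoverAppPool in IIS Manager. Uncomment to apply.
# Set-ClientAccessServer -Identity $cas -AutodiscoverServiceInternalUri "https://$expected/autodiscover/autodiscover.xml"
# Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://$expected/ews/exchange.asmx"
# Set-OABVirtualDirectory -Identity "$cas\oab (Default Web Site)" -InternalUrl "https://$expected/oab"
```

A name that shows on-cert:False is the one Outlook will warn about; a name that resolves only to the public address from the branch is the split-DNS gap the first expert comment describes.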

Author Comment

ID: 35132964
The branch office is on the same domain with a local domain controller and DNS running on it.  Most of the clients in the branch office do run Office 2010, with just a few Office 2007 clients.

Currently the Exchange server does have a cert from GoDaddy on it.

Thanks for all the references to look at.  I will be looking at it shortly and update everyone.

Author Comment

ID: 35133262
Regarding the DNS question:

From both local networks the address https://servername.domain.local/owa resolves to Outlook Web App.

From the main office (Exchange server location) the address https://mail.ExternalDomain.com/owa does not resolve.  From the branch office it does.

The error from the branch office refers to only showing the external address on the cert.  When you view the cert, the "issued to" is: mail.ExternalDomain.com

Expert Comment

ID: 35133344
I think if you go for the UCC it will be much easier; you can have up to 5 domain names on the same certificate (so it will cover all the Autodiscover internal and external names and one extra for something else).

LVL 16

Expert Comment

ID: 35134337
Do you get a cert error at the main site when you go to server.domain.local/owa ??

Just thinking if it works at the main site and owa works outside it may not be a cert issue.

Author Comment

ID: 35138976
Outlook clients at the main site do not get a cert error.  From both sites you can go to server.domain.local/owa with no problems.

Internal clients are set up directly to Exchange - no proxy settings as if coming in from the outside.  External clients use the external address of mail.domainname.com/owa in their HTTP proxy settings with no cert error.

I did add a new DNS zone for the domainname.com address with host A records for mail & www, just in case it was a DNS issue, but that did not resolve the problem.

Author Comment

ID: 35139649
I think if you go for the UCC it will be much easier; you can have up to 5 domain names on the same certificate (so it will cover all the Autodiscover internal and external names and one extra for something else).

I guess I do not understand how this can help with fixing a certificate already in existence?  Can you be more specific than pointing me to a site and suggesting a UCC?  Is the problem related to not having the proper alternative names in the certificate?

The certificate works fine for external OWA/WebApp users going to mail.domainname.com/owa

How does this affect users that are using Outlook across a VPN?

Author Comment

ID: 35140283
Thanks for the help.  Changing the InternalUrl to the ExternalUrl of the certificate and adding DNS entries for the external address on the internal DNS did the trick.
