Exchange 2010 SSL Certificate - Name mismatch across VPN connection.

Posted on 2011-03-10
Last Modified: 2013-02-18
Recently added a branch office to connect to the main office with a hardware VPN.  Joined the local server to the domain and all networking works fine.

The Exchange 2010 server is located in the main office.  Outlook clients locally connect fine.  Outlook clients externally can connect from the outside using the certificate.

Outlook clients across the VPN get "The name on the security certificate is invalid or does not match the name of the site".  Press OK and all works ok.  At the top of the Security Alert it does show the correct Exchange server, but when you view the GoDaddy certificate it lists the address.

I know it has something to do with the branch office being on a different network across the VPN.  Suggestions?

Question by:xsawkins
LVL 16

Expert Comment

ID: 35099654
At your main office do you have it configured so "" resolves to the internal IP (Split DNS) for your local outlook clients?

It sounds to me as if the SAN certificate on the Exchange server does not include the FQDN of the exchange server (ex. exchange.domain.local)

If you have it all set up correctly at your main office then it's probably just DNS. I'd make sure the remote site is either running its own DNS as part of the domain OR referencing a domain controller / DNS server at the main office.

LVL 16

Expert Comment

ID: 35099665
I should also mention,

Not including the server name will cause that SAN / Certificate name mismatch, but it's not a big deal, hence the question about split DNS.  There are a few steps that you need to do and a few EMS commands that need to be executed if this hasn't already been done.

Let me know if you need more info on that and I'll get the commands and reference for you.

Expert Comment

ID: 35102319
For Exchange 2010 you can get the UCC certificate, which will fix the name mismatch issue.  Especially if you plan to use Outlook 2010, with which you will encounter more of those naming errors if you only use the regular certificate.

You can use the following tool to generate the necessary CSR: 

and then purchase the UCC certificate from godaddy (which is cheaper)

Accepted Solution

praveenkumare_sp earned 500 total points
ID: 35103077
In the paragraph below I have explained how to change the Internal URL so that you don't need to have the CAS FQDN in the certificate.

Follow the KB below (940726) and change the URLs:
"Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site""

In short, this is what you have to do (taken for your reference from the URL):

To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:
1. Start the Exchange Management Shell.
2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl
4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl
5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl
Note: This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
6. Open IIS Manager.
7. Expand the local computer, and then expand Application Pools.
8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important: These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
• The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
• The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as ""
In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

This should fix your issue.

Let me know if you need more info.
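The KB steps above, carried out for Exchange 2010 in one Exchange Management Shell session, as an added example that is not part of the answer or the KB article. It assumes a CAS server named "CAS01" and a certificate name of "mail.example.com" (both placeholders); the UM step is skipped because, as the KB notes, Exchange 2010 uses the WebServices URL instead.

```powershell
# Added example: repoint the Exchange 2010 internal URLs at the name that is on
# the certificate, recycle the Autodiscover app pool, then verify.
# Assumptions (placeholders): CAS server "CAS01", certificate name "mail.example.com".
$Cas      = "CAS01"
$CertName = "mail.example.com"

# 1. Autodiscover Service Connection Point (stored in Active Directory)
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$CertName/Autodiscover/Autodiscover.xml"

# 2. Exchange Web Services (in Exchange 2010 this URL also serves the UM settings,
#    so there is no Set-UMVirtualDirectory step)
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS (Default Web Site)" `
    -InternalUrl "https://$CertName/EWS/Exchange.asmx"

# 3. Web-based Offline Address Book distribution
Set-OABVirtualDirectory -Identity "$Cas\oab (Default Web Site)" `
    -InternalUrl "https://$CertName/OAB"

# 4. Recycle MSExchangeAutodiscoverAppPool so the new SCP value is served
#    (same effect as the IIS Manager step; appcmd.exe ships with IIS 7.x)
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool

# 5. Verify: every internal URL should now carry the certificate's host name
Get-ClientAccessServer -Identity $Cas | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Cas | Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $Cas | Format-List Identity, InternalUrl, ExternalUrl

# 6. The KB's "host record" requirement: the certificate name must resolve to the
#    CAS server's internal IP from every site, including the branch office over the VPN
#    (nslookup is used because Resolve-DnsName does not exist on Server 2008 R2)
nslookup $CertName
```

Run step 6 from a branch-office client as well as from the main office; if it returns the public IP there, the internal zone or a conditional forwarder is still missing for that site.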

Author Comment

ID: 35132964
The branch office is on the same domain with a local domain controller and DNS running on it.  Most of the clients in the branch office do run Office 2010, with just a few Office 2007 clients.

Currently the Exchange server does have a cert from GoDaddy on it.

Thanks for all the references to look at.  I will be looking at it shortly and update everyone.

Author Comment

ID: 35133262
Regarding the DNS question:

From both local networks the address https://servername.domain.local/owa resolves to Outlook Web App.

From the main office (Exchange server location) the address of does not resolve.  From the branch office it does.

The error from the branch office refers to only showing the external address on the cert.  When you view the cert, the "issued to" is:

Expert Comment

ID: 35133344
I think if you go for the UCC it will be much easier; you can have up to 5 domain names for the same certificate (so it will cover all the Autodiscover internal and external names and one extra for something else).

LVL 16

Expert Comment

ID: 35134337
Do you get a cert error at the main site when you go to server.domain.local/owa?

Just thinking if it works at the main site and owa works outside it may not be a cert issue.

Author Comment

ID: 35138976
Outlook clients at the main site do not get a cert error.  From both sites you can go to server.domain.local/owa with no problems.

Internal clients are set up directly to Exchange - no proxy settings as if coming in from the outside.  External clients use the external address of in their HTTP proxy settings with no cert error.

I did add a new DNS zone for the address with host A records for mail & www, just in case it was a DNS issue, but that did not resolve the problem.

Author Comment

ID: 35139649
I think if you go for the UCC which will be much easier; you can have up to 5 domain name for the same certificate(so it will cover all the autodiscover internal and external and one extra for something else).


I guess I do not understand how this can help with fixing a certificate already in existence?  Can you be more specific than pointing me to a site and suggesting a UCC?  Is the problem related to not having the proper alternative names in the certificate?

The certificate works fine for external OWA/WebApp users going to

How does this affect users that are using Outlook across a VPN?

Author Comment

ID: 35140283
Thanks for the help.  Changing the InternalUrl to the ExternalUrl of the certificate and adding DNS entries for the external address for the internal did the trick.
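A way to confirm the fix, and to catch the same mismatch before the next certificate renewal: the audit below lists every host name Exchange 2010 hands to Outlook through Autodiscover and flags any that the IIS-bound certificate does not cover. It is an added example, not code from the thread; it assumes a CAS server named "CAS01" (placeholder) and is run in the Exchange Management Shell.

```powershell
# Added example: compare the host names in Exchange 2010 client URLs against the
# subject/SAN names of the certificate bound to IIS. Any "NOT COVERED" line is a
# name that will trigger the "does not match the name of the site" prompt.
# Assumption (placeholder): CAS server "CAS01".
$Cas = "CAS01"

# Names the IIS certificate actually covers (subject + SAN entries)
$cert    = Get-ExchangeCertificate -Server $Cas | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

function Test-NameCovered {
    param([string]$Name)
    $Name = $Name.ToLower()
    foreach ($d in $covered) {
        if ($d -eq $Name) { return $true }
        # a wildcard entry such as *.example.com matches exactly one label on the left
        if ($d.StartsWith("*.") -and ($Name -like $d) -and
            ($Name.Split(".").Count -eq $d.Split(".").Count)) { return $true }
    }
    return $false
}

# Every URL Outlook can receive from Autodiscover on this CAS
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $Cas) + @(Get-OABVirtualDirectory -Server $Cas) +
         @(Get-OwaVirtualDirectory -Server $Cas) + @(Get-EcpVirtualDirectory -Server $Cas) +
         @(Get-ActiveSyncVirtualDirectory -Server $Cas)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
$oa = Get-OutlookAnywhere -Server $Cas
if ($oa -and $oa.ExternalHostname) { $urls += "https://$($oa.ExternalHostname)/rpc" }

# Report one line per distinct host name
$urls | Where-Object { $_ } | ForEach-Object { ([Uri]$_.ToString()).Host } | Sort-Object -Unique |
    ForEach-Object {
        $state = if (Test-NameCovered $_) { "covered" } else { "NOT COVERED" }
        "{0,-40} {1}" -f $_, $state
    }
```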
