Exchange Certificate Security

Posted on 2012-08-13
Last Modified: 2013-08-11
Hi Guys,

We just added a new certificate to our Exchange 2007 box (to get our smartphones to receive email) and since this has been installed, all of our users now get a security warning message every time they open Outlook.

I have googled this issue and read through Microsoft's support pages regarding this, but I have yet to find a Microsoft support page that has ever been helpful with any issue I have had, and this record still stands!  ;)

Has anyone come across this before, or knows how to fix it?   It's very annoying.

Note:  A rebuild of the user profile client-side doesn't remedy the situation at all, it seems to be a server-side problem.

Users are using XP and Windows 2007, the problem is identical on all machines.
Question by:Angry_Stu

    Expert Comment


    Could you run a test for Exchange ActiveSync and post the result?

    Author Comment


    I don't really want to do that, it asks for my credentials.

    How would this even help anyway?  All the email works perfectly fine, so I assume your test will also show that it is fine.

    Expert Comment

    by:Nagendra Pratap Singh
    Is the alert the same as this?

    "The name of the security certificate is invalid or does not match the name of the site"

    Can you close Outlook and reopen it to create the issue once more?

    This should give you the names Outlook is objecting to. This is normally a server like and the server is for

    This should help

    Expert Comment

    Hi Stu

    It sounds like it's trying to use your new certificate for Outlook's AutoDiscover - Elan Shudnow has a great description of the issue and how to fix it:

    Expert Comment

    What the article doesn't talk about is an important aspect: DNS.

    You'll need the following details

    create an A Record for and have added to your SAN Certificate internally and externally OR
    create a SRV Record for to point to your webmail address (such as which would be used for other URL too)

    You'll need to have an A Record for pointing to your external firewall IP of, so any request for http or https gets to your environment.

    The link provided above does give you the exact URL that needs to be set up.

    If you have any questions, feel free to ask.


    Author Comment


    I looked at that article from Microsoft.   It's useless, like all of their articles.


    I am looking through that article but where it says:

    Get-ClientAccessServer -Identity CASServer | FL

    What is a CASServer?   Is it the name of my Exchange server?


    Thanks for the advice mate, but I don't really get what you are saying.  Too complicated for me ;)  I will try and work through that article, once I find out what a CASServer is.

    Thanks to all for your responses.

    Accepted Solution

    Aight, let me simplify a bit more.

    E2007 and E2010 have Exchange divided into various roles,

    Mailbox Role aka Mbx is supposed to take care of mailboxes / mailbox database / public folders / generating OAB.

    Client Access Server aka CAS Role is supposed to facilitate access to mailboxes and its features using various https URLs such as Autodiscover, OAB, OOO, UM etc.

    Hub Transport aka Hub Role is supposed to facilitate all mail flow that takes place between mailboxes within your Exchange Organization and between internal to external (& vice versa) recipients.

    Hope we are clear up till here.

    Things have changed for how OL 2007 (and higher versions) works ever since MS launched Exchange 2007 aka E2007. OL 2007 connects externally, depending heavily on autodiscover links and DNS records. OL2007 has an in-built process to connect to Exchange using a custom-defined autodiscover URL and its associated Cert.

    The link defined by npsingh123 - I'd agree won't be of much help - but the link given by easydav of shudnow (a well respected Exchange blogger) talks at length about how important certs are and how they play a vital role for the Exchange-Outlook relationship. What it doesn't help you to understand is that OL also works with DNS; I mean nothing in the Internet world can work without DNS.

    So, the suggestion that I gave would help you reach your Exchange environment with the help of a few DNS Records that need to be created on internet facing DNS Servers of yours. This is precisely for all those machines (laptop / ipad etc) that aren't connected to your local domain (which would use internal DNS to reach Exchange).

    Hope I've clarified your doubts.


    Author Comment


    Thanks for your reply again mate.   It certainly helps me understand the relationship between outlook and exchange a little clearer.

    Unfortunately however, I still don't get exactly what it is you are suggesting that I do.   As I stated earlier, I am trying to work through the shudnow article but I cannot proceed without knowing what I am supposed to enter in place of "CASServer" in the command-line.

    You have outlined briefly what the CAS server is for, but that doesn't help shed some light on what exactly I am supposed to be typing into the line.

    Do I need to add the CAS role to my exchange server first?   Do I just type in the name of my exchange server into this line, because it is already configured by default to provide this service?

    I need specifics mate ;)


    Expert Comment

    CAS Server is the server that holds the CAS Role; you can find details of your CAS by checking the server in Exchange Management Console.

    Refer to the image I could pick up from Google, check for the Roles: Client Access Server


    Author Comment


    Ok I have found that my exchange server has the client access role.  

    So that means that I can now put in the following line and get started:

    Get-ClientAccessServer -Identity ID01 | FL

    It gets so much more complicated after this though.   Also, before I go any further, do I need to know which of these certificates is the new sparkly one?  (image attached).  Or doesn't it matter?
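
The check this thread keeps circling around, written out as an added example (it is not from the thread or from the article it cites): list the host names Exchange hands to Outlook and flag any that the IIS-enabled certificate does not cover, with the newest certificate picked by its NotBefore date. It assumes a single server holding the Client Access role, named ID01 as in the thread, is run in the Exchange Management Shell on that server, and only reads configuration.

```powershell
# Added example. Run in the Exchange Management Shell on the Client Access server.
$server = 'ID01'   # server name used in the thread; replace with your own

# Newest certificate enabled for IIS: the one Outlook is shown over HTTPS.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# URLs that Exchange hands out to Outlook 2007 and later.
$ews = Get-WebServicesVirtualDirectory -Server $server | Select-Object -First 1
$oab = Get-OabVirtualDirectory -Server $server | Select-Object -First 1
$urls = @{}
$urls['Autodiscover (SCP)'] = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls['EWS internal'] = $ews.InternalUrl
$urls['EWS external'] = $ews.ExternalUrl
$urls['OAB internal'] = $oab.InternalUrl
$urls['OAB external'] = $oab.ExternalUrl

function Test-NameCovered([string]$hostName, [string[]]$certNames) {
    $dot = $hostName.IndexOf('.')
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        # A wildcard entry such as *.example.com covers exactly one extra label.
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $hostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

"Certificate {0}, valid from {1} to {2}" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter
"Names on certificate: {0}" -f ($names -join ', ')
foreach ($key in $urls.Keys) {
    if (-not $urls[$key]) { continue }   # URL not configured on this server
    $hostName = ([System.Uri]"$($urls[$key])").Host.ToLower()
    $ok = Test-NameCovered $hostName $names
    "{0,-20} {1,-35} {2}" -f $key, $hostName, $(if ($ok) { 'covered' } else { 'NOT in certificate' })
}
```

Any line marked NOT in certificate is a name Outlook will warn about until either the URL is changed to a name on the certificate or the certificate is reissued with that name.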
