Exchange Certificate Security

Posted on 2012-08-13
Medium Priority
Last Modified: 2013-08-11
Hi Guys,

We just added a new certificate to our Exchange 2007 box (to get our smartphones to receive email) and since this has been installed, all of our users now get a security warning message every time they open Outlook.

I have googled this issue and read through Microsoft's support pages regarding this, but I have yet to find a Microsoft support page that has ever been helpful with any issue I have had, and this record still stands!  ;)

Has anyone come across this before, or know how to fix it? It's very annoying.

Note: A rebuild of the user profile client-side doesn't remedy the situation at all; it seems to be a server-side problem.

Users are using XP and Windows 2007, the problem is identical on all machines.
Question by: Angry_Stu
LVL 19

Expert Comment

ID: 38290420

Could you run a test for Exchange ActiveSync and post the result?


Author Comment

ID: 38290465

I don't really want to do that, it asks for my credentials.

How would this even help anyway? All the email works perfectly fine, so I assume your test will also show that it is fine.
LVL 24

Expert Comment

by: Nagendra Pratap Singh
ID: 38290659
Is the alert the same as this?

"The name of the security certificate is invalid or does not match the name of the site"

Can you close Outlook and reopen it to create the issue once more?

This should give you the names Outlook is objecting to. This is normally a server like mail002.domain.com, and the server is for domain.com.

This should help.



Expert Comment

ID: 38290660
Hi Stu

It sounds like it's trying to use your new certificate for Outlook's AutoDiscover - Elan Shudnow has a great description of the issue and how to fix it:

LVL 33

Expert Comment

ID: 38292379
What the article doesn't talk about is an important aspect: DNS.

You'll need the following details:

create an A Record for autodiscover.domain.com and have autodiscover.domain.com added to your SAN Certificate internally and externally, OR
create an SRV Record for _autodiscover._tcp.domain.com to point to your webmail address (such as webmail.domain.com, which would be used for other URLs too)

You'll need to have an A Record for webmail.domain.com pointing to your external firewall IP, so any request for http or https gets to your environment.

The link provided above does give you the exact URL that needs to be setup.

If you have any questions, feel free to ask.
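The two DNS options described in the comment above can be checked from any workstation before touching Exchange. The script below is an added example (it is not from this thread, nor from Microsoft) that queries an external resolver for the autodiscover A record, the _autodiscover._tcp SRV record and the webmail A record, and reports what a roaming Outlook client outside the LAN would actually receive. It assumes PowerShell 3.0 or later for Resolve-DnsName; the domain, webmail host, firewall address and resolver are placeholders to replace with your own values.

```powershell
# Added example, not from the thread: check the public Autodiscover DNS records the way a
# non-domain Outlook client would see them. Assumes Resolve-DnsName (PowerShell 3.0+).
# The domain, webmail host, public IP and resolver below are placeholders.

$domain      = "example.com"          # your SMTP domain
$webmailHost = "webmail.$domain"      # public CAS hostname, must be on the SAN certificate
$firewallIp  = "203.0.113.10"         # expected public IP of the firewall (documentation range)
$resolver    = "8.8.8.8"              # an external resolver, so you test what the Internet sees

function Get-ARecordAddresses($name) {
    # Returns the IPv4 addresses published for $name, or an empty array if none
    $r = Resolve-DnsName -Name $name -Type A -Server $resolver -ErrorAction SilentlyContinue
    if ($r) { return @($r | Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress }) }
    return @()
}

# Option 1: an A record for autodiscover.<domain> (Outlook tries https://autodiscover.<domain>/...)
$autoIps = Get-ARecordAddresses "autodiscover.$domain"
if ($autoIps.Count -gt 0) { "autodiscover.$domain A record -> $($autoIps -join ', ')" }
else                      { "autodiscover.$domain A record -> not published" }

# Option 2: an SRV record _autodiscover._tcp.<domain> pointing at the webmail host on port 443
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$domain" -Type SRV -Server $resolver -ErrorAction SilentlyContinue
$srvRecords = @()
if ($srv) { $srvRecords = @($srv | Where-Object { $_.Type -eq "SRV" }) }
if ($srvRecords.Count -gt 0) {
    foreach ($rec in $srvRecords) {
        $status = if (($rec.NameTarget -eq $webmailHost) -and ($rec.Port -eq 443)) { "ok" } else { "WARNING: expected $webmailHost port 443" }
        "_autodiscover._tcp.$domain SRV -> $($rec.NameTarget):$($rec.Port) ($status)"
    }
} else { "_autodiscover._tcp.$domain SRV -> not published" }

# Outlook needs at least one of the two; with neither, external clients never find Autodiscover
if ($autoIps.Count -eq 0 -and $srvRecords.Count -eq 0) { "WARNING: neither Autodiscover record exists for $domain" }

# The webmail host itself must resolve to the firewall's public address
$webIps = Get-ARecordAddresses $webmailHost
if ($webIps -contains $firewallIp) { "$webmailHost A record -> $($webIps -join ', ') (matches firewall)" }
else { "WARNING: $webmailHost resolves to '$($webIps -join ', ')', expected $firewallIp" }
```

Querying an external resolver rather than the internal DNS matters here: internal clients use the domain's own DNS and may look healthy while the public zone still lacks the records, which is exactly the case the comment is warning about for laptops and phones outside the LAN. Whichever option is published, the target hostname must also be present on the certificate or the client will get the same name-mismatch warning.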


Author Comment

ID: 38310606

I looked at that article from Microsoft. It's useless, like all of their articles.


I am looking through that article but where it says:

Get-ClientAccessServer -Identity CASServer | FL

What is a CASServer? Is it the name of my Exchange server?


Thanks for the advice mate, but I don't really get what you are saying. Too complicated for me ;) I will try and work through that article, once I find out what a CASServer is.

Thanks to all for your responses.
LVL 33

Accepted Solution

Exchange_Geek earned 1500 total points
ID: 38310709
Aight, let me simplify a bit more.

E2007 and E2010 have Exchange divided into various roles:

Mailbox Role aka Mbx is supposed to take care of mailboxes / mailbox database / public folders / generating OAB.

Client Access Server aka CAS Role is supposed to facilitate access to mailboxes and their features using various https URLs such as Autodiscover, OAB, OOO, UM, etc.

Hub Transport aka Hub Role is supposed to facilitate all mail flow that takes place between mailboxes within your Exchange Organization and between internal and external (and vice versa) recipients.

Hope we are clear up till here.

Things have changed for how OL 2007 (and higher versions) works ever since MS launched Exchange 2007 aka E2007. OL 2007 connects externally and is heavily dependent on autodiscover links and DNS records. OL 2007 has an in-built process to connect to Exchange using a custom-defined autodiscover URL and its associated cert.

The link defined by npsingh123, I'd agree, won't be of much help, but the link given by easydav to Shudnow (a well-respected Exchange blogger) talks at length about how important certs are and how they play a vital role in the Exchange-Outlook relationship. What it doesn't help you to understand is that OL also works with DNS; I mean, nothing in the Internet world can work without DNS.

So, the suggestion that I gave would help you reach your Exchange environment with the help of a few DNS records that need to be created on your Internet-facing DNS servers. This is precisely for all those machines (laptop / iPad etc.) that aren't connected to your local domain (which would use internal DNS to reach Exchange).

Hope I've clarified your doubts.


Author Comment

ID: 38310720

Thanks for your reply again mate. It certainly helps me understand the relationship between Outlook and Exchange a little more clearly.

Unfortunately however, I still don't get exactly what it is you are suggesting that I do. As I stated earlier, I am trying to work through the Shudnow article but I cannot proceed without knowing what I am supposed to enter in place of "CASServer" in the command-line.

You have outlined briefly what the CAS server is for, but that doesn't help shed some light on what exactly I am supposed to be typing into the line.

Do I need to add the CAS role to my Exchange server first? Do I just type in the name of my Exchange server into this line, because it is already configured by default to provide this service?

I need specifics mate ;)

LVL 33

Expert Comment

ID: 38310740
The CAS server is the server that holds the CAS role; you can find details of your CAS by checking the server in the Exchange Management Console.

Refer to the image I picked up from Google; check for the Roles: Client Access Server.


Author Comment

ID: 38318851

OK, I have found that my Exchange server has the client access role.

So that means that I can now put in the following line and get started:

Get-ClientAccessServer -Identity ID01 | FL

It gets so much more complicated after this though. Also, before I go any further, do I need to know which of these certificates is the new sparkly one? (image attached). Or doesn't it matter?
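Both open questions in this thread, which certificate is the newly installed one and which names Outlook is objecting to, can be answered from the Exchange Management Shell in one pass. The script below is an added example (not from the thread, the linked article or Microsoft) to run on the server holding the Client Access role: it lists every certificate with its service bindings and SAN names, picks the one enabled for IIS (the one Outlook is shown over HTTPS), then takes the Autodiscover URI plus the EWS and OAB virtual directory URLs the accepted answer describes and flags any hostname the IIS certificate does not cover. It assumes Exchange 2007/2010 cmdlets; the server name ID01 is taken from the thread and should be replaced with your own.

```powershell
# Added example, not from the thread: run in the Exchange Management Shell on the CAS
# (a) to identify the newly installed certificate and (b) to list the Autodiscover / EWS / OAB
# hostnames that the IIS-bound certificate does not cover. Assumes Exchange 2007/2010.
# $casServer is a placeholder (the thread's server name).

$casServer = "ID01"

# (a) Every certificate Exchange knows about. The newly installed one is normally the entry
#     that is not self-signed, has the most recent NotAfter date and has IIS in Services.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter, IsSelfSigned, Services, CertificateDomains |
    Format-List

# (b) The certificate Outlook actually sees is the one enabled for the IIS service
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate is enabled for IIS on this server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# URLs Outlook learns through Autodiscover; each hostname must appear on the IIS certificate
$urls = @()
$urls += (Get-ClientAccessServer -Identity $casServer).AutoDiscoverServiceInternalUri
foreach ($vd in (Get-WebServicesVirtualDirectory -Server $casServer)) { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }
foreach ($vd in (Get-OABVirtualDirectory -Server $casServer))         { $urls += $vd.InternalUrl; $urls += $vd.ExternalUrl }

function Test-NameOnCertificate($hostName, $names) {
    # True if $hostName is on the certificate, either exactly or via a *.domain wildcard entry
    if ($names -contains $hostName) { return $true }
    foreach ($n in $names) {
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

foreach ($u in $urls) {
    if ($u -eq $null -or $u.ToString() -eq "") { continue }   # unset URLs are skipped
    $hostName = ([System.Uri]$u.ToString()).Host.ToLower()
    if (Test-NameOnCertificate $hostName $certNames) {
        Write-Output ("OK        " + $u)
    } else {
        Write-Output ("MISMATCH  " + $u + "   ('" + $hostName + "' is not on certificate " + $iisCert.Thumbprint + ")")
    }
}
```

Every line reported as MISMATCH is a name Outlook will name in the "certificate is invalid or does not match the name of the site" warning. There are two ways to clear it, and both are changes an administrator makes on the server rather than on the clients: either reissue the certificate with those hostnames added to its SAN list, or point the affected URLs at a name the certificate already carries using Set-ClientAccessServer -AutoDiscoverServiceInternalUri, Set-WebServicesVirtualDirectory and Set-OABVirtualDirectory, which is the kind of change the linked article walks through. Re-run the script afterwards until it reports OK for every URL.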
