Exchange 2007 running on Server 2003 R2 X64 with IIS 6
- purchased SAN/UCC Certificate for 3 years
LAN users with Outlook 2010 are complaining about a certificate error every time they open Outlook:
"The name of the security certificate is invalid or does not match the name of the site"
LAN domain is exchange.domain.local
WAN domain is exchange.domain.com
The exchange server is on the LAN. Router uses port redirections to get to OWA on the exchange server - it does not have a public IP. There is no edge transport server.
Solution tried (but didn't work): http://support.microsoft.com/kb/940726
The issue started when Outlook was upgraded from 2003 to 2010. I purchased a new certificate from GoDaddy, but I purchased a 3-year term certificate and discovered that you can no longer include .local addresses (no non-FQDN names permitted) on any certificate that runs beyond November 1st 2015. This certificate will expire in January 2016.
The certificate is a SAN/UCC and includes autodiscover.domain.com, owa.domain.com, and the principal subject of exchange.domain.com.
Because of the above-mentioned limitation, it does not include exchange.domain.local, autodiscover.domain.local, or the NetBIOS name of the server, EXCHANGE.
In Exchange the certificate was assigned to all services - IIS, POP, IMAP, UM, SMTP
I have discovered that the assignment of the certificate to all the LAN systems appears to be via IIS. I have a self-signed certificate installed with the subject of exchange.domain.local, and if it's present the Outlook client doesn't have a problem - it's happy with the certificate. Unfortunately this messes up OWA - it works, but there's always a problem with the certificate because the domain doesn't match. This rather defeats the purpose of purchasing a certificate.
I configured DNS with the primary domain of exchange.domain.com and set an A record to point to the Exchange server.
I reset the Internal and External URLs as described in the Microsoft article (listed above) for the CAS server to point to exchange.domain.com.
I also deployed the certificates (both of them) to all workstations using a GPO.
Nothing seems to help - Outlook 2010 always looks at the local domain name of the server and cannot accept the public name on the certificate.
Any help would be appreciated.
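Added example, not part of the question above and not the poster's own commands: the full set of Exchange 2007 internal-URL settings that KB 940726 covers, run from the Exchange Management Shell on the Client Access server, followed by the checks that show what Outlook 2010 will actually be told to connect to. Domain-joined Outlook 2010 gets its Autodiscover endpoint from the SCP in Active Directory and then connects to every InternalUrl the Autodiscover response returns, comparing each host name against the certificate that IIS presents. IIS on Exchange 2007 serves one certificate on port 443, so OWA and Outlook always see the same certificate; the fix is to make every name Outlook is told to use match the purchased certificate, rather than swapping in a second certificate. The server name EXCHANGE and the public name exchange.domain.com are taken from the question; the mailbox user@domain.com is an assumed placeholder.

```powershell
# Added example (not the poster's commands, not the KB text). Run in the
# Exchange Management Shell on the Exchange 2007 CAS.
# Assumptions: CAS NetBIOS name EXCHANGE (from the question), public name
# exchange.domain.com (from the question), test mailbox user@domain.com (placeholder).
$Server  = "EXCHANGE"
$PubName = "exchange.domain.com"

# 1. Autodiscover SCP in Active Directory. This is the first thing a
#    domain-joined Outlook 2010 queries; a .local value here is enough on its
#    own to produce the name-mismatch prompt at every start-up.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$PubName/Autodiscover/Autodiscover.xml"

# 2. Internal URLs returned in the Autodiscover response (EWS, OAB, UM).
#    Outlook opens a TLS connection to each of them and checks the host name.
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$PubName/EWS/Exchange.asmx"
Get-OABVirtualDirectory -Server $Server |
    Set-OABVirtualDirectory -InternalUrl "https://$PubName/OAB"
Get-UMVirtualDirectory -Server $Server |
    Set-UMVirtualDirectory -InternalUrl "https://$PubName/UnifiedMessaging/Service.asmx"

# 3. Verify: every InternalUrl and the SCP should now carry the public name;
#    none should still reference domain.local or the bare NetBIOS name.
Get-ClientAccessServer -Identity $Server |
    Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server |
    Format-List Identity, InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $Server |
    Format-List Identity, InternalUrl, ExternalUrl
Get-UMVirtualDirectory -Server $Server |
    Format-List Identity, InternalUrl, ExternalUrl

# 4. Confirm which certificate IIS is actually presenting on 443. Only one
#    certificate can be enabled for the IIS service; it must be the purchased
#    SAN/UCC certificate, not the self-signed exchange.domain.local one.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 5. Split DNS check: from a LAN workstation the public name must resolve to
#    the server's LAN address, not to the router's WAN side.
nslookup $PubName

# 6. Exercise Autodiscover, EWS and OAB for one mailbox the way Outlook does;
#    each failing step reports the URL it tried and the certificate problem.
Test-OutlookWebServices -Identity "user@domain.com" | Format-List
```

After step 2, Outlook clients pick up the new URLs on their next Autodiscover refresh (a restart of Outlook is the quickest way to force it). If step 4 shows the self-signed certificate enabled for IIS, re-enable the purchased one with Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS, taking the thumbprint from the Get-ExchangeCertificate output.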