• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 942
  • Last Modified:

Exchange 2013 Local Certificate Error

Server Information
Microsoft Windows Server 2012 R2 Standard
Microsoft Exchange Server 2013
Local Domain sd.com
Public Domain: strdetail.com

Godaddy UCC SSL Certificate Subject Alternative Names:
Services: SMTP, IMPA, POP, IIS

Virtual Directories
Internal URL: https://mail.strdetail.com/ecp
External URL: https://mail.strdetail.com/ecp

Internal URL: https://mail.strdetail.com/EWS/Exchange.asmx
External URL: https://mail.strdetail.com/EWS/Exchange.asmx

Internal URL: https://mail.strdetail.com/Microsoft-Server-ActiveSync
External URL: https://mail.strdetail.com/Microsoft-Server-ActiveSync

Internal URL: https://mail.strdetail.com/OAB
External URL: https://mail.strdetail.com/OAB

Internal URL: https://mail.strdetail.com/owa
External URL: https://mail.strdetail.com/owa

Internal URL: https://mail.strdetail.com/powershell
External URL: https://mail.strdetail.com/powershell

DNS SRV records have been created for both internal and external domains and are pointed to mail.strdetail.com.

Mail.strdetail.com is pointed to the server both internally and externally.

Client Information
Windows 8.1 Pro
Microsoft Outlook 2013

The issue is an error message when creating the outlook profile which says

"The name on the security certificate is invalid or does not match the name of the site."

The site works perfectly from outside the domain.  I only get the error message internally.

I have done about as much Google as I can stand on this issue.  Let me know if any other information would be useful and I will provide it.
  • 3
  • 2
1 Solution
Simon Butler (Sembee)ConsultantCommented:
You have probably missed Autodiscover.

get-clientaccesserver | select identity, AutodiscoverServiceInternalURI

That needs to be changed as well.


CyberCorpSoftwareAuthor Commented:
ok, I set the AutoDiscover

[PS] C:\Windows\system32>Get-ClientAccessServer |fl identity,autodiscoverserviceinternalur
Identity                       : S-FS
AutoDiscoverServiceInternalUri : https://mail.strdetail.com/autodiscover/autodiscover.xml

Now I am getting the following error when I try to create the account in outlook

"The action cannot be completed.  The connection to Microsoft Exchange is unavailable.  Outlook must be online or connected to complete this action."

I found that in IIS I can check HTTP Redirect and point the autodiscover to

This resolves the issue but creates a new one.  

"Cannot start Microsoft Outlook.  Cannot open the outlook window.  The set of folders cannot be opened.  You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your Outlook data file (.ost)."

At this point I think my issue is still  with Autodiscover.  

C:\Windows\system32>Test-OutlookWebServices -clientaccessserver mail.strdetail.com -identity mperrigon@strdetail.com -MailboxCredential (get-credential sd\mperrigon)

Source                              ServiceEndpoint                     Scenario                       Result  Latency
------                              ---------------                     --------                       ------  -------
S-FS.sd.com     mail.strdetail.com      Autodiscover: Outlook Provider  Failure      48
S-FS.sd.com     mail.strdetail.com      Exchange Web Services                Success     176
S-FS.sd.com     mail.strdetail.com      Availability Service                        Success      44
S-FS.sd.com     mail.strdetail.com      Offline Address Book                   Success      77
Simon Butler (Sembee)ConsultantCommented:
"I found that in IIS I can check HTTP Redirect and point the autodiscover to

Why are you using a HTTP redirect?
That shouldn't be required at all.

Change the URL to one that matches the SSL certificate and resolves to the Exchange server. Job done. The only reason I can think you have to do anything else is that there is something non-standard about the configuration of the server.

CyberCorpSoftwareAuthor Commented:
I did end up unchecking that HTTP Redirect.  

The only thing I can think of that would make this a non-standard configuration would be

1. I do have this running on the Global Catalog Server
2. The local domain is sd.com and not strdetail.com.local which is what I see in most examples.
Simon Butler (Sembee)ConsultantCommented:
The internal domain doesn't matter as long as you have the DNS configured correctly.
That means whatever you have on the SSL certificate resolves internally and the host names match.

Running Exchange on a domain controller is not recommended and there is almost no good reason for doing so. If you use Windows 2012 or higher as your OS, then you have two virtual licences, allowing you to install two VMs on the same machine, one being a domain controller and one being the Exchange server. Having Exchange on a domain controller significantly complicates matters, particularly around recovery.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now