Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Outlook complains about mismatched names on ssl cert

Posted on 2014-08-13
Medium Priority
Last Modified: 2014-09-19
We are going to be renewing our ssl on our exchange 2010. I know that will will no longer be able to use the .local name on the cert. I also know that since this will be missing on the cert, most of our internal outlook users will start getting errors about the name mismatch. One of my coworkers mentioned that he found an article to suppress this error so the users do not receive this annoying pop up. Unfortunately he hasn't had a chance to find the article that he used. Does anyone know what he might be referring to? Thank you.
Question by:StarfishTech
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 1000 total points
ID: 40258213
Don't suppress the error - instead correct your Exchange configuration.
You need a split DNS system so that the external name resolves internally.


You can implement that at any point, if you have an SSL certificate with the correct external name on it already, then you can make the change before you renew your SSL certificate, that way all clients should get the new configuration with Autodiscover.

LVL 10

Assisted Solution

nashiooka earned 1000 total points
ID: 40258258
I've never seen a way to specifically suppress the warning, other than importing the cert (potentially with GPO).  That said I've always found MS documentation to be unclear, and when I rolled out 2010 I must have read dozens of third party articles.  I'll try to summarize it,  MS documentation is written with the assumption that you have a split DNS environment.  Also note you need a SAN certificate so you can have alternate names on it.  Don't buy into anything about a wildcard cert!

At a minimum you would need autodiscover.contoso.com and mail.contoso.com on your cert.   At this point you would create internal DNS record for mail.contoso.com pointing at either a CAS server or your load balancer.  Do not create autodiscover record on your internal DNS.  Change the InternalURL properties on OAB & WebServices virtual directories to mail.contoso.com.  Don't change the OWA, ActiveSync and ECP InternalURL properties yet that's something to consider separately.  You must also change the AutoDiscoverServiceInternalUri property on every CAS server in the site to mail.contoso.com.  Import your SAN certificate and enable it for IIS services.  Normally you can only have one cert enabled for all IIS based services, but at this point the names on the cert will match the InternalURL props and the Autodiscover..URI.  So it plays out like:

1) Outlook starts and queries AD for the SCP of autodiscover services.  https://mail.contoso.com is returned because it was set as the AutodiscoverInternalServicesUri.
2) Mail.contoso.com resolves to your CAS server (or LB).  There is no inconsistency on the cert so no warnings.
3) CAS server returns autodiscovered information like OAB URL and EWS URL which are both based on the aforementioned respective InternalURL properties, hence the cert names are still consistent and no warnings.

If you have to expose your Exchange services externally you only need to enter the external DNS records and update the ExternalURL properties on OAB, WebServices, OWA, ActiveSync & ECP virtual directories.  Notice I'm not excluding ActiveSync and OWA for the ExternalURL properties.  This is withstanding firewall configs and such that are too diverse to discuss here.

There are 2 other things worth mentioning:
1) SSL offloading done by FW, TMG server or possibly the load balancer could be used, this would require you to disable the SSL requirement on all the virtual directories.
2) You could disable SSL altogether.  Again you would need to remove the requirement from each virtual directory in IIS, you may also need to flip a reg key to enable http based CAS-CAS proxy.  Then you'd change the URL props and the Autodiscover..Uri to http://mail.contoso.com.

The hybrid approach is external URLs are https while internal are http.  The FW or LB is terminating the SSL connection, otherwise known as SSL offloading.

This is the most complicated piece of Exchange 2010, so I hope I did enough to explain it, please post back if anything is unclear.

If you are going to expose Exchange to the internet you need to create

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As a Microsoft Exchange user, you must have known the importance of an Offline storage table (OST) file. It is nothing new for an Outlook user to be dependent on a .ost file during a server break down or a problematic Internet connection. In such a…
In this post, we will learn to set up the Group Naming policy and will see how it is going to impact the Display Name and the Email addresses of the Group.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
Suggested Courses
Course of the Month13 days, 23 hours left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question