Outlook complains about mismatched names on ssl cert

Posted on 2014-08-13
Last Modified: 2014-09-19
We are going to be renewing our ssl on our exchange 2010. I know that we will no longer be able to use the .local name on the cert. I also know that since this will be missing on the cert, most of our internal outlook users will start getting errors about the name mismatch. One of my coworkers mentioned that he found an article to suppress this error so the users do not receive this annoying pop up. Unfortunately he hasn't had a chance to find the article that he used. Does anyone know what he might be referring to? Thank you.
Question by:StarfishTech
    LVL 63

    Accepted Solution

    Don't suppress the error - instead correct your Exchange configuration.
    You need a split DNS system so that the external name resolves internally.

    You can implement that at any point, if you have an SSL certificate with the correct external name on it already, then you can make the change before you renew your SSL certificate, that way all clients should get the new configuration with Autodiscover.

    LVL 10

    Assisted Solution

    I've never seen a way to specifically suppress the warning, other than importing the cert (potentially with GPO). That said, I've always found MS documentation to be unclear, and when I rolled out 2010 I must have read dozens of third party articles. I'll try to summarize it. MS documentation is written with the assumption that you have a split DNS environment. Also note you need a SAN certificate so you can have alternate names on it. Don't buy into anything about a wildcard cert!

    At a minimum you would need and on your cert.   At this point you would create internal DNS record for pointing at either a CAS server or your load balancer.  Do not create autodiscover record on your internal DNS.  Change the InternalURL properties on OAB & WebServices virtual directories to  Don't change the OWA, ActiveSync and ECP InternalURL properties yet that's something to consider separately.  You must also change the AutoDiscoverServiceInternalUri property on every CAS server in the site to  Import your SAN certificate and enable it for IIS services.  Normally you can only have one cert enabled for all IIS based services, but at this point the names on the cert will match the InternalURL props and the Autodiscover..URI.  So it plays out like:

    1) Outlook starts and queries AD for the SCP of autodiscover services. is returned because it was set as the AutodiscoverInternalServicesUri.
    2) resolves to your CAS server (or LB).  There is no inconsistency on the cert so no warnings.
    3) CAS server returns autodiscovered information like OAB URL and EWS URL which are both based on the aforementioned respective InternalURL properties, hence the cert names are still consistent and no warnings.

    If you have to expose your Exchange services externally you only need to enter the external DNS records and update the ExternalURL properties on OAB, WebServices, OWA, ActiveSync & ECP virtual directories.  Notice I'm not excluding ActiveSync and OWA for the ExternalURL properties.  This is withstanding firewall configs and such that are too diverse to discuss here.

    There are 2 other things worth mentioning:
    1) SSL offloading done by FW, TMG server or possibly the load balancer could be used, this would require you to disable the SSL requirement on all the virtual directories.
    2) You could disable SSL altogether.  Again you would need to remove the requirement from each virtual directory in IIS, you may also need to flip a reg key to enable http based CAS-CAS proxy.  Then you'd change the URL props and the Autodiscover..Uri to

    The hybrid approach is external URLs are https while internal are http.  The FW or LB is terminating the SSL connection, otherwise known as SSL offloading.

    This is the most complicated piece of Exchange 2010, so I hope I did enough to explain it, please post back if anything is unclear.

    If you are going to expose Exchange to the internet you need to create
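The InternalURL / AutoDiscoverServiceInternalUri / certificate steps from the answer above, as an added Exchange 2010 Management Shell example (not code from the original post). The public host name mail.example.com, the PFX path and the password prompt are placeholders; the script assumes split DNS already resolves that name internally and it finishes with a check that every name Outlook will be handed is actually on the certificate.

```powershell
# Added example, not from the original answer. Placeholders: $publicName, $pfxPath.
# Assumes split DNS resolves $publicName to the CAS server or load balancer inside.
$publicName = 'mail.example.com'
$pfxPath    = 'C:\certs\mail.example.com.pfx'
$pfxPass    = Read-Host -AsSecureString 'PFX password'

# 1) Point the OAB and Web Services (EWS) InternalUrl at the name on the SAN cert.
#    OWA, ECP and ActiveSync InternalUrl are deliberately left alone, as the answer says.
Get-OABVirtualDirectory | Set-OABVirtualDirectory `
    -InternalUrl "https://$publicName/OAB"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx"

# 2) Every CAS in the site must publish the same name in its SCP, otherwise Outlook
#    is handed the old .local name by whichever CAS it happens to find.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$publicName/Autodiscover/Autodiscover.xml"

# 3) Import the SAN certificate and bind it to IIS (only one cert can serve IIS).
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPass
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4) Check: any URL whose host is not in the certificate's SAN list will bring
#    the name-mismatch warning straight back, so report those before users do.
$certNames = (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).CertificateDomains |
    ForEach-Object { $_.ToString().ToLower() }
$urls = @(
    (Get-OABVirtualDirectory).InternalUrl
    (Get-WebServicesVirtualDirectory).InternalUrl
    (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
) | Where-Object { $_ }
foreach ($u in $urls) {
    $h = ([Uri]$u).Host.ToLower()
    if ($certNames -notcontains $h) {
        Write-Warning "$u uses host '$h', which is not on certificate $($cert.Thumbprint)"
    }
}
```

Run step 4 again after the old certificate is removed; a clean run (no warnings) means the .local name is no longer being handed to any internal Outlook client.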
