Exchange 2010 “Name on Certificate does not match site” error from Outlook 2007 clients

We had one Exchange 2007 server on a virtual 2003 box. We have upgraded to Exchange 2010 and now have two 2008 R2 virtual servers (one with the mailbox role and the other with the CAS & Hub roles). We are planning to implement an edge server later. All the mailboxes have been moved to the 2010 box along with firewall routing, DNS pointers and a new SSL certificate (not self-signed). We have 42 mailboxes.

On our users' machines (all users are using Outlook 2007) we are having the Security Alert window pop up with the “The name on the security certificate is invalid or does not match the name of the site” message. It shows the name it is looking for as ServerName.Domain.Local. I was going to add the .Local name to the certificate (as I did when we had this problem with our Exchange 2007 upgrade), but .local is going away as far as CA certs are concerned and that would just postpone the problem. Not to mention making my 2-year certificate only good for 11 months.

I also have a self-signed cert that lists server.domain.local and I assigned it to IMAP and POP, and we still get the error box.

I have gone through all the options in the EMC that I could find and changed all instances of .local to .com, which we have matching DNS entries for, and still no joy. If we click on YES, Outlook runs normally but will re-display the error one more time. I do not want users to get used to clicking YES on these errors, for obvious reasons. With the .local URLs going away, surely there should be a fix for this?

MAS, EE MVE, Technical Department Head, commented:
Hi dosdet2,
You are supposed to get a result like below. Your and common name( should point to the active server. (This is explained in my article)
[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri

Name                           : Server1
AutoDiscoverServiceInternalUri :

Name                           : Server2
AutoDiscoverServiceInternalUri :


Please configure split DNS or pin point DNS as well
Split DNS
Pin Point is explained in my article above
On the Exchange server, export the certificate. Then install it in Trusted Root Certification Authorities (Local Computer) on each PC.
To get to the correct place on each PC, go to Start > Run > MMC > File > Add/Remove Snap-in > Select Certificates > Add > Computer Account > Next > Local Computer > Finish
dosdet2 (Author) commented:
Thanks ktaczala, I'm sure this would work.
However, since many Exchange organizations have thousands of users, I can't imagine that they would manually import certificates to each PC every time the certificate expires. I'm thinking there must be a better alternative.
I will do this if I am left with no other solution.

I had the same issue when I went from SBS 2003 / Exchange 2003 to Exchange 2010. The only solution I found was either to purchase or to install it locally. Fortunately it was a small customer, 20 PCs.

How about thru a GPO?

See here:
dosdet2 (Author) commented:
I don't think that I have been clear enough. I have a purchased SAN certificate from GoDaddy. The problem is that the certificate authorities have to discontinue including any intranet domain names (i.e. ending in .Local) in their SSL SAN-type certificates.

See Here:

Outlook is looking for server.domain.local, which is not part of the SAN certificate list.  The name server, is there but Outlook / exchange does not look for that.  
This is the problem I am trying to resolve. The self-signed certificate (that does contain server.domain.local) would be the one I would have to import to local PCs. I am trying to find a way to avoid that and use the CA certificate. Does that make sense?
Jessie Gill, CISSP, Technical Architect, commented:
So you have a disjoint namespace. What I did is, internally, I created DNS records for my external URLs, and I made the Exchange URLs for internal and external the same. That way your clients are looking for, instead of autodiscover.domain.local. This would however require you to change all your internal URLs and create a DNS zone for all the URLs.
MAS, EE MVE, Technical Department Head, commented:
You need only the names below in your certificate. ( (

Please check my articles; they may help to sort out your issues

Please use this tool to generate a CSR easily
dosdet2 (Author) commented:
Jessie Gill, CISSP - This was what I thought also, but it is kind of a problem too. I have the DNS records all set up and working, but I can't seem to get Outlook on the workstations to look for the external URL. It seems that no matter what I try, they still keep looking for autodiscover.domain.local instead of or or - any of which would point them properly and are all named in the certificate.
I'm wondering if the old Exchange 2007 server is causing a problem. It is no longer being used except that it is a DC (not the PDC though). It will eventually go away once I can verify everything else is working properly. Any help here would be appreciated
dosdet2 (Author) commented:
I ran several of the Get- commands (for ClientAccessServer, virtual directories & internal / external URLs) and saw that some of my earlier commands (URLs) didn't work?? I reran all of the Set- commands and rechecked. Everything is as it should be now and the problem seems to be corrected (no more security messages). Thanks for the help.
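Added example (not from any poster in this thread): an Exchange Management Shell script that collects every internal/external URL Exchange 2010 hands to clients (the ClientAccessServer and virtual-directory settings the thread's Get-/Set- commands touch) and flags each host name that is not covered by the certificate bound to IIS, so a leftover .local URL shows up before Outlook 2007 users do. Cmdlet and property names are the standard Exchange 2010 ones; the report layout and the SAN-matching helper are my own.

```powershell
# Added audit script (not from the thread). Run in the Exchange Management Shell on the CAS.
# Certificate currently bound to IIS (Autodiscover, EWS, OAB, OWA, Outlook Anywhere use it).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service.' }
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Collect every URL a client can be told to use (PowerShell 2.0-compatible object creation).
function New-UrlRow($Name, $Setting, $Url) {
    New-Object PSObject -Property @{ Name = "$Name"; Setting = $Setting; Url = $Url }
}
$rows = @()
$rows += Get-ClientAccessServer | ForEach-Object {
    New-UrlRow $_.Name 'AutoDiscoverServiceInternalUri' $_.AutoDiscoverServiceInternalUri }
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory') {
    $rows += & $cmd | ForEach-Object {
        New-UrlRow $_.Server "$cmd InternalUrl" $_.InternalUrl
        New-UrlRow $_.Server "$cmd ExternalUrl" $_.ExternalUrl
    }
}
# Outlook Anywhere in 2010 has only an external host name; wrap it so it is checked like a URL.
$rows += Get-OutlookAnywhere | ForEach-Object {
    New-UrlRow $_.Server 'OutlookAnywhere ExternalHostname' "https://$($_.ExternalHostname)/" }

# True when the host name is listed in the SAN set, including a same-depth wildcard match.
function Test-HostInSans([string]$hostName) {
    foreach ($san in $sans) {
        if ($san -eq $hostName) { return $true }
        if ($san.StartsWith('*.') -and $hostName.EndsWith($san.Substring(1)) -and
            ($hostName.Split('.').Count -eq $san.Split('.').Count)) { return $true }
    }
    return $false
}

# Report: anything marked NOT IN CERT is a name Outlook will warn about.
'Certificate {0} covers: {1}' -f $cert.Thumbprint, ($sans -join ', ')
foreach ($r in $rows) {
    if (-not $r.Url) { '{0,-12} {1,-50} (not set)' -f $r.Name, $r.Setting; continue }
    $hostName = ([uri]"$($r.Url)").Host.ToLower()
    $state = if (Test-HostInSans $hostName) { 'ok' }
             elseif ($hostName.EndsWith('.local')) { 'NOT IN CERT (.local name)' }
             else { 'NOT IN CERT' }
    '{0,-12} {1,-50} {2,-35} {3}' -f $r.Name, $r.Setting, $hostName, $state
}
```

Any row reported as NOT IN CERT is the setting to fix with the matching Set- cmdlet (for example Set-ClientAccessServer -AutoDiscoverServiceInternalUri), after which a new Outlook profile connection should no longer raise the name-mismatch alert.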