Troubles with security certificates, Exchange 2013, GoDaddy and internet/intranet invalid names

Hi Experts,
As the title suggests, I'm having issues getting my SSL security certificates in Exchange 2013 validating Outlook from both internal and external connections. I can't seem to make the certificate accepted for internal (servername.domainname.local) and external ( outlook connections. On one certificate with servername.domainname.local as the primary address the internal Outlook clients connect just fine but external clients refuse to connect via Outlook Anywhere, then when I change the certificate to have as the primary, Outlook Anywhere connects fine but internal clients complain that the certificate name is invalid but still allow the connection. The certificate is a single domain certificate issued via GoDaddy.

Help me Experts-Exchange, you're my only hope.

Hypercat (Deb) Commented:
You need to have your internal and external URLs the same if you're using a single-name certificate.  So, you need to change the internal URL of your Exchange server to match the external URL (i.e., "").

Here's an article that will explain:

The article refers to Exchange 2007 and 2010, but also applies to 2013.

Simon Butler (Sembee), Consultant, Commented:
From November 2015 you cannot have an SSL certificate with internal names on it.
You will need to use a split DNS system to ensure the external name resolves internally, then configure Exchange with the external name for both internal and external URLs.

Aaron Tomosky, Director of Solutions Consulting, Commented:
Agree with hypercat, use the external name only. For internal workstations, I assume you run your own DNS, just put in an entry for with the internal IP address.

Berkson Wein, Tech Freelancer, Commented:
Agree with the other posters.

You can use a single certificate, for example

Then you need to set the names that are used:

-- change owa
Set-OwaVirtualDirectory -Identity "servername\owa (default web site)" -ExternalUrl -InternalUrl

confirm: Get-OwaVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change ecp
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl -InternalUrl

confirm : Get-EcpVirtualDirectory | select server,externalurl,internalurl | fl

-- change activesync
Set-ActiveSyncVirtualDirectory -Identity "ServerName\Microsoft-Server-Activesync (Default Web Site)" -ExternalUrl -InternalUrl

confirm: Get-ActiveSyncVirtualDirectory | select server,externalurl,internalurl | fl

-- change exchange web services
Set-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)" -ExternalUrl -InternalUrl

OR FOR ALL:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl -InternalUrl

confirm: Get-WebServicesVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change oab
Set-OabVirtualDirectory -Identity "ServerName\oab (default web site)" -ExternalUrl -InternalUrl
confirm: Get-OabVirtualDirectory | Select Server,ExternalURL,InternalURL | fl

-- change autodiscover
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri

confirm: Get-ClientAccessServer | Select Name,AutoDiscoverServiceInternalURI

Keep in mind that the autodiscover rename requires a workaround.  The alternative is to have a multiple name (SAN) certificate that has autodiscover in it.  We use a _SRV record in DNS to tell the client to look to

Hope this helps.
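
An audit of the result of the commands above, as an added example that is not part of the original post: it lists every internal and external URL on the virtual directories named in the answer, plus the autodiscover URI, and marks any whose hostname is not on the CA-issued certificate bound to IIS. The function name Test-CertCoversHost and the output column names are made up for this example.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2013 server.
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard such as *.example.com covers exactly one additional label.
        $dot = $HostName.IndexOf('.')
        if ($name.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -ieq $name.Substring(1)) { return $true }
    }
    return $false
}

# Names on the CA-issued certificate bound to IIS. The self-signed certificate
# is skipped because it still carries the server's internal names.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" } | Sort-Object -Unique)

# Every virtual directory the post above reconfigures.
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-ActiveSyncVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory)

$rows = @(foreach ($v in $vdirs) {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        if ($v.$prop) {
            [pscustomobject]@{ Source = "$($v.Server) $($v.Name)"; Setting = $prop; Url = "$($v.$prop)" }
        }
    }
})
$rows += @(foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        [pscustomobject]@{ Source = "$($cas.Name)"; Setting = 'AutoDiscoverServiceInternalUri'
                           Url = "$($cas.AutoDiscoverServiceInternalUri)" }
    }
})

# Rows with CoveredByCert = False are the ones Outlook will warn about.
$rows | Select-Object Source, Setting, Url,
    @{ n = 'CoveredByCert'
       e = { Test-CertCoversHost -HostName ([uri]$_.Url).Host -CertNames $certNames } } |
    Sort-Object CoveredByCert | Format-Table -AutoSize
```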
Dougj182 (Author) Commented:
OK, so if I understand correctly, I need to change all the internal and external URLs in the virtual directory entries to<type> next to the red arrows? Is that correct?
Berkson Wein, Tech Freelancer, Commented:
That's right, but if I'm remembering correctly, not all can be changed using ECP.  The commands I gave will change them for you in PowerShell.  I assume GoDaddy gives you PowerShell access.
Dougj182 (Author) Commented:
Oh no, the Exchange server is hosted in house, just the certificate comes from GoDaddy. Thanks, I'll use PS to change the config and report. Thanks for your help.
Berkson Wein, Tech Freelancer, Commented:
OH, misunderstood that originally.   In general, I find PowerShell to be much better than the GUI, and you can set your settings and then quickly test if they're set right with the equivalent get command
Dougj182 (Author) Commented:
So, I've made all the changes, autodiscover. and mail. have been added to the DNS pointing to the Exchange server both internally and externally but I'm still getting this error from Outlook..? Suggestions?

Berkson Wein, Tech Freelancer, Commented:
Your certificate likely only has hence the complaining about autodiscover not matching.  You would need a SAN certificate (subject alternate name) that also has autodiscover in it if you want to have to look to  Or you could use a wildcard certificate.

Here's what we generally do instead:
1) Certificate with only

2) Change the autodiscover URL
Set-ClientAccessServer -Identity "ServerName" -AutoDiscoverServiceInternalUri

3) Remove any A record in DNS for

4) Create a SRV record for
and have it point tcp 443 to

More info:
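
A DNS check for steps 3 and 4 above, as an added example that is not part of the original post: it confirms that the autodiscover host name no longer resolves and that every autodiscover SRV record points to the certificate's name on TCP 443, so a leftover record aimed elsewhere shows up as a finding. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later); example.com, mail.example.com and the function name Test-AutodiscoverDns are placeholders chosen for this example.

```powershell
# Added example. Both values are placeholders; substitute your own.
$MailDomain   = 'example.com'        # SMTP domain of the mailboxes
$ExpectedHost = 'mail.example.com'   # the single name on the certificate

function Test-AutodiscoverDns {
    param([string]$MailDomain, [string]$ExpectedHost, [string]$Server)
    $common = @{ ErrorAction = 'SilentlyContinue' }
    if ($Server) { $common.Server = $Server }   # query one specific resolver

    # Step 3: autodiscover.<domain> should not resolve, otherwise Outlook
    # connects to a name the single-name certificate does not contain.
    $hostRecs = @(Resolve-DnsName -Name "autodiscover.$MailDomain" -Type A @common |
        Where-Object { $_.Section -eq 'Answer' })

    # Step 4: the SRV record must point at the certificate name on TCP 443.
    $srvRecs = @(Resolve-DnsName -Name "_autodiscover._tcp.$MailDomain" -Type SRV @common |
        Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'SRV' })

    $findings = @()
    foreach ($r in $hostRecs) {
        $findings += "autodiscover.$MailDomain still resolves ($($r.Type) record)"
    }
    if ($srvRecs.Count -eq 0) {
        $findings += "no SRV record for _autodiscover._tcp.$MailDomain"
    }
    foreach ($r in $srvRecs) {
        $target = "$($r.NameTarget)".TrimEnd('.')
        if ($target -ine $ExpectedHost -or $r.Port -ne 443) {
            $findings += "SRV points to ${target}:$($r.Port), expected ${ExpectedHost}:443"
        }
    }

    [pscustomobject]@{
        Resolver = if ($Server) { $Server } else { 'default' }
        Ok       = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

Test-AutodiscoverDns -MailDomain $MailDomain -ExpectedHost $ExpectedHost
```

With split DNS the internal and external zones are separate, so run the function once against each by passing the resolver's address in -Server.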
Dougj182 (Author) Commented:
Thanks, let me try it.
Berkson Wein, Tech Freelancer, Commented:
You likely need to do an iisreset after all settings are done fyi.

And note that is your friend!
Berkson Wein, Tech Freelancer, Commented:
Checking in...  how'd it go?
Dougj182 (Author) Commented:
Just picked this up again from being on vacation, thanks for checking in. I'll let you know how it goes.
Dougj182 (Author) Commented:
Oh God, I just figured it out. There was an SRV record already inserted in the DNS settings pointing to the wrong place. All working now.

@ Weinberk, thank you so much for your help!
Dougj182 (Author) Commented:
I figured out the final part of the problem myself.
I was having the same issue. I added the SRV Record and no longer get the warning.