SSL not being installed on outlook

I am having an issue with SSL certs that is getting to be a nightmare.
For reasons not discussed our wildcard SSL was rekeyed. (Please don't make me go there.) I have a new wildcard cert properly installed / updated all servers. Almost everything is working - except - now clients are getting a Security Alert message that says "The name on the security certificate is invalid or does not match the name of the site". This happens on only about 10% of the users, 34 of 350. One user gets the "Cert Alert" on one computer but not on a second desktop.
Once the user hits any of the checkboxes on the alert dialog popup, Outlook works fine and gives them a new popup the next time they open Outlook.

For many of the users simply installing the new cert did the trick.
For the remaining clients I have done the following and am left with about 10% of the workstations that will not cooperate.

checked usual suspects:

ran IPconfig /flushdns to clean DNS cache
Went to powershell and ran Test-ComputerSecureChannel -r (results = true)
GPUpdate /force.
Reboot and then open outlook and reinstall cert.
Taken Outlook out of exchange mode then try to install the cert.
Opened an MMC console and searched for all %MyDomain% SSL certs - deleted certs - installed new cert
Confirmed that the new cert serial number matches the one on the server.
Confirmed that the certificate's thumbprint matches the server
Confirmed that Autodiscovery DNS records were correct
Confirmed that Certificates SCP object is correct.
Created and confirmed that SRV record for autodiscover is correct.
confirmed SRV in cert is correct.
server name/ip is correct in local DNS and outside DNS
nslookup shows correct server IP
Ran the following cmdlets on server:

      Set-ClientAccessServer -Identity %myserver% -AutodiscoverServiceInternalUri
      Set-WebServicesVirtualDirectory -Identity "%myserver%\EWS (Default Web Site)" -InternalUrl https://mail.%mydomain%/EWS/Exchange.asmx
      Set-OABVirtualDirectory -Identity "%myserver%\OAB (Default Web Site)" -InternalURL https://mail.%mydomain%/OAB
      Set-ActiveSyncVirtualDirectory -Identity "%myserver%\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mail.%mydomain%/Microsoft-Server-Activesync
      Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.%mydomain%

- Each step resolved the issue on a few but not all (left me with the 10%)
MPonto, Network Admin, Asked:

Simon Butler (Sembee), Consultant, Commented:
Was this a trusted SSL certificate?
If so, you shouldn't need to do anything on the clients - installing the certificate is not necessary. If you have to do that then using a trusted certificate is pointless.

If it wasn't a trusted certificate, then I suggest you get one.
If it was, the first thing you need to do when you get the prompt is click on the message to view the certificate. Verify that it is the certificate you think it is. You need to establish if it is a DNS issue for example.

It isn't clear what you have done with the URLs, but as you are using a wildcard certificate you need to deploy a split DNS so the external host name resolves internally, then change all of the URLs, both internal and external to match.


MPonto, Network Admin, Author Commented:
Thanks for the quick response and the thought.

Yes it is a trusted cert - that is part of what has me flustered. I didn't say it clearly in the question but it is a wildcard cert and I do have the split domain. All internal server addresses resolve to the internal IP subnet.
Like I said 90% didn't need to do a thing.
Simon Butler (Sembee), Consultant, Commented:
You should have no internal addresses anywhere in Exchange.
Then you need to look at a client that is getting the prompt. You may have to run an Autodiscover test and generally see what it is doing - my guess is something isn't resolving correctly or the client cannot connect and is going to an external host which is generating the prompt.


David Johnson, CD, MVP, Owner, Commented:
Go to and run the email tests. Rekeying a cert only makes the older certificate marked as revoked and now the clients will use the new certificate. The error you are receiving is in the subject names that do not match. Examine the certificate using OWA (a web browser).
MPonto, Network Admin, Author Commented:
Ran all tests and they all passed.
I did examine them with IE and it shows the wildcard cert.
Simon Butler (Sembee), Consultant, Commented:
If you are still getting certificate prompts, and the correct certificate is being passed to the client, then you must have one of the names configured incorrectly.

MPonto, Network Admin, Author Commented:
I am headed out of town for most of the week - will recheck everything as soon as I get back.
MPonto, Network Admin, Author Commented:
I hate to be dense and a pain but ...

I agree with you that one of the names must be incorrect but for the life of me I can't find it. The  showed only a warning that it couldn't find the autodiscovery service on the main web site, which is on a different ISP / subnet altogether, but then does find it on the main mail server. As for checking it on a web page, when I go to the OWA page for the mail server and check, even the thumbprint is correct.

Could this be something to do with the wildcard cert?
Simon Butler (Sembee), Consultant, Commented:
Wildcard certificates should have nothing to do with it, unless you are using a different domain.
Personally I would presume one is wrong and reconfigure it using the script from my web page linked to in the first article. After doing so, run IISRESET.

Autodiscover failing on the root of the domain is to be expected and can be ignored.

MPonto, Network Admin, Author Commented:
I think we got it. Did all you suggested and it kept getting better and better. Also while digging I found 2 more PS commands that seem to have mopped up the last of it.
Set-PopSettings -X509CertificateName
Set-ImapSettings -X509CertificateName

Thanks for the help
MPonto, Network Admin, Author Commented:
Good advice and support on a very tricky issue.
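
The thread comes down to finding the one configured name the wildcard certificate does not cover. As an added example (not code from any participant in the thread), the following audit uses the Get- counterparts of the cmdlets mentioned above to list every configured host name that fails the wildcard match; `$CertName`, `Test-WildcardName` and `Get-ConfiguredHost` are hypothetical names introduced here, and `*.example.com` is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# ASSUMPTION: $CertName is a placeholder; set it to your wildcard certificate's name.
$CertName = '*.example.com'

function Test-WildcardName {
    # A wildcard covers exactly one label: *.example.com matches mail.example.com,
    # but not example.com, a.b.example.com, or a short internal server name.
    param([string]$HostName, [string]$Pattern)
    if (-not $Pattern.StartsWith('*.')) { return ($HostName -ieq $Pattern) }
    $suffix = $Pattern.Substring(1)    # ".example.com"
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return (($label.Length -gt 0) -and (-not $label.Contains('.')))
}

function Get-ConfiguredHost {
    # Hypothetical helper: emits one row per non-empty property, reduced to its host name.
    param([string]$Source, $Objects, [string[]]$Properties)
    foreach ($o in $Objects) {
        foreach ($p in $Properties) {
            $value = "$($o.$p)"
            if (-not $value) { continue }
            if ($value -match '://') { $value = ([Uri]$value).Host }   # URL -> host part
            [pscustomobject]@{ Source = "$Source $p"; Item = "$($o.Identity)"; Host = $value }
        }
    }
}

$urls  = 'InternalUrl', 'ExternalUrl'
$names = @(
    Get-ConfiguredHost 'Autodiscover' (Get-ClientAccessServer) 'AutoDiscoverServiceInternalUri'
    Get-ConfiguredHost 'EWS'          (Get-WebServicesVirtualDirectory) $urls
    Get-ConfiguredHost 'OAB'          (Get-OabVirtualDirectory) $urls
    Get-ConfiguredHost 'ActiveSync'   (Get-ActiveSyncVirtualDirectory) $urls
    Get-ConfiguredHost 'POP'          (Get-PopSettings) 'X509CertificateName'
    Get-ConfiguredHost 'IMAP'         (Get-ImapSettings) 'X509CertificateName'
)

# Every row printed here is a name handed to clients that the certificate does not cover.
$names | Where-Object { -not (Test-WildcardName $_.Host $CertName) } | Format-Table -AutoSize

# The Outlook provider should carry the same wildcard name, prefixed with msstd:
Get-OutlookProvider | Select-Object Name, CertPrincipalName,
    @{ Name = 'MatchesCert'; Expression = { $_.CertPrincipalName -eq "msstd:$CertName" } }
```

An empty table means every configured URL and POP/IMAP certificate name falls under the wildcard; any row that appears is a candidate source of the Outlook name-mismatch prompt.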