Outlook certificate mismatch error

Hi guys,

I have a strange question.

One of our clients has started having an issue where users are getting a certificate error when they open their Outlook. It says that the name of the certificate is invalid or does not match the name of the site.

The strange thing is that the address seems to have a .com appended to it which is causing this but the certificate is fine, DNS looks ok and the virtual directory URLs are ok too.

Any idea what might be appending .com to the autodiscover lookup?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Please check the SAN entries in the certificate.
If the certificate is self-signed then install it on the workstation.
Please check the url by running command in ESM Get-ClientAccessServer | fl and check AutoDiscoverServiceInternalUri
Please check the inertnal/external url for webservicesvirtualdirectory by running get-WebServicesVirtualDirectory | fl
Also create a domain.com forward lookup zone in internal DNS and create host A record webmail.domain.com and point it to exchange server IP.
niltdAuthor Commented:
Hi R-R, thanks for your comment. Certificate is fine, I've checked all the URLs and none have double .com. We do have a forward lookup zone for domain.com with the correct A record for webmail pointing to the Exchange server. Any other ideas?
Check OA url.
Check activesync/ecp/owa urls
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

niltdAuthor Commented:
I've checked all URLs on the Exchange server. None have .com.com
niltdAuthor Commented:
Also, this isn't a new Exchange install. It's been running along nicely for 2 years until this error popped up! :)
Check if there is any certificate with SAN entries com.com is present.
Check if the proper certificate which do not have com.com is binded in IIS default web site.
Simon Butler (Sembee)ConsultantCommented:
com.com is actually a valid domain name.
Therefore this sounds like there is a DNS error somewhere.

If you have changed all entries in Exchange to use the external host name, then check that you have a proper zone on your internal DNS for that entry.
It could be that for some reason the clients are appending the domain suffix .com to the DNS lookup.

As it appears that everything is correct within Exchange, this looks like it is a DNS/domain configuration error.

niltdAuthor Commented:
Hi Simon, that's correct. The certificate that pops up is a RapidSSL one which we don't have installed anywhere so it's related to the .com.com domain.

Exchange is configured to use the external host name and we do have a forward lookup zone with that entry in it (see screenshot)

niltdAuthor Commented:
Any other DNS checks you can recommend?
Will SzymkowskiSenior Solution ArchitectCommented:
Does this happen for all clients? Have you checked the cert itself to see if it has been replcaed or modified some how?

Please run the below commands in Exchange powershell and paste all output here (Feel free to remove the domain name as you did, but please leave as much info as possible.)

get-OwaVirtualDirectory | fl *url*
get-EcpVirtualDirectory | fl *url*
get-ActiveSyncVirtualDirectory | fl *url*
get-OabVirtualDirectory | fl *url*
get-ClientAccessServer | fl *uri*
get-WebServicesVirtualDirectory | fl *url*
get-OABVirtualDirectory | fl *url*

Please also paste a screen shot of the alternative names for your cert.  See example attached.
niltdAuthor Commented:
This does happen for all clients. We've checked the cert and it's ok. It's also the only one on the Exchaneg server so no phantom certs lurking about.
niltdAuthor Commented:
Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Show quick reference guide: QuickRef
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Tip of the day #40:

Has one of your users asked you to recover their mobile device synchronization password? To return the user's password,

 Get-ActiveSyncDeviceStatistics -ShowRecoveryPassword

VERBOSE: Connecting to TSXNG.domain.com
VERBOSE: Connected to TSXNG.domain.com.
[PS] C:\Windows\system32>get-OwaVirtualDirectory | fl *url*

Url             : {}
Exchange2003Url :
FailbackUrl     :
InternalUrl     : https://webmail.domain.com/owa
ExternalUrl     : https://webmail.domain.com/owa

Url             : {}
Exchange2003Url :
FailbackUrl     :
InternalUrl     : https://cas-dr.domain.com/owa
ExternalUrl     : https://webmaildr.domain.com/owa

[PS] C:\Windows\system32>get-EcpVirtualDirectory | fl *url*

InternalUrl : https://webmail.domain.com/ecp
ExternalUrl : https://webmail.domain.com/ecp

InternalUrl : https://cas-dr.domain.com/ecp
ExternalUrl : https://webmaildr.domain.com/ecp

[PS] C:\Windows\system32>get-ActiveSyncVirtualDirectory | fl *url*

MobileClientCertificateAuthorityURL :
InternalUrl                         : https://webmail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                         : https://webmail.domain.com/Microsoft-Server-ActiveSync

MobileClientCertificateAuthorityURL :
InternalUrl                         : https://cas-dr.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                         : https://webmaildr.domain.com/Microsoft-Server-ActiveSync

[PS] C:\Windows\system32>get-OabVirtualDirectory | fl *url*

InternalUrl : https://webmail.domain.com/OAB
ExternalUrl : https://webmail.domain.com/OAB

InternalUrl : http://cas-dr.domain.com/OAB
ExternalUrl : https://webmaildr.domain.com/OAB

[PS] C:\Windows\system32>get-ClientAccessServer | fl *uri*

AutoDiscoverServiceInternalUri : https://webmail.domain.com.com/autodiscover/autodiscover.xml

AutoDiscoverServiceInternalUri : https://cas-dr.domain.com.com/autodiscover/autodiscover.xml

[PS] C:\Windows\system32>get-WebServicesVirtualDirectory | fl *url*

InternalNLBBypassUrl : https://tsxng.domain.com/ews/exchange.asmx
InternalUrl          : https://cas-hq.domain.com/EWS/Exchange.asmx
ExternalUrl          : https://webmail.domain.com/ews/exchange.asmx

InternalNLBBypassUrl : https://tsdrxng.domain.com/ews/exchange.asmx
InternalUrl          : https://cas-dr.domain.com/EWS/Exchange.asmx
ExternalUrl          : https://webmaildr.domain.com/ews/exchange.asmx

[PS] C:\Windows\system32>get-OABVirtualDirectory | fl *url*

InternalUrl : https://webmail.domain.com/OAB
ExternalUrl : https://webmail.domain.com/OAB

InternalUrl : http://cas-dr.domain.com/OAB
ExternalUrl : https://webmaildr.domain.com/OAB

[PS] C:\Windows\system32>

Simon Butler (Sembee)ConsultantCommented:
I don't think it is your Exchange configuration - as the first screenshot posted with the results of Autodiscover are showing the correct information.
This is DNS resolution.

If you do an nslookup, does that return the correct results?
Same for a ping?

My instinct is that someone has changed something outside of Exchange, possibly to force .com to be put on to the end of any domains, something like that.

Your AutoDiscoverServiceInternalUri are wrong with the double .coms.  Need to fix that -

Set-ClientAccessServer -Identity [ServerName] -AutodiscoverServiceInternalUri https://webmail.domain.com/autodiscover/autodiscover.xml

Set-ClientAccessServer -Identity [ServerName] -AutodiscoverServiceInternalUri https://cas-dr.domain.com/autodiscover/autodiscover.xml

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hey Dipersp you are correct.. That the one i asked to check in my earlier comments.
Yeh, the URL and URI can be confusing, which is why I explicitly spell it out (hoping they'll cut and paste) so we actually can see the uri as opposed to url values on that one.  URI just looks like someone didn't capitalize the L!
niltdAuthor Commented:
Thanks guys, I think my brain didn't process the double .com in the output as I didn't spot it at all. Without the *uri* it's quite a hefty output.

This was such an unusual one as this value must have been set a while back when Exchange was installed and it's been working fine. I think that last month the *.com.com domain must have been registered with a certificate so since then the Exchange server has been able to resolve it and has been giving the error.

Thanks again for the perseverance. I'll split the points 50/50. R-R did point me in the right direction first (but I was blind!) but dipersp went the extra mile by requesting the output and spotting the problem. Hope that's ok?
That's fine with me. In-fact i am glad that the issue is resolved.
Will SzymkowskiSenior Solution ArchitectCommented:
Not sure i am clear on what the issue was?

the *.com.com domain must have been registered with a certificate so since then the Exchange server has been able to resolve it and has been giving the error.

My comment...
2015-06-26 at 09:50:39ID: 40853024
Does this happen for all clients? Have you checked the cert itself to see if it has been replcaed or modified some how?


Was it not the cert that was the issue. Based on all of your testing the virtual directories were all correct.

Sounds like a plan.  Glad that did it for you.
niltdAuthor Commented:
Hi Will,

It turns out there was a typo on a couple of the virtual directory entries. The certificate was ok.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.