Exchange 2010 security certificate mismatch

Hello folks,
Got a head scratcher here, hoping you all can help. Since 2010, when Exchange 2010 came out, I have been using a third-party single-name cert to run my Exchange servers. I change all the virtual directories to, the name on the cert, and set up a split horizon internally that points this public FQDN to the mail server. I also create a SVC record for autodiscover on the public DNS. This has worked like a charm for years.
As of this year, recently mind you, some of my clients, for no apparent reason, have started to get certificate errors internally referencing the mail.domain.local name and stating that the name on the certificate does not match when opening Outlook. This is happening with Outlook 2007, 2010 and 2013. This has never happened in the past and has never been an issue before; nothing on these mail servers has been changed or modified. After opening Outlook it connects like normal and then will be fine for about 1 to 2 minutes, then the security alert pops up. Whether I accept or decline, Outlook functions fine.
I believe there must be a simple way to fix this issue and am hoping that I am just overlooking it.

Thank you in advance

Simon Butler (Sembee) Consultant Commented:
If you just changed the virtual directories then you haven't covered everything - specifically the Autodiscover entry.

get-clientaccessserver | select identity, AutodiscoverServiceInternalURI

If that value isn't set correctly to match the SSL certificate then it will generate the prompts that you are seeing.

jplatt1 Author Commented:
Thank you for the response. So, autodiscover, client access server, webservices, oab, owa, ecp, activesync have all had their internal and external urls/uris changed to and this popup just started recently. The server has been in service for about 2 years. That is the head scratcher.

Simon Butler (Sembee) Consultant Commented:
Something has to have changed - this is not a problem that occurs on its own UNLESS the SSL certificate has expired.
When you get the SSL error, if you look at the certificate is it yours?
If you do an Autodiscover test in Outlook, does it return the correct information and URLs? You need to check the log field as well.


jplatt1 Author Commented:
Test E-Mail AutoConfig
So the domain was the public, that I set in the Exchange server for all of the external and internal fields. The client connects to Exchange and functions correctly with the exception of the certificate alert.

Simon Butler (Sembee) Consultant Commented:
That Autodiscover is wrong. You shouldn't have that many log entries.
Looks like either is not resolving to the correct server, or you have multiple web sites on the server and the bindings are wrong.
That is causing Autodiscover to connect to instead, which is probably where the mismatch is coming from.

I have screenshots from a correctly functioning Autodiscover here:


jplatt1 Author Commented:
Will look deep into this. I will let you know what I find. Thank you for the help so far.

jplatt1 Author Commented:
So, there is definitely a DNS issue with autodiscover. It seems to be internal, though we have not tracked it down as of yet. What changed, we are not sure, but thank you for pointing us in the right direction.
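
The check discussed in this thread, as an added example that is not part of any participant's post: given the DNS names on the certificate and the URLs that clients are handed (the Autodiscover URI and the virtual directory URLs), list every URL whose host the certificate does not cover. The function names, the example.com and example.local hosts and the URL list are constructed for illustration.

```powershell
# Added example, PowerShell 2.0 syntax. Hosts, URLs and function names are constructed.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string[]]$CertDnsNames
    )
    foreach ($name in $CertDnsNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard covers one left-most label: *.example.com matches mail.example.com only
        if ($name.StartsWith('*.')) {
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -ieq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Find-CertNameMismatch {
    param(
        [Parameter(Mandatory=$true)][string[]]$Urls,
        [Parameter(Mandatory=$true)][string[]]$CertDnsNames
    )
    foreach ($url in $Urls) {
        $hostName = ([System.Uri]$url).Host
        New-Object PSObject -Property @{
            Url     = $url
            Host    = $hostName
            Covered = (Test-CertNameMatch -HostName $hostName -CertDnsNames $CertDnsNames)
        }
    }
}

# Constructed sample: a single-name certificate and the URLs a client might be handed.
# On a real server the first URL would come from
#   Get-ClientAccessServer | Select Identity, AutodiscoverServiceInternalUri
$certNames = @('mail.example.com')
$urls = @(
    'https://mail.example.com/Autodiscover/Autodiscover.xml',
    'https://mail.example.com/EWS/Exchange.asmx',
    'https://mail.example.local/Autodiscover/Autodiscover.xml',
    'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'
)

# Rows returned here are URLs whose host the certificate does not cover
Find-CertNameMismatch -Urls $urls -CertDnsNames $certNames |
    Where-Object { -not $_.Covered } |
    Select-Object Url, Host, Covered
```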