Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Outlook 2016 - the name on the security certificate is invalid
Posted on 2016-08-23
Hello,
We have just installed a new windows 2012 server running 2 hyperv servers. One being our domain controller and the other being our exchange 2016 server.
We have this working OK apart from the SSL certificate integration. ie we were getting complaints on starting up outlook regarding an invalid or untrusted certificate. I presumed that once we obtained the correct SSL, this would just disappear.
Unfortunately, having just purchased our True ID SAN from geotrust, and installed it, we are still experiencing a warning on starting outlook. This is :-
The name on the security certificate is invalid or does not match the name of the site.
I have spoken with geotrust and they tell me its because it is looking for the internal exchange 2016 name, which I can confirm is the case.
the name of the local server is exch2016.domain.local
Our SSL is to secure remote.domainname.co.uk and autodiscover.domainname.co
Geotrust say that we have to rename our local site to match??
Can anyone advise on what we need to do to resolve this problem?
We have just installed a new windows 2012 server running 2 hyperv servers. One being our domain controller and the other being our exchange 2016 server.
We have this working OK apart from the SSL certificate integration. ie we were getting complaints on starting up outlook regarding an invalid or untrusted certificate. I presumed that once we obtained the correct SSL, this would just disappear.
Unfortunately, having just purchased our True ID SAN from geotrust, and installed it, we are still experiencing a warning on starting outlook. This is :-
The name on the security certificate is invalid or does not match the name of the site.
I have spoken with geotrust and they tell me its because it is looking for the internal exchange 2016 name, which I can confirm is the case.
the name of the local server is exch2016.domain.local
Our SSL is to secure remote.domainname.co.uk and autodiscover.domainname.co
Geotrust say that we have to rename our local site to match??
Can anyone advise on what we need to do to resolve this problem?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
8 Comments
Active 4 days ago
It seems like the common name that you specified when you generated the certificate request for that Web site does not match the URL that is used to access the Web site. For example, if you access the site by typing an IP address or the server name, but the common name that is specified in the certificate request is remote.domainname.co.uk, so that is why you receive the security message.
To avoid this warning, make sure that the common name that is specified when you generate the certificate request matches the URL that will be used to access the site.
If the URL that will be used to access the site cannot be changed to match the common name on the certificate, follow these steps:
1.Create another certificate request. Make sure that the common name matches the URL that is used to access the Web site.
2.Have your certification authority generate a new certificate.
3.Use the new certificate for the Web site.
To avoid this warning, make sure that the common name that is specified when you generate the certificate request matches the URL that will be used to access the site.
If the URL that will be used to access the site cannot be changed to match the common name on the certificate, follow these steps:
1.Create another certificate request. Make sure that the common name matches the URL that is used to access the Web site.
2.Have your certification authority generate a new certificate.
3.Use the new certificate for the Web site.
Active 4 days ago
You can also check a related microsoft's article here:
https://support.microsoft.com/en-us/kb/2772058
https://support.microsoft.com/en-us/kb/2772058
Active today
many thanks for your reply.
I think my situation must be a little different, as when I asked about adding the local site to my San, geotrust told me that this was no longer allowed.
it is not actually a site which is causing the problem, it is outlook 2016 that is looking for exch2016.domain.local , and our Ssl only covers remote.domainname.co.uk
I don't understand why the local copy of outlook 2016 does not trust its own local 2016 server, but as I can't add the local name to our Ssl, I presume that we have to somehow change the local name of the exchange server.
accessing exchange remotely works fine, so I am very frustrated that I am having this problem locally.
I will check out the additional link, to see if it helps.
many thanks
I think my situation must be a little different, as when I asked about adding the local site to my San, geotrust told me that this was no longer allowed.
it is not actually a site which is causing the problem, it is outlook 2016 that is looking for exch2016.domain.local , and our Ssl only covers remote.domainname.co.uk
I don't understand why the local copy of outlook 2016 does not trust its own local 2016 server, but as I can't add the local name to our Ssl, I presume that we have to somehow change the local name of the exchange server.
accessing exchange remotely works fine, so I am very frustrated that I am having this problem locally.
I will check out the additional link, to see if it helps.
many thanks
Active today
It is itrue that using .local in DNS for certificates is no longer allowed.
You need to configure exchange so that it will use public names d(omainname.co.uk) where possible instead of .local ones. So for owa it will be mail.domainname.co.uk, for autodisover it is autodiscover.domainname.co
https://blog.digicert.com/replace-your-internal-name-certificates/
https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
You need to configure exchange so that it will use public names d(omainname.co.uk) where possible instead of .local ones. So for owa it will be mail.domainname.co.uk, for autodisover it is autodiscover.domainname.co
https://blog.digicert.com/replace-your-internal-name-certificates/
https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
Active today
sorry for the delay in updating this incident. I have been away on vacation, but now I'm back, will be addressing this issue.
will update you later today.
many thanks for your assistance
will update you later today.
many thanks for your assistance
Active today
I have now run the digicert tool which changed our local settings to autodiscover.domainname.co
I have ensured we have a Dns zone for domainname.co.uk
with an entry for autodiscover and remote (which we use externally) both pointing to the local IP address of our exchange server.
I can confirm that our current San covers both remote.domainname.co.uk and autodiscover.domainname.co
I am very frustrated, so if anyone can provide any further assistance, I would be much obliged.
it would seem that outlook is still trying to reach exch2016.domain.local. is there anything to do on outlook 2016 to stop this?
many thanks
I have ensured we have a Dns zone for domainname.co.uk
with an entry for autodiscover and remote (which we use externally) both pointing to the local IP address of our exchange server.
I can confirm that our current San covers both remote.domainname.co.uk and autodiscover.domainname.co
I am very frustrated, so if anyone can provide any further assistance, I would be much obliged.
it would seem that outlook is still trying to reach exch2016.domain.local. is there anything to do on outlook 2016 to stop this?
many thanks
Active 4 days ago
One more thing to check as are likely to have these two registry settings:
[HKEY_CURRENT_USER\Softwar
"domain.com"="c:\\auto\\au
"PreferLocalXML"=dword:000
With HKEY_CURRENT_USER\Software
for Outlook 2010
You must make this solution more robust by adding these registry entries:
"ExcludeScpLookup"=dword:0
"ExcludeHttpsAutodiscoverD
"ExcludeHttpsRootDomain"=d
"ExcludeSrvLookup"=dword:0
"ExcludeHttpRedirect"=dwor
"ExcludeSrvRecord"=dword:0
The only lookup type that will be used now, is HTTP Redirect to the XML file. If this fails, there'll be no Autodiscover.
This is an excerpt from my documentation after having implemented this solution twice with different forests, not Office 365.
For more information see here:
Potential Autodiscover Issue During E-Mail Coexistence
http://social.technet.microsoft.com/Forums/en-US/onlineservicesmigrationandcoexistence/thread/d6c69c69-6524-493b-a0c6-21c79e146ce7/
Outlook 2007 unexpectedly connects to an on-premise Exchange Server 2007 server mailbox instead of an Exchange Online server mailbox
http://support.microsoft.com/kb/956297/en-us
[HKEY_CURRENT_USER\Softwar
"domain.com"="c:\\auto\\au
"PreferLocalXML"=dword:000
With HKEY_CURRENT_USER\Software
for Outlook 2010
You must make this solution more robust by adding these registry entries:
"ExcludeScpLookup"=dword:0
"ExcludeHttpsAutodiscoverD
"ExcludeHttpsRootDomain"=d
"ExcludeSrvLookup"=dword:0
"ExcludeHttpRedirect"=dwor
"ExcludeSrvRecord"=dword:0
The only lookup type that will be used now, is HTTP Redirect to the XML file. If this fails, there'll be no Autodiscover.
This is an excerpt from my documentation after having implemented this solution twice with different forests, not Office 365.
For more information see here:
Potential Autodiscover Issue During E-Mail Coexistence
http://social.technet.microsoft.com/Forums/en-US/onlineservicesmigrationandcoexistence/thread/d6c69c69-6524-493b-a0c6-21c79e146ce7/
Outlook 2007 unexpectedly connects to an on-premise Exchange Server 2007 server mailbox instead of an Exchange Online server mailbox
http://support.microsoft.com/kb/956297/en-us
Featured Post
What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Changing a few Outlook Options can help keep you organized!
In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Servers >> Certificates…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA).
For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651
If you want to manage em…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month4 days, 17 hours left to enroll
635 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.