Suppress Outlook security alert about name mismatch on ssl certificate

Bassam Zahid
Hi,

I want to get rid of the Outlook security alert. The alert says: The name on the security certificate is invalid or does not match the name of the site.

We have on-premise Exchange 2010. The SSL certificate is issued on the external domain name but the internal domain name is different than the external one.

How can this alert be suppressed or removed?
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:

Author

Commented:
Hi,

Thanks for the quick reply, but the problem is that, coincidentally, the internal domain name conflicts with another external domain name which we do not own, so the internal domain name cannot be added to the SAN of the SSL certificate.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Hi,
You need only your external names in the certificate. If your email domain name is contoso.com, you need only these names:
1. mail.contoso.com
2. autodiscover.contoso.com
I have explained the same in my article.
You can rekey your certificate using the above posted tool.
Author

Commented:
The certificate already has these two in the SAN:
1: mail.myemaildomain.com
2: autodiscover.myemaildomain.com

What's next?
bbao, IT Consultant

Commented:
Do you and your clients have any need to access the external domain which has the same name as your internal domain? Are the two parties related, or do they have nothing to do with each other at all?

Author

Commented:
The external domain name and internal domain name are different. We own the external domain name but unfortunately the internal domain name is registered by a different party at the global domain level.

So the FQDNs of the mail servers are different from the external name.

My clients need to access the external domain as well. The SSL certificate is issued against the external domain name including the required Subject Alternative Names. When Outlook runs inside the company environment it throws the security certificate name mismatch warning.
bbao, IT Consultant

Commented:
I probably didn't phrase my previous question clearly. Say your client's internal domain is A, its external domain is B, and that same-name external domain of another party is C. Do your clients need to access C from A? Do A/B and C have a business relation in any way?
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Explained about certificate requirement and URL configuration.
I believe this can be closed.

Author

Commented:
Hi,

I am sorry I was away. The question is not answered yet.

A/B have no relation to C and therefore A/B don't need to access C or vice versa.
Just to make sure I'm understanding the setup.

Your internal server is using the same domain name as an external server (example: Microsoft.com), where there is no business relation between you and the external server's domain...

In addition, you're also trying to use a certificate for this domain name.

Is this correct?
Mahesh, Architect
Distinguished Expert 2018

Commented:
You just need to match your EWS and AutoDiscoverServiceInternalUri URLs to the external domain name so that the certificate errors go away. The articles already supplied by others would work.
A certificate rekey is not required, because anyway you cannot add your internal domain to a public certificate, and you also cannot add domain names to that certificate which you do not own.

Mahesh.
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Did you configure the URLs as per below article?
https://www.experts-exchange.com/articles/13676/Out-Of-office-not-working.html

Please post the results of these commands:
Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri
Get-OabVirtualDirectory |  fl Server,Name,internalurl,externalurl
Get-WebServicesVirtualDirectory | fl name,internalurl,externalurl
Get-ExchangeCertificate | fl issuer,services,notafter
If the same users access the server both externally and internally, the simplest approach is to make the external access available internally.
This should be solvable with a couple of firewall/DNS rules/redirections.

Author

Commented:
Here are the results of Get commands:

[PS] C:\Windows\system32>Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri


Name                           : MAILSRV1
AutoDiscoverServiceInternalUri : https://mailsrv1.internaldomain.com/Autodiscover/Autodiscover.xml

Name                           : MAILSRV2
AutoDiscoverServiceInternalUri : https://mailsrv2.internaldomain.com/Autodiscover/Autodiscover.xml

Name                           : MAILSRV3
AutoDiscoverServiceInternalUri : https://mailsrv3.internaldomain.com/Autodiscover/Autodiscover.xml



[PS] C:\Windows\system32>Get-OabVirtualDirectory |  fl Server,Name,internalurl,externalurl


Server      : MAILSRV1
Name        : OAB (Default Web Site)
InternalUrl : http://mailsrv1.internaldomain.com/OAB
ExternalUrl : https://mail.externaldomain.com/OAB

Server      : MAILSRV2
Name        : OAB (Default Web Site)
InternalUrl : http://mailsrv2.internaldomain.com/OAB
ExternalUrl : https://mail.externaldomain.com/OAB

Server      : MAILSRV3
Name        : OAB (Default Web Site)
InternalUrl : http://mailsrv3.internaldomain.com/OAB
ExternalUrl : https://mail.externaldomain.com/OAB



[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl name,internalurl,externalurl


Name        : EWS (Default Web Site)
InternalUrl : https://mailsrv1.internaldomain.com/EWS/Exchange.asmx
ExternalUrl : https://mail.externaldomain.com/ews/exchange.asmx

Name        : EWS (Default Web Site)
InternalUrl : https://mailsrv2.internaldomain.com/EWS/Exchange.asmx
ExternalUrl : https://mail.externaldomain.com/ews/exchange.asmx

Name        : EWS (Default Web Site)
InternalUrl : https://mailsrv3.internaldomain.com/EWS/Exchange.asmx
ExternalUrl : https://mail.externaldomain.com/ews/exchange.asmx



[PS] C:\Windows\system32>Get-ExchangeCertificate | fl issuer,services,notafter


Issuer   : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Services : IIS
NotAfter : 4/17/2019 6:19:06 PM

Issuer   : CN=MAILSRV1
Services : IMAP, POP, SMTP
NotAfter : 2/13/2018 1:00:36 PM

Issuer   : CN=WMSvc-MAILSRV1
Services : None
NotAfter : 2/11/2023 9:18:27 AM

Issuer   : CN=MAILSRV1
Services : IMAP, POP, SMTP
NotAfter : 2/12/2018 3:12:10 PM
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
You have to change the Autodiscover URLs to your common name, i.e. mail.externaldomain.com.
Change all internal URLs to the same as the external URLs.
This is explained in the article posted above.
If you do this for all your CAS servers, your Outlook certificate error issue will be resolved.

Furthermore,
You have to enable SMTP services on the GoDaddy certificate.
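The procedure the experts describe, written out as an added Exchange Management Shell example (this is not code from the thread or from any linked article). It assumes the names shown in the posted output (mail.externaldomain.com as the public name present in the GoDaddy certificate, CAS servers MAILSRV1..3 with internal FQDNs under internaldomain.com); the OWA, ECP and ActiveSync lines go beyond the three directories discussed in the thread and are included as the same class of change. It also makes the two assumptions that actually make the fix work: mail.externaldomain.com must resolve on the internal DNS to the CAS servers or their load balancer (split DNS), and the point is to make the names match the certificate, not to teach Outlook to ignore certificate warnings.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on an Exchange 2010 server. Names below are assumptions taken from the posted output.
$PublicHost = "mail.externaldomain.com"      # SAN entry on the public (GoDaddy) certificate
$CasServers = Get-ClientAccessServer | Select-Object -ExpandProperty Name

# Pre-flight: the public name must resolve INSIDE the LAN to the CAS/load balancer (split DNS).
# [System.Net.Dns] is used instead of Resolve-DnsName so this also works on PowerShell 2.0.
$resolved = [System.Net.Dns]::GetHostAddresses($PublicHost) | ForEach-Object { $_.IPAddressToString }
Write-Host "$PublicHost resolves internally to: $($resolved -join ', ')"

# Point every internal URL at the name the certificate actually carries.
foreach ($cas in $CasServers) {
    Set-ClientAccessServer -Identity $cas `
        -AutoDiscoverServiceInternalUri "https://$PublicHost/Autodiscover/Autodiscover.xml"
    Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
        -InternalUrl "https://$PublicHost/EWS/Exchange.asmx"
    # OAB was http:// internally in the posted output; use https so it matches the external URL.
    Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
        -InternalUrl "https://$PublicHost/OAB"
    # Generalisation beyond the thread: same change for the remaining client-facing directories.
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$PublicHost/owa"
    Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$PublicHost/ecp"
    Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
        -InternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
}

# Verify the configuration now reads the same internally and externally.
Get-ClientAccessServer | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl
Get-OabVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl

# Check the certificate the way Outlook does: a TLS handshake that validates the name.
# AuthenticateAsClient throws AuthenticationException on a name or chain mismatch.
function Test-TlsName {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "OK   $HostName -> $($cert.Subject) (expires $($cert.NotAfter))"
    } catch [System.Security.Authentication.AuthenticationException] {
        "FAIL $HostName -> $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

Test-TlsName $PublicHost                     # expected OK: name is in the SAN
foreach ($cas in $CasServers) {
    Test-TlsName "$cas.internaldomain.com"   # expected FAIL: these names are NOT in the certificate,
}                                            # which is exactly why no URL may use them

# Optional, as the expert recommends: bind SMTP to the public certificate too.
# Enable-ExchangeCertificate prompts before replacing the default SMTP certificate; answer
# No unless you intend the GoDaddy certificate to become the default for all SMTP sessions.
$public = Get-ExchangeCertificate | Where-Object { $_.Issuer -like "*Go Daddy*" -and $_.Services -match "IIS" }
if ($public) { Enable-ExchangeCertificate -Thumbprint $public.Thumbprint -Services "IIS,SMTP" }
```

Roll this out one CAS at a time, as the author did, and let Outlook pick up the new URLs through Autodiscover (Test E-mail AutoConfiguration from the Outlook tray icon shows which URLs a client received). If Test-TlsName reports FAIL for the public name from inside the LAN, the split-DNS entry or the certificate binding on the internal CAS is the problem, not the URL configuration.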

Author

Commented:
Applied the URL change on one of the mail servers in the DAG; closely monitoring the impact before moving forward.
You need to check that the external URLs work internally. If they do, internal URLs are useless altogether.

Author

Commented:
The problem was solved by changing the internal URLs as suggested by MAS.

Author

Commented:
Thanks everyone for providing your valuable guidance.