Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You receive a "The name of the security certificate is invalid or does not match the name of the site" warning when you try to connect Outlook 2007 to Small Business Server 2008



Symptoms

Consider the following scenario:
  • You have a client computer that is running Microsoft Office Outlook 2007.
  • You try to connect to an instance of Microsoft Exchange Server 2007 that is running on a Small Business Server 2008-based computer.
In this scenario, you receive the following warning message:
The name of the security certificate is invalid or does not match the name of the site.



Cause

This issue occurs if the following conditions are true:
  • You replaced the default self-signed root certificate on Small Business Server 2008 with a different certificate that is provided by a third party.



    Note A self-signed or a self-issued root certificate is created during installation, and it is renewed when you run the Fix My Network Wizard. A self-issued leaf certificate is created or updated based on the root certificate when you run the Internet Address Management Wizard and provide the domain name. Users must install a self-issued certificate on remote computers and devices by using the certificate installation package.



    For more information about how to manage Certificates on Small Business Server 2008, see the following TechNet article:
  • The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
    • The Service Connection Point object for the Autodiscover service
    • The InternalUrl attribute of Exchange 2007 Web Service (EWS)
    • The InternalUrl attribute of the Offline Address Book Web service
    • The InternalUrl attribute of the Exchange unified messaging (UM) Web service
This issue causes a name mismatch error. This error causes you to receive a security warning message when you try to connect Outlook 2007 to the mailbox server.


Note This issue applies only to Outlook clients that connect to Exchange from inside a local network, where Exchange 2007 is installed on a Small Business Server 2008 server. This issue does not apply to remote Outlook clients that connect to Exchange by using Outlook Anywhere. By default, the URL that is stored in these objects references the NetBIOS name of the server. An example is a URL that resembles the following:
https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml
This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following:
mail.contoso.com



Resolution

To resolve this issue, use the following methods.

Method 1: Use the Internet Address Management Wizard

To resolve this issue, follow these steps:
  1. Run the Internet Address Management Wizard (IAMW) by using the Windows Small Business Server 2008 (Windows SBS) console.
  2. Run the Add a Trusted Certificate Wizard from Windows SBS Console.
For more information about how to use the IAMW and the Add a Trusted Certificate Wizard in Small Business Server 2008, see the following TechNet Blog posts:
If you still receive the security warnings after you follow these steps, use Method 2.

Method 2: Change the URLs for the appropriate Exchange 2007 components

To do this, follow these steps:


Note On Small Business Server 2008, Exchange 2007 is installed as a part of the Out of the Box Experience (OOBE) Setup. When you install, all the virtual directories that relate to Exchange are created under a Web site that is named "SBS Web Applications" instead of "Default Web Site." This Web site is configured to listen on port 443 for secure HTTP requests and has a certificate binding that can be a self-issued certificate or a public certificate.
  1. Click Start, point to All Programs, point to Exchange Server 2007, and then click Exchange Management Shell.
  2. Change the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service.
    1. At the command prompt, run the following cmdlet:
      Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Change the InternalUrl attribute of the EWS.
    1. At the command prompt, run the following cmdlet:

      Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (SBS Web Applications)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Change the InternalUrl attribute for Web-based Offline Address Book distribution.
    1. At the command prompt, run the following cmdlet:

      Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (SBS Web Applications)" -InternalUrl https://mail.contoso.com/oab
  5. Change the InternalUrl attribute of the UM Web service.
    1. At the command prompt, run the following cmdlet:

      Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (SBS Web Applications)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
    Note This command is required only in an Exchange 2007 environment.
  6. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  7. Expand the local computer, and then expand Application Pools.
  8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:
  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally-accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."
In this scenario, you must add a host record for the mail host name that is mapped to the internally-accessed IP address of the CAS server to let internal clients access the server.
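
The following check is an added example, not part of the original KB article: it compares the host in each internal URL against the names on the certificate, which is the comparison that produces the warning. The function names Test-CertNameMatch and Test-InternalUrlCoverage are hypothetical helpers, and the sample URLs are constructed from the article's placeholder names.

```powershell
# Added example, not from the KB article. URLs and names below are constructed
# from the article's placeholders (ServerName, mail.contoso.com).

# $true when $HostName is covered by $CertName (exact match or one-label wildcard).
function Test-CertNameMatch([string]$HostName, [string]$CertName) {
    $h = $HostName.ToLower()
    $c = $CertName.ToLower()
    if ($c.StartsWith('*.')) {
        # "*.contoso.com" covers "mail.contoso.com" but not "a.b.contoso.com"
        $dot = $h.IndexOf('.')
        return (($dot -gt 0) -and ($h.Substring($dot) -eq $c.Substring(1)))
    }
    return ($h -eq $c)
}

# One object per URL: does any certificate name cover the URL's host?
function Test-InternalUrlCoverage([string[]]$Url, [string[]]$CertName) {
    foreach ($u in $Url) {
        $hostName = ([Uri]$u).Host
        $covered = $false
        foreach ($n in $CertName) {
            if (Test-CertNameMatch $hostName $n) { $covered = $true; break }
        }
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Url -Value $u
        $row | Add-Member -MemberType NoteProperty -Name Host -Value $hostName
        $row | Add-Member -MemberType NoteProperty -Name CoveredByCert -Value $covered
        $row
    }
}

# Constructed sample: two URLs still on the server FQDN, two already changed.
$urls = @(
    'https://ServerName.contoso.com/autodiscover/autodiscover.xml',
    'https://ServerName.contoso.com/ews/exchange.asmx',
    'https://mail.contoso.com/oab',
    'https://mail.contoso.com/unifiedmessaging/service.asmx')
Test-InternalUrlCoverage $urls @('mail.contoso.com') | Format-Table -AutoSize

# In Exchange Management Shell the real inputs can be read with, for example:
#   Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
#   Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl }
#   Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl }
#   Get-UMVirtualDirectory | ForEach-Object { $_.InternalUrl }
#   Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
#       ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() }
```

Any row where CoveredByCert is False is a URL that Outlook will still flag with the name mismatch warning. A covered host name must also resolve to the internal IP address of the CAS server, as the Important note above describes.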



More Information

The URL for the Autodiscover service is stored in the Service Connection Point object. By default, this URL references the internal FQDN of the CAS that is present when Autodiscover is installed. For example, the following URL is set:
https://servername.contoso.local/autodiscover/autodiscover.xml
In this example, the FQDN references the internal namespace. Generally, this namespace differs from the externally-accessible namespace, such as mail.contoso.com.



If the internal namespace differs from the external namespace, and if you cannot use a certificate that supports Subject Alternative Names, use the Set-ClientAccessServer task in Exchange Management Shell to change the URL. In this scenario, you must change the URL to point to the new location for Autodiscover. For example, use the following command to point to the new location for Autodiscover:

Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
For more information about third-party certification authorities that provide certificates that support Subject Alternative Names, click the following article number to view the article in the Microsoft Knowledge Base:

929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007



Keywords: kbemail, kbexpertiseadvanced, kbtshoot, kbsurveynew, kbprb, kb


Article Info
Article ID : 981954
Revision : 1
Created on : 1/7/2017
Published on : 9/10/2011
Exists online : False
Views : 448