The name of the security certificate is invalid or does not match the name of the site error?

    Question

  • I am looking for some help, folks. We are in an Outlook 2007/Exchange2010/Windows2008R2 environment.

    When users open Outlook off the network, and occasionally on the network, they get the error

    The name of the security certificate is invalid or does not match the name of the site error

    The CAS hostname is HRECAS.XXX.ORG. The URL that is listed on the SSL certificate (issued by VeriSign) is WEB.XXX.ORG. WEB.XXX.ORG is what users use to get to OWA and such.

    When I use testexchangeconnectivity.com, under certificate name validation I see an error that reads:

    Host name autodiscover.xxx.org doesn't match any name found on the server certificate CN=web.xxx.org.

    Does this mean somehow we have to add autodiscover.xxx.org on the certificate?

    I tried to add AutoDiscoverExternalUri using http://support.microsoft.com/?kbid=940726 & http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/2d0c0f5f-e4ec-4f33-a37d-b94fd7a2319f on the CAS server.

    Set-ClientAccessServer -identity HRECAS -AutodiscoverServiceExternalUri

     https://autodiscover.xxx.org/Autodiscover/Autodiscover.xml 

    I get an error that says "a positional parameter cannot be found that accepts argument '-AutoDiscoverExternalUri'".

    Can someone point out to me what I am doing wrong with the command and whether I should be concerning myself with adding that line? By the way, the InternalUrl information is already configured on the system. Also, should I edit the certificate to add autodiscover.xxx.org?

    Thanks in advance for your support.

    TD


    TD
    • Edited by TDiddles Saturday, October 15, 2011 3:42 PM
    Saturday, October 15, 2011 3:36 PM

Answers

  •  

    Hello,

     

    The most likely cause should be described in the following article:

     

    http://support.microsoft.com/kb/940726

     

    In order to understand the issue more deeply on your server, please also collect the following information for my further research.

     

    [Please provide a screenshot of the certificate warning in Outlook]

      

    [Collect AutoConfiguration Status in problematic Outlook]

    ========================================

    1. While Outlook is running, click the CTRL key and then right-click the Outlook icon in the system tray and then select “Test Email Autoconfiguration”.

    2. Confirm that your email address is in the address field, uncheck “Use Guessmart” and “secure Guessmart authentication” boxes. Then click the “Test” button.

    3. Once it runs, please send me a screenshot of the Log and Results tabs.

     

    [Certificate configuration information]

    =============================

    On CAS server, open Exchange Management Shell and type the cmdlet:

     

    Get-ExchangeCertificate |fl >c:\certlog.txt

    Get-autodiscovervirtualdirectory | fl >c:\auto.txt

    Get-clientaccessserver | fl >c:\cas.txt

     

    You can reach me at: v-simwu@microsoft.com

     

    Thanks,

    Simon

    Monday, October 17, 2011 10:08 AM
  • Hi Tapera,

     

    Thanks for the question.

     

    SRV record is a good idea. You can set the SRV to https://web.abc.com/autodiscover/autodiscover.xml but you must make sure the url can be resolved from External clients.

     

    In addition, there is still an issue. It is hard coded that Outlook will find the autodiscover in the order below:

     

    1. Access autodiscover via SCP in AD. https://web.abc.com/autodiscover/autodiscover.xml

    2. If SCP access fails, it will try: https://abc.com/autodiscover/autodiscover.xml

    3. Then https://autodiscover.abc.com/autodiscover/autodiscover.xml

    4. Local XML file

    5. SRV record

     

    As you can see, Outlook will try the SRV record last. Therefore, it will still try to access https://autodiscover.abc.com/autodiscover/autodiscover.xml each time you run Outlook. Then the certificate warning will still persist.

     

    I have a workaround solution. You can use a local policy to stop autodiscover from accessing https://autodiscover.abc.com/autodiscover/autodiscover.xml by:

     

    1.    On the Outlook client machine, open regedit and add the following key: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Autodiscover

     

             "ExcludeHttpsAutodiscoverDomain"

             "ExcludeHttpsRootDomain"

     

     

    2.    Then set the value to “1” on the above two keys.

     

    Thanks,

    Simon  

     

    Wednesday, October 19, 2011 5:53 AM
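
The lookup order in the post above, checked against a certificate's names, as an added example that is not part of the thread: for each host Outlook contacts over HTTPS it reports whether the certificate covers that name. The function names and the sample input are constructed, and the wildcard handling goes beyond the single-name certificate discussed here.

```powershell
# Added example (not from the thread). The lookup order follows the post above;
# the function names and the sample input are constructed.

function Test-NameMatch {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant()
    $c = $CertName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label: *.abc.com covers
        # web.abc.com, but not abc.com and not a.b.abc.com.
        $suffix = $c.Substring(1)
        if (-not $h.EndsWith($suffix, [StringComparison]::Ordinal)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $c)
}

function Test-AutodiscoverCertCoverage {
    param(
        [string]$SmtpDomain,     # domain part of the user's e-mail address
        [string]$ScpHost,        # host in AutoDiscoverServiceInternalUri (empty when off the network)
        [string]$SrvTarget,      # target of _autodiscover._tcp.<domain>, if one exists
        [string[]]$CertNames     # certificate CN plus any subject alternative names
    )
    # Step 4 in the post (local XML file) makes no TLS connection, so it is skipped.
    $steps = @(
        @{ Step = '1 SCP';                Target = $ScpHost },
        @{ Step = '2 HTTPS root domain';  Target = $SmtpDomain },
        @{ Step = '3 HTTPS autodiscover'; Target = "autodiscover.$SmtpDomain" },
        @{ Step = '5 SRV record';         Target = $SrvTarget }
    )
    foreach ($s in $steps) {
        if (-not $s.Target) { continue }   # step not applicable for this client
        $covered = $false
        foreach ($name in $CertNames) {
            if (Test-NameMatch -HostName $s.Target -CertName $name) { $covered = $true; break }
        }
        New-Object PSObject -Property @{
            Step = $s.Step; Target = $s.Target; Covered = $covered
        } | Select-Object Step, Target, Covered
    }
}

# Constructed input modelled on the thread: certificate issued for web.abc.com only.
Test-AutodiscoverCertCoverage -SmtpDomain 'abc.com' -ScpHost 'web.abc.com' `
    -SrvTarget 'web.abc.com' -CertNames @('web.abc.com') | Format-Table -AutoSize
```

On a CAS server, the list for -CertNames can be taken from the CertificateDomains property of the Get-ExchangeCertificate output.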

All replies

  •  

    I tried to add AutoDiscoverExternalUri using http://support.microsoft.com/?kbid=940726 & http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/2d0c0f5f-e4ec-4f33-a37d-b94fd7a2319f on the CAS server.

    Set-ClientAccessServer -identity HRECAS -AutodiscoverServiceExternalUri

     https://autodiscover.xxx.org/Autodiscover/Autodiscover.xml 

    I get an error that says "a positional parameter cannot be found that accepts argument '-AutoDiscoverExternalUri'".


    TD
    Hi TD,
    I think you should read the information again.
    There isn't any parameter called AutodiscoverServiceExternalUri (Hint: AutoDiscoverServiceInternalUri)

    Martina Miskovic - http://www.nic2012.com/
    Saturday, October 15, 2011 4:03 PM
  • I already read the document. The internal records are already there. I however read in a different document about the external records, as suggested in this link http://www.msexchange.org/articles_tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html.

    How about the question on editing the certificate to add the autodiscover URL?

     

    Thank you again.

     

    TD


    TD
    Saturday, October 15, 2011 4:13 PM
  • If you want to have autodiscover.xxx.org in your certificate, you need to get a new one.
    You cannot add that name to the certificate.

    You should run:
    Set-ClientAccessServer -identity HRECAS -AutoDiscoverServiceInternalUri https://web.xxx.org/Autodiscover/Autodiscover.xml 

    Without autodiscover in the certificate, you should create an SRV record in the DNS.
    http://support.microsoft.com/kb/940881



    Martina Miskovic - http://www.nic2012.com/
    Saturday, October 15, 2011 4:19 PM
  • Thanks again Martina.

    The command:

    Set-ClientAccessServer -identity HRECAS -AutoDiscoverServiceInternalUri https://web.xxx.org/Autodiscover/Autodiscover.xml 

    has already been run. I take it I should not worry about AutoDiscoverServiceExternalUri then.

    Will work on the DNS piece as you suggested.

    Thank you very much.


    TD
    Saturday, October 15, 2011 5:14 PM
  • Hi TD,

    Since you don't seem to have your server FQDN in your certificate, you need to make sure you configure the right URLs for webservicevirtualdirectory and oabvirtualdirectory as well (if you haven't done so already).

    I take it I should not worry about AutoDiscoverServiceExternalUri then.
    TRUE!!


    Martina Miskovic - http://www.nic2012.com/
    Saturday, October 15, 2011 5:21 PM
  • Please check your email.
    TD
    Monday, October 17, 2011 6:13 PM
  • Hi Tapera,

     

    Thanks for your email.

     

    From the log files, I found the autodiscover can be successfully accessed via https://web.abc.com/autodiscover/autodiscover.xml.

     

    I suspect the certificate warning issue occurs intermittently, doesn’t it?

     

    If the issue occurs intermittently, the cause must be that the Outlook client sometimes fails to access https://web.abc.com/autodiscover/autodiscover.xml, so it continues on to https://autodiscover.abc.com/autodiscover/autodiscover.xml.

     

    Since the host name “autodiscover.care.org” is not included in the certificate, the certificate mismatch warning window appears.

     

    To work around this issue, a recommended solution is to add “autodiscover.abc.com” to the IIS certificate you use.

     

    As for a workaround solution, you can remove the DNS record for the “autodiscover.abc.com”.

     

    If you have any question, feel free to email me.

    Tuesday, October 18, 2011 2:42 AM
  • Thank you for the feedback. Can a certificate issued by Verisign be edited to add the autodiscover.abc.com url?

    And by the way, the pop-up is only intermittent while on the network, but while off the network (Outlook Anywhere) the certificate warning comes up every time.

    What about the DNS SRV-record as suggested by someone? 


    TD
    Tuesday, October 18, 2011 2:51 AM
  • Hi,
    Have you changed the webservicevirtualdirectories URLs as I suggested earlier?
    Check the urls: Get-WebServicesVirtualDirectory | fl Name,*url*

    Run Test-OutlookWebServices , if you haven't done so already.

    No, it's not possible to edit a certificate. To add a name to the certificate you need to get a new one.

    Martina Miskovic - http://www.nic2012.com/
    Tuesday, October 18, 2011 3:47 AM
  • What is your email address? I don't want to broadcast some of the information about our environment.

    Thank you.


    TD
    Tuesday, October 18, 2011 3:58 AM
  • Here is the output of Get-WebservicesVirtualDirectory.

    (Default Web Site)
    InternalNLBBypassUrl : https://hreemail.careinc.local/ews/exchange.asmx
    InternalUrl          : https://web.xxx.org/ews/exchange.asmx
    ExternalUrl          :

    Name                 : EWS (Default Web Site)
    InternalNLBBypassUrl : https://hrecas.careinc.local/ews/exchange.asmx
    InternalUrl          : https://web.xxx.org/ews/exchange.asmx
    ExternalUrl          :

    Name                 : EWS (Default Web Site)
    InternalNLBBypassUrl : https://hrecas2.careinc.local/ews/exchange.asmx
    InternalUrl          : https://web.xxx.org/ews/exchange.asmx


    TD
    Tuesday, October 18, 2011 4:06 AM
  • Ok, so you have three CAS Servers (hreemail,hrecas,hrecas2)?
    Make sure that both of them have AutoDiscoverServiceInternalUri configured with https://web.xxx.org/Autodiscover/Autodiscover.xml 

    Without autodiscover.xxx.org in the certificate, you shouldn't have an A record for it in DNS. Remove it if you have it configured.
    Consider adding SRV-record _autodiscover._tcp.xxx.org pointing to web.xxx.org (info in the KB I posted before)

    If you have Outlook Anywhere configured, you should add ExternalURL to the WebservicesVirtualDirectory.


    Martina Miskovic - http://www.nic2012.com/
    Tuesday, October 18, 2011 4:20 AM
  • Test-OutlookWebservices Output;

    It looks like I might have too much data for this, I cannot post my reply/output. 


    TD
    Tuesday, October 18, 2011 5:05 AM
  • In looking at KB940881, it states that:

    In this example, the Autodiscover service does the following when the client tries to contact the Autodiscover service:

    1. Autodiscover posts to https://contoso.com/Autodiscover/Autodiscover.xml. This fails.
    2. Autodiscover posts to https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. This fails.
    3. Autodiscover performs the following redirect check:
      GET http://autodiscover.contoso.com/Autodiscover/Autodiscover.xml
      This fails.
    4. Autodiscover uses DNS SRV lookup for _autodiscover._tcp.contoso.com, and then "mail.contoso.com" is returned.
    5. Outlook asks permission from the user to continue with Autodiscover to post to https://mail.contoso.com/autodiscover/autodiscover.xml.
    6. Autodiscover's POST request is successfully posted to https://mail.contoso.com/autodiscover/autodiscover.xml.

    I thought (#5 above) what we were doing was suppressing the permission request from the users. We are trying to stop the certificate messages from popping up and users having to click YES to continue. Am I misreading this?


    TD
    Tuesday, October 18, 2011 5:21 AM
  • Hi Tapera,

     

    Thanks for your reply.

     

    The Outlook Anywhere must use the https://autodiscover.abc.com/autodiscover/autodiscover.xml for access because it cannot get the autodiscover via SCP.

     

    Therefore, if you need the Outlook Anywhere feature, you must include the “autodiscover.abc.com” in the certificate.

     

    For the third-party certificate question, you can ask the certificate vendor's support for a more professional suggestion. In my impression, you may not be able to add the host name to an existing certificate and you have to create a new certificate.

     

    Thanks,

    Simon

    Wednesday, October 19, 2011 2:11 AM
  • Thank you both.

    The SRV record fixed the issue for Outlook Anywhere access. However for LAN users after creating the SRV record, we get a pop up that says:

    Allow this website to configure name@xxxx.org server settings?

    https://web.abc.com/autodiscover/autodiscover.xml

    Your account was redirected to this website for settings.

    You should only allow settings from sources you know and trust.

    Is there a way to globally suppress this for all users on the LAN?

    And secondly, can the regedit fix above be globally applied using Group Policy, and thus avoid having users be prompted?

    Thank you.


    TD
    Thursday, October 27, 2011 9:23 PM
  • Hi, our company just changed to Ex2010 in December of last year, but it always pops up the autodiscover certificate error when using Outlook 2007 or 2010. I understand it may be solved by purchasing a certificate, but that has a cost and the cert. also needs to be renewed yearly. I tried many ways to bypass this warning message but they still fail, even the 2 registry keys you provided.

    "The name on the Security certificate is invalid or does not match the name of the site"

    I tried to search for how to issue an internal cert. with a Windows 2008 CA, but it seems I can't create a cert. named "autodiscover.domain.com". Is there any other way to bypass this security warning without purchasing a cert.?






    Tuesday, June 04, 2013 6:39 AM
  • Guys,

    I have three domains in my Exchange 2010 and one domain started giving this message while outside of the organization.

    After searching all the reviews, I found the solution.

    This is purely due to problems with autodiscover and DNS "A records".

    What I did was, I logged in to my cPanel for the domain, reset all the DNS entries and re-entered them. It worked.

    If this is happening within the organization domain network, just have a look on your DNS entries..

    Dilshan.

    Thursday, August 15, 2013 10:11 AM
  • The initial source of most of these queries is that

    http://support.microsoft.com/kb/940726

    Has a typo.

    Set-ClientAccessServer –AutodiscoverServiceInternalUrl -identity <servername>
    https://mail.contoso.com/autodiscover/autodiscover.xml

    Should read

    Set-ClientAccessServer –AutodiscoverServiceInternalUri -identity <servername>
    https://mail.contoso.com/autodiscover/autodiscover.xml

    Where the –AutodiscoverServiceInternalUri

    has an "i" on the end and not an "L"

    Other lines remain the same, so this is the source of the confusion.

    Wednesday, March 12, 2014 12:52 AM