The name on the security certificate is invalid or does not match the name of the site

  • Question

  • I am a Network Administrator for a small non-profit organization, and have been for a little less than a year.  We have an exchange server, call it exchange, which is still running Exchange 2007.  In addition to making several upgrades to our environment, I've been working to build a new mail server, call it mail, running 2010.

    Now I have both servers, exchange and mail, running.  Exchange still has 99.9% of our user mailboxes, while mail has a retired account and a couple of test accounts.  OWA functionality on mail is up -- you can browse out via https:// or http:// and reach it.  Unfortunately, when I open Outlook on one of the test accounts, I receive the aforementioned message:

    "The name on the security certificate is invalid or does not match the name of the site."

    We have a CA-signed certificate, and yes, our internal and external hostnames are different.  Call it npc.org (internal) vs nonprofitcompany.org (external). 

    One of the first things I did was run the following PowerShell commands in order to set our internal URLs to be the same as the external URLs:

    Set-WebServicesVirtualDirectory -Identity "mail\EWS (Default Web Site)" -InternalUrl https://mail.nonprofitcompany.org/EWS/Exchange.asmx -BasicAuthentication:$true

    Set-OabVirtualDirectory -Identity "mail\OAB (Default Web Site)" -InternalUrl https://mail.nonprofitcompany.org/oab

    Set-ActiveSyncVirtualDirectory -Identity "mail\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.nonprofitcompany.org/Microsoft-Server-ActiveSync"

    I've also used the Get command to verify that the URLs match correctly.  They do.  And lastly, I went into IIS and recycled MSExchangeAutodiscoverAppPool.  So theoretically, everything should be working now.  But every time I pull that test account up in Outlook, it takes about 15 seconds before that Security Alert comes up.

    Any ideas or suggestions?  I'm willing to forward additional logs if need be.

    Friday, September 4, 2015 1:23 PM

All replies

  • I also have a host (A) record for mail.npc.org with the correct internal IP address, which was automatically configured by the DNS Manager. A pointer in the RLZ was also automatically configured.

    MAIL     HOST (A)     192.168.x.xx     (Timestamp)

    Friday, September 4, 2015 1:58 PM
  • Hi,

    Have you configured the Autodiscover URL on the newly built Exchange 2010 server?


    Thanks & Regards S.Nithyanandham

    Friday, September 4, 2015 2:01 PM
  • What names are on the Exchange 2010 certificate?

    I'm assuming:

    mail.nonprofitcompany.org

    and

    autodiscover.nonprofitcompany.org

    ?

    And what is the Url (or rather Uri) for autodiscover?

    https://social.technet.microsoft.com/Forums/exchange/en-US/2173def6-44e5-41a3-99f5-79bdfdbdfa25/outlook-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site?forum=exchangesvrclientslegacy

    Another tip: right-click on the Outlook icon in the taskbar while holding down the Ctrl key. Select "Test E-mail AutoConfiguration". Uncheck the GuessSmart options. This should show you what URLs are being used. In fact, it might even be the UM URL that is causing the problem.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Friday, September 4, 2015 2:02 PM
  • Correct. 

    They are:

    nonprofitcompany.org
    autodiscover.nonprofitcompany.org
    mail.nonprofitcompany.org

    Running Test-Email Auto-Configuration shows the account trying to reach out to our older exchange server first, but when that fails, it redirects to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml.

    Addendum (I forgot to turn off the GuessSmart option)

    Attempting URL https://exchange.nonprofitcompany/autodiscover/autodiscover.xml found through SCP
    Autodiscover to https://exchange.nonprofitcompany.org/autodiscover/autodiscover.xml starting
    GetLastError=0; httpstatus =302
    Autodiscover to https://exchange.nonprofitcompany.org/autodiscover/autodiscover.xml failed (0x800C8204)
    Autodsicover URL redirection to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml
    Autodiscover to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml starting
    Autodiscover to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml Succeeded (0x0000000)
    Friday, September 4, 2015 2:27 PM
  • Yes.  It is https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml
    Friday, September 4, 2015 2:29 PM
  • Let's say all your vdirs are using

    https://mail.nonprofitcompany.org/*****/*****

    and your company email addresses are based on username@nonprofitcompany.org.

    a) You need to have autodiscover.nonprofitcompany.org registered in DNS somehow.
    b) Check your Outlook Anywhere settings, internal and external - are they set to the server FQDN, to mail.nonprofitcompany.com, or to something else?

    If you are setting all URLs to mail.nonprofitcompany.org, make sure Outlook Anywhere is also using the same name. Publish DNS internally and externally for these FQDNs, plus Autodiscover as mentioned above.

    Make sure certificate SAN includes

    autodiscover.nonprofitcompany.org
    mail.nonprofitcompany.org

    and the cert principal name should be mail.nonprofitcompany.org,

    and finally assign the cert to the Exchange servers for IIS.

    HTH
    Abhi

    Friday, September 4, 2015 2:36 PM
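The checklist above (every vdir URL, Autodiscover and Outlook Anywhere on a name the certificate's SAN covers) and the Test E-mail AutoConfiguration trace posted earlier can be combined into one offline check. The script below is an added example, not code from the thread or from Microsoft: it collects every hostname Outlook would contact from a set of configured URLs and from a trace, then reports the ones the certificate's SAN (or CN, when SAN is absent) does not cover. All URLs, trace lines and certificate names are constructed for illustration; the Outlook Anywhere entry is deliberately left on the internal name to show what a miss looks like.

```python
import re
from urllib.parse import urlparse

# Constructed sample: URLs a client may be handed (internal and external vdir
# settings plus Outlook Anywhere). Labels are just for the report.
CONFIGURED_URLS = {
    "EWS internal": "https://mail.nonprofitcompany.org/EWS/Exchange.asmx",
    "OAB internal": "https://mail.nonprofitcompany.org/oab",
    "ActiveSync internal": "https://mail.nonprofitcompany.org/Microsoft-Server-ActiveSync",
    "Autodiscover": "https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml",
    # Constructed: still pointing at the internal-only name, which the cert does not cover.
    "Outlook Anywhere internal": "https://mail.npc.org/rpc",
}

# Constructed Test E-mail AutoConfiguration style trace (same shape as Outlook's log).
AUTODISCOVER_TRACE = """\
Attempting URL https://exchange.nonprofitcompany.org/autodiscover/autodiscover.xml found through SCP
Autodiscover to https://exchange.nonprofitcompany.org/autodiscover/autodiscover.xml starting
GetLastError=0; httpstatus =302
Autodiscover URL redirection to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml
Autodiscover to https://mail.nonprofitcompany.org/autodiscover/autodiscover.xml Succeeded (0x0000000)
"""

# Constructed certificate identity: subject CN and the SAN dNSName list.
CERT_CN = "mail.nonprofitcompany.org"
CERT_SANS = [
    "nonprofitcompany.org",
    "autodiscover.nonprofitcompany.org",
    "mail.nonprofitcompany.org",
]


def hostnames_from_trace(trace: str) -> set[str]:
    """Pull every http(s) URL out of an Autodiscover trace and return the distinct hostnames."""
    return {urlparse(u).hostname.lower() for u in re.findall(r"https?://\S+", trace)}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive exact match, or a single
    leading '*.' wildcard that covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".nonprofitcompany.org"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def cert_covers(hostname: str, cn: str, sans: list[str]) -> bool:
    """Clients evaluate the SAN list; the CN is only consulted when no SAN is present."""
    names = sans if sans else [cn]
    return any(name_matches(n, hostname) for n in names)


def uncovered_hostnames(urls: dict[str, str], trace: str, cn: str, sans: list[str]) -> dict[str, str]:
    """Return {hostname: where it was seen} for every hostname the certificate does not cover."""
    sources: dict[str, str] = {}
    for label, url in urls.items():
        sources.setdefault(urlparse(url).hostname.lower(), label)
    for host in hostnames_from_trace(trace):
        sources.setdefault(host, "autodiscover trace")
    return {h: src for h, src in sources.items() if not cert_covers(h, cn, sans)}


if __name__ == "__main__":
    for host, src in uncovered_hostnames(CONFIGURED_URLS, AUTODISCOVER_TRACE, CERT_CN, CERT_SANS).items():
        print(f"NOT COVERED: {host}  (seen in: {src})")
```

In the constructed data the report flags mail.npc.org (the Outlook Anywhere setting left on the internal name) and exchange.nonprofitcompany.org (the old server Autodiscover tries first via SCP). The second one is served by the other server, so it has to be checked against that server's certificate rather than the new one; the first is exactly the kind of leftover that produces the "name on the security certificate is invalid" prompt. To run this against a real deployment, feed it the output of the Get-*VirtualDirectory and Get-OutlookAnywhere cmdlets and the SAN list from Get-ExchangeCertificate instead of the constructed values.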
  • I got it figured out.  Had a DNS record for the new mail server's internal IP, but didn't put a DNS Host record for the external.  In the end, it was something easy and stupid.  So while I'm simultaneously doing a happy dance for getting this, and banging my head for taking so long to get it, I thank you all for your help.  ^_^
    Friday, September 4, 2015 2:51 PM