Site name does not match name on certificate

  • Question

  • Hello,

    We recently changed from doing business under one name to a different one.  Our SSL certificate for our Exchange 2007 just expired.  Instead of renewing the old one, I bought a new one, with the new company name in the Common Name attribute of the certificate.  I then installed it.

    The problem now is that when opening Outlook, the users get a popup message saying the site name does not match the name on the certificate.  Also, OWA users cannot see their mailbox using the new name in the URL.  They can using the old name but they get the "problem with the certificate" message.  Please note:  I did not change any internal naming.  Our internal domain name remains the same.

    So my question is this:  Can I change the "site" name on Exchange to the new name?  If so, how do I go about it?  I've spent a lot of time looking for an answer but so far have not found anything definitive.  I have seen a few postings that have said it is not possible.  I'd like to confirm that before I decide what to do next.  If that is the case, it looks like my only two options are to start a new domain and install Exchange on a different box and then migrate everything over (do not want to do this!), or renew the old certificate keeping the old name on it.

    Any info would be extremely useful.  Thanks in advance.

    Thursday, May 21, 2015 6:07 PM

Answers

  • Hi,

    I agree with DJ's suggestion that you can add the old name to the new cert as an additional 'Subject Alternative Name'. Additionally, please run the following commands to check your current certificate settings:

    Get-ExchangeCertificate | fl

    Get-OwaVirtualDirectory | FL Identity,*Auth*,*url*

    We can change some related URL values to match the certificate host name that is assigned to the IIS service. To change these URLs, type the following commands in the Exchange Management Shell (supposing that mail.contoso.com is the namespace for internal and external access):

    Set-ClientAccessServer -Identity CAS_Server_Name -AutoDiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

    Then open IIS Manager, expand the server, expand Application Pools, right-click MSExchangeAutodiscoverAppPool, and select Recycle.

    For detailed information about the issue, please refer to: https://support.microsoft.com/en-us/kb/940726

    Best Regards,

    David


    Friday, May 22, 2015 7:48 AM
    Moderator
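One check that follows from the steps above, written as an added example rather than anything posted in the thread: it lists the Autodiscover and virtual-directory URLs whose host name is not on the IIS certificate, so the mismatch behind the Outlook popup can be seen before any URL is changed. The function names and the sample URLs are assumptions; the commented-out Get-* cmdlets are the real Exchange ones.

```powershell
# Added example (not from the thread): report every client-access URL whose host
# name is not covered by the certificate Exchange has bound to IIS.
# Function names and the sample data are constructed; the cmdlets are real.

function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d.StartsWith('*.')) {
            # A wildcard entry covers exactly one label to the left of the dot.
            $i = $HostName.IndexOf('.')
            if ($i -gt 0 -and $HostName.Substring($i + 1) -ieq $d.Substring(2)) { return $true }
        } elseif ($HostName -ieq $d) {
            return $true
        }
    }
    return $false
}

function Get-UncoveredUrls {
    param([string[]]$Urls, [string[]]$CertDomains)
    foreach ($u in $Urls) {
        if (-not $u -or $u.Trim() -eq '') { continue }   # an empty InternalUrl/ExternalUrl is valid
        $h = ([Uri]$u).Host
        if (-not (Test-HostCoveredByCert -HostName $h -CertDomains $CertDomains)) {
            New-Object PSObject -Property @{ Url = $u; HostName = $h }
        }
    }
}

# Live collection in the Exchange Management Shell (uncomment on the server):
# $cert        = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
# $CertDomains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
# $Urls = @(Get-ClientAccessServer          | ForEach-Object { "$($_.AutoDiscoverServiceInternalUri)" }) +
#         @(Get-OwaVirtualDirectory         | ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" }) +
#         @(Get-WebServicesVirtualDirectory | ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" }) +
#         @(Get-OabVirtualDirectory         | ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" })

# Constructed sample mirroring the thread: the new certificate carries only the new
# company name, while two URLs still use the internal and the old external names.
$CertDomains = @('mail.newname.example')
$Urls = @(
    'https://servername.internaldomain.local/owa',
    'https://mail.newname.example/owa',
    'https://servername.oldname.example/ews/exchange.asmx',
    'https://mail.newname.example/autodiscover/autodiscover.xml'
)
# Every URL listed is one Outlook or a browser will reject with a certificate-name
# warning until the URL is changed or its host name is added to the cert as a SAN.
Get-UncoveredUrls -Urls $Urls -CertDomains $CertDomains | Format-Table Url, HostName -AutoSize
```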
  • "From those suggestions it sounds like I need to change the internal url to match the external?"

    -> You need to match all your URLs (internal and external) so they match the new name that is now on the certificate (the new name of your company).

    (or add the old name to the certificate - would have to make new request with additional name).

    At least for OWA, you could leave the internal URL blank and it would still work (as long as DNS is correct). So the internal URL was possibly not even being taken into account.

    (I read this Exchange 2010 Best Practices by MS Press - Client Action section. If anyone is interested in the exact page number, I can provide that).

    http://blogs.msdn.com/b/microsoft_press/archive/2010/07/13/new-book-microsoft-exchange-server-2010-best-practices.aspx

    In other cases, you DO need this URL so I'm not saying it is not necessary at all.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, June 4, 2015 2:21 PM

All replies

  • The quick and easy thing to do is to go to whomever you purchased your new cert from and have them add the old name to the new cert as an additional 'Subject Alternative Name'. They will charge you a little bit, but you will no longer get cert errors.

    You can change your URLs in Exchange without too much hassle. It's just updating with PowerShell and making sure you have all the same entries set up for the new name in DNS that you had for the old name.

    The article below talks about changing from internal URLs to external, so it doesn't exactly match your situation, but the steps are the same:

    https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm


    DJ Grijalva | MCITP: EMA 2007/2010 SPA 2010 | www.persistentcerebro.com

    Thursday, May 21, 2015 7:06 PM
  • Thank you DJ and David for your responses and suggestions.

    From those suggestions it sounds like I need to change the internal url to match the external?  If that is correct, why would this problem not exist before?  With the old external domain name the internal url didn't match either.

    Old settings:

    Internal URL: servername.internaldomainname/owa

    External URL: servername.OLDexternaldomainname/owa

    New settings:

    Internal URL: SAME AS BEFORE

    External URL: servername.NEWexternaldomainname/owa

    If changing the internal url fixes the issue, I'm good with that.  I'm just curious as to why the issue didn't exist before when the internal/external urls didn't match.

    By the way, I contacted our SSL cert vendor and apparently we would need to buy a different type of cert to allow for SANs.

    Thanks again and I look forward to your response.



    • Edited by Mike57 Wednesday, May 27, 2015 4:39 PM
    Wednesday, May 27, 2015 4:35 PM
  • Thanks to all for taking the time. 

    I ran the commands as suggested by David and now with Outlook the security message does not come up.  So that fixed that issue.

    With OWA, there is still a little issue.  When going to the site:

    https://server.NEWname.com/owa, it redirects to https://server.NEWname.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%fserver.OLDname.com%2fowa%2f

    Why?

    After entering credentials, it goes to this page:

    https://server.NEWname.com/owa/auth/owaauth.dll and says "The webpage cannot be found"  So I click to "Go back to previous page" which takes me back to the login screen and the URL is the redirected one noted above.

    Now at this point, if I remove everything in that URL except http://server.NEWname.com/owa and hit Enter, it goes right into the mailbox.  So it is getting authenticated in the previous step.

    I really don't know what to do at this point.  Any thoughts?

    Thanks again.

    Wednesday, June 10, 2015 3:51 PM
  • Hi Mike,

    I noticed Outlook doesn't pop up the security message, and OWA has another problem.

    In order to avoid confusion and keep track of troubleshooting steps, we usually troubleshoot one issue per thread in order to find a resolution efficiently. Concerning your other question, I suggest we create a new post in the forum.

    Thank you for your understanding!

    Regards,

    David 


    Thursday, June 11, 2015 1:25 AM
    Moderator
  • Hi David,

    Since the issues with Outlook and OWA are most certainly related, I thought that it would be OK to continue this discussion in this post.  But that's OK.  I will start a new post on the OWA problem.

    Thanks,

    Mike

    Friday, June 12, 2015 3:59 PM