Sunday, June 19, 2011

Outlook: "The name of the security certificate is invalid or does not match the name of the site"

When an SBS 2008 or SBS 2008 R2 (aka SBS 2011) site is configured, sometimes you will find the local (internal) users who use Outlook 2007 or Outlook 2010 (and possibly/probably also Outlook 2003) will receive an error message when first opening Outlook that will report:

Tick - The security certificate is from a trusted certifying authority.
Tick - The security certificate date is valid.
Cross - The name on the security certificate is invalid or does not match the name of the site.

If you press "Proceed", everything runs as normal.  This is an annoying message that is caused by some improperly configured Exchange settings (normally caused by initially using a self-signed cert, then later replacing it with a purchased one), all of which are easily rectified after following KB940726, however below I've included the modified instructions for this to apply to an SBS installation.

In the following instructions, "CAS_Server_Name" should be replaced with your internal SBS name, such as "SBS2008" and "office.example.com" should be replaced with the URL you use to gain access to the SBS from the Internet. Also, all lines beginning with [PS] are single lines - everything in bold is the one command and there are no spaces between the minus signs (-) and the property names immediately after them.

  1. Start the Exchange Management Shell.
  2. To check the current settings of the ClientAccessServer property, enter the following command:
    [PS] Get-ClientAccessServer | FL
    If AutoDiscoverServiceInternalUri is not set to your external Uri (such as https://office.example.com/autodiscover/autodiscover.xml), then
    1. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, enter the following command:
      [PS] Set-ClientAccessServer -Identity "CAS_Server_Name" -AutodiscoverServiceInternalUri https://office.example.com/autodiscover/autodiscover.xml
  3. To check the current setting of the WebServicesVirtualDirectory property, enter the following command:
    [PS] Get-WebServicesVirtualDirectory
    If the InternalUrl of EWS (SBS Web Applications) is not set to your external Uri (such as https://office.example.com/ews/exchange.asmx), then
    1. Modify the InternalUrl attribute of the EWS. To do this, enter the following command:
      [PS] Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (SBS Web Applications)" -InternalUrl https://office.example.com/ews/exchange.asmx
  4. To check the current setting of the OABVirtualDirectory property, enter the following command:
    [PS] Get-OABVirtualDirectory
    If the InternalUrl is not set to your external Uri (such as https://office.example.com/oab), then
    1. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, enter the following command:
      [PS] Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (SBS Web Applications)" -InternalUrl https://office.example.com/oab
  5. To check the current setting of the UMVirtualDirectory property, enter the following command:
    [PS] Get-UMVirtualDirectory
    If the InternalUrl of UnifiedMessaging (SBS Web Applications) is not set to your external Uri (such as https://office.example.com/unifiedmessaging/service.asmx), then
    1. Modify the InternalUrl attribute of the UM Web service. To do this, enter the following command:
      [PS] Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (SBS Web Applications)" -InternalUrl https://office.example.com/unifiedmessaging/service.asmx
      Note This command is required only in an Exchange 2007 (SBS 2008) environment. This command no longer exists in an Exchange 2010 (SBS 2011) environment. Instead, the WebServices URL is used for this purpose.
  6. Open IIS Manager, expand the local computer, and then in Application Pools, right-click MSExchangeAutodiscoverAppPool and click Recycle.

Next time anyone on the LAN opens Outlook and connects to your Exchange Server, the error message will not appear as we've configured the settings in Exchange Server correctly.

Regards,

The Outspoken Wookie
Posted by Hilton Travis at 11:22 AM
Labels: ,

1 comments:

Jules said...

It can also be from when the domain has wildcard DNS enabled (I have it alot over here - and its my only criticism of Heart Internet's hosting in that it's turned on by default...)

3:46 PM

Post a Comment

Subscribe to: Post Comments (Atom)