Sunday, June 19, 2011

Outlook: "The name of the security certificate is invalid or does not match the name of the site"

When an SBS 2008 or SBS 2008 R2 (aka SBS 2011) site is configured, you will sometimes find that local (internal) users of Outlook 2007 or Outlook 2010 (and possibly/probably also Outlook 2003) receive an error message when first opening Outlook, which reports:

Tick - The security certificate is from a trusted certifying authority.
Tick - The security certificate date is valid.
Cross - The name on the security certificate is invalid or does not match the name of the site.

If you press "Proceed", everything runs as normal. This annoying message is caused by some improperly configured Exchange settings (normally the result of initially using a self-signed cert and later replacing it with a purchased one), all of which are easily rectified by following KB940726. Below I've included those instructions, modified to apply to an SBS installation.

In the following instructions, "CAS_Server_Name" should be replaced with your internal SBS name, such as "SBS2008" and "office.example.com" should be replaced with the URL you use to gain access to the SBS from the Internet. Also, all lines beginning with [PS] are single lines - everything in bold is the one command and there are no spaces between the minus signs (-) and the property names immediately after them.

  1. Start the Exchange Management Shell.
  2. To check the current settings of the ClientAccessServer property, enter the following command:
    [PS] Get-ClientAccessServer | FL
    If AutoDiscoverServiceInternalUri is not set to your external Uri (such as https://office.example.com/autodiscover/autodiscover.xml), then
    1. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, enter the following command:
      [PS] Set-ClientAccessServer -Identity "CAS_Server_Name" -AutodiscoverServiceInternalUri https://office.example.com/autodiscover/autodiscover.xml
  3. To check the current setting of the WebServicesVirtualDirectory property, enter the following command:
    [PS] Get-WebServicesVirtualDirectory
    If the InternalUrl of EWS (SBS Web Applications) is not set to your external Uri (such as https://office.example.com/ews/exchange.asmx), then
    1. Modify the InternalUrl attribute of the EWS. To do this, enter the following command:
      [PS] Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (SBS Web Applications)" -InternalUrl https://office.example.com/ews/exchange.asmx
  4. To check the current setting of the OABVirtualDirectory property, enter the following command:
    [PS] Get-OABVirtualDirectory
    If the InternalUrl is not set to your external Uri (such as https://office.example.com/oab), then
    1. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, enter the following command:
      [PS] Set-OABVirtualDirectory -Identity "CAS_Server_Name\oab (SBS Web Applications)" -InternalUrl https://office.example.com/oab
  5. To check the current setting of the UMVirtualDirectory property, enter the following command:
    [PS] Get-UMVirtualDirectory
    If the InternalUrl of UnifiedMessaging (SBS Web Applications) is not set to your external Uri (such as https://office.example.com/unifiedmessaging/service.asmx), then
    1. Modify the InternalUrl attribute of the UM Web service. To do this, enter the following command:
      [PS] Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (SBS Web Applications)" -InternalUrl https://office.example.com/unifiedmessaging/service.asmx
      Note: This command is required only in an Exchange 2007 (SBS 2008) environment. This command no longer exists in an Exchange 2010 (SBS 2011) environment. Instead, the WebServices URL is used for this purpose.
  6. Open IIS Manager, expand the local computer, and then in Application Pools, right-click MSExchangeAutodiscoverAppPool and click Recycle.

Next time anyone on the LAN opens Outlook and connects to your Exchange Server, the error message will not appear as we've configured the settings in Exchange Server correctly.
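
To check the result of the steps above, here is a read-only audit for the Exchange Management Shell (an added example, not part of the original post or of KB940726). It lists each internal URL, compares its host with the external name, and checks that host against the names on the certificate assigned to IIS. The helper function names and the CSV file name are made up for this example, and office.example.com is the post's placeholder.

```powershell
# Added example: read-only audit for the Exchange Management Shell on the SBS server.
# 'office.example.com' is the post's placeholder; replace it with your external name.
$ExpectedHost = 'office.example.com'

# Every name on the certificate(s) currently assigned to IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Hypothetical helper: is $Name covered by one of the IIS certificate names?
function Test-NameOnCert([string]$Name) {
    foreach ($n in $certNames) {
        if ($n -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.example.com matches
        # office.example.com but not a.office.example.com.
        if ($n.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Hypothetical helper: build one report row for a setting.
function New-Row($Setting, $Identity, $Url) {
    $urlHost = ''
    if ($Url) { $urlHost = ([Uri]"$Url").Host }
    $row = '' | Select-Object Setting, Identity, InternalUrl, MatchesExpected, OnIisCert
    $row.Setting         = $Setting
    $row.Identity        = "$Identity"
    $row.InternalUrl     = "$Url"
    $row.MatchesExpected = ($urlHost -eq $ExpectedHost)
    $row.OnIisCert       = (Test-NameOnCert $urlHost)
    $row
}

$rows = @(
    Get-ClientAccessServer | ForEach-Object {
        New-Row 'Autodiscover SCP' $_.Name $_.AutoDiscoverServiceInternalUri }
    Get-WebServicesVirtualDirectory | ForEach-Object { New-Row 'EWS' $_.Identity $_.InternalUrl }
    Get-OABVirtualDirectory | ForEach-Object { New-Row 'OAB' $_.Identity $_.InternalUrl }
    # Get-UMVirtualDirectory exists only on Exchange 2007 (SBS 2008).
    if (Get-Command Get-UMVirtualDirectory -ErrorAction SilentlyContinue) {
        Get-UMVirtualDirectory | ForEach-Object { New-Row 'UM' $_.Identity $_.InternalUrl }
    }
)

$rows | Format-Table -AutoSize
# Keep a record of the values as found (file name is an example).
$rows | Export-Csv .\exchange-internal-urls.csv -NoTypeInformation
```

Run it once before changing anything, so the CSV records the original values, and again afterwards. A row with OnIisCert set to False points at a host name that the IIS certificate does not cover.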

Update: Mark Wilton mentioned the following links to me also regarding this same issue:
A script to fix this issue from VirtualBarryMartin.me
Some PowerShell commands to fix the issue from Daniel Kenyon-Smith

Regards,

The Outspoken Wookie

13 comments:

Jules said...

It can also be from when the domain has wildcard DNS enabled (I have it a lot over here - and it's my only criticism of Heart Internet's hosting in that it's turned on by default...)

Anonymous said...

By far the clearest and easiest instructions to follow I have seen and I’ve been looking for the last 4 hours! Excellent, many thanks.

Anonymous said...

Thank sweet Jesus for people like you.

Brandon said...

Many thanks!!

Anonymous said...

Thanks! :)

Anonymous said...

Thank you!

Great steps

Anonymous said...

Thank you so much!! I was looking for this.
Can I add something: in the command Set-WebServicesVirtualDirectory -Identity Contoso\EWS* -ExternalUrl https://www.contoso.com/ews/exchange.asmx it worked with the * added. Perhaps handy for other users as well to know.
Your steps were really easy to follow!!

Anonymous said...

Hello, I had followed all the steps but I am still getting the warning message. Anything else that can be done? Thank you

Schlord said...

Thanks for this great Instruction!!! :-**

For those who have trouble using the Get-UMVirtualDirectory CMDlet:
In Exchange Server 2010, all the Web services required by the UM server will be hosted by the CAS server. In fact, the specific UM Web service is merged into the EWS Web service. That means no separated authentication or separated virtual directory for Exchange UM Web Service

Source: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/36cc46bf-b78f-41af-839f-92c60e9576d0/

Anonymous said...

I had been trying to get this resolved all day - until I found your post. These are the first complete instructions I have found written specifically for SBS 2008.

Many thanks. May God bless you, and I mean it, for taking the time to write this!

Anonymous said...

WOOKIE...

You da man!

Thanks for the complete info/commands on this issue.

*S*alute

Arnel said...

Hi Hilton,

I would just like to confirm. Changes in the URLs can have an impact on the email flow and could result in an issue. Are the steps reversible? Can we use the same steps to revert the changes?

Thank You,

Arnel

Anonymous said...

Thank you so so much, I have been looking everywhere to solve this issue. God bless!