Security warning when you start Outlook on Small Business Server 2008 with Exchange Server 2007 "The name of the security certificate is invalid or does not match the name of the site" (Dutch: "Naam van het beveiligingscertificaat is ongeldig of komt niet overeen met naam van de site")


This problem appears in the following situation:
You replaced the default self-signed Exchange Server 2007/2010 certificate with a new certificate.

Note: The Exchange Setup program creates the default self-signed certificate during installation of Exchange Server 2007/2010.

The name on the new certificate does not match the FQDN (fully qualified domain name) of the URL that is stored for the following objects:

  • The SCP-object (Service Connection Point) for the Autodiscover-service
  • The property InternalUrl of Exchange 2007 Web Service (EWS)
  • The property InternalUrl of the Offline Address Book web service
  • The property InternalUrl of the Exchange UM (Unified Messaging) web service

The stored URL for each of these objects points to the NETBIOS name of the server by default and looks like: https://NETBIOS_name.localdomain.local/autodiscover/autodiscover.xml

When the new certificate has a different FQDN, e.g. mail.externaldomain.com, the certificate name no longer matches the stored URLs, and Outlook shows the warning "The name of the security certificate is invalid or does not match the name of the site" when it starts.

Solution:

Change the URLs of all the objects mentioned above with the following steps:

1)
Open the Exchange Management Shell as "Administrator".

2)
Set the URL of Autodiscover in the Service Connection Point. The Service Connection Point is stored in Active Directory. Enter the following command:

Set-ClientAccessServer -Identity sbservernaam -AutodiscoverServiceInternalUri https://mail.externdomein.nl/autodiscover/autodiscover.xml

3)
Set the InternalUrl property of EWS. Enter the following command:

Set-WebServicesVirtualDirectory -Identity "sbservernaam\EWS (SBS Web Applications)" -InternalUrl https://mail.externdomein.nl/ews/exchange.asmx

Attention: (SBS Web Applications) is only valid for SBS 2008 and does not apply to Windows Server 2008 Standard. In the latter case, EWS is placed under (Default Web Site).

4)
Set the InternalUrl property for the distribution of the offline address book. Enter the following command:

Set-OABVirtualDirectory -Identity "sbservernaam\oab (SBS Web Applications)" -InternalUrl https://mail.externdomein.nl/oab

5)
Set the InternalUrl property of the UM web service. Enter the following command:
Set-UMVirtualDirectory -Identity "sbservernaam\unifiedmessaging (SBS Web Applications)" -InternalUrl https://mail.externdomein.nl/unifiedmessaging/service.asmx

6)
Set the ExternalUrl property of the EWS web service. Enter the following command:
Set-WebServicesVirtualDirectory -Identity "sbservernaam\EWS (SBS Web Applications)" -ExternalUrl https://mail.externdomein.nl/ews/exchange.asmx -BasicAuthentication:$true

Attention: This command is only valid for Exchange 2007. In Exchange 2010 the WebServices URL is used for Unified Messaging.

7) Open IIS Manager.
8) Go to local computer and Application Pools.
9) Select MSExchangeAutodiscoverAppPool and choose Recycle.

You can check the setting with: Get-WebServicesVirtualDirectory -Server <server> | fl
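
To check every URL from the steps above against the names on the certificate in one pass, the following added example (not part of the original page) lists each stored URL and whether its host name appears on the certificate enabled for IIS. It assumes it is run in the Exchange Management Shell on the Exchange server itself; sbservernaam is the page's placeholder server name and Test-CertName is a hypothetical helper.

```powershell
# Added example: compare the host in each stored URL with the certificate names.
$server = 'sbservernaam'   # placeholder server name used on this page

# Subject and subject-alternative names of the certificate(s) enabled for IIS
$names = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# URLs set in steps 2 to 6
$urls  = @((Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri)
$urls += @(Get-WebServicesVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
$urls += @(Get-OABVirtualDirectory -Server $server |
    ForEach-Object { $_.InternalUrl })
# The UM virtual directory cmdlet is only present on Exchange 2007
if (Get-Command Get-UMVirtualDirectory -ErrorAction SilentlyContinue) {
    $urls += @(Get-UMVirtualDirectory -Server $server |
        ForEach-Object { $_.InternalUrl })
}

# Hypothetical helper: exact match, or a wildcard covering one left-most label
function Test-CertName([string]$hostName, [string[]]$certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName.Contains('.')) {
            $parent = $hostName.Substring($hostName.IndexOf('.') + 1)
            if ($parent -eq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

foreach ($u in $urls) {
    if (-not $u) { continue }          # skip URLs that are not set
    $uri = [Uri]"$u"
    $status = 'MISMATCH'
    if (Test-CertName $uri.Host $names) { $status = 'OK' }
    "{0,-9} {1}" -f $status, $uri.AbsoluteUri
}
```

Any line marked MISMATCH is a URL that will still trigger the certificate name warning in Outlook.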

Attention: To successfully change these settings it is assumed that a DNS host record exists which maps the FQDN to the IP address of the CAS server. Look at the following example:

  • The original internal URLs for the Exchange services point to the internal FQDN of the server. One of the URLs points to:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN on the certificate points to the external name of the server, e.g. "mail.contoso.com."

In the above example you must add a host record that maps the mail host name to the internal IP address of the CAS server, so that internal clients can access the server.