Getting message “The name on the security certificate is invalid or does not match the name of the site” when trying to connect with Outlook 2010 or 2013 to Exchange 2007/2010/2013
For each CAS server that is installed, a Service Connection Point (SCP) record is created for the Autodiscover service for internal clients.
When I go into Outlook I get the following error:
This is because I'm connecting to services using the NetBIOS name of mbx1, which does not match the name on the certificate. If I run Get-ClientAccessServer -Identity mbx1 | FL, I'll see that the AutoDiscoverServiceInternalUri says https://MBX3/Autodiscover/Autodiscover.xml, which does not match the certificate. I can also check the other services and see that I get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange Active Sync (EAS). So I need to update all these internal URLs to match the name on the cert.
- Set-ClientAccessServer -Identity "mbx3" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml
- Set-WebServicesVirtualDirectory -Identity "mbx3\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx
- Set-OABVirtualDirectory -Identity "mbx3\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB
- Enable-OutlookAnywhere -Server mbx3 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"
- Set-ActiveSyncVirtualDirectory -Identity "mbx3\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync
Note: If your customer does decide to enable OA externally, the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the end point property in the client.
For clients to connect to the OA service using a Subject Alternative Name (SAN) certificate where the CPN does not match the msstd value configured in the Outlook client profile (but the URL is listed in the SAN part of the certificate), certain conditions need to be met:
- Outlook 2007 or higher
- Vista SP1
Then when you open Outlook you should no longer get the cert error!
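To confirm the change without opening Outlook, the check below compares the host name each service publishes with the names on the IIS certificate. It is an added example, not part of the original post; it assumes the Exchange Management Shell and the server name mbx3 used above, and the helper functions Get-UrlHost and Test-NameOnCert are hypothetical names defined in the block.

```powershell
# Added example (read-only): run in the Exchange Management Shell.
$server = 'mbx3'   # CAS server name from the commands above

# Names (subject and SAN entries) on the certificate(s) enabled for IIS.
# If more than one certificate is enabled for IIS, their names are pooled.
$certNames = @(Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Sort-Object -Unique)

# Host part of a URL, or nothing when the URL is not set.
function Get-UrlHost($Url) { if ($Url) { ([uri]"$Url").Host } }

# True when the host name is listed on the certificate.
function Test-NameOnCert([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Host name each service currently hands to clients.
$hosts = @{
    'Autodiscover SCP' = Get-UrlHost (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    'EWS'              = Get-UrlHost (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
    'OAB'              = Get-UrlHost (Get-OabVirtualDirectory -Server $server).InternalUrl
    'ActiveSync'       = Get-UrlHost (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl
    'Outlook Anywhere' = "$((Get-OutlookAnywhere -Server $server).ExternalHostname)"
}

"Certificate names: $($certNames -join ', ')"
foreach ($svc in $hosts.Keys) {
    $h = $hosts[$svc]
    if (-not $h) { $status = 'not set' }
    elseif (Test-NameOnCert $h $certNames) { $status = 'OK' }
    else { $status = 'MISMATCH' }
    '{0,-18} {1,-30} {2}' -f $svc, $h, $status
}
```

Any line reporting MISMATCH names a service that will still trigger the certificate warning in Outlook.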