Microsoft KB Archive/940726

= Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: &quot;The name of the security certificate is invalid or does not match the name of the site&quot; =

Article ID: 940726

Article Last Modified on 12/11/2007

-

APPLIES TO


 * Microsoft Exchange Server 2007 Enterprise Edition
 * Microsoft Exchange Server 2007 Standard Edition
 * Microsoft Office Outlook 2007

-



SYMPTOMS
When you start Microsoft Office Outlook 2007 and then connect to a mailbox that is hosted on a mailbox server that is running Microsoft Exchange Server 2007, you receive the following security warning message:

The name of the security certificate is invalid or does not match the name of the site.

Note The scenario that is described in this article only applies to Outlook clients that connect to Exchange from inside the local network. The scenario that is described in this article does not apply to remote Outlook clients that connect to Exchange by using Outlook Anywhere.



CAUSE
This issue occurs if the following conditions are true:
 * You replace the default self-signed Exchange 2007 certificate with a different certificate.

Note The Exchange 2007 Setup program creates a default self-signed certificate when Exchange 2007 is installed.
 * The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
 * The Service Connection Point object for the Autodiscover service
 * The InternalUrl attribute of Exchange 2007 Web Service (EWS)
 * The InternalUrl attribute of the Offline Address Book Web service
 * The InternalUrl attribute of the Exchange unified messaging (UM) Web service

By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following URL is stored:

https:// .contoso.com/autodiscover/autodiscover.xml

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following FQDN:

mail.contoso.com

This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox. 

RESOLUTION
To resolve this issue, modify the URLs for the appropriate Exchange 2007 components. To do this, follow these steps:  Start the Exchange Management Shell. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:

 Set-ClientAccessServer -Identity  -AutodiscoverServiceInternalUri https:// .contoso.com/autodiscover/autodiscover.xml 

 Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

 Set-WebServicesVirtualDirectory -Identity &quot; \EWS (Default Web Site)&quot; -InternalUrl https:// .contoso.com/ews/exchange.asmx 

 Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

 Set-OABVirtualDirectory -Identity &quot; \oab (Default Web Site)&quot; -InternalUrl https:// .contoso.com/oab 

 Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:

 Set-UMVirtualDirectory -Identity &quot; \unifiedmessaging (Default Web Site)&quot; -InternalUrl https:// .contoso.com/unifiedmessaging/service.asmx 

 Open IIS Manager. Expand the local computer, and then expand Application Pools.</li> Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.</li></ol>

Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. Consider the following sample scenario: <ul> The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:

https:// .contoso.com/ews/exchange.asmx

</li> The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as &quot;mail.contoso.com.&quot;</li></ul>

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

<div class="moreinformation_section">

MORE INFORMATION
The URL for the Autodiscover service is stored in the Service Connection Point object. By default, this URL references the internal FQDN of the CAS that is present when Autodiscover is installed. For example, the following URL is set:

https:// .contoso.local/autodiscover/autodiscover.xml

In this example, the FQDN references the internal namespace. Generally, this namespace differs from the externally-accessible namespace, such as mail.contoso.com.

If the internal namespace differs from the external namespace, and if you cannot use a certificate that supports Subject Alternative Names, use the Set-ClientAccessServer task in Exchange Management Shell to modify the URL. In this scenario, you must modify the URL to point to the new location for Autodiscover. For example, use the following command to point to the new location for Autodiscover:

Set-ClientAccessServer –AutodiscoverServiceInternalUri https:// .contoso.com/autodiscover/autodiscover.xml

For more information about third-party certification authorities that provide certificates that support Subject Alternative Names, click the following article number to view the article in the Microsoft Knowledge Base:

929395 Unified Communications Certificate Partners for Exchange 2007 and for Communications Server 2007

Additional query words: XADM EWS

Keywords: kberrmsg kbtshoot kbprb KB940726

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.