"Name on the Security Certificate is Invalid or Does not Match..." using Outlok 2007 w/ Exchange 200

  • Thread starter Craig Regester
Not open for further replies.

Curt L

Also, just another tidbit of info. Wildcard certs are not supported in Windows Mobile 5, so if you have any of those devices, don't do it.

Curt L

Also be aware that Windows Mobile version 5 does not support wildcard certs so if you have any mobile users using that platform don't do it.


I've seen a way to suppress this error in Outlook using the resource kit and a GPO, but I can't find it again. Will post when I do.


I figured out a quick workaround. For the base IP address of the server I added a self-signed cert that points to the internal name of the server. That of course broke OWA from the outside. I then bound a second IP address to the server and changed my firewall NATs to direct external traffic to the new IP address. I then added the new IP to IIS and used the public cert for the new address.

so far everything looks good.

Now if anyone can tell me how to masquerade my SMTP mail to my external FQDN, I'll be very happy


jml44 wrote:

In addition to that last command, check out this article:


I know this is an old thread, but here is what we were facing:

Internal Exchange 2007 (Server 2008): server9.internal.domain.name

External Exchange 2007: webmail.domain.com

We purchased a SSL Cert through GoDaddy for webmail.domain.com, but did not include the additional host names in the CSR.

Some users are running Outlook 2003, some Outlook 2007. The Outlook 2007 users were getting the error in the subject heading of this thread. I followed the instructions from the KB article above, (http://support.microsoft.com/kb/940726) and that resolved the problem perfectly!


For the record, if one ever deletes the self-signed SSL cert created by Exchange 2007, you only need to run this command in the Exchange PowerShell:

New-ExchangeCertificate -PrivateKeyExportable $True -Services "IMAP, POP, IIS, SMTP" -SubjectName "cn=[Your server name]"

and the cert is back



The fix for me was 2 things. Firstly, I had a second IP address bound to my NIC and the cert was not matching up to that, so I removed the second IP on the NIC. Secondly, in IIS default website Bindings, I bound https 443 to my correct IP address (rather than All Assigned) and restarted. Thirdly, an nslookup from outside my domain had mismatching IPs for autodiscover.domain.com and email.domain.com, so I went to Network Solutions and changed autodiscover.domain.com to the same IP as my email.domain.com.

good luck


Hi All,

1) I am using Windows SBS Server 2008 with Exchange 2007 installed on it, with all the certificates configured internally. We haven't purchased a certificate from any outside authority yet.

2) Also, users were getting the error message "The name on the security certificate is invalid or does not match the name of the site" in Outlook. To resolve this issue I followed the steps mentioned at "http://support.microsoft.com/kb/940726" & "http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/697f79e2-ca8f-4a2e-bae5-55d3fa7f703f/?prof=required", however I was able to run only the first command, as I was unable to find "EWS (Default Web Site)", "oab (Default Web Site)", "unifiedmessaging (Default Web Site)".

3) After researching, I ran the following commands to get the status and location of WebServicesVirtualDirectory, OABVirtualDirectory & UMVirtualDirectory

[PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl

Name : EWS (SBS Web Applications)

Server : PASVR01

InternalUrl : https://sites/EWS/Exchange.asmx

ExternalUrl :

[PS] C:\Windows\System32>Get-OABVirtualDirectory | fl

Name : OAB (SBS Web Applications)

Server : PASVR01

InternalUrl : https://sites/OAB

ExternalUrl :

[PS] C:\Windows\System32>Get-UMVirtualDirectory | fl

Name : UnifiedMessaging (SBS Web Applications)

Server : PASVR01

InternalUrl : https://sites/UnifiedMessaging/Service.asmx

ExternalUrl :

4) Then, after getting the correct locations of all the directories, I ran the following commands to change the internal URL on existing certs

Set-ClientAccessServer -Identity PASVR01 -AutodiscoverServiceInternalUri https://pasvr01/owa/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -InternalUrl https://pasvr01/owa/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -InternalUrl https://pasvr01/owa/oab

Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -InternalUrl https://pasvr01/owa/unifiedmessaging/service.asmx

5) However, this didn't resolve our issue, so I ran the following commands to change the external URL on existing certs

Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/oab

Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/unifiedmessaging/service.asmx

6) I also tried running New-ExchangeCertificate -PrivateKeyExportable $True -Services "IMAP, POP, IIS, SMTP" -SubjectName "cn=PASVR01", as I have deleted one of the certificates on this server in the past.

7) Following was the status of internal and external URL.

[PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl

Name : EWS (SBS Web Applications)

Server : PASVR01

InternalUrl : https://pasvr01/owa/ews/exchange.asmx

ExternalUrl : https://exchange. exchange.domain.com /owa/ews/exchange.asmx

[PS] C:\Windows\System32>Get-OABVirtualDirectory | fl

Name : OAB (SBS Web Applications)

Server : PASVR01

InternalUrl : https://pasvr01/owa/oab

ExternalUrl : https://exchange. exchange.domain.com/owa/oab

[PS] C:\Windows\System32>Get-UMVirtualDirectory | fl

Name : UnifiedMessaging (SBS Web Applications)

Server : PASVR01

InternalUrl : https://pasvr01/owa/unifiedmessaging/service.asmx

ExternalUrl : https://exchange. exchange.domain.com/owa/unifiedmessaging/service.asmx

10) Still we are facing this issue of "The name on the security certificate is invalid or does not match the name of the site" in Outlook.


Thanks in Advance,


Adam Schwartz

For what it's worth (a few months after the post), I just had the same problem and solved it after HOURS of research and testing.
First off, I'm running SBS 2008 with Exchange 2007. I originally had a plain vanilla SSL cert from GoDaddy. I soon realized that there was a difference between the servername on my cert and my local server. So I revoked it and got a UCC Multiple Domain Certificate from GoDaddy, complete with a bunch of URLS:
This didn't solve the problem, so I got into the Exchange Command Shell and started testing URLs. Clearly, the problem had to do with URLs that started with https://sites/... I could see that "sites" was coming up on the Outlook certificate name mismatch error.
I discovered the world of InternalUrl and ExternalUrl on each of the sites in my server. Many of them were set to https://sites/... I also found a cool trick: right-clicking on the Outlook icon on the client machine allowed me to test the autodiscover service and settings, which showed a few instances of https://sites...
I learned how to check the URL of each of these sites through the following commands:
get-AutoDiscoverVirtualDirectory | FL
Get-UMVirtualDirectory | FL
Get-OABVirtualDirectory | fl
Get-WebServicesVirtualDirectory | fl
Each of these had an internalUrl that started with https://sites/... and each had no externalUrl.
I updated each of the internal URLs to look better with commands such as:
SET-OABVirtualDirectory -identity "OAB (SBS Web Applications)" -InternalUrl https://myserver.mydomain.local/...
In the end, still no luck. On a whim I tried setting the ExternalUrls for each service with commands like:
SET-OABVirtualDirectory -identity "OAB (SBS Web Applications)" -ExternalUrl https://myserver.mydomain.com/...
And it worked! So, pain in the ____, and I don't know why I had to change the externalUrls, but it worked.


I'm having SSL certificate problems in Exchange with Outlook 2007; however, I need to see what current domain names it's popping up with. I have run this command in the Exchange Management Shell and I get the following.

[PS] C:\Windows\System32>get-AutoDiscoverVirtualDirectory | FL

Get-AutodiscoverVirtualDirectory : Unable to create Internet Information Servic

es (IIS) directory entry. Error message is: Access is denied.

> HResult = -2147024891.

At line:1 char:33

+ get-AutoDiscoverVirtualDirectory <<<< | FL

What am I doing wrong????????

Thanks in advance

Kenneth MacDonald

Unbelievably, this worked for me...

Go into IIS and into your Application Pools for your exchange server. Right click 'MSExchangeAutodiscoverAppPool' and click 'Recycle'.

That's all I had to do...


Try this:

In Outlook, go to Account Settings => MS Exchange server => Change => More Settings => Connection => Exchange Proxy Settings.

Uncheck "Only connect to proxy servers that have this principal name in their certificate:"

Restart Outlook


You need to right-click the "Exchange Management Shell" and select "Run as Administrator" or log in as the domain/local administrator.

This should allow you to run this command.


I had this problem after installing Exchange 2007 SP2.. a bit late with applying SP2 I know.

It took me a good 8 hours of frustration with some breaks in between before I worked out 3 things:
I didn't read KB940726 http://support.microsoft.com/kb/940726 carefully as it wasn't making sense to me to include the external certificate url for the internal cas and at first I was only using the internal names. The commands from that KB in Powershell worked, however the problem didn't go away until I logged in with the Exchange admin rights and performed those commands... I'm still not sure if this is needed, but it worked on these servers I had.
Added entries for the external cert url in the hosts files of both cas servers - this might be an issue for some that need to get to it from the internal LAN, in my case this is not needed.

The topology I had this problem with was the following:

> Exchange 2007 running on WS2008 with roles of CAS, Mailbox, hub transport server

> Exchange 2007 running on WS2008 with roles of CAS server that has the external certificate installed and is configured for OWA from the internet

> Client configurations: Citrix servers running Outlook 2007 SP2

Prior to applying SP2 we had never seen or had Outlook certificate errors and I built both servers from scratch in late 2008... so this was weird to me how I didn't need to run or configure the servers to know about the external cert back then... maybe it's something new with SP2 for 2010?


Yes YES, perfect resolution.

Set-ClientAccessServer -Identity CASservername -AutodiscoverServiceInternalUri https://mail.yourmailnamehere.com/autodiscover/autodiscover.xml

Our situation: Exchange 2007, internal Office 2007, external IE 8. Applied a new GoDaddy SSL cert to our Exchange 2007, which serves out our OWA web mail too, to enable SSL for the outside OWA. Worked great, but that broke the internal users, who then started to get the error of not a trusted site blah blah above...only Outlook 2007 users...2003 worked fine.

After running the above command, with my info in it, poof, instant fix! No reboot needed, no services bounced, nothing, the user just needed to close and reopen outlook, whoot!



Well I figured out what my problem is. Read this article from the MS Exchange team.


This worked. You need to make sure you know what domain names you have in your UCC certificate.

My problem was I didn't own the internet domain name that was the same name as our internal domain.

Exchange uses https://netbiosname.domainname.com/virtualdir as the link to the Exchange services for Outlook 07 and Outlook 10. And since I wasn't able to have server.domainname.com in the certificate, I had to change it to the name I did have in there, which was just the server name. Here are the commands I had to run. As soon as I ran them, closed and opened Outlook, there were no more "certificate error" prompts.

Old setting

Set-ClientAccessServer -Identity SERVER -AutodiscoverServiceInternalUri https://SERVER.infinityinvestmentsinc.com/Autodiscover/Autodiscover.xml


Set-ClientAccessServer -Identity SERVER -AutodiscoverServiceInternalUri https://SERVER/Autodiscover/Autodiscover.xml


Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl https://SERVER.infinityinvestmentsinc.com/EWS/Exchange.asmX


Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -InternalUrl https://SERVER/EWS/Exchange.asmx


Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl http://SERVER.infinityinvestmentsinc.com/OAB


Set-OABVirtualDirectory -Identity "SERVER\oab (Default Web Site)" -InternalUrl https://SERVER/OAB

I hope this helps someone out. It took me a while to figure out but it is all good now.



This all works well if you have the server names on the cert.

My scenario is I have a wildcard cert (*.domain.com) for all internet facing devices and services and like you, I have an internal domain that I do not own (internaldomain.com). I couldn't just use the server (netBios) name like you did because my cert only accepts URLs with the wildcard nomenclature anyname.externaldomain.com.

Therefore all I did was take what you did and add my external domain suffix to the end of the server name.

e.g. Set-ClientAccessServer -Identity SERVER -AutodiscoverServiceInternalUri https://SERVER.externaldomain.com/Autodiscover/Autodiscover.xml

One important (and obvious to most in the IT arena) tidbit is that you must have dns configured correctly internally so that it points to the internal server IP from the internal network (e.g. exchange-CAS.externaldomain.com A-record points to 192.168.XXX.XXX). I have access to all services so this wasn't a problem for me, but for some you may have to talk to your network folks to have them add this to your DNS servers.

Anyway, thank you so much for the cmdlets. All is well now.
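
The posts above all come down to one check: every host name in the URLs that Autodiscover hands to Outlook 2007 must be covered by the certificate bound to IIS, and a wildcard name covers exactly one label. The script below is an added example, not part of any post in this thread; it only reads configuration, `Test-NameCovered` is a helper defined for the example, and it assumes the first certificate enabled for IIS is the one clients are served.

```powershell
# Added example, not from the thread. Run in an elevated Exchange Management Shell.
# Assumption: the first certificate enabled for IIS is the one clients are served.
$cert  = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$names = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Test-NameCovered is a helper defined here, not an Exchange cmdlet.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            # A wildcard stands for exactly one label: *.domain.com covers
            # mail.domain.com, but not domain.com, a.b.domain.com or a bare NetBIOS name.
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

# Gather every URL that Autodiscover hands to Outlook 2007.
$found = @()
foreach ($cas in @(Get-ClientAccessServer)) {
    $found += ,@("$($cas.Name) AutodiscoverServiceInternalUri", $cas.AutoDiscoverServiceInternalUri)
}
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OABVirtualDirectory) + @(Get-UMVirtualDirectory)
foreach ($vd in $vdirs) {
    $found += ,@("$($vd.Name) InternalUrl", $vd.InternalUrl)
    $found += ,@("$($vd.Name) ExternalUrl", $vd.ExternalUrl)
}

"Certificate $($cert.Thumbprint) covers: " + [string]::Join(', ', $names)
foreach ($item in $found) {
    if (-not $item[1]) { continue }          # URL not set (e.g. an empty ExternalUrl)
    $hostName = ([System.Uri]"$($item[1])").Host
    if (Test-NameCovered $hostName $names) { $status = 'OK' } else { $status = 'MISMATCH' }
    '{0,-9}{1,-55}{2}' -f $status, $item[0], $item[1]
}
```

Any line marked MISMATCH is a URL whose host name Outlook 2007 will not find on the certificate, such as the `https://sites/...` values shown earlier in the thread.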


hey guys,

herewith the solution:

in most cases the problem is with the DNS, so on the client computers (those which are running outlook express 2007) you have to modify the host file in Windows, usually located in:


open the file and at the end add an entry like


e.g.: CANGOO.domain.local

after adding this line I started the Office application, with a startup error message about the certificate. I clicked OK -> the Outlook startup continued and then asked me to allow (add) a certificate (which I had created earlier - self-signed). I added it to the Trusted Root Certification Authorities folder and VOILA...

everything was solved and worked fine... no need to buy expensive SNA certificates (if you don't want :) )

hope this will help...
