"Name on the Security Certificate is Invalid or Does not Match..." using Outlook 2007 w/ Exchange 200


Craig Regester

Good afternoon!

We just completed our Exchange 2007 implementation (migration from Exchange 2003... a fun romp of 24 straight hours for the final push) and noticed an error that only occurs on Outlook 2007 clients connecting to the Exchange 2007 server: "Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".

Now, I've done my reading into this and have determined that due to how Outlook 2007 clients managed their OAB, it is essentially through a web virtual directory now, no longer through Public Folders and this is essentially the base of our issue. See, our mail server has an internal FQDN of mail.ourdomain-domain.com whereas it has an external FQDN (which is what the SSL Cert is tied to) of owa.ourdomain.com.

So, essentially what I'm seeing is our internal Outlook 2007 clients (limited to I.S. employees only right now, thankfully) are seeing this SSL error because Outlook 2007 is trying to pick up the OAB using the internal FQDN instead of the external FQDN (which would work as well, due to some internal DNS trickery we have configured).

My question is (finally), is there a way to circumvent this internally so we never see this SSL error prompt or a way to force Outlook 2007 to use the external FQDN? I have made sure all the settings in Exchange Management Console for OAB and the like have both the internal and external FQDN set to owa.ourdomain.com (the valid SSL name), but it does not appear to have made a difference. Granted, I have not rebooted... but I do not think that is necessary in this instance.

Any suggestions would be appreciated. Thanks!!

Shawn Westerhoff

We have a similar problem in that our SSL certificate shows secure.domainname.com rather than the hostname of the Exchange server. As we have SSL enabled applications OTHER THAN EXCHANGE, we do not want Exchange 07 to redirect to the machine name but instead to a relative path UNDER the URL specified by the client request:

https://secure.domainname.com/exchange is how a user would get to OWA, and we want any redirection to go to https://secure.domainname.com/owa and so on. So far we can not see where in IIS we would make that change.

Also, messages work to Palm 700p devices but we get a failure on other content, like appointments and contacts. The error is related to the SSL certificate not matching the Exchange server. I will post the error in a while.

Does anyone know how to tell IIS/OWA to redirect to a relative path?

Shawn Westerhoff

Following up, the Palm 700p error message when trying to use ActiveSync is:

There was a problem syncing events. Can't connect to server. Please check your network or server settings and try again: AirSAMStateMachine.c 530 3

And we have a valid SSL Cert from a root CA. The error is ONLY on non-email items, so we assume when the app goes to a specific application on the web server, it is redirected using the hostname of the server, not a relative path.

Joey B


We are having the exact same issue. Were you ever able to resolve this?

Scott Frazer

We're seeing this issue as well. Server name is mail02b.{domainname.net} but externally is accessed at exchange.{domainname.com} so we got the SSL cert for exchange.{domainname.com} and set IIS up to redirect the website users appropriately. That all works fine, but Outlook 2007 is apparently stuck with accessing the server at mail02b.{domainname.net} and as such pops a cert not valid error when starting up.


Have you found a solution to this issue yet? I'm having the same problem. If there is no fix for this, Microsoft needs to create one as more and more companies switch to 2007.


Like all of you, I have the same issue, and I'm sure there will be many more. Luckily, I only have a handful of users on Outlook 2007, and they have just been dealing with it for about a month now. The best answer I have gotten from anyone is to get a wildcard cert of *.domainname.com. I have not tried this yet, so it's still theory to me whether Exchange 2007 will let it fly or not. On top of that... wildcard certs cost a good bit more than the typical certificate. :(

I agree that a better solution should come from Microsoft about how to deal with their new changes.



Hello Guys,

After a few days of research, I found the matter of this problem, and I wanted to post this because I hope you won't waste the time as I did.

The problem is much simpler than you think, because Exchange autogenerates the certificate even if a CA is not present in the AD.

Then when you would like to use Outlook Anywhere, you have to generate a certificate with an external name, otherwise RPC over HTTPS won't work. But if you do this, Outlook 2007 shows the certificate error when you open it.

To solve the problem we need to generate a certificate with multiple server names. You must generate the request directly from the Exchange Management Shell.

Follow the instructions at this link:





Manu_it wrote:

Hello Guys,

After a few days of research, I found the matter of this problem, and I wanted to post this because I hope you won't waste the time as I did.

The problem is much simpler than you think, because Exchange autogenerates the certificate even if a CA is not present in the AD.

Then when you would like to use Outlook Anywhere, you have to generate a certificate with an external name, otherwise RPC over HTTPS won't work. But if you do this, Outlook 2007 shows the certificate error when you open it.

To solve the problem we need to generate a certificate with multiple server names. You must generate the request directly from the Exchange Management Shell.

Follow the instructions at this link:





The solution of Emanuele is only useable for a new certificate request. I have an existing certificate and don't want to generate (and pay for) a new one.

Is there another solution? I also found this article but did not test it: http://www.pro-exchange.be/modules.php?name=News&file=print&sid=345



I too have spent much time trying to find a reasonable solution to this problem of the Outlook 2007 client producing an error "The name on the security certificate is invalid or does not match the name of the site". Of all my researching though, I have not found anything that has been put out by Microsoft to directly address this. This is going to continue to become a significant issue as more and more businesses migrate to the new technologies of the 2007 product line. I hope we can get a resolution from Microsoft soon. --BN


Hello, I went to Vista here a week ago. I am running 64-bit Ultimate and I am having constant Certificate invalid messages in IE7 as well. I just installed my copy of Office 2007 Enterprise edition and whenever I open up Outlook I get the same "security certificate that can't be verified" message, and I am using Comcast for email. Now on IE7, when I look at the certificate issuing authority it says the name of the website (take USAA for example, it says it was issued 12/06 and is valid until 12/09, and says it is from www.usaa.com) when they are actually (according to the site and other computers I checked) by a certificate authority. I was running XP Pro 64 bit with IE7 and didn't encounter these problems, but Vista is starting to torque me off now! At least when I went to Firefox it didn't have the certificate errors! Oh, BTW, I have disabled/uninstalled Defender, the UAC and all that other garbage that is in Vista, if that helps! Hell, I even tried dropping the internet and intranet security settings to their lowest and still get the certificate issues! Might roll on back to XP next weekend!!


Someone can feel free to correct me if I'm off, but...

The rollback to XP will not remove the certificate issue. However, roll back to Office 2003, and I feel comfortable saying your problem will probably go away. At least in my environment... I have XP and Vista boxes, and the only ones with certificate problems are the ones with Office 2007 installed.

Brian Allard

Having the same issues on our network. I'm hoping there's a work-around for this soon.

Oguz Mazlum

There is a workaround. I have deployed OWA with ISA 2006. I already had a 3rd party certificate. The certificate was issued for the following address: webmail.domain.com. I could not use this certificate on the new Exchange 2007 server. To get rid of the certificate error for Outlook users internally, I have created a certificate request on the Exchange 2007 server with the PowerShell cmdlet:

New-ExchangeCertificate -generaterequest -subjectname "C=NL,DC=Organisationname,O=Org description,CN=domain.com" -domainname webmail.domain.com,autodiscover.domain.com,cas1.domain.local,cas1 -path c:\certrequest_cas01.txt

This is a certificate request with multiple host and domain names. There is the external domain name and also the local domain name on the certificate.

After creating the request, I opened my DC certificate services from IE, selected Request a certificate and then advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the CSR that is created with the Exchange cmdlet into the field and select the Web server certificate template. Then submit the request. The certificate will be created; download it and place it somewhere.

Import the created certificate into the Exchange server with the cmdlet and not with the certificate MMC snap-in. After importing the certificate, change the certificate on IIS to the newly created certificate. The clients must have the certificate authority root cert on the client PCs. That is achieved when you have already deployed certificate services on your network. The certificate error must disappear and OWA will also work just fine. This is only to fix the cert problems internally. If you want to deploy autodiscover.domain.com on the external side of your network then you must buy a 3rd party UC with multiple hostnames.

I have put the following host and domain names in the cert request.

- domain.com (external domain)
- webmail.domain.com
- autodiscover.domain.com
- cas1 (exchange server name)
- cas.domain.local
- domain.local (internal domain)

I hope that will solve your problem.
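
The name check behind this warning, as an added example that is not part of the original posts: it compares the names on a certificate with the hosts a client connects to, using the -domainname list from the post above. The list of hosts an internal Outlook 2007 client contacts is a constructed assumption, and the matching is a simplified single-label wildcard rule.

```python
# Added example, not code from the thread. Matching is simplified:
# case-insensitive, and a wildcard covers exactly one leftmost label.

def name_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (possibly '*.example.com') covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require two fixed labels after '*', so a bare short name never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, client_hosts):
    """Hosts the client connects to that no name on the certificate covers."""
    return [h for h in client_hosts
            if not any(name_matches(n, h) for n in cert_names)]


# From the post above: the -domainname list of the certificate request.
SAN_CERT = ["webmail.domain.com", "autodiscover.domain.com",
            "cas1.domain.local", "cas1"]
# Single external name, the situation of the posters who see the warning.
SINGLE_NAME_CERT = ["webmail.domain.com"]
# Wildcard certificate suggested earlier in the thread.
WILDCARD_CERT = ["*.domain.com"]

# Constructed assumption: hosts an internal Outlook 2007 client may contact
# (OWA name, Autodiscover, and the server's internal FQDN and short name).
INTERNAL_CLIENT_HOSTS = ["webmail.domain.com", "autodiscover.domain.com",
                         "cas1.domain.local", "cas1"]

if __name__ == "__main__":
    for label, names in [("multi-name", SAN_CERT),
                         ("single-name", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT)]:
        missing = uncovered(names, INTERNAL_CLIENT_HOSTS)
        print(f"{label}: {'no mismatch' if not missing else missing}")
```

Under this rule the wildcard certificate still leaves the internal .local name and the short server name uncovered, which is why the multi-name request lists them explicitly.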

Brian Allard

I've thought about creating a certificate with multiple names (or a wildcard-type) but from what I have read, devices running Windows Mobile 5 are not able to recognize wildcard certificates. This would affect our deployment as we plan on running ActiveSync on some of our handhelds.



Does anyone have a solution to this yet? The one a couple of posts up from Oguz is fine assuming you are using homemade certificates, but if you have a certificate from a CA which doesn't match the name of the Exchange Server (which must apply to a heap of people) I don't believe it works (well it doesn't for me anyway). There is no way the name on the cert can ever match the name of the Exchange Server unless your internal and external domains are the same and you publish the name of your Exchange Server to the outside world (unless I'm mistaken). I have followed the articles from MS which mention changing the OAB, UM and WebServices virtual directories to have an external URL but this makes no difference either. Plus another article I found regarding using the enable-Exchangecertificate cmdlet to enable the cert on services such as SMTP which aren't by default apparently.

From what I can see the problem is with the Outlook profile. When you put in the server name, even if you put in the name of the server as it is published to the outside world (rpc.company.com), it still resolves that to the internal Exchange Server name (server.domain.local) and this is where the issue seems to arise when Outlook 2007 starts as it tries to make a connection but fails due to mismatched names on the certificate and the Exchange Server. This happens even if you set the RPC over HTTPS settings to turn off using HTTP on a "fast network".

Hope someone can help here.



R6 Mike


Any update on this? I just installed my CA yesterday just to find out that my webmail works fine but Outlook 2007 gives me the invalid cert because of the different name. I am also having this problem with Outlook 2003 POP users "The server you are connected to is using a security certificate that could not be verified."

Thanks for any help you can provide.
