Exchange Ideas - Daniel Kenyon-Smith

I’m a Messaging consultant working for Microsoft Consultancy Services in the UK. Find out about all the latest technology, news, tips and tricks in the world of messaging and much more!

The Name on the security certificate is invalid or does not match the name of the site - PART 2

The Name on the security certificate is invalid or does not match the name of the site - PART 2

  • Comments 21
  • Likes

Once the cert has been installed you will need to enable the cert, you can run the following command to enable the certificate

Enable-ExchangeCertificate -Thumbprint 59 5e a4 7c f0 c0 4f 64 dc 3d 6d 29 95 f7 c4 b1 72 ca 0f 92 -Services "SMTP, IIS"

Note: The thumbprint needs to match the cert you have just installed, use either the get-certificate command or use the MMC, select the cert, click the details page and click on thumbprint or use the command specified in PART 1 to find the correct thumbprint

For each CAS server that is installed a Service Connection Point (SCP) record is created for the autodiscover service for internal clients

When i go into Outlook i get the following error:-



This is because i’m connecting to services using the NetBIOS name of mbx1 which does not match the name on the certificate. If i run Get-ClientAccessServer -Identity mbx1 | FL i’ll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, this does not match the certificate. I can also check the other services and see that i get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange Active Sync (EAS). So i need to update all theses internal url’s to match the name on the cert.

  • Set-ClientAccessServer -Identity "mbx1" –AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml


  • Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" –InternalUrl  https://nlb.nwtraders.msft/EWS/Exchange.asmx


  • Set-OABVirtualDirectory -Identity “mbx1\OAB (Default Web Site)” -InternalURL https://nlb.nwtraders.msft/OAB


  • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname “nlb.nwtraders.msft” -ClientAuthenticationMethod “NTLM”


  • Set-ActiveSyncVirtualDirectory -Identity “mbx1\Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync


Note: If your customer does decide to enable OA externally it is important to note that the external host name value configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients and must match the end point property in the client.

In order for Subject Alternate Name (SAN) certificates to be used for clients to connect to the OA service, where the CPN does not match the msstd value configured in the Outlook client profile (but the url is listed in the SAN part of the certificate), certain conditions need to be met, these are listed below:-

  • Outlook 2007 or higher
  • Vista SP1


Then when you open Outlook you should not longer get the cert error!


Written by Daniel Kenyon-Smith

  • This was a tremendous help, Thx!!!!

  • Can anyone please help? I'm new to exchange and don't know the syntax, I keep on getting an error message as of line 2 of instructions..

    My DC server's name is Global-02f and


  • What’s the error message you are getting? MBX1 in that example is the Exchange server (CAS) and nlb is load balanced name, which matches the certificate

  • Add an iisreset to the end and we are in business!  WOOHOO

  • Hello Kenyon87, What should I say about your article? Is there is a better word than "AWESOME". Simply superb, the same I tried given from the Microsoft KB 940726, but no go. Was having this issue for the past 3 months, now after trying your steps, it worked! You deserver a carton of beer! Thanks so much!

  • Hi. this is an excellent post. it has saved my life. thanks.

    another issue. OA anywhere isnt connecting from client end despite publishing the rule on isa and enabling OA in exchange. then name on SAn is same as the one used to configure OA.

    error am getting is that, it cant resolve.

  • Thanks for the feedback

    Monica - take a look at this link it might help you configure the rule on ISA -



  • I have the same issue but have been unable to resolve it even with this article! any other ideas out therE?

  • Have you checked all the virtual directories? you could always add the name you require into the Subject Alternate Name (SAN) part of your certificate

  • I just installed a Netgear FVS318N router on a companies network and now I’m getting the Security Alert message in Outlook 07 over 20 computers. Veiwed the cert and it is Netgear FVS318n.

    Please someone help. I can’t tell if it’s a Netgear issue or MS Issue, but only pops up when Outlook is open?

  • What is the name the Outlook clients are trying to connect?

  • If you mean domain:

    which is listed on the Security Alert, but when I view the certificate, its issuer is Netgear with the model.

  • Sounds like clients are trying to connect to remote, when the cert is called netgear. I'd have a look on the exchange servers at the their certs and see what is installed there, you can view the certs through either the console in exchange 2010 or by using the get-exchangecertificate

  • We have a similar error, but when I do the command Set-WebServicesVirtualDirectory I receive the error that it can not find the EWS (Default Web Site).  I am not sure how to get around this error.  If I continue with the Set-OABVirtualDirectory commend I get the similar error about the OAB (Default Web Site).  I know I am missing something, I just can not figure it out.  Any help would be greatly appreciated.

  • You could use this something like this command Set-WebServicesVirtualDirectory MBX1\* or take a look at the TechNet site, it gives you some examples Also make sure the virtual directories are showing in IIS

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment