
If you have installed Exchange 2007 Client Access Servers in your organization, and you have installed your SSL certificates (even commercial ones) on IIS, Outlook MAPI users may receive a 'Security Alert' message in Outlook similar to the following:
The name on the security certificate is invalid or does not match the name of the site.
This is because of the certificate that you have installed on IIS. Outlook 2007 MAPI clients use Client Access Servers for the Autodiscover service. The Autodiscover web service (a virtual directory on the Client Access Server) is used for automatically finding the mailbox server for a given user. When Outlook accesses the Autodiscover service and the name on the security certificate installed in IIS doesn't match the internal FQDN of the Client Access Server (CAS), this error results.
Suppose your company's public domain name is mycompany.com. You may have obtained a certificate for webmail.mycompany.com and installed it on the IIS of your Client Access Server. This is correct because users on the internet will type the public name.
However, the same IIS on the CAS hosts the Autodiscover virtual directory as well, and this certificate applies to it too. Your internal domain name might be mycmpny.local and the Client Access Server FQDN might be CAS1.mycmpny.local. Outlook 2007 uses this internal name to connect to Autodiscover, hence the mismatch error.
To fix this problem, open Exchange Management Shell and type the following commands:
Set-ClientAccessServer -Identity CAS1 -AutodiscoverServiceInternalUri https://webmail.mycompany.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "CAS1\EWS (Default Web Site)" -InternalUrl https://webmail.mycompany.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "CAS1\oab (Default Web Site)" -InternalUrl https://webmail.mycompany.com/oab
Set-UMVirtualDirectory -Identity "CAS1\unifiedmessaging (Default Web Site)" -InternalUrl https://webmail.mycompany.com/unifiedmessaging/service.asmx
Pay attention to the text in red; you will need to change it to reflect your server's running parameters. Then recycle the MSExchangeAutodiscoverAppPool. Your users should no longer receive the security alert.
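One way to confirm the change took effect, as an added example that is not part of the original post: compare the host name in each internal URL with the DNS names on the certificate. The function names are hypothetical, the "before" URLs are constructed from the article's sample FQDN, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function Test-CertificateName {
    # True when $HostName is covered by one of the certificate's DNS names.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.mycompany.com covers webmail.mycompany.com but not a.b.mycompany.com.
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlNameMismatch {
    # One row per URL: the host Outlook connects to and whether the certificate covers it.
    param([string[]]$Urls, [string[]]$CertNames)
    foreach ($u in $Urls) {
        $hostName = ([System.Uri]$u).Host
        New-Object PSObject -Property @{
            Host  = $hostName
            Match = (Test-CertificateName $hostName $CertNames)
            Url   = $u
        }
    }
}

# Subject and SAN DNS names on the certificate bound in IIS (the article's sample name).
$certNames = @('webmail.mycompany.com')
# Constructed "before" values: internal URLs built on the CAS internal FQDN.
$before = @(
    'https://CAS1.mycmpny.local/autodiscover/autodiscover.xml',
    'https://CAS1.mycmpny.local/ews/exchange.asmx'
)
# "After" values: the URLs set by the four commands above.
$after = @(
    'https://webmail.mycompany.com/autodiscover/autodiscover.xml',
    'https://webmail.mycompany.com/ews/exchange.asmx',
    'https://webmail.mycompany.com/oab',
    'https://webmail.mycompany.com/unifiedmessaging/service.asmx'
)

Get-UrlNameMismatch $before $certNames | Select-Object Host, Match, Url | Format-Table -AutoSize
Get-UrlNameMismatch $after  $certNames | Select-Object Host, Match, Url | Format-Table -AutoSize
```

On a live server the URL list can be filled from the AutoDiscoverServiceInternalUri property returned by Get-ClientAccessServer and the InternalUrl property returned by Get-WebServicesVirtualDirectory, Get-OABVirtualDirectory and Get-UMVirtualDirectory. Any row where Match is False is a URL that will still raise the alert.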


8 comments:
Thanks
Exactly what I needed!
Amen! I have been looking for this information forever... Microsoft wasn't any help. Just kept telling me to buy a certificate.
Well, actually you need a certificate with multiple SAN (Subject Alternative Names) if you intend to offer Outlook Anywhere (aka RPC over HTTPS) services to your users. Maybe that was what MS Support was trying to tell you?
You rock! This information is EXACTLY what I needed to get rid of our certificate error. Popped up after I bought us a commercial SSL for OWA email access.
Thanks to this info, no more internal errors.
We just add outlook.yourdomain.com to our local DNS, same address internally and externally then.
Brilliant! This works perfectly.
Sorry, followed this to the letter without any errors, restarted Outlook, all users on the LAN still receive the same message...
Back to the drawing board