When an Outlook 2007 user has their mailbox migrated from Exchange 2003 to Exchange 2007 they may start seeing a certificate mismatch error appear when launching Outlook. This problem will occur if the following conditions are true:
- the internal DNS namespace does not match the external DNS namespace (eg domain.local for internal and domain.com.au for external)
- a third party SSL certificate matching the external namespace has been applied to the IIS instance on the Client Access Server (eg cas.domain.com.au)
The certificate mismatch occurs because the Autodiscover Service and/or Availability Service use the FQDN of the Exchange 2007 host in their URL (eg https://server.domain.local/AutoDiscover/AutoDiscover.xml) but the IIS instance has an SSL certificate that does not match that name.
To resolve this issue you can change the URL of the Autodiscover and Availablity services to match the name on the certificate, which you can do with the following shell commands.
[PS] C:\>Set-ClientAccessServer -Identity cas.domain.local -AutoDiscoverServiceInternalUri https://cas.domain.com.au/Autodiscover/Autodiscover.xml
[PS] C:\>Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -InternalUrl https://cas.domain.com.au/EWS/Exchange.asmx -ExternalUrl https://cas.domain.com.au/EWS/Exchange.asmx
As long as your internal clients are resolving the external name cas.domain.com.au directly to your Client Access Server this should resolve the certificate mismatch error.
I’m experiencing a similar problem. Some of my users are getting the certificate error message but others are not. The internal and external url are the same, autodiscover shows the correct name that is on the certificate. The error or security warning shows the name of the server and not the domain name listed on the certificate or what is listed in our external dns.
Just have a guy named Jimmy look at it 🙂
Thanks to the guide Paul Cunningham’s guide … https://www.practical365.com/avoiding-exchange-2013-server-names-ssl-certificates/ … I was able to help William identify that we had missed changing one of the external urls to match the address on our certificate. We were able to fix the problem and our users are very thankful. Thank you Paul!
I have this new sever setup, 1 dc and 1 exchange 2013 server, had this error message: There is a problem with the proxy server’s security certificate, Error code 10.
Searched online and found the solution was to deploy split-brain DNS. So I did, solution worked like a charm. But after some time, clients with laptops that were brought home and back to the office would receive the message once in a while.
Found out that while having the error, ping results to the xxx.service.ca would resolve externally, and had to manually clear DNS cache on the laptop and release / renew IP. The ping would resolve back internally. Error would go away…??? anything I should be looking for?
The real issue is that your SSL cert and namespaces likely are’t set up correctly. Get that set up right and it won’t matter if the internal client’s DNS cache makes them hit the external DNS from time to time.
https://www.practical365.com/avoiding-exchange-2013-server-names-ssl-certificates/
Pingback: Outlook 2007 Certificate Error | OutlookRecoveryGuide.org
Although this was posted 3 years ago, I wanted to add to it as I came across this very same issue following our recent Exchange 2007 to 2010 transition.
The following KB from Microsoft addresses this specific issue and details how to resolve it.
http://support.microsoft.com/kb/940726?wa=wsignin1.0
Pingback: JIRA: Infrastructure
This article works. I like this article as you gave details key in compare to the rest, even Microsoft didn’t give this details. It helps me solved my exchange 2007 issue