Exchange – Name on the Security Certificate is Invalid or Does Not Match
Your users are frustrated that every 5 minutes, or upon opening Outlook, an obnoxious pop-up appears warning them that the Exchange server’s SSL certificate name does not match the FQDN. Danget…. This sounds like a poorly set up Exchange autodiscover URL! It can be incredibly helpful to make a CNAME record such as “autodiscover.company.com” >> “remote.company.com”; phone setup suddenly becomes much easier for users. We also need to set up a Microsoft Exchange UCC SSL certificate.
Lazily set up domain names like “company.local” are extremely common. Registrars no longer sell SSL certificates for .local, and Microsoft has been telling sysadmins for a decade to use full FQDNs for Active Directory, for example main.company.com or city.joesbubblegum.net. This lets you have resolvable, certificate-backed addresses for your various servers (web, mail, RemoteApp), and it goes hand in hand with adjusting your autodiscover URL. It is very common to see internal Outlook clients resolve “server.company.local” as their Exchange server. Once you make these changes, you may need to re-create their Outlook profiles (fun stuff, huh?) so they pull the new FQDN for all future mail syncs.
Here is a cheatlist of commands to make the internal URL, and external URL, accepted by Exchange match.
You’ll need a UCC SSL certificate, generally $150/year from GoDaddy. You can also use a self-signed CA if you don’t want to spend any money, but it can be a world of pain (if you do, always choose the Web Server template with Base64 encoding on certsrv.asp; that’s a detail a lot of guides get wrong).
You’ll probably want to use Exchange Management Console to generate the certificate request. Those are separate tasks for separate articles. Generally the SAN (multiple FQDNs the SSL covers) would include “remote.company.com; autodiscover.company.com”. By including both under one umbrella, client devices can autoconfigure from anywhere, and no more SSL warnings.
First, find your existing settings in case you mess something up, approval isn’t given for a UCC by management, or you need to go back for whatever reason.
## Changing Exchange 2010 to Use External DNS Name, Instead of .local

```powershell
# Pull the old settings to be safe
Get-ClientAccessServer | FL
Get-WebServicesVirtualDirectory | FL
Get-OABVirtualDirectory | FL
Get-ActiveSyncVirtualDirectory | FL
Get-OWAVirtualDirectory | FL
Get-ECPVirtualDirectory | FL
Get-OutlookAnywhere | FL
```
Replace mail.yourdomain.com with whatever you normally use for mail resolution. You’ll also need to replace HostName with the hostname of the Exchange server you’re using.
Watch out for the switch “InternalHostname” on the bottom line if you do a search & replace. Note that if you don’t have Outlook Anywhere enabled, that command will just error out anyway (confirm with the Get-OutlookAnywhere command).
Enter these commands into an Exchange Management Shell (Run as Admin!), then restart the transport service.
```powershell
# Change hostname and resolved internal and external mail FQDN
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Set-ActiveSyncVirtualDirectory -Identity "HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.yourdomain.com/Microsoft-Server-ActiveSync
Set-OWAVirtualDirectory -Identity "HostName\owa (Default Web Site)" -InternalUrl https://mail.yourdomain.com/owa
Set-ECPVirtualDirectory -Identity "HostName\ecp (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ecp
Set-OutlookAnywhere -Identity "HostName\Rpc (Default Web Site)" -InternalHostname mail.yourdomain.com -InternalClientsRequireSsl $true

# Restart Transport Service
stop-service MSExchangeTransport
start-service MSExchangeTransport
```
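To confirm the change actually fixed the mismatch, the following audit script (added here, not part of the original article) pulls every hostname Exchange hands to clients and checks each one against the SAN list of the certificate assigned to IIS; any row marked False is a hostname that will still trigger the pop-up. It assumes you run it in an elevated Exchange Management Shell on the Client Access Server, and `$Server` is a placeholder that defaults to the local machine.

```powershell
# Added audit script (not from the article). Assumption: $Server is the CAS hostname.
$Server = $env:COMPUTERNAME

# 1. Hostnames the IIS-bound certificate covers (subject CN plus SAN entries).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to the IIS service on $Server." }
$covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-Covered([string]$HostName) {
    foreach ($d in $covered) {
        if ($d -eq $HostName) { return $true }
        # A wildcard entry (*.company.com) covers exactly one extra label on the left.
        if ($d.StartsWith('*.') -and $HostName -like $d -and
            ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

# 2. Every URL or hostname Exchange publishes to clients.
$entries = @()
$cas = Get-ClientAccessServer -Identity $Server
$entries += New-Object PSObject -Property @{ Source = 'Autodiscover'; Url = "$($cas.AutoDiscoverServiceInternalUri)" }
$vdirs = @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OABVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) +
         @(Get-OWAVirtualDirectory -Server $Server) +
         @(Get-ECPVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
        if ($u) { $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity)"; Url = "$u" } }
    }
}
# Outlook Anywhere publishes bare hostnames rather than URLs; skip silently if it is not enabled.
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
foreach ($h in @($oa.ExternalHostname, $oa.InternalHostname)) {
    if ($h) { $entries += New-Object PSObject -Property @{ Source = 'OutlookAnywhere'; Url = "https://$h/rpc" } }
}

# 3. Report: a False in the Covered column is a hostname the certificate does not match.
$entries | ForEach-Object {
    $h = ([Uri]$_.Url).Host.ToLower()
    New-Object PSObject -Property @{ Source = $_.Source; Host = $h; Covered = (Test-Covered $h) }
} | Sort-Object Covered, Host | Format-Table Covered, Host, Source -AutoSize
```

Run it once before the Set-* commands to record the mismatches and once after to confirm every row reads True.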