Saturday, August 25, 2007

Problems with Exchange 2007 certificates when you're on VPN or in the company's LAN?

A while ago I spent half a day with one of our consultants troubleshooting this and other issues and setting this up correctly, and it now turns out that a KB article has been published which handles this exact issue:

Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"

This issue occurs if the following conditions are true:
  • You replace the default self-signed Exchange 2007 certificate with a different certificate.
    Note: The Exchange 2007 Setup program creates a default self-signed certificate when Exchange 2007 is installed (DLT Comment - That shouldn't be deleted!).
  • The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
      • The Service Connection Point object for the Autodiscover service
      • The InternalUrl attribute of Exchange 2007 Web Service (EWS)
      • The InternalUrl attribute of the Offline Address Book Web service
      • The InternalUrl attribute of the Exchange unified messaging (UM) Web service

By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following is stored:

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following:

This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox.

Read more at KB940726
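
To see which of the four objects listed above carry a host name the certificate does not cover, the following is an added example for the Exchange Management Shell (it is not from this post or from the KB article). It assumes the replacement certificate is the one enabled for the IIS service; `Test-HostAgainstCertNames` is a hypothetical helper defined in the block.

```powershell
# Added example. Run in the Exchange Management Shell on an Exchange 2007 server.

# Hypothetical helper: does $HostName match one of the certificate's names?
# A wildcard name (*.example.com) covers exactly one left-most label.
function Test-HostAgainstCertNames([string]$HostName, [string[]]$CertNames) {
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            ($h.Substring($h.IndexOf('.')) -eq $n.Substring(1))) { return $true }
    }
    return $false
}

# Assumption: the certificate Outlook is shown is the one enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Collect the URL stored in each of the four objects named in the KB article.
$objects = @(
    Get-ClientAccessServer | Select-Object `
        @{Name='Object'; Expression={ "Autodiscover SCP ($($_.Name))" }},
        @{Name='Url';    Expression={ $_.AutodiscoverServiceInternalUri }}
    Get-WebServicesVirtualDirectory | Select-Object `
        @{Name='Object'; Expression={ "EWS ($($_.Server))" }},
        @{Name='Url';    Expression={ $_.InternalUrl }}
    Get-OabVirtualDirectory | Select-Object `
        @{Name='Object'; Expression={ "OAB ($($_.Server))" }},
        @{Name='Url';    Expression={ $_.InternalUrl }}
    Get-UMVirtualDirectory | Select-Object `
        @{Name='Object'; Expression={ "UM ($($_.Server))" }},
        @{Name='Url';    Expression={ $_.InternalUrl }}
)

# Report each stored URL and whether its host name is covered by the certificate.
"Certificate names: " + ($certNames -join ', ')
$objects | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([Uri]"$($_.Url)").Host
    $covered  = Test-HostAgainstCertNames $hostName $certNames
    $_ | Select-Object Object, Url,
        @{Name='Host';          Expression={ $hostName }},
        @{Name='CoveredByCert'; Expression={ $covered }}
} | Format-Table -AutoSize
```

Any row with `CoveredByCert` set to `False` is a URL that will produce the name mismatch warning in Outlook 2007.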
