Saturday, August 25, 2007

Problems with Exchange 2007 certificates when you're on VPN or in the company's LAN?

A while ago I spent half a day with one of our consultants troubleshooting this and other issues and setting it up correctly, and it now turns out that a KB article has been published which covers this exact issue:

Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"

This issue occurs if the following conditions are true:
  • You replace the default self-signed Exchange 2007 certificate with a different certificate.
    Note: The Exchange 2007 Setup program creates a default self-signed certificate when Exchange 2007 is installed (DLT Comment - that shouldn't be deleted!).
  • The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:

  • The Service Connection Point object for the Autodiscover service
  • The InternalUrl attribute of Exchange 2007 Web Service (EWS)
  • The InternalUrl attribute of the Offline Address Book Web service
  • The InternalUrl attribute of the Exchange unified messaging (UM) Web service

By default, the URL that is stored in these objects references the NetBIOS name of the server. For example, a URL that resembles the following is stored:

https://NetBIOS_name.contoso.com/autodiscover/autodiscover.xml

This may differ from the host name that is used in the FQDN of the replacement certificate. For example, the replacement certificate may have an FQDN that resembles the following:

mail.contoso.com

This issue causes a name mismatch error to occur. Therefore, you receive the security warning message when you try to connect Outlook 2007 to the mailbox.
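To see which of the four objects above actually disagrees with the certificate you installed, here is an added Exchange Management Shell check (my own example, not code from the original post or from the KB). It assumes it runs on the Client Access server, that the replacement certificate is enabled for the IIS service, and that `$ServerName` (an assumed parameter) defaults to the local machine; it only reports and prints the matching Set-* command, it changes nothing.

```powershell
# Added example (not from the original post or from KB940726): compares the host in
# each of the four stored URLs with the names on the certificate enabled for IIS and
# prints the Set-* command that would align a mismatch with the certificate CN.
param([string]$ServerName = $env:COMPUTERNAME)   # assumed parameter

$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for the IIS service on $ServerName." }

# Subject CN plus any subject alternative names; Outlook accepts any of these
$cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$names = @($cn) + @($cert.CertificateDomains) | Select-Object -Unique

function Test-NameOnCert([string]$HostName) {
    foreach ($n in $names) {
        if ($HostName -like $n) { return $true }   # -like also handles *.contoso.com wildcards
    }
    return $false
}

$cas = Get-ClientAccessServer -Identity $ServerName
$ews = Get-WebServicesVirtualDirectory -Server $ServerName | Select-Object -First 1
$oab = Get-OABVirtualDirectory -Server $ServerName | Select-Object -First 1
$um  = Get-UMVirtualDirectory -Server $ServerName | Select-Object -First 1

# The four objects the KB names, the URL each stores, and the cmdlet that sets it
$checks = @(
  @{ Object='Autodiscover SCP'; Url=$cas.AutoDiscoverServiceInternalUri; Fix="Set-ClientAccessServer -Identity '$($cas.Identity)' -AutoDiscoverServiceInternalUri" }
  @{ Object='EWS InternalUrl';  Url=$ews.InternalUrl; Fix="Set-WebServicesVirtualDirectory -Identity '$($ews.Identity)' -InternalUrl" }
  @{ Object='OAB InternalUrl';  Url=$oab.InternalUrl; Fix="Set-OABVirtualDirectory -Identity '$($oab.Identity)' -InternalUrl" }
  @{ Object='UM InternalUrl';   Url=$um.InternalUrl;  Fix="Set-UMVirtualDirectory -Identity '$($um.Identity)' -InternalUrl" }
)

"Certificate names: $($names -join ', ')"
foreach ($c in $checks) {
    if (-not $c.Url) { "{0,-18} (not set)" -f $c.Object; continue }
    $hostName = ([uri]$c.Url).Host
    if (Test-NameOnCert $hostName) {
        "{0,-18} OK        {1}" -f $c.Object, $c.Url
    } else {
        # Replace only the host part so the path (e.g. /autodiscover/autodiscover.xml) is kept
        $fixed = ([uri]$c.Url).AbsoluteUri -replace [regex]::Escape($hostName), $cn
        "{0,-18} MISMATCH  {1}`n  suggested: {2} '{3}'" -f $c.Object, $c.Url, $c.Fix, $fixed
    }
}
```

A MISMATCH line for any of the four objects is exactly the NetBIOS-name-versus-certificate-FQDN case the KB describes, and a MISMATCH on the Autodiscover SCP is the one that VPN and LAN clients hit first.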

Read more at KB940726
