The Name on the security certificate is invalid or does not match the name of the site – PART 2

Once the certificate has been installed, you need to enable it for the services that will use it. Run the following command:

Enable-ExchangeCertificate -Thumbprint 595ea47cf0c04f64dc3d6d2995f7c4b172ca0f92 -Services "SMTP, IIS"

Note: The thumbprint must match the certificate you have just installed. To find it, use the Get-ExchangeCertificate command, or open the MMC, select the certificate, click the details page and click on Thumbprint, or use the command specified in PART 1. If you copy the thumbprint from the MMC, remove the spaces before passing it to the command.

For each CAS server that is installed, a Service Connection Point (SCP) record is created for the Autodiscover service for internal clients.

When I go into Outlook I get the following error:



This is because I’m connecting to services using the NetBIOS name of mbx1, which does not match the name on the certificate. If I run Get-ClientAccessServer -Identity mbx1 | FL I’ll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, which does not match the certificate. I can also check the other services and see that I get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange Active Sync (EAS). So I need to update all these internal URLs to match the name on the cert.

  • Set-ClientAccessServer -Identity "mbx1" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml

  • Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx

  • Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB

  • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM"

  • Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-Activesync
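
To check the result of the commands above, the following added example (not part of the original post) compares the host name in each service URL with the names on the certificate enabled for IIS. It assumes it is run in the Exchange Management Shell on the CAS server itself, with the server name mbx1 from the post; Test-CertNameMatch is a helper defined here, not an Exchange cmdlet.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the CAS server itself (assumption).
$Server = 'mbx1'   # assumption: the CAS server name used in the post

function Test-CertNameMatch {
    # $true when $HostName equals a certificate name, or is covered by a
    # "*.domain" name (the wildcard stands for exactly one label).
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }        # -eq ignores case
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                 # e.g. ".nwtraders.msft"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Subject and SAN names of the local certificate enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Collect the URL each client service hands out.
$urls = @{}
Get-ClientAccessServer -Identity $Server |
    ForEach-Object { $urls['Autodiscover'] = $_.AutoDiscoverServiceInternalUri }
Get-WebServicesVirtualDirectory -Server $Server |
    ForEach-Object { $urls['EWS'] = $_.InternalUrl }
Get-OabVirtualDirectory -Server $Server |
    ForEach-Object { $urls['OAB'] = $_.InternalUrl }
Get-ActiveSyncVirtualDirectory -Server $Server |
    ForEach-Object { $urls['EAS'] = $_.InternalUrl }
Get-OutlookAnywhere -Server $Server | Where-Object { $_.ExternalHostname } |
    ForEach-Object { $urls['OA'] = "https://$($_.ExternalHostname)/" }

# Compare each host name with the certificate names and print the verdict.
foreach ($svc in $urls.Keys) {
    if (-not $urls[$svc]) { '{0,-13} (no URL set)' -f $svc; continue }
    $urlHost = ([uri]"$($urls[$svc])").Host
    $ok = Test-CertNameMatch -HostName $urlHost -CertNames $certNames
    '{0,-13} {1,-28} {2}' -f $svc, $urlHost, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

Any line reported as MISMATCH is a URL that will still trigger the certificate name warning in Outlook.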


Note: If your customer decides to enable OA externally, the external host name configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate used by clients, and must match the end point property in the client.

For clients to connect to the OA service using a Subject Alternate Name (SAN) certificate where the CPN does not match the msstd value configured in the Outlook client profile (but the URL is listed in the SAN part of the certificate), the following conditions need to be met:

  • Outlook 2007 or higher
  • Vista SP1


Then when you open Outlook you should no longer get the cert error!


Written by Daniel Kenyon-Smith

Comments (21)

  1. Dan Kenyon-smith says:

    What’s the error message you are getting? MBX1 in that example is the Exchange server (CAS) and nlb is the load-balanced name, which matches the certificate.

  2. Dan Kenyon-smith says:

    Have you checked all the virtual directories? You could always add the name you require into the Subject Alternate Name (SAN) part of your certificate.

  3. Dan Kenyon-smith says:

    All you are changing is the name the clients connect to, to match the name of the cert. You can either change the certificate or update the services; either way you won’t need to visit each client. If you are unsure, then I suggest you run this in a lab and run through all the scenarios you want to test.

  4. Dan Kenyon-smith says:

    Sounds like clients are trying to connect to remote, when the cert is called netgear. I'd have a look on the Exchange servers at their certs and see what is installed there. You can view the certs through either the console in Exchange 2010 or by using Get-ExchangeCertificate.

  5. Anonymous says:

    Hello Kenyon87, What should I say about your article? Is there a better word than "AWESOME"? Simply superb. I tried the same as given in Microsoft KB 940726, but no go. Was having this issue for the past 3 months, now after trying your steps, it worked! You deserve a carton of beer! Thanks so much!

  6. Dan Kenyon-smith says:

    You could use something like this command: Set-WebServicesVirtualDirectory MBX1*, or take a look at the TechNet site, it gives you some examples…/aa997233.aspx. Also make sure the virtual directories are showing in IIS.

  7. Dan Kenyon-smith says:

    Thanks for the feedback

    Monica – take a look at this link, it might help you configure the rule on ISA –…/details.aspx



  8. Dan Kenyon-smith says:

    What is the name the Outlook clients are trying to connect?

  9. greg says:

    This was a tremendous help, Thx!!!!

  10. Samy Silva says:

    Can anyone please help? I'm new to exchange and don't know the syntax, I keep on getting an error message as of line 2 of instructions..

    My DC server's name is Global-02f and


  11. Bridget says:

    Add an iisreset to the end and we are in business!  WOOHOO

  12. Monica Gachaku says:

    Hi. This is an excellent post. It has saved my life. Thanks.

    Another issue. OA anywhere isn't connecting from the client end despite publishing the rule on ISA and enabling OA in Exchange. The name on the SAN is the same as the one used to configure OA.

    The error I am getting is that it can't resolve.

  13. Matt says:

    I have the same issue but have been unable to resolve it even with this article! Any other ideas out there?

  14. Eric says:

    I just installed a Netgear FVS318N router on a company's network and now I’m getting the Security Alert message in Outlook 07 over 20 computers. Viewed the cert and it is Netgear FVS318n.

    Please someone help. I can’t tell if it’s a Netgear issue or MS issue, but it only pops up when Outlook is open?

  15. Eric says:

    If you mean domain:

    which is listed on the Security Alert, but when I view the certificate, its issuer is Netgear with the model.

  16. donna says:

    We have a similar error, but when I do the command Set-WebServicesVirtualDirectory I receive the error that it cannot find the EWS (Default Web Site). I am not sure how to get around this error. If I continue with the Set-OABVirtualDirectory command I get the similar error about the OAB (Default Web Site). I know I am missing something, I just cannot figure it out. Any help would be greatly appreciated.

  17. Eric says:

    Oh man, this saved me a lot of headache during an Exchange 2010 migration.  Thank you!!!!

  18. Steve says:

    I'm having this issue and the fix appears easy enough. What are the consequences? Will I have to re-visit each PC on the network and configure Outlook again?


  19. eyad ghunaim says:

    Thank you very much, this topic is very helpful and it solved the problem in my company.

    Thank you

  20. Life Saver says:

    Thank you. I've looked everywhere for this info. You make it simple.

  21. Oscar Pedroza says:

    Hi, thanks, your post was very helpful.

    God bless you man!!!

    Best regards,

    Oscar Pedroza