Fixing certificate mismatch errors in Outlook 2007

When acquiring X.509 certificates to use ActiveSync and OWA on your Exchange 2007 Server, you need to include the correct details in your request. If you don't, certificate mismatches can occur. This tip explains how to troubleshoot those errors.

Exchange ActiveSync and Outlook Web Access use SSL encryption, which requires an X.509 certificate. Acquiring and installing the necessary certificates is fairly simple; however, a mismatch error could occur if you don't provide the correct details within the certificate request. It's good practice to become familiar with what these errors look like and how to fix them.

Exchange Server 2007 doesn't require a certificate if you're merely creating a basic deployment. Certificates are necessary when you deploy more advanced features like Outlook Anywhere, OWA or ActiveSync. Keep in mind that once you deploy any of these services and their required SSL certificate, Outlook will use those certificates when it connects to Exchange Server.

Outlook shouldn't experience any problems using an X.509 certificate -- unless the client access server has a different name on the internal network than it does on the Internet. For example, my ISP didn't offer a static IP address for a while. This was one of the reasons why I couldn't deploy OWA, Outlook Anywhere or ActiveSync on my Exchange Server.

However, once my ISP offered a static IP address, I leased one and changed the MX record for my domain so that it points to my Exchange server instead of my ISP's mail server. I also set up a host record named Exch.brienposey.com that pointed to my external IP address.

Then I configured my firewall to forward inbound HTTP traffic to my client access server so that I could continue to host my website (www.brienposey.com) with an ISP and have a separate URL (exch.brienposey.com) that I could use to access OWA.

Next, I acquired an X.509 certificate and placed it onto my OWA server. Since everything worked perfectly and I could access OWA without any problems, I decided to deploy ActiveSync with the same certificate. That worked well too -- until I opened Outlook from a computer that was attached to my private network. That's when I received a certificate mismatch error (Figure 1).

Figure 1. This is what a certificate mismatch error looks like.

This error occurred because my internal domain name is different than my external domain name. I have two forests on my internal network: lab.com and production.com. I don't own either of these domain names, but this hasn't mattered in the past because there was no inbound external connectivity. My external domain is named brienposey.com. The host portion of the URL doesn't match either. Internally, my client access server is named Mirage.

If you look back at Figure 1, you can see that Exchange is attempting to connect to Mirage.production.com. But the certificate is registered to Exch.production.com. That's why Outlook displays a warning message stating that the certificate's name doesn't match the site name. You can confirm the mismatch by clicking on the View Certificates button. Outlook will show you which host the certificate was issued to (Figure 2).

Figure 2. The Issued To field displays the host name that is bound to the certificate.

To fix this, you need to create a multi-valued certificate. This new certificate will contain your external URL as the subject name as well as the client access server's internal host name in the form of a subject alternative name (SAN).

The procedure to create this certificate is similar to what you've already used. The difference is that you'll have to generate the certificate request using Exchange Management Shell, after which you can open the certificate request file and paste the contents into your enterprise CA's website. The site should issue a new certificate, which you can download and bind to your Exchange server.

The command for issuing the certificate request looks like this:

New-ExchangeCertificate -GenerateRequest -DomainName mail.contoso.com, mail.internal.com, ServerName -FriendlyName mail.contoso.com -PrivateKeyExportable:$True -Path c:\Cert.req

Notice that the -DomainName parameter is followed by the subject name (the external URL) and the subject alternative name (the internal host name). Figure 3 shows this command.

Figure 3. This is what a certificate request command looks like when it runs.
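One way to check which of the host names your clients use are covered by a certificate, before and after it is reissued. This is an added PowerShell example, not code from the original article: the function names and the certificate path are hypothetical, and the SAN parsing assumes an English-language Windows that renders the extension as "DNS Name=" lines.

```powershell
# Added example, not from the original article. Function names are hypothetical.
function Get-CertificateDnsName {
    # Returns the names a certificate is valid for: SAN DNS entries plus the subject CN.
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English-language Windows renders entries as "DNS Name=<host>".
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn) { $names += $cn }
    $names | Select-Object -Unique
}

function Test-NameCoverage {
    # For each host name clients connect to, reports whether a certificate name covers it.
    param([Parameter(Mandatory=$true)][string[]]$CertificateName,
          [Parameter(Mandatory=$true)][string[]]$ClientName)
    foreach ($client in $ClientName) {
        $covered = $false
        foreach ($certName in $CertificateName) {
            if ($certName.StartsWith('*.')) {
                # A wildcard stands for exactly one left-most label.
                $label, $rest = $client -split '\.', 2
                if ($rest -and ('.' + $rest) -ieq $certName.Substring(1)) { $covered = $true }
            } elseif ($certName -ieq $client) {
                $covered = $true
            }
        }
        New-Object PSObject -Property @{ ClientName = $client; Covered = $covered }
    }
}

# Constructed input using the article's host names: a certificate issued only for the
# external name, checked against the external and internal names clients use.
Test-NameCoverage -CertificateName 'exch.brienposey.com' `
                  -ClientName 'exch.brienposey.com', 'Mirage.production.com'

# The reissued certificate, read from a placeholder path, checked the same way:
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\path\to\issued.cer'
# Test-NameCoverage -CertificateName (Get-CertificateDnsName $cert) `
#                   -ClientName 'exch.brienposey.com', 'Mirage.production.com'
```

Any name reported with Covered set to False is one that will trigger the mismatch warning in Outlook and belongs in the -DomainName list of the next request.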

About the author: Brien M. Posey, MCSE, is a five-time recipient of Microsoft's Most Valuable Professional (MVP) award for his work with Exchange Server, Windows Server, Internet Information Services (IIS), and File Systems and Storage. Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.
