Troubleshooting Certificate Errors in Outlook Clients – Part 2
Written by Mike Rede on September 30, 2009
I previously wrote about a problem that you, as an administrator, may run into when using certificates and Outlook. I also revisited the need for encryption, and the use of public and private keys, when sending and receiving email. And I emphasized the need for certificates and Certificate Authorities such as Verisign and Thawte when using trusted certificates.
Continuing the discussion of certificate errors: if you’re running Exchange 2007 server with Outlook 2007 clients, sooner or later you’ll probably run into a situation where one or more of your clients gets an error message such as:
“Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate”.
This can happen if you’ve recently migrated to Exchange 2007 server and one of your clients tries to connect to their mailbox on the server.
To fix this problem, one of your options is to create a new website that includes new virtual directories. Once you have created the new website, give it an IP address that you will use to identify your Exchange server, and make sure you create a new certificate with the matching name. Your clients will then be able to access this new website using that certificate.
Another area where you may have problems is when you import a certificate into Exchange 2007 and then get certificate errors in Outlook. When you try to import the certificate you may get a security alert popup with the following error message:
“The name on the security certificate is invalid or does not match the name of this site.”
You will have the option to view the certificate, proceed without viewing it, or take no action and just exit the popup window. If you decide to view the certificate, another window will show you which of the certificates you have installed is causing the problem. You may see something like “mail.quantum.com” or “mail.nautilus.com” or some other appropriate name.
Note that if you do not care about external autodiscover access and your install is a simple configuration then you do not need a Unified Communications Certificate (UCC).
However, you might have considered using a Unified Communications certificate (a.k.a. UC Certificate) for versatility. A UC Certificate is a new type of certificate developed primarily for use with Microsoft Exchange 2007 and Microsoft Office Communications Server 2007. Its distinguishing feature is the Subject Alternative Name (SAN) field in the certificate. This field can contain many different domain names or common names, so the certificate is valid for any of the names listed. The beauty of this is that one certificate can secure internal network names as well as external domain names.
But if you were not using UC Certificates, then it is safe to say that your “mail.quantum.com” common name (CN) indicates that you chose a single-name certificate. As an administrator you would have installed this certificate along with its private key onto your Exchange server. If you were migrating, the certificate could have been installed via an export and then an import operation. After assigning it to Internet Information Services (IIS) you could then have enabled Exchange services to use the certificate via the “Get-ExchangeCertificate” command run from the Exchange Management Shell.
After installing and assigning the certificate you would then want to verify that AutoDiscoverServiceInternalUri was pointing to the primary Client Access Server (CAS) that you were going to use for Autodiscover servicing.
This is the point where you are most likely to see your problem.
The Autodiscover virtual directory in IIS requires SSL. So the URL specified in AutoDiscoverServiceInternalUri and the name on your certificate must be the same. You should also check that you have entered an appropriate DNS record so that the name in the URL resolves to your Client Access Server. If the URL does not match the certificate name, you will have to use the “Set-ClientAccessServer” command to reconfigure AutoDiscoverServiceInternalUri.
You can run the command like this:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.quantum.com/Autodiscover/Autodiscover.xml
After you have run the command you will then need to configure the InternalUrl for each web distributed service as well.
This is most likely why you were receiving certificate errors: your InternalUrls were pointing to a common name that differed from the single name on your certificate.
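The check below, an added example that is not part of the original post, compares the names on the IIS-bound certificate against AutoDiscoverServiceInternalUri and the InternalUrl of each web service, so a mismatch of the kind described above is reported before Outlook clients complain. It assumes it is run in the Exchange Management Shell on the Client Access Server, and “CASServer” is a placeholder for your server’s name.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Client Access Server itself, since Get-ExchangeCertificate reads the local
# certificate store. "CASServer" is a placeholder for your server name.
$cas = "CASServer"

# Names the IIS-enabled certificate(s) are valid for: the subject CN plus any SANs.
$certNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match "IIS" } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

# URLs that Outlook 2007 uses on the internal network. A second website created as
# described above means some cmdlets return more than one virtual directory.
$urls = @{}
$urls["AutoDiscoverServiceInternalUri"] = (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
$urls["EWS InternalUrl"]        = Get-WebServicesVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl }
$urls["OAB InternalUrl"]        = Get-OabVirtualDirectory -Server $cas        | ForEach-Object { $_.InternalUrl }
$urls["OWA InternalUrl"]        = Get-OwaVirtualDirectory -Server $cas        | ForEach-Object { $_.InternalUrl }
$urls["ActiveSync InternalUrl"] = Get-ActiveSyncVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl }

function Test-NameCovered {
    param([string]$hostName, [string[]]$names)
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        # A wildcard entry such as *.quantum.com covers exactly one extra label.
        if ($n.StartsWith("*.")) {
            $suffix = $n.Substring(1)
            $label  = $hostName.Substring(0, [Math]::Max(0, $hostName.Length - $suffix.Length))
            if ($hostName.EndsWith($suffix) -and $label -ne "" -and $label -notmatch "\.") { return $true }
        }
    }
    return $false
}

foreach ($entry in $urls.GetEnumerator()) {
    foreach ($u in @($entry.Value)) {
        if ($u -eq $null) { Write-Warning ("{0} is not set" -f $entry.Key); continue }
        $h = ([Uri]$u).Host.ToLower()
        if (Test-NameCovered $h $certNames) {
            Write-Host ("OK       {0} -> {1}" -f $entry.Key, $h)
        } else {
            # This is the mismatch behind the "name on the security certificate is invalid" prompt.
            Write-Warning ("MISMATCH {0} -> {1} is not on the IIS certificate ({2})" -f $entry.Key, $h, ($certNames -join ", "))
        }
    }
}
# Fix a mismatch by repointing the URL at the certificate's name, for example:
#   Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalUrl https://mail.quantum.com/EWS/Exchange.asmx
```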