Ssl – Exchange 2010 Split-Brain DNS with an SSL for External DNS name

Tags: domain-name-system, exchange, outlook, ssl

Last weekend I did a swing migration from Exchange 2003 to Exchange 2010. It all went fine, but now my users are getting a Security Alert: "The name on the security certificate is invalid or does not match the name of the site." The web-mail part works, and the internal part works, but it gives that message.

The external name on the SSL cert is [mail.example.com], and the internal name is [exchange2010.local.example.com].

The only two answers I have seen are adding the internal name of the server to the SSL cert. I would rather not show my internal DNS name. The other answer was to disable SSL, but it didn't explain how to disable it. Any suggestions?

Edit: I ran the Best Practices Analyzer and found this:

The subject alternative name (SAN) of SSL certificate for
https://exchange2010.local.example.com/Autodiscover/Autodiscover.xml
does not appear to match the host address. Host address:
exchange2010.local.example.com. Current SAN: DNS
Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for
https://exchange2010.local.example.com/EWS/Exchange.asmx does not
appear to match the host address. Host address:
exchange2010.local.example.com. Current SAN: DNS
Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for
https://exchange2010.local.example.com/Microsoft-Server-ActiveSync
does not appear to match the host address. Host address:
exchange2010.local.example.com. Current SAN: DNS
Name=mail.example.com.

The subject alternative name (SAN) of SSL certificate for
https://exchange2010.local.example.com/owa does not appear to match
the host address. Host address: exchange2010.local.example.com.
Current SAN: DNS Name=mail.example.com.

Edit: it's working! You need to make a DNS change (in my case a CNAME mail.example.com -> exchange2010.local.example.com), and you also need to run the following PowerShell commands:

# Point every internal URL at the name on the certificate (mail.example.com).
# Run in the Exchange 2010 Management Shell.
Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/autodiscover/autodiscover.xml"
# The SCP that domain-joined Outlook clients query for Autodiscover.
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.example.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.example.com/Microsoft-Server-ActiveSync"

Best Answer

We created an A record that points to the server that matches the external DNS entry. In our case internally it is mail..com and externally it is mail..com, but which IP is returned depends on which DNS (internal or external) is asked. This way the same certificate can be used no matter where they are. Works great for laptops too when they move back and forth.
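The procedure in the question's edit (repointing every internal URL at the certificate name) and the split-DNS record in the answer both fail silently if one virtual directory is missed or the internal record does not resolve, and the only symptom is the same certificate prompt. The script below is an added example, not code from the question, the answer or Exchange itself: run in the Exchange 2010 Management Shell on a domain-joined machine, it collects every internal URL Exchange hands to Outlook and ActiveSync, checks that each host name resolves in internal DNS, then connects to port 443 and compares the presented certificate's SAN entries against that host name. The function names and the mail.example.com host are assumptions taken from the question's own names.

```powershell
# Added example (not from the original post): verify that every internal
# Exchange URL resolves internally and is covered by the served certificate.

function Get-ExchangeInternalUrl {
    # One System.Uri per endpoint clients will be directed to; $null entries dropped.
    $uris = @(
        (Get-ClientAccessServer         | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
        (Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl })
        (Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl })
        (Get-OabVirtualDirectory        | ForEach-Object { $_.InternalUrl })
        (Get-OwaVirtualDirectory        | ForEach-Object { $_.InternalUrl })
        (Get-EcpVirtualDirectory        | ForEach-Object { $_.InternalUrl })
        (Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl })
    )
    $uris | Where-Object { $_ -ne $null }
}

function Get-CertificateSanNames {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS session only to read the certificate. Validation is skipped on
    # purpose: a name mismatch is exactly the condition being tested for.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
    $names = @()
    # OID 2.5.29.17 is the Subject Alternative Name extension; Format() yields
    # lines of the form "DNS Name=mail.example.com".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # A certificate without a SAN is matched on its subject CN instead.
    if ($names.Count -eq 0) {
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    }
    $names
}

function Test-ExchangeInternalUrl {
    $results = @()
    $hosts = Get-ExchangeInternalUrl | ForEach-Object { $_.Host } | Sort-Object -Unique
    foreach ($h in $hosts) {
        $resolves = $true
        $addresses = @()
        try {
            # Uses the resolver of the machine running the script, i.e. internal DNS.
            $addresses = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        } catch {
            $resolves = $false
        }
        $sans = @()
        $covered = $false
        if ($resolves) {
            try {
                $sans = Get-CertificateSanNames -HostName $h
                # -like makes a wildcard SAN such as *.example.com match as well.
                $covered = [bool]($sans | Where-Object { $h -like $_ })
            } catch {
                $sans = @("TLS handshake failed: $($_.Exception.Message)")
            }
        }
        $results += New-Object PSObject -Property @{
            Host      = $h
            Resolves  = $resolves
            Addresses = ($addresses -join ', ')
            Covered   = $covered
            CertNames = ($sans -join ', ')
        }
    }
    $results
}

# Any row with Resolves=False or Covered=False is a URL that will still trigger
# the certificate prompt described in the question.
Test-ExchangeInternalUrl | Format-Table Host, Resolves, Addresses, Covered, CertNames -AutoSize
```

A row whose Host is still the internal server name shows which Set-*VirtualDirectory command was missed; a row that resolves but is not covered shows a name the certificate does not carry. Exchange 2010 also ships Test-OutlookWebServices, which exercises the same endpoints from the client side and is worth running once the table is clean.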
