Outlook 2007 security alert - Exchange 2010 CAS + SAN certificate

Post by RAM » Sat, 01 May 2010 03:55:38

Just installed my Exchange 2010 CAS servers and applied our new
certificate with 3 Subject Alternative Names (mail.domain.com,
autodiscover.domain.com, legacy.domain.com). This certificate was
applied on Monday.

Now I have 2 users (possibly more, but have only heard from these 2)
that report getting a Security Alert when opening Outlook 2007:

Information you exchange with this site cannot be viewed or changed by
others. However, there is a problem with the site's security

(green check) The security certificate is from a trusted certifying
(green check) The security certificate date is valid.
(red X) The name on the security certificate is invalid
or does not match the name of the site.

Do you want to proceed? [Yes] [No] [view certificate]

Clicking Yes gives same alert from CAS02 server.

Tried installing the certificate, to no avail.

Tried applying Outlook 2007 hotfix (KB968858) which is supposed to let
Outlook 2007 recognize SAN certificates; no good.

Tried applying SP2 for Office 2007; no good. (applying the above
hotfix after SP2 was installed gives "the update is already

I found a KB article (940726) that seems to describe this perfectly,
but I hesitate to modify the URLs for the appropriate Exchange 2010
components when this is only happening with 2 (reported) users. Why
wouldn't EVERYONE with Outlook 2007 have this problem if the cause is
some mis-named URLs on the servers?

Can anyone explain why this is happening (to only 2 users) and what I
need to do to get rid of their Security Alerts?

Thanks in advance.


Post by Ed Crowley » Sun, 02 May 2010 03:21:17

Your certificate doesn't have the server names as SANs. Check all the
internal (and external if necessary) virtual directory settings like in
Get-OABVirtualDirectory, Get-WebServicesVirtualDirectory,
Get-AutodiscoverVirtualDirectory, Get-ActiveSyncVirtualDirectory and
Get-ClientAccessServer (AutodiscoverServiceInternalUri property) and verify
that all are set to the URL hostnames and not the server hostnames and that
should fix it. Or you could add the DNS and NetBIOS names as SANs. Or you
could do both. Obviously adding the hostnames as SANs is easier if you're
using an internal certificate and you don't have to pay for the additional

Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
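
The check described in the reply above, as an added example that is not part of the original thread: it lists every configured URL whose hostname is not among the names on the certificate enabled for IIS. It assumes it is run in the Exchange Management Shell with rights to read the CAS configuration; `Test-NameOnCert` is a helper name made up for this example.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Written for PowerShell 2.0, which Exchange 2010 uses.

# Hypothetical helper: is $HostName covered by one of the certificate names?
function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry covers exactly one extra left-hand label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            $HostName.Substring($HostName.IndexOf('.')) -eq $n.Substring(1)) {
            return $true
        }
    }
    return $false
}

foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name

    # Names on the certificate(s) enabled for IIS on this CAS.
    $certNames = @(Get-ExchangeCertificate -Server $server |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_".ToLower() })

    # Virtual directories named in the reply above.
    $vdirs  = @(Get-OabVirtualDirectory -Server $server)
    $vdirs += @(Get-WebServicesVirtualDirectory -Server $server)
    $vdirs += @(Get-AutodiscoverVirtualDirectory -Server $server)
    $vdirs += @(Get-ActiveSyncVirtualDirectory -Server $server)

    # Each entry is a (setting name, URL) pair.
    $urls = @(,@('AutoDiscoverServiceInternalUri', $cas.AutoDiscoverServiceInternalUri))
    foreach ($v in $vdirs) {
        $urls += ,@("$($v.Name) InternalUrl", $v.InternalUrl)
        $urls += ,@("$($v.Name) ExternalUrl", $v.ExternalUrl)
    }

    foreach ($u in $urls) {
        if (-not $u[1]) { continue }   # URL not set on this directory
        $urlHost = ([uri]"$($u[1])").Host.ToLower()
        if (-not (Test-NameOnCert $urlHost $certNames)) {
            # Emit one row per URL that would trigger the name-mismatch alert.
            New-Object PSObject -Property @{ Server = $server; Setting = $u[0]; UrlHost = $urlHost }
        }
    }
}
```

Any row in the output is a URL that points clients at a name the certificate does not carry; no output means every configured URL matches a certificate name.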


Post by RAM » Wed, 05 May 2010 00:04:30

Ok - that's pretty much what the KB article said. So we'll go ahead
and change the URLs in Exchange/AD. Thanks.

I just don't understand why only a few users are seeing the security
alert and not ALL of us. Any idea or explanation for that?