I had a customer with an SBS 2008 server who called this past week to say that they were getting the following popup alert when starting up Outlook 2010:
The name on the security certificate is invalid or does not match the name of the site
I ran the Microsoft Remote Connectivity Analyzer to test Autodiscover for this customer. And sure enough, it was failing the test to validate the server name.
Certificate name validation failed. Host name xxx.com doesn’t match any name found on the server certificate.
The first article I reviewed was KB 940726. Although the title of this KB article indicates that it was written for Outlook 2007 and Exchange 2007, it is also applicable to Outlook 2010 and Exchange 2010. It covers how to change the internal URL for the Autodiscover service stored inside Exchange via Exchange PowerShell commands.
However, in my case, the PowerShell command Get-ClientAccessServer | fl showed that the AutoDiscoverServiceInternalUri field had the correct URL.
In talking with other MVPs, it appears that the issue may have to do with someone making changes to the domain name “A” or “CNAME”. I am still tracking that down.
But meanwhile, I was looking for a quick solution to at least suppress those popup alerts on a short-term basis, as I was going to be traveling for the next several days.
More research led me to this blog post from Tipst3r titled: “Turn off Autodiscover for Outlook”, which was a recommendation for adding a registry key called “Exclude ScpLookup”. I gave it a try, but it did not appear to work. Also, I wanted more information as to what this registry key did, and why.
So, on further searching, I found Microsoft’s KB 2212902 titled: “Unexpected Autodiscover behavior when you have registry settings under the \Autodiscover key”. This article listed seven different optional registry settings that one might create and use.
I started working with these options, and found that using the following three options (setting them to a value of “1”) would disable the “security certificate is invalid or does not match” popup window from appearing:
- ExcludeScpLookup
- ExcludeHttpsAutoDiscoverDomain
- ExcludeSrvRecord
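The three values above can be reported, applied and later removed per user with a short script. This is an added example, not code from the original post or from KB 2212902. It assumes the per-user Outlook 2010 location HKCU\Software\Microsoft\Office\14.0\Outlook\AutoDiscover, and the function names are hypothetical. Because the values make Outlook skip lookup methods rather than fix the certificate name mismatch, the script includes a removal step for when the DNS records are corrected.

```powershell
# Added example (not from the original post). Assumed location: the per-user
# Autodiscover key for Outlook 2010 (Office 14.0). Change the version number
# for other Outlook releases.
$KeyPath = 'HKCU:\Software\Microsoft\Office\14.0\Outlook\AutoDiscover'

# The three values the post sets to 1.
$Values = 'ExcludeScpLookup', 'ExcludeHttpsAutoDiscoverDomain', 'ExcludeSrvRecord'

function Get-AutodiscoverExclusion {
    # Report each value as it is now; an empty Value means "not present".
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($name in $Values) {
        $current = $null
        if ($props) {
            $p = $props.PSObject.Properties[$name]
            if ($p) { $current = $p.Value }
        }
        New-Object PSObject -Property @{ Name = $name; Value = $current }
    }
}

function Enable-AutodiscoverExclusion {
    # Create the key if it does not exist, then write each value as DWORD 1.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($name in $Values) {
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Disable-AutodiscoverExclusion {
    # Remove the workaround so Outlook uses every lookup method again.
    foreach ($name in $Values) {
        Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    }
}

# Read-only by default: show the current state for the logged-on user.
# Call Enable-AutodiscoverExclusion or Disable-AutodiscoverExclusion to change it.
Get-AutodiscoverExclusion | Format-Table Name, Value -AutoSize
```

Run it as the affected user, since the values live under HKEY_CURRENT_USER.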
I’m not one to generally implement a workaround. So part of this was just a desire to understand more what was going on “under the covers”, so to speak. I will be testing out making the recommended changes to the domain records later, but since I will be gone for a week, I did not want to make such changes at this time.