Topic Last Modified: 2009-06-15
The Microsoft Exchange Server Analyzer Tool queries the Server Certificate object in the Exchange server system to retrieve various properties on X509 certificates. For each Secure Sockets Layer (SSL) certificate found, the Exchange Server Analyzer evaluates the Principal attribute to identify the fully qualified domain name (FQDN) that was assigned to the certificate, for example, www.microsoft.com.
Microsoft Exchange Server Analyzer issues a warning when the Principal FQDN does not match the host address or URL. The certificate Principal mismatch warning means that users might not be able to connect to their mailboxes using Microsoft Office Outlook® Web Access for Exchange Server 2003, Outlook Anywhere for Exchange Server 2007, Exchange Server ActiveSync, and RPC over HTTP.
Symptoms of this issue include being repeatedly prompted for credentials when attempting to connect to Exchange Server and receiving the error, "An encrypted connection to your mail server is not available. Click Next to attempt using an unencrypted connection."
Note:
A server must have a server certificate when it runs an SSL protocol. As an option, the server can ask for the client's certificate. The server certificate contains the Web site name. The browser verifies that the Web site matches the name that was entered. For example, for a Web site named https://www.microsoft.com, the name of the certificate should be www.microsoft.com.
A mismatch may result if one of the following conditions is true:
- The certificate is accidentally applied to the wrong server.
- The client accesses data on a server through the wrong host URL when servers have more than one host name.
- Verify that the SSL certificate has been granted and applied to the correct host and, if not, replace the current certificate with a new one issued to the FQDN you entered as the Certificate Principal Name in the Exchange Proxy Settings in Outlook Anywhere. To review the FQDN entered in the Exchange Proxy Settings:
- On the Tools menu, click Account Settings, select the Exchange account, and then click Change.
- Click More Settings, and then click the Connection tab.
- Click Exchange Proxy Settings.
- Review the Only connect to proxy servers that have this principal name in their certificate check box for the correct FQDN.
- Use the Exchange Management Shell to modify the CertPrincipalName attribute as follows:
Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"
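The check the Analyzer performs, written out as an added PowerShell example (this is not code from the article or from the Exchange Server Analyzer Tool): Test-CertPrincipalMatch compares the name inside an msstd: principal with the names a certificate carries, and Get-CertificateDnsNames pulls those names (subject CN plus Subject Alternative Name DNS entries) from an X509Certificate2. The comparison is a literal case-insensitive match, which is consistent with the way Outlook Anywhere is configured for a wildcard certificate (the principal is written with the same wildcard, msstd:*.contoso.com). Both function names, the contoso.com host names and the sample name list are constructed for the example; the SAN parsing assumes the extension formats entries as "DNS Name=<host>", as it does on an English-locale Windows system.

```powershell
# Added example, not part of the original article: compare an Outlook Anywhere
# CertPrincipalName ("msstd:<FQDN>") with the names carried by a certificate.

function Get-CertificateDnsNames {
    # Collects the subject CN and every DNS entry of the Subject Alternative Name
    # extension from an X509Certificate2 (for example an item from Cert:\LocalMachine\My).
    # Assumption: the SAN extension formats entries as "DNS Name=<host>" (English locale).
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $names = New-Object System.Collections.Generic.List[string]

    if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') {
        $names.Add($Matches[1].Trim())
    }

    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names.Add($m.Groups[1].Value)
        }
    }

    return $names.ToArray()
}

function Test-CertPrincipalMatch {
    # Returns $true when the name in the msstd: principal equals one of the
    # certificate names. The match is literal (case-insensitive): a wildcard
    # certificate whose CN is *.contoso.com matches only a principal written as
    # msstd:*.contoso.com, not msstd:mail.contoso.com.
    param(
        [Parameter(Mandatory = $true)][string]$CertPrincipalName,
        [Parameter(Mandatory = $true)][string[]]$CertificateNames
    )

    if ($CertPrincipalName -match '^msstd:(.+)$') {
        $expected = $Matches[1].Trim()
    } else {
        throw "CertPrincipalName must have the form msstd:<FQDN>; got '$CertPrincipalName'"
    }

    foreach ($name in $CertificateNames) {
        if ($name.Trim() -ieq $expected) { return $true }
    }
    return $false
}

# Constructed sample data: the names a certificate issued to mail.contoso.com might carry.
$sampleCertNames = @('mail.contoso.com', 'autodiscover.contoso.com')

foreach ($principal in 'msstd:mail.contoso.com', 'msstd:owa.contoso.com') {
    $ok = Test-CertPrincipalMatch -CertPrincipalName $principal -CertificateNames $sampleCertNames
    if ($ok) {
        Write-Output "$principal : matches the certificate"
    } else {
        Write-Output "$principal : MISMATCH - Outlook Anywhere clients will fail the principal check"
    }
}

# On an Exchange 2007 server (not executed here), the same check against the live
# configuration, reading the EXPR provider the Set-OutlookProvider command above modifies:
#   $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*mail.contoso.com*' }
#   Test-CertPrincipalMatch -CertPrincipalName (Get-OutlookProvider EXPR).CertPrincipalName `
#                           -CertificateNames (Get-CertificateDnsNames -Certificate $cert)
```

When the function returns $false for the value stored on the EXPR provider, either the certificate on the Client Access server is the wrong one for that host or the CertPrincipalName needs to be set to the FQDN the certificate was actually issued to, which are the two conditions the article lists.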
This error can also occur when the Exchange Server Analyzer Tool detects recipient policies that apply to internal SMTP domains that no longer exist in Exchange. In this case, the Exchange Server Analyzer Tool issues the following message:
Certificate principal mismatch
To resolve this issue, you must delete the recipient policies that apply to SMTP domains that no longer exist or are no longer used.
For More Information
- For information about how to use certificates with virtual servers in Exchange Server 2003, see Microsoft Knowledge Base Article 823024, "How to Use Certificates with Virtual Servers in Exchange Server 2003" (http://go.microsoft.com/fwlink/?linkid=3052&kbid=823024).
- For information about how to use SSL and how to obtain and install server certificates, see "Configuring Exchange Server 2003 for Client Access" in the Exchange Server 2003 Client Access Guide (http://go.microsoft.com/fwlink/?LinkId=47568).
- For information about how to use SSL and how to obtain and install server certificates for Exchange Server 2007, see "How to Configure SSL for Outlook Anywhere" (http://go.microsoft.com/fwlink/?LinkId=80875).