"The name on the security certificate is invalid or does not match the name of the site" error in Outlook in a dedicated or ITAR Office 365 environment

Article translations Article translations
Article ID: 2772058 - View products that this article applies to.
Expand all | Collapse all

Symptoms

In a dedicated or International Traffic in Arms Regulations (ITAR) Microsoft Office 365 environment, a user receives a Security Alert dialog box that includes the following error message:

The name on the security certificate is invalid or does not match the name of the site.
For example, the Security Alert dialog box resembles the following:

Collapse this imageExpand this image
2820893


This issue may occur under the following circumstances:
  • The user tries to create a new profile in Microsoft Office Outlook.
  • The user tries to start a Microsoft Outlook client.
  • The issue occurs intermittently when the Outlook client is running.

If the user clicks Yes, the user can continue the operation. However, if the user clicks No, the Autodiscover lookup fails. The failure of the Autodiscover lookup prevents all the following features from working as expected:
  • Automatic creation of an Outlook profile by using Autodiscover
  • Out of Office (OOF) Assistant
  • Free/Busy information

Cause

Generally, this issue occurs when the URL that you are trying to access is not listed in either the Subject or the Subject Alternative Name (SAN) of the Secure Sockets Layer (SSL) certificate for the website. Although different organization's configurations may be slightly different, this issue generally occurs because the organization's Autodiscover Domain Name System (DNS) records are configured incorrectly.

Resolution


To resolve this issue, you may have to change your Autodiscover DNS records (internal, external, or both). However, these changes should not be taken lightly, because the Autodiscover feature may not function if DNS records are configured incorrectly.

Before you change the Autodiscover DNS records, you should understand how the Outlook client tries to locate the Autodiscover service. The Outlook client tries to locate the Autodiscover service by using the following fundamental order of operations. However, the step in which the Autodiscover service is located varies from deployment to deployment. This location depends on whether there is an on-premises solution in co-existence and what the specific on-premises email environment is (for example, an on-premises Microsoft Exchange Server, an on-premises Lotus Notes, or another environment).


The following table displays the fundamental order of operations for how the Outlook client locates the Autodiscover service:
Collapse this tableExpand this table
1
  1. The Service Connection Point (SCP) object - Internal connections only.
  2. Outlook client tries to locate an A Record for the URL that is returned by the SCP object.
2
  1. User's SMTP Domain. (For example, https://proseware.com)
  2. Outlook client tries to locate an A Record for the user's SMTP domain.
3
  1. User's SMTP domain is prepended with Autodiscover. (For example, https://autodiscover.proseware.com)
  2. Outlook client tries to locate an A Record for the URL that is appended with Autodiscover.
4
  1. Outlook client tries to locate a DNS service (SRV) Record for the Autodiscover service in the DNS zone that matches the user's SMTP domain. (For example, _autodiscover._tcp.proseware.com)
  2. The SRV record then returns another URL, for which some kind of resolvable record must exist, such as an A record or a CNAME record.
5Result If the Autodiscover service is not found by any of these methods, Autodiscover fails.
In summary, the Autodiscover service may be resolved by using either an A record, a CNAME record, or an SRV record. To determine which records are used currently, run the following commands at a command prompt or in Windows PowerShell:
  1. To locate an A record, run the following commands:
    1. nslookup
    2. Set Type = A
    3. Autodiscover.SMTPDomain.com
  2. To locate an SRV record, run the following commands:
    1. nslookup
    2. Set Type = SRV
    3. _autodiscover._tcp.SMTPDomain.com
In the following example, the Outlook client can locate the Autodiscover service by using the A record for the Autodiscover URL as described in step 3 in the previous table:
autodiscover.proseware.com
However, as we mentioned in the "Cause" section, this URL is not listed in the SAN of the SSL certificate that is used by the Autodiscover service. For example, see the following screen shot:

Collapse this imageExpand this image
2820894


To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Add the Autodiscover URL to the SAN of the Autodiscover site's SSL certificate (not the preferred method)

Although this method is technically workable, this is not the preferred method in the current service design because of the cost and labor that is involved in distributing the newly updated certificates. If this resolution method is the only workable solution, you should submit a Configuration Request (CR) to request that the SSL certificate be updated and deployed. However, the CR may be declined in favor of method 2 unless an exceptionally strong business justification is provided.

Method 2: Replace the existing A record by using an SRV record that points to a namespace that is already in the SAN of the SSL certificate (preferred method)

This is the preferred resolution method in the current service design because the existing SSL certificate does not have to be updated and deployed. According to the fundamental order of the operations that are listed earlier in this section, the organization may implement the new record by using a controlled and tested way to prevent outages of the Autodiscover service.

To resolve this issue, follow these steps:
  1. Create a new SRV record.

    The SRV record should be created in the DNS zone that matches the user's SMTP domain. The SRV record should have the following properties:
    • Service: _autodiscover
    • Protocol: _tcp
    • Port: 443
    • Host: URL for redirection. This URL may be the Outlook Web Access (OWA) URL because the resolved IP should be the same as the Autodiscover service. Additionally, this may vary from deployment to deployment.
  2. Before you remove the existing A record, the new SRV record should be tested by changing a user's host file to redirect the current A record to an invalid IP. This test can make sure that the new SRV record is working as expected before you deploy the new DNS records to the whole organization.

    Note When the SRV record is used by an Outlook client, the user may receive the following message that advises the user of the redirection that is about to occur. We recommend that the user click to select the check box for the Don't ask me about this website again option so that the message is not displayed again.

    Collapse this imageExpand this image
    2820895
  3. When the SRV record works as expected, you can remove the existing A record from DNS.

More information

For more information about the Autodiscover service, go to the following Microsoft TechNet website:

Understanding the Autodiscover Service

Properties

Article ID: 2772058 - Last Review: July 2, 2013 - Revision: 3.0
Applies to
  • Microsoft Business Productivity Online Dedicated
  • Microsoft Business Productivity Online Suite Federal
Keywords: 
vkbportal226 kbgraphxlink KB2772058

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com