A Certificate Principal Mismatch error may occur if one of the following conditions is true:
- The certificate has an incorrect common name.
- The client accesses data on a server by using an incorrect URL if the server has more than one DNS name.
- Obsolete or incorrect Accepted Domain entries exist on the Exchange Transport server.
When you use a SAN certificate, you receive the Certificate Principal Mismatch error if a mismatch occurs between the Principal (“Issued to”) name and the FQDN that clients use to access the resource.
To resolve the certificate name mismatch
- Determine the FQDN that the client uses to access the resource. For example, to verify the FQDN that is used by Outlook, follow these steps:
  - Start Microsoft Outlook.
  - On the Tools menu, click Account Settings.
  - Click the E-mail tab, click the Exchange account, and then click Change.
  - Click More Settings, and then click the Connection tab.
  - Click Exchange Proxy Settings.
  - Note the FQDN that is listed in the "Only connect to proxy servers that have this principal name in their certificate" box. For example, mail.techrid.com.
- Use the Exchange Management Shell to determine the value of the CertPrincipalName attribute as follows:
  This command returns the results for the EXPR name. For example, the command returns the following:
- Use the Exchange Management Shell to modify the CertPrincipalName attribute to match the FQDN that Outlook uses to access the resource. To do this, use the following command:
  Set-OutlookProvider EXPR -CertPrincipalName:"msstd:<FQDN the certificate is issued to>"
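The steps above (note the FQDN Outlook uses, read the current CertPrincipalName, set it if it differs) can be done in one pass from the Exchange Management Shell. The following script is an added example, not code from the original article; it assumes that $ExpectedFqdn holds the name you noted in Outlook's Exchange Proxy Settings and uses the real Get-OutlookProvider and Set-OutlookProvider cmdlets on the EXPR provider:

```powershell
# Added example: verify, and if needed correct, the CertPrincipalName of the
# EXPR Outlook provider so that it matches the FQDN Outlook connects to.
# Run this from the Exchange Management Shell.

# Assumption: this is the name shown in Outlook under "Only connect to proxy
# servers that have this principal name in their certificate" (placeholder value).
$ExpectedFqdn = 'mail.contoso.com'

# Outlook compares the value after the "msstd:" prefix with the certificate's
# subject ("Issued to") name, so the stored value must carry that prefix.
$ExpectedPrincipal = "msstd:$ExpectedFqdn"

$provider = Get-OutlookProvider EXPR
# Force a string conversion so an empty/unset value compares cleanly.
$currentPrincipal = "$($provider.CertPrincipalName)"
Write-Host "Current CertPrincipalName on EXPR: '$currentPrincipal'"

if ($currentPrincipal -ieq $ExpectedPrincipal) {
    Write-Host 'CertPrincipalName already matches the FQDN Outlook uses; no change needed.'
}
else {
    Write-Host "Mismatch: expected '$ExpectedPrincipal'. Updating EXPR provider..."
    Set-OutlookProvider EXPR -CertPrincipalName $ExpectedPrincipal

    # Read the value back to confirm the change was applied.
    Get-OutlookProvider EXPR | Format-List Name, CertPrincipalName
}
```

Outlook receives the EXPR settings through Autodiscover, so clients pick up the corrected value the next time they refresh their Autodiscover configuration rather than immediately.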
When you obtain a certificate for Exchange, it is best to use the externally-accessible DNS name as the Certificate Principal name. For example, use mail.contoso.com as the primary name of a SAN certificate.
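Whether the name Outlook uses is actually covered by the certificate can be checked from any client machine before touching the server configuration. The script below is an added example, not part of the original article: it opens a TLS connection to the host name Outlook uses ($Fqdn, a placeholder), reads the certificate the server presents, and checks that name against the certificate's subject name and its Subject Alternative Name entries. Test-NameCovered is a helper written for this example; it also handles a wildcard entry such as *.contoso.com (matching a single label only), which goes slightly beyond the article's text.

```powershell
# Added example: inspect the certificate an Exchange host presents and check
# whether the FQDN the client uses appears on it (Subject CN or SAN entry).
# Assumptions: $Fqdn is the name from Outlook's proxy settings (placeholder);
# the service answers TLS on port 443.
$Fqdn = 'mail.contoso.com'
$Port = 443

function Test-NameCovered {
    # Returns $true if $Name matches one of $CertNames exactly (case-insensitive)
    # or matches a wildcard entry like *.contoso.com for exactly one extra label.
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $Name) { return $true }
        if ($n.StartsWith('*.') -and $Name.EndsWith($n.Substring(1), 'OrdinalIgnoreCase')) {
            # The part of $Name in front of ".contoso.com" must be a single label.
            $prefix = $Name.Substring(0, $Name.Length - $n.Length + 1)
            if ($prefix.Length -gt 0 -and $prefix -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Get-ServerCertificate {
    # Connects with TLS and returns the leaf certificate the server sent.
    # The callback accepts any certificate so the mismatch can be inspected
    # here instead of being hidden behind a connection failure.
    param([string]$HostName, [int]$PortNumber)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $PortNumber)
    $accept = { param($sender, $certificate, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

$cert = Get-ServerCertificate -HostName $Fqdn -PortNumber $Port

# Collect every DNS name the certificate is valid for: the subject CN plus
# all entries of the Subject Alternative Name extension (OID 2.5.29.17).
$issuedTo = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$names = @($issuedTo)
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    # Format() yields text such as "DNS Name=mail.contoso.com, DNS Name=autodiscover.contoso.com"
    $names += ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}

Write-Host "Certificate issued to : $issuedTo"
Write-Host "Names on certificate  : $($names -join ', ')"
if (Test-NameCovered -Name $Fqdn -CertNames $names) {
    Write-Host "OK: '$Fqdn' is covered by the certificate."
}
else {
    Write-Host "MISMATCH: '$Fqdn' is not on the certificate; Outlook will report a Certificate Principal Mismatch."
}
```

If the script reports a mismatch, either the client is using a name that is not on the certificate (fix the URL or the CertPrincipalName as described above) or the certificate was issued with the wrong primary name and needs to be reissued with the externally-accessible DNS name.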
This error can also occur if the Analyzer tool detects Accepted Domain entries that apply to internal SMTP domains that no longer exist in Exchange.
To resolve this issue, you must delete the recipient policies that apply to SMTP domains that no longer exist or that are no longer used.
To view the accepted domains in Exchange
- Start the Exchange Management Console.
- Expand Organization Configuration, and then click the transport server role (for example, Hub Transport). For an Edge Transport server, click Edge Transport.
- In the details pane, click the Accepted Domains tab. Examine the entries that appear in the Accepted Domain list to determine whether any of them should be removed.
MCTS, MCITP | Exchange Server
Publisher @ Techrid.com