
Certificate Principal Mismatch

A Certificate Principal Mismatch error may occur if one of the following conditions is true:

The certificate has an incorrect common name.

The client accesses data on a server by using an incorrect URL if the server has more than one DNS name.

Obsolete or incorrect Accepted Domain entries exist on the Exchange Transport server.


When you use a SAN certificate, you receive the Certificate Principal Mismatch error if a mismatch occurs between the Principal (“Issued to”) name and the FQDN that clients use to access the resource.

To resolve the certificate name mismatch

  1. Determine the FQDN that the client uses to access the resource. For example, to verify the FQDN that Outlook uses for Outlook Anywhere, follow these steps:
     1. Start Microsoft Outlook.
     2. On the Tools menu, click Account Settings.
     3. Click the E-mail tab, click the Exchange account, and then click Change.
     4. Click More Settings, and then click the Connection tab.
     5. Click Exchange Proxy Settings.
     6. Note the FQDN that is listed in the Only connect to proxy servers that have this principal name in their certificate box. For example, mail.techrid.com.
  2. Use the Exchange Management Shell to determine the current value of the CertPrincipalName attribute:

     Get-OutlookProvider

     This command lists all Outlook providers; the one that matters for Outlook Anywhere is the EXPR entry, because its CertPrincipalName is what Autodiscover hands to Outlook. For example, the EXPR entry returns the following:

     msstd:server1.contoso.com

     If the value is empty, Outlook falls back to msstd:<Outlook Anywhere ExternalHostname>.
  3. Use the Exchange Management Shell to set the CertPrincipalName attribute to the name the certificate is issued to, which must be the FQDN that Outlook uses to access the resource:

     Set-OutlookProvider EXPR -CertPrincipalName "msstd:<FQDN the certificate is issued to>"

     Outlook picks up the new value on its next Autodiscover refresh, so the change is not immediate on running clients.
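The three values the procedure above compares by hand (the Outlook Anywhere host name, the EXPR CertPrincipalName and the name the IIS certificate is issued to) can be pulled and checked in one pass. The script below is an added example, not code from the original post or from Techrid; it runs in the Exchange Management Shell on an Exchange 2010 Client Access server and only uses Get-OutlookAnywhere, Get-OutlookProvider, Get-ExchangeCertificate and Set-OutlookProvider. The $ApplyFix switch is an illustrative name; without it the script only reports.

```powershell
# Added example (not from the original post): report, and optionally fix, a
# Certificate Principal Mismatch between Outlook Anywhere, the EXPR provider
# and the certificate bound to IIS. Run in the Exchange Management Shell.
# $ApplyFix is an assumed switch name; without it nothing is changed.
param([switch]$ApplyFix)

# 1. FQDN that Outlook uses to reach Outlook Anywhere (RPC over HTTP).
$oa   = Get-OutlookAnywhere | Select-Object -First 1
$fqdn = "$($oa.ExternalHostname)"

# 2. Effective EXPR principal name. When CertPrincipalName is empty, Outlook
#    uses "msstd:<ExternalHostname>" from the Autodiscover response.
$expr          = Get-OutlookProvider EXPR
$principal     = if ($expr.CertPrincipalName) { "$($expr.CertPrincipalName)" } else { "msstd:$fqdn" }
$principalHost = $principal -replace '^msstd:', ''

# 3. Certificate that IIS (and therefore Outlook Anywhere) presents.
$cert      = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$subjectCN = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })   # Subject CN plus SAN entries

Write-Host "Outlook Anywhere external host   : $fqdn"
Write-Host "EXPR CertPrincipalName (effective): $principal"
Write-Host "Certificate Issued-to (Subject CN): $subjectCN"
Write-Host "Certificate names (CN + SAN)      : $($certNames -join ', ')"

$problems = @()
# msstd: compares against the name the certificate is issued to, so this is
# the comparison that produces the Certificate Principal Mismatch error.
if ($principalHost -ne $subjectCN) {
    $problems += "msstd name '$principalHost' does not match the certificate's Issued-to name '$subjectCN'"
}
# A host name that is not in the certificate at all cannot be fixed by
# Set-OutlookProvider; the certificate or ExternalHostname has to change.
if ($certNames -notcontains $fqdn) {
    $problems += "Outlook Anywhere host '$fqdn' is not in the certificate; reissue the certificate or change ExternalHostname"
}

if ($problems.Count -eq 0) {
    Write-Host 'No certificate principal mismatch detected.'
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
    if ($ApplyFix -and $subjectCN) {
        Set-OutlookProvider EXPR -CertPrincipalName "msstd:$subjectCN"
        Write-Host "EXPR CertPrincipalName set to msstd:$subjectCN (clients pick it up on their next Autodiscover refresh)."
    }
}
```

Run it once without the switch to see the three names side by side; the only case the switch repairs is the one the post describes, a SAN certificate whose Issued-to name differs from the msstd value. If the Outlook Anywhere host is missing from the certificate entirely, the fix is a new certificate or a different ExternalHostname, and the script deliberately does not touch EXPR in that case.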


Note:

When you obtain a certificate for Exchange, it is best to use the externally-accessible DNS name as the Certificate Principal name. For example, use mail.contoso.com as the primary name of a SAN certificate.

This error can also occur when the Analyzer tool detects Accepted Domain entries for internal SMTP domains that no longer exist in Exchange.

To resolve this, delete the accepted domains, and the recipient (e-mail address) policies, that apply to SMTP domains that no longer exist or are no longer used.

To view the accepted domains in Exchange

  1. Start the Exchange Management Console.
  2. Expand Organization Configuration, and then click Hub Transport. On an Edge Transport server, click the Edge Transport node instead.
  3. In the details pane, click the Accepted Domains tab. Examine the entries in the Accepted Domain list to determine whether any of them should be removed.
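The console shows the list but not whether anything still depends on an entry. The script below is an added example, not code from the original post or from Techrid; it runs in the Exchange Management Shell and cross-references each accepted domain against the e-mail address policies and the proxy addresses of all recipients, then flags the entries that nothing uses. The $Remove switch is an illustrative name; even with it, Remove-AcceptedDomain is called with -WhatIf so nothing is deleted until you take that parameter off.

```powershell
# Added example (not from the original post): find accepted domains that no
# e-mail address policy and no recipient address still refers to, which are
# the candidates for Remove-AcceptedDomain. Run in the Exchange Management
# Shell. $Remove is an assumed switch name; -WhatIf keeps the call dry.
param([switch]$Remove)

# Domains referenced by any enabled address template, e.g. "SMTP:%g.%s@contoso.com".
$policyDomains = @(Get-EmailAddressPolicy |
    ForEach-Object { $_.EnabledEmailAddressTemplates } |
    ForEach-Object { ("$_" -replace '^.*@', '').ToLower() } |
    Sort-Object -Unique)

# All recipients once, rather than one directory query per domain.
$recipients = Get-Recipient -ResultSize Unlimited

foreach ($ad in Get-AcceptedDomain) {
    $domain   = "$($ad.DomainName)"                 # e.g. contoso.com or *.contoso.com
    $wildcard = $domain.StartsWith('*.')
    $base     = ($domain -replace '^\*\.', '').ToLower()

    # "*.contoso.com" covers every subdomain, so match "@x.contoso.com" as well.
    $pattern = if ($wildcard) { '[@.]' + [regex]::Escape($base) + '$' }
               else           { '@'    + [regex]::Escape($base) + '$' }

    $inUse = @($recipients | Where-Object {
        @($_.EmailAddresses | Where-Object { "$_" -match $pattern }).Count -gt 0
    }).Count
    $inPolicy = $policyDomains -contains $base

    if ($inUse -eq 0 -and -not $inPolicy -and -not $ad.Default) {
        Write-Warning "$domain ($($ad.DomainType)): no recipient addresses, no address policy - candidate for removal"
        if ($Remove) { Remove-AcceptedDomain -Identity $ad.Identity -WhatIf }
    }
    else {
        Write-Host "$domain ($($ad.DomainType)): $inUse recipient address(es), referenced by a policy: $inPolicy"
    }
}
```

The default accepted domain is never flagged, and relay domains (InternalRelay, ExternalRelay) will show zero recipients by design, so read the DomainType before removing one of those: a relay domain with no local recipients may still be routing mail to another system.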


Praveen Kumar

MCTS, MCITP| Exchange Server

Publisher @ Techrid.com
