The name on the security certificate is invalid or does not match the name of the site

Alexis Crawford 201 Reputation points
2020-07-29T14:18:21.747+00:00

Hello,

We are migrating Exchange 2013 to Exchange Online. We have 5 CAS servers. 1 of the CAS servers (Server05) is a hybrid Exchange server and it is not part of the DAG. It is strictly used to move mailboxes to the cloud.
The hybrid server has a self-signed certificate installed. All other CAS servers have mail.domain.com. Nslookup for mail.domain.com is pointing to our internal CAS servers with "mail.domain.com".
We did notice that when we changed the certificate binding in IIS to use the SAN certificate on the hybrid CAS server (Server05), some users experienced the Outlook popup window with a red X about a certificate mismatch:
"The name on the security certificate is invalid or does not match the name of the site"
How can I fix this problem? I would prefer to use the SAN certificate on Server05. Should I just add Server05 to our internal DNS to point to mail.domains.com?

Get-ClientAccessServer | fl Name,AutodiscoverServiceInternalUri

Name : Server01
AutoDiscoverServiceInternalUri : https://mail.domains.com/Autodiscover/Autodiscover.xml

Name : Server02
AutoDiscoverServiceInternalUri : https://mail.domains.com/Autodiscover/Autodiscover.xml

Name : Server03
AutoDiscoverServiceInternalUri : https://mail.domains.com/Autodiscover/Autodiscover.xml

Name : Server04
AutoDiscoverServiceInternalUri : https://mail.domains.com/Autodiscover/Autodiscover.xml

Name : Server05
AutoDiscoverServiceInternalUri : https://mail.domains.com/Autodiscover/Autodiscover.xml

Thanks,


Accepted answer
Andy David - MVP 142.2K Reputation points
2020-07-29T14:33:00.143+00:00

A couple of things. You MUST use a third-party cert on the servers that are used for the hybrid connections:
https://learn.microsoft.com/en-us/exchange/certificate-requirements

    When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers.

For the second question: you can "add in the internal DNS", yes, and if that SAN cert has the required subject names, that will work. Not sure what that means, if that is a load balancer or not, but I would make the "hybrid server" client URLs match the others and use the same cert as the others.


1 additional answer

Eric Yin-MSFT 4,386 Reputation points
2020-07-30T05:22:10.54+00:00

Can you clarify which URL is included in the self-signed certificate and the SAN certificate?
Is it a typo that you set the URL as mail.domains.com while your CAS server is mail.domain.com?
Click "View Certificate" and check whether the URL used by Autodiscover is listed in the SAN certificate (see screenshot).
Since the URLs listed in the existing certificate are hard to change, you can replace the existing A record with an SRV record that points to a namespace that is already in the SAN of the SSL certificate: https://support.microsoft.com/en-us/help/2772058/the-name-on-the-security-certificate-is-invalid-or-does-not-match-the
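Both answers come down to the same check Outlook performs before showing the red-X dialog: is the host name in the client URL (here the Autodiscover URL) one of the DNS names the server's certificate asserts? The script below is an added example, not code from the question, the answers, or Microsoft; it implements the RFC 6125 name-matching rules that TLS clients apply (case-insensitive, wildcard only as the whole leftmost label, wildcard covering exactly one label) and runs them against constructed sample certificate identities modelled on the thread: a self-signed cert issued to the server name and a purchased SAN cert for mail.domain.com. The certificate names, the `corp.local` suffix and the `names_from_peercert` input dict are all assumed sample data.

```python
"""Check whether a client URL's host name is covered by a certificate's DNS names.

Added example (not from the original thread). Certificate identities below are
constructed sample data, not real certificates.
"""
from typing import Iterable, List
from urllib.parse import urlparse

# Constructed sample identities: what each certificate in the thread would assert.
SELF_SIGNED_SERVER05 = ["Server05", "Server05.corp.local"]     # default self-signed cert
SAN_CERT = ["mail.domain.com", "autodiscover.domain.com"]       # purchased SAN cert


def _valid_pattern(labels: List[str]) -> bool:
    """Accept a certificate name only in the forms clients honour (RFC 6125)."""
    if any("*" in lbl and lbl != "*" for lbl in labels):
        return False                      # partial wildcards such as m*il.domain.com are rejected
    stars = [i for i, lbl in enumerate(labels) if lbl == "*"]
    if not stars:
        return all(labels)                # plain name: no empty labels
    # A wildcard is allowed only as the whole leftmost label and needs at least
    # two fixed labels after it, so *.domain.com is fine but *.com is not.
    return stars == [0] and len(labels) >= 3 and all(labels[1:])


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """Return True if `hostname` matches at least one DNS name on the certificate."""
    host = hostname.rstrip(".").lower().split(".")
    if not all(host):
        return False
    for name in cert_names:
        pattern = name.rstrip(".").lower().split(".")
        if not _valid_pattern(pattern) or len(pattern) != len(host):
            continue                      # a wildcard matches exactly one label, never zero or two
        if all(p == "*" or p == h for p, h in zip(pattern, host)):
            return True
    return False


def check_url(url: str, cert_names: Iterable[str]) -> bool:
    """Apply the check to the host part of a client URL such as the Autodiscover URL."""
    host = urlparse(url).hostname
    return host is not None and hostname_matches(host, cert_names)


def names_from_peercert(cert: dict) -> List[str]:
    """Collect DNS identities from a dict in the shape ssl.SSLSocket.getpeercert() returns.

    subjectAltName DNS entries are authoritative; the subject commonName is only
    a fallback for certificates that carry no SAN extension at all.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


if __name__ == "__main__":
    # Scenarios from the thread, evaluated the way Outlook would see them.
    autodiscover_url = "https://mail.domain.com/Autodiscover/Autodiscover.xml"
    typo_url = "https://mail.domains.com/Autodiscover/Autodiscover.xml"
    for label, url, names in [
        ("Server05 self-signed cert vs mail.domain.com", autodiscover_url, SELF_SIGNED_SERVER05),
        ("SAN cert vs mail.domain.com", autodiscover_url, SAN_CERT),
        ("SAN cert vs mail.domains.com (typo)", typo_url, SAN_CERT),
    ]:
        verdict = "OK" if check_url(url, names) else "MISMATCH (red-X dialog)"
        print(f"{label}: {verdict}")
```

The first and third scenarios both produce the dialog quoted in the question: a self-signed cert carries the server's own name, not mail.domain.com, and the mail.domains.com spelling in the Autodiscover URI does not match a cert issued for mail.domain.com, which is why the second answer asks whether that is a typo. Feeding `names_from_peercert` the dict from a verified `getpeercert()` call lets you run the same check against a live server's certificate.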