Author Topic: Outlook Anywhere - The name on the security certificate is invalid  (Read 6459 times)


  • Zen Monk
  • **
  • Posts: 52
  • Karma: +2/-0
    • View Profile
I have Zentyal 4.1 set up with OpenChange. Internal LAN computers can connect Outlook to the Zentyal server and mail in and out is OK. Webmail login from external computers also works fine. ActiveSync from Android and iPhone also works.

I am having problems getting Outlook Anywhere to connect.  The error is:

"There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site
Outlook is unable to connect to the proxy server. (Error Code 10)"

I think this has arisen because when setting up OpenChange I used "" as the virtual mail domain whereas it should have been "".
"" and "" are on two different servers with two separate external IP addresses. The Zentyal server is on the "". This is what I put into Outlook when setting up the remote connections. Outlook connects to the server but the cert has "" instead of "", hence the error.
In attempting to get over this, I have set up a second virtual domain on Zentyal called "". However, the cert still seems to be only referring to "". I also tried an alias in the virtual domain but to no avail.

Do I need to re-setup OpenChange and if so I presume I will lose all my data?
How do I tell OpenChange to use a different virtual mail domain?

Any suggestions as to how I might solve this?



  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #1 on: October 31, 2015, 03:48:04 pm »
I have the same problem. Can anyone help with this, please?


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #2 on: November 03, 2015, 04:10:32 pm »
Is there anyone who can help with this, please?
I've issued a new certificate for mail."mydomain". I still cannot connect to Outlook Anywhere. When I run the Exchange connectivity wizard I receive an error "Certificate name validation failed" listing the name on my authority certificate "mydomain", not mail."mydomain".
How can I change this?


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #3 on: November 16, 2015, 11:01:15 am »
I have been unable to sort this out and cannot connect using SSL. I'm sure I'm missing something and there's a simple solution to this. Can anyone help, please?


  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #4 on: November 16, 2015, 02:08:15 pm »

I would suggest opening the certificate and checking for which SANs it is a valid cert.


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #5 on: November 16, 2015, 09:36:29 pm »
Thank you for your reply.
What I would like to do is change the name on the certificate from "" to as I cannot connect with SSL.
I receive the following error when I run exchange connectivity wizard.

Testing the SSL certificate to make sure it's valid.
    The SSL certificate failed one or more certificate validation checks.
        Additional Details
    Elapsed Time: 487 ms.

        Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        Additional Details
    Remote Certificate Subject: CN=zentyal-domain.lan, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK, Issuer: CN=mydomain Authority Certificate, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK.
Elapsed Time: 466 ms.

    Validating the certificate name.
    Certificate name validation failed.
      Tell me more about this issue and how to resolve it

        Additional Details
    Host name doesn't match any name found on the server certificate CN=zentyal-domain.lan, O=mydomain, L=sUTTON COLDFIELD, S=Undefined, C=UK.
Elapsed Time: 0 ms.


  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #6 on: November 16, 2015, 10:12:19 pm »
I don't think just changing the certificate is the right way to go. The correct certificate should get generated if you set up Zentyal with the correct hostname and domain. Sure, you can just generate a new cert and install it, but there are almost certainly other things wrong. NB: changing stuff like the hostname and domain of the server will probably mean redoing the setup for OpenChange (email should be left in place but I'm not sure about calendar / contacts).

Basically your internal domain should be a subdomain of a real domain you own. Using something like zentyal.lan is bad because these days it's possible for TLDs like .lan to suddenly become active on the internet. If you use a subdomain of something you own you don't have to worry about this. Anyhow, if you have you might use I really wish the Zentyal documentation didn't use zentyal-domain.lan as an example or at least mentioned what you're supposed to use.

Next you need to make sure your hostname matches what you want your server to be seen as outside. So if you want to use you should make "mail" your hostname.

Provided you've got the domain and hostname of the server properly configured, Zentyal should automatically create the correct certificates.

When you're dealing with Microsoft stuff like domain controllers and Exchange, getting your DNS right from the start is absolutely critical.

Having said all this... I've only configured a single test server so far so don't shout at me too much if this is all dud advice  ;)

BTW to check the SANs (Server Alternate Name) on your certificate you can use this command from the terminal:
openssl s_client -connect your_mailserver:443 </dev/null | openssl x509 -noout -text | grep DNS:

Which will list something like:
« Last Edit: November 17, 2015, 02:02:16 am by cheesyking »


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #7 on: November 17, 2015, 10:48:45 pm »
Thank you. I've checked the cert as advised and I get this!
Can you advise how to repair?
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = mydomain, CN = zentyal-domain.lan
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=zentyal-domain.lan
i:/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=mydomain Authority Certificate
Server certificate
subject=/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=zentyal-domain.lan
issuer=/C=UK/ST=Undefined/L=SUTTON COLDFIELD/O=mydomain/CN=mydomain Authority Certificate
No client certificate CA names sent
SSL handshake has read 1813 bytes and written 421 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7348AC0F4D3E18EC40B82670F0F12FC7EFC84BF53EC87C51F616CC351D273781
Master-Key: A69A96B7C650CD2F20AF34DEE53EDEE77F7F1E234F4EA02407BFF54035F73D480257BBF8E4286EAC974FE55899D6FDA8
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1447780445
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

« Last Edit: November 18, 2015, 10:44:50 pm by avfccolin »


  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #8 on: November 19, 2015, 02:24:06 am »
That doesn't look like the output of the command I gave you.

Code:
openssl s_client -connect your_mailserver:443 </dev/null | openssl x509 -noout -text | grep DNS:

Basically if you set up your server's hostname and domain properly and rerun the setup of OpenChange I think you should get the correct certificates automatically generated. (I also seem to remember that if you change the hostname and domain of the server the OpenChange setup has to be rerun anyway.)
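
An added example, not part of any post in this thread and not Zentyal's code: the name check that the Outlook and Connectivity Analyzer errors above describe, applied to the output of `openssl x509 -noout -text`. The function names, the sample certificate text and `mail.example.org` are constructed for illustration, and the wildcard handling goes beyond the case discussed in the thread.

```shell
# Constructed sample of `openssl x509 -noout -text` output, trimmed to the
# relevant lines. The SAN values are made up for this example.
SAMPLE_CERT_TEXT='        Subject: C = UK, O = Example, CN = zentyal-domain.lan
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:zentyal-domain.lan, DNS:*.zentyal-domain.lan'

# list_sans: certificate text on stdin -> one lower-cased dNSName per line.
# Reads only the line after the SAN header, not DNS: in other extensions.
list_sans() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' |
        tr '[:upper:]' '[:lower:]'
}

# name_matches HOST PATTERN: exact match, or a wildcard standing for exactly
# one left-most label (*.a.b covers x.a.b but not a.b or y.x.a.b).
name_matches() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    pattern=$2
    [ "$host" = "$pattern" ] && return 0
    case $pattern in
        '*.'*)
            suffix=${pattern#\*}        # e.g. ".zentyal-domain.lan"
            label=${host%"$suffix"}     # what the "*" would have to cover
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case $label in *.*) return 1 ;; esac
            return 0 ;;
    esac
    return 1
}

# cert_covers HOST: certificate text on stdin; exit 0 if any SAN matches.
cert_covers() {
    sans=$(list_sans)
    while IFS= read -r san; do
        name_matches "$1" "$san" && return 0
    done <<EOF
$sans
EOF
    return 1
}

# mail.example.org stands in for the external name typed into Outlook.
for h in zentyal-domain.lan mail.zentyal-domain.lan mail.example.org; do
    printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_covers "$h" &&
        echo "$h: covered by a SAN" || echo "$h: no SAN matches (name mismatch)"
done
```

Against a live server, pipe `openssl s_client -connect your_mailserver:443 </dev/null 2>/dev/null | openssl x509 -noout -text` into `cert_covers` with the name the client will use; a non-zero exit corresponds to the "name on the security certificate is invalid" error.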


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #9 on: November 26, 2015, 04:03:09 pm »
I've configured a new server as you suggested with a domain "" and a hostname "mail".
The SAN is then and still does not match. What am I missing here?


  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #10 on: November 26, 2015, 05:28:22 pm »
I'm not too sure then. I'll try setting up another server myself in a VM and see what happens.


  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #11 on: November 26, 2015, 06:00:39 pm »
Just ran through the setup again in a VM and it worked as I expected. The SANs on the cert are and which is correct.

Here is what I entered in the setup:



Mail Domain:
(NB by default the installer wants this to be "" and you have to change this)

First Organisation:

That's it.

Can you set up a VM so you can go through the install process quickly (maybe do a snapshot after the first reboot and before starting the package installation of domain services, mail, groupware etc)?

If you hover your mouse over the "Access Webmail" link on the openchange page does the domain in the URL match properly like they do in that image?


  • Zen Apprentice
  • *
  • Posts: 27
  • Karma: +0/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #12 on: November 30, 2015, 05:08:32 pm »
Yes, that is all as described.
This is the output from the command to check the SAN:
oadmin@mail:~$ openssl s_client -connect | openssl x509 -noout -text |grep DNS:
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN =
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = UK, ST = Undefined, L = SUTTON COLDFIELD, O = First Organization, CN =
verify error:num=21:unable to verify the first certificate
verify return:1


  • Zen Warrior
  • ***
  • Posts: 148
  • Karma: +1/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #13 on: November 30, 2015, 07:41:47 pm »
Well I'm sure it's something silly rather than anything else. Here's a video I made going through an install that gets the right SANs in the certificates.

Hope it helps


  • Zen Monk
  • **
  • Posts: 52
  • Karma: +2/-0
    • View Profile
Re: Outlook Anywhere - The name on the security certificate is invalid
« Reply #14 on: January 20, 2016, 03:06:34 pm »
This relates to connecting Outlook locally but follows on from the above post.
I have set up Zentyal on a virtual following exactly as described in the previous post and video.
I have checked the cert as suggested and the DNS refers to and
I have installed the cert into the trusted root in Windows 7.
I am using the Zentyal machine for DNS and it pings correctly for and

I set up the mail in Outlook as
Name **********
Email   username
Password *******

It pops up a dialog box asking me to log in.

I try       lan,\myusername
and password  **********

But it just keeps popping up the same log in dialogue.

I have tried numerous options to no avail.

Any suggestions as to how I can get this to work would be much appreciated.
