Best Practice Analyzer error message with wildcard certificate
Running Exchange 2007 SP1 with rollups 1-9. Our Exchange 2007 Best Practice Analyzer has this error message:

Certificate SAN mismatch
The subject alternative name (SAN) of SSL certificate for https://owa.domain.com/autodiscover/autodiscover.xl does not appear to match the host address. Host address: owa.domain.com. Current SAN: DNS Name=*.domain.com, DNS Name=domain.com

There are two other error messages, exactly the same, for https://owa.domain.com/owa and for https://server.domain.com/Microsoft-Server-ActiveSync. Interestingly enough, we don't have any issues with OWA, Autodiscover or our handhelds. We've been running on our new certificate for well over a month now. Can anyone shed any light on this? Is it just a glitch in the analyzer not acknowledging "*" as a wildcard?
August 7th, 2009 11:46pm

Could you please run Get-ExchangeCertificate | fl and see if the certificates are recognized properly?

Vinod | CCNA | MCSE 2003 + Messaging | MCTS | ITIL V3
August 10th, 2009 1:04pm

I've seen ExBPA flag on that in the past on SAN certs despite the fact they were working correctly.
August 10th, 2009 4:27pm

It occurred to me that I also activated this certificate using the IIS Management UI for the OWA site rather than the Exchange Shell. FYI.
August 10th, 2009 6:56pm

Below is the output from the command. We are currently not using IMAP or POP. Would the SMTP running on a different cert cause this?

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.domain.com, domain.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=xxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 5/26/2012 11:14:02 AM
NotBefore : 6/16/2009 1:53:26 PM
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : xxxxxxxxxx
Services : IIS
Status : Valid
Subject : CN=*.domain.com, OU=Corporate, O="organization", L=Seattle, S=WA, C=US
Thumbprint : xxxxxxxxxxxxxxxxxxxx

-----------------------------------------------

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.domain.com, www.owa.domain.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : SERIALNUMBER=yyyyyyyyy, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
NotAfter : 4/9/2010 6:41:15 PM
NotBefore : 4/9/2008 6:41:15 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : yyyyyyyyyy
Services : SMTP
Status : Valid
Subject : CN=owa.domain.com, OU=Domain Control Validated, O=owa.domain.com
Thumbprint : yyyyyyyyyyyyyyyyyyyyyyyyyy

-----------------------------------------------

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {serverhostname, serverhostname.domain.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=serverhostname
NotAfter : 4/25/2008 11:29:51 AM
NotBefore : 4/25/2007 11:29:51 AM
PublicKeySize : 2048
RootCAType : Unknown
SerialNumber : zzzzzzzzzzzzzzzzzzzzz
Services : IMAP, POP, SMTP
Status : Invalid
Subject : CN=serverhostname
Thumbprint : zzzzzzzzzzzzzzzzzzzzz
August 10th, 2009 6:57pm

Andy has already said it: if you are being prompted about the principal name mismatch for a wildcard certificate, it is just okay. There is nothing wrong with it unless your Outlook Anywhere or EAS is broken. In either of the stated cases it may not be a problem with the wildcard certificate though. I have seen that prompt several times on a perfectly working Exchange CAS box and all clients still work absolutely fine. If at all it's a problem for any of the clients, it has already been addressed by MS in http://technet.microsoft.com/en-us/library/cc535023.aspx

Milind Naphade | MCTS:M | http://www.msexchangegeek.com
August 11th, 2009 1:38am

Hi,

Since we are using a wildcard certificate, this error can be ignored. It is a generic error and we don't have to worry about that.

Regards,
Xiu
August 11th, 2009 10:15am
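The replies above say the ExBPA warning can be ignored for a wildcard certificate because real TLS clients accept `*.domain.com` for `owa.domain.com`. The following is an added example written for this thread (not ExBPA's or Microsoft's code) that applies the wildcard name-matching rule clients use (RFC 6125 section 6.4.3, in the strict one-label form) to the three URLs from the BPA errors and the three certificates from the posted Get-ExchangeCertificate output. The certificate values are transcribed from that output, with the thumbprints kept as redacted there; the full Autodiscover path and the 2009-08-10 "as of" date are assumptions.

```python
"""Check the ExBPA "Certificate SAN mismatch" URLs against the certificates that
Get-ExchangeCertificate listed, using the wildcard rule TLS clients apply.

Added example for this thread; not Microsoft's or ExBPA's code. Certificate
values are transcribed from the posted output (thumbprints as redacted there);
the Autodiscover path and the AS_OF date are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse


def san_matches(san: str, host: str) -> bool:
    """True if one dNSName SAN entry covers host.

    Strict RFC 6125 section 6.4.3 behaviour, as most clients implement it:
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire left-most label ("*.domain.com");
      partial-label forms such as "o*.domain.com" are rejected
    - the wildcard stands for exactly one label, so "*.domain.com" covers
      "owa.domain.com" but neither "domain.com" nor "mail.owa.domain.com"
    - "*" and "*.com" are rejected (too few labels right of the wildcard)
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if any("*" in label for label in san_labels[1:]):
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


@dataclass
class ExchangeCert:
    """The Get-ExchangeCertificate fields that matter for this check."""
    thumbprint: str
    domains: list        # CertificateDomains: subject CN plus SAN dNSName entries
    services: set        # Services the cert is enabled for (IIS, SMTP, POP, IMAP)
    not_after: datetime  # NotAfter
    self_signed: bool    # IsSelfSigned


def certs_for_url(certs, url, service="IIS", now=None):
    """Thumbprints of certs enabled for `service`, unexpired at `now`, not
    self-signed (clients would not trust them), whose domains cover the URL host."""
    now = now or datetime.now()
    host = urlparse(url).hostname
    return [
        c.thumbprint
        for c in certs
        if service in c.services
        and c.not_after > now
        and not c.self_signed
        and any(san_matches(d, host) for d in c.domains)
    ]


# Transcribed from the thread's "Get-ExchangeCertificate | fl" output.
CERTS = [
    ExchangeCert("xxxxxxxxxxxxxxxxxxxx", ["*.domain.com", "domain.com"], {"IIS"},
                 datetime(2012, 5, 26, 11, 14, 2), self_signed=False),
    ExchangeCert("yyyyyyyyyyyyyyyyyyyyyyyyyy", ["owa.domain.com", "www.owa.domain.com"],
                 {"SMTP"}, datetime(2010, 4, 9, 18, 41, 15), self_signed=False),
    ExchangeCert("zzzzzzzzzzzzzzzzzzzzz", ["serverhostname", "serverhostname.domain.com"],
                 {"IMAP", "POP", "SMTP"}, datetime(2008, 4, 25, 11, 29, 51), self_signed=True),
]

# The three URLs ExBPA complained about; the full Autodiscover path is assumed.
BPA_URLS = [
    "https://owa.domain.com/Autodiscover/Autodiscover.xml",
    "https://owa.domain.com/owa",
    "https://server.domain.com/Microsoft-Server-ActiveSync",
]

AS_OF = datetime(2009, 8, 10)  # assumed: the date of the thread


def report(certs=CERTS, urls=BPA_URLS, now=AS_OF):
    """Map each ExBPA URL to the IIS-enabled certificates that cover its host."""
    return {url: certs_for_url(certs, url, "IIS", now) for url in urls}


if __name__ == "__main__":
    for url, found in report().items():
        state = "covered by " + ", ".join(found) if found else "NO MATCHING IIS CERTIFICATE"
        print(f"{url}: {state}")
```

Run as-is, all three URLs resolve to the wildcard certificate bound to IIS, which is why OWA, Autodiscover and ActiveSync keep working despite the BPA message. The same function also shows what a wildcard does not buy you: `*.domain.com` does not cover the bare `domain.com` (hence the separate `domain.com` SAN entry on this certificate) nor a two-level name such as `mail.owa.domain.com`, so a host of that shape would be a real mismatch, not an analyzer glitch.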

This topic is archived. No further replies will be accepted.
