When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:
When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”
So the million dollar question? Why the error?
Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. That purpose is to let us use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communications Certificate. You can read more about these certificates in one of my other articles here.
So let's say we have a simple regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS. We just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:
Get-ExchangeCertificate
Thumbprint Services Subject
---------- -------- -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W CN=mail.shudnow.net.com
What I did was enable the new certificate for every available service by using the following command:
Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9
The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.
Get-ClientAccessServer -Identity CASServer | FL
AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml
See the issue here? We are not using a UC certificate that contains the names "casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net". Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match a name on your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalUri by using the following command:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
We now need to go configure all the InternalURLs for each web distributed service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.
Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.
You can run the following commands to fix your internalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB
Note: You must ensure that you enable SSL on the OAB directory in IIS, which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.
Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False
Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.
Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-ActiveSync
Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true
Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services Virtual Directory.
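As an added diagnostic (example code, not from the original article), here is a script that gathers every URL Outlook can be handed for one CAS and checks each hostname against the names on the certificate IIS is using, which is exactly the mismatch behind the error above. It assumes you run it in the Exchange Management Shell on the CAS being checked (Get-ExchangeCertificate reads the local server), uses only the cmdlets shown in the article plus Get-OutlookAnywhere, and $CasServer is a placeholder for your own CAS name; it also goes beyond the article by handling a *.domain.com wildcard name.

```powershell
# Added example, not from the original article: audit the names Outlook will be
# handed for one CAS against the names on the certificate enabled for IIS.
# Assumptions: runs inside the Exchange Management Shell on the CAS being checked
# (Get-ExchangeCertificate reads the local server), and $CasServer is a placeholder
# for your own CAS name, not a value taken from the article.
param(
    [string]$CasServer = $env:COMPUTERNAME
)

# True when $HostName is covered by one of the certificate's DNS names.
# A wildcard entry such as *.domain.com matches exactly one extra label
# (mail.domain.com yes, a.mail.domain.com no), which is how clients treat it.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $HostName = $HostName.ToLower()
    foreach ($name in $CertNames) {
        $name = $name.ToLower()
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                          # ".domain.com"
            $sameDepth = $HostName.Split('.').Length -eq $name.Split('.').Length
            if ($HostName.EndsWith($suffix) -and $sameDepth) { return $true }
        }
    }
    return $false
}

# Names (CN plus subject alternative names) on every certificate enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() } |
    Sort-Object -Unique)

if ($certNames.Length -eq 0) {
    Write-Warning "No certificate is enabled for the IIS service; run Enable-ExchangeCertificate first."
}

# Print one verdict line per URL. Empty URLs are reported but not treated as errors.
function Write-UrlCheck {
    param([string]$Source, $Url)
    if (-not $Url) {
        "{0,-8} {1}  (not set)" -f 'INFO', $Source
        return
    }
    $checkedHost = ([uri]$Url.ToString()).Host
    if (Test-CertNameMatch -HostName $checkedHost -CertNames $certNames) {
        "{0,-8} {1}  -> {2}" -f 'OK', $Source, $Url
    } else {
        "{0,-8} {1}  -> {2}  (host '{3}' is not on the certificate)" -f 'MISMATCH', $Source, $Url, $checkedHost
    }
}

"Certificate names enabled for IIS: " + [string]::Join(', ', $certNames)

# The URI Outlook queries first; this is what Set-ClientAccessServer changes.
$cas = Get-ClientAccessServer -Identity $CasServer
Write-UrlCheck 'AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri

# Every web-distributed service the article sets InternalUrl/ExternalUrl on.
$vdirs = @(Get-WebServicesVirtualDirectory -Server $CasServer) +
         @(Get-OABVirtualDirectory -Server $CasServer) +
         @(Get-OwaVirtualDirectory -Server $CasServer) +
         @(Get-ActiveSyncVirtualDirectory -Server $CasServer)
# Get-EcpVirtualDirectory exists only on Exchange 2010; skip it on 2007.
if (Get-Command Get-EcpVirtualDirectory -ErrorAction SilentlyContinue) {
    $vdirs += @(Get-EcpVirtualDirectory -Server $CasServer)
}
foreach ($vdir in $vdirs) {
    Write-UrlCheck "$($vdir.Identity) InternalUrl" $vdir.InternalUrl
    Write-UrlCheck "$($vdir.Identity) ExternalUrl" $vdir.ExternalUrl
}

# Outlook Anywhere publishes a bare hostname rather than a URL, so wrap it.
$oa = Get-OutlookAnywhere -Server $CasServer -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) {
    Write-UrlCheck 'OutlookAnywhere ExternalHostname' "https://$($oa.ExternalHostname)/"
}
```

Each MISMATCH line names the virtual directory, so the Set-*VirtualDirectory command from the article that fixes it follows directly; remember to also check that each reported hostname resolves in DNS to the CAS.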
I've run into this problem, post-2010 SP3 update. Strange thing about this is that it only affects 5 computers throughout the enterprise. I've tried adding the certificate to the individual computers' trusted certs directory to no avail. Thoughts?
I just can't seem to make this work. I've repeated the above steps; but I'm clearly missing something…
internal server name = server2k8.domain.local
external URL = mail.domain.com
UCC Cert is in place for domain.com with alternate names of mail and autodiscover.domain.com (Outlook Anywhere is working properly for mobile devices)
I also have a Cisco PIX 501 firewall that does not allow hairpinning. (Not sure if this is my issue or not.)
Outlook 2010 and Outlook 2007 continue to get the security mismatch alert message.
YOU ARE MY HERO!!!!!!!
Thank you for this fix! Saved me a lot of time!
Thank you so much…. Worked for me as well….
Thank you for the article. In summary this is what I did to fix my issue:
1. Ran the command from the Exchange server powershell: Get-WebServicesVirtualDirectory | fl *url*
The result of the command was:
InternalNLBBypassUrl : https://ex1.company.com/ews/exchange.asmx
InternalUrl : https://ex1.company.com/EWS/Exchange.asmx
ExternalUrl : https://mail.company.com/ews/exchange.asmx
2. Ran this command:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.company.com/ews/exchange.asmx"
3. iisreset
4. Waited for 60 seconds; everything is all good now.
5. Make sure there is a mail.company.com A or CNAME record in DNS.
This article saved me a crap-ton of work. I had resigned to just doing a domain change to make things uniform with our website/ftp domain… but after looking into it and the complications brought on by having Exchange in the mix, I was relieved to find this and solve the issue in five minutes. My hat is off to you, sir.
So why *must* I enable SSL on the OAB directory? Does that form part of the solution, or is just a recommendation over and above what is required?
Not a requirement. The reason it's off by default is OAB download uses the BITS protocol which does not support self-signed certs. And because Exchange uses a self-signed cert by default, the OAB virtual directory is configured to use http://. But because you're replacing the self-signed cert with a CA-signed certificate, it's recommended to change http:// to https://.
This resolved for me too, thanks for the trouble.
My problem is that I was adding a network connection and was on the wrong line and accidentally erased my security certificate number. I called my Outlook Express dial-up service and they said it was a Microsoft problem. The following message comes up every time I log on to Outlook Express before any e-mails come through: "The server you are connected to is using a security certificate that can not be verified. The certificate's CN name does not match the passed value. Do you still want to use this server?" I check yes and everything goes OK. My big problem is when I order things online the companies do not want to deal with a security certificate that can not be verified. Please help!
@elanshudnow
I am having this same issue but really am stumped.
When I run the Get-ClientAccessServer -Identity "ServerName" | FL
I get the following:
AutoDiscoverServiceInternalUri : https://access.dabbsco.com/Autodiscover/Autodiscover.xml
My assigned certificate includes: access.dabbsco.com and autodiscover.dabbsco.com and sbs08 (local server name)
When I open outlook I get that certificate request pop up and it refers to "sites" as the certificate mismatch. I have no idea where "sites" is coming from but I do see it in the binding of IIS.
Please advise if you can.
Check all the other services.
Get-WebServicesVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
Get-OABVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
Get-OWAVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
Get-ECPVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
Get-ActiveSyncVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
When I run these commands I get
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
Get-WebServicesVirtualDirectory : The operation could not be performed because object 'SBS08.dcc.local' could not be found on domain controller 'SBS08.DCC.local'.
At line:1 char:32
+ Get-WebServicesVirtualDirectory <<<< -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
+ CategoryInfo : InvalidData: (:) [Get-WebServicesVirtualDirectory], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : B0B185CC,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDirectory
Because that's the wrong -Identity. Look at my original post and you'll see the format.
Ok, so when I ran that first one it was
Get-ClientAccessServer -Identity SBS08| FL
which gave me results, I am doing the same with the new commands, am I totally missing something
Isn't this the same? Get-ActiveSyncVirtualDirectory -Identity SBS08 | FL
Got this to run:
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
InternalUrl : https://sites/EWS/Exchange.asmx
ExternalUrl :
Now I see where that SITES is coming from, now just to change it…..
Not sure what it needs to be.
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
InternalUrl : https://sites/EWS/Exchange.asmx
ExternalUrl :
[PS] C:\Windows\system32>Get-OABVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
InternalUrl : https://sbs08/OAB
ExternalUrl :
[PS] C:\Windows\system32>Get-OWAVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
InternalUrl : https://sbs08/owa/
ExternalUrl :
InternalUrl :
ExternalUrl :
InternalUrl :
ExternalUrl :
InternalUrl :
ExternalUrl :
InternalUrl :
ExternalUrl :
[PS] C:\Windows\system32>Get-ECPVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
The term 'Get-ECPVirtualDirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:24
+ Get-ECPVirtualDirectory <<<< | fl SBS08, InternalUrl, ExternalUrl
+ CategoryInfo : ObjectNotFound: (Get-ECPVirtualDirectory:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
[PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
InternalUrl : https://sbs08/Microsoft-Server-ActiveSync
ExternalUrl :
[PS] C:\Windows\system32>
Thank you!!! I have been looking for this solution all over the Internet but could not find any clear instructions – even from Microsoft. Great article!
Hi,
I'm having an issue running the commands on the exchange console. When I try to execute any of the commands I get the following error:
Set-ClientAccessServer : Active Directory operation failed on [server name]. This error is not retriable. Additional information: Directory object not found.
Anyone have any idea what could be causing this?
I managed to resolve this issue but users are still getting the error even after making the changes needed, is there anything else I could be missing?
Dan C, sometimes the changes are not picked up until you reset the IIS Application Pools. Give that a shot. The only time you'd get the certificate error is what is caused by the above. So if you are still getting the error, even after resetting the application pools, you may want to give MS Support a call.
Excellent step-by-step. Hit the nail on the head for fixing my issue. Thank you!
Elan, I have installed the SAN certificate on our exchange 2007 server and enabled it. and assigned services. I have a few different names associated with this certificate, of course.
when I do a ‘get-exchangecertificate’ in the shell, it only shows the common name of the SAN certificate in the output? should it show all of the names that are associated with the SAN cert? there are two other subject alternative names listed on the cert.
Thanks.
Do a Get-ExchangeCertificate | Format-List
Or the short version:
Get-ExchangeCertificate | FL
In all the output, you'll see the SAN fields.
We have installed a wildcard certificate on the 2010 Exchange server, so it shows up as *.domain.com when you do a 'get-exchangecertificate' command. Apparently I am unable to enter this as the FQDN for the Set-ClientAccessServer command; I get a 'cannot convert value' error. How can this be done with a wildcard certificate?
Thanks.
That's because *.domain.com is not an FQDN. You need to enter an actual FQDN using Set-ClientAccessServer.
Incredible. I've spent days researching this issue and your simple words of wisdom resolved it. Shame about my hair loss though!
It's clear that Microsoft is pushing down the larger path with UC integration (i.e. telephony on the desktop), but why didn't they give us poor admins the choice, either at installation or at least with a simple GUI click option in the Manager…
Ya, it is a bit confusing for admins trying to migrate on their own to Exchange 2007 or Exchange 2010 and wanting to use the same certificate. Exchange 2010 allows you to now set your ExternalURLs during a CAS installation but that still doesn't change your InternalURLs or your AutodiscoverServiceInternalURI. So there is still some complexity involved post-install with setting up the CAS the way you want and not getting certificate errors on the client side. Glad you found the article helpful.
It was time to renew my certificate. I didn't want to have the cert include our internal CAS name or the names of our Exchange servers. So I ordered a new cert with just mail.domainname.com and autodiscover.domainname.com.
I assigned the cert upon receiving it and received the message above when I launched my Outlook client. I updated the internal URLs to match the CN (https://mail.domainname.com). The cert message disappeared. YEAH!!
BUT now Outlook clients cannot get into their Out of Office settings. You can if you go in via OWA though.
Error message is: Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.
I removed and recreated the EWS application in IIS. (Which BTW was a gong show, as it failed when I tried recreating it via the Exchange Management Shell. I recreated it (and the related Application Pool) manually.)
All is back to what it was: error in OOF via the Outlook client, but OOF works via OWA.
What am I missing here? It's got to be something SIMPLE.
Please help! Does it reference the old SSL cert somewhere internally?
Single Server? If so, try Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://mail.domain.com/ews/exchange.asmx -ExternalURL https://mail.domain.com/ews/exchange.asmx
Hi, I have the same problem. Then I found the MS Article ID 940726 and ran the same commands. When I check the AutoDiscoverServiceInternalUri the URL is correct, but I get the same message when I run Outlook 2010. From outside it works fine.
Any help?
Sometimes you also have to restart the Autodiscover application pool within IIS after changing it. Give that a shot.
Is there an easy way to simply disable ALL secure transmissions? My users are all internal in a company that has no need for any security, so I’d rather leave the whole thing clear than bother trying to fix the annoyance of having the certificate errors pop up. Is this possible?
Thanks Elan for your post, but I need some more help.
I'll try to describe the problem. Everybody at the office is logged on to wSBS2008 and the problem comes when we start Outlook:
– All the users are asked to enter their password, which is refused when connecting to remote.xxxx.com
– Then, if we cancel, the autodiscover.xxxx.com certificate appears with the error that you mention.
– When I do Get-ExchangeCertificate I get 22 certificates and I'm lost.
And even more, our internal domain name is different from our external domain name.
So if you can help I'd really appreciate it, because the person who began this cannot be located.
Great tutorial, thanks for the solution!
Maikel
Excellent article !
Sorry, I must be dumb, as I cannot figure out what I need to do. Same issue as everyone: I have a CAS array with 2 servers (CAS, DAG/transport) and a load balancer. Installed a Verisign certificate on both servers for outside OWA access. All working good; however Outlook 2007 keeps complaining about the OWA certificate. The Outlook profile is set up for Exchange with the name of the CAS array. We are using public folders.
Do I have to change all my internal URLs to the external one that matches my OWA certificate? The name on it resolves to its external IP address. Do I also need to hard code the IP address of the CAS array on each server, to resolve locally?
Thanks in advance
Your article was perfect and to the point.. i was able to resolve the problem. You da man!!
Thank You Elan. I was wrestling with this and was at my wits end. Good Work! and greatly appreciated!
Hi, I have a different scenario: my external domain name is different from my internal domain. So whenever users open Outlook it prompts that the certificates mismatch, because I have a certificate for the external domain only.
Is there any workaround for this?
Set all your internalURLs, externalURLs, and AutodiscoverServiceInternalURI to point to an FQDN that uses the external namespace. All URLs will point back to the Exchange Server.
Not sure if this is monitored. I had this exact issue on Exchange 2010. I followed all of the directions here and I was still having an issue, however a very specific one. A user logged onto a non-domain Windows profile, on our internal LAN, would get the error. These are companies I have set up using the Autodiscover redirect method. If they are logged into a domain profile it works perfectly. If they are off our LAN, either domain or non-domain works perfectly.
Cut off the bottom of my post.
I had done two steps in my Exchange setup, Autodiscoverredirect for supporting our other companies, and OWA easy redirect. In IIS7 the default website had bindings set to unassigned. This seemed to be causing some kind of weird routing for the above scenario. If I change that and force it to be bound to the IP of the server, not the autodiscoverredirect, then the above SSL issue goes away. However I can no longer run EMC or EMS on the server, see http://support.microsoft.com/kb/2027062
If anyone has any ideas I would love to hear it. For now I will just run my management on my MBX boxes but I would certainly like to have it fixed..
Thanks,
Dave
Excellent post – after following your steps all works fine – except for our Public folders
Would these changes affect the replication / access of public folders?
None of this would affect replication / access of public folders.
Some progress. I managed to resolve this error. Found out it was the firewall, which was mapping to CAS2 (instead of CAS1); that policy was higher in the order so it was being executed before the other policy to map to CAS1.
Running the test again on testexchangeconnectivity.com gives a second error now:
Validating certificate trust for Windows Mobile devices.
Certificate trust validation failed.
The certificate chain didn't end in a trusted root
Never mind..solved
Need your help to configure Activesync for Exchange 2007. This is my first time to set it up so I am not sure if I am doing it correctly.
We have 2 CAS servers; call them CAS1 and CAS2. I have purchased an SSL certificate and imported it to the CAS1 server using the Exchange Shell command Import-ExchangeCertificate … successfully imported and enabled the certificate on the server.
External Domain FQDN is mail.mydomain.com
When I connect using mobile device, synchronization does not work. I ran test at testexchangeconnectivity.com and gives me error on certificate:
Host name mail.mydomain.com doesn't match any name found on the server certificate CN=CAS2
What can I do to resolve this?
Thanks
Don't forget to enable the new certificate for Exchange Services. I explain how to do that in the article using Enable-exchangecertificate.
Thank you for the GREAT information!
This fixed my certificate problem. But I managed to create another problem in the process.
My users typically access OWA simply by typing in exchange.mydomain.com, which defaults to an HTTP request. Now they get a 403 access denied error. But if they put in https://exchange.mydomain.com OWA works just fine.
I didn't change anything besides what was outlined above. Any ideas why all of a sudden my http redirect to https isn't working?
Thanks,
Tom
Operating System and Exchange version would be helpful.
Just awesome! Bravo sir! Saved me from having to buy a more expensive certificate!
Great !!!!
After the recommended steps I also had to do the steps below for it to work.
Open IIS Manager.
Expand the local computer, and then expand Application Pools.
Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Thanks for the article. It helped me solve our Outlook certificate error. Very much appreciated.
I am stuck on the Cert issue regarding inside (LAN) usage and external (Internet) usage. Right now, I have installed a self signed cert and a CA cert.
My public FQDN is owa.xxx.org
My internal FQDN is exchange.yyy.com
Don't yell! It was this way when I took over :)
If I assign the CA cert to IIS the connections from outside are fine, but the inside connections get a cert error. If I assign the self signed cert to IIS, the connections on the inside are ok, but the connections on the outside get a cert error.
Is there any way to have IIS use the CA cert for outside connections and the self signed cert for inside connections?
(Had to split my comment)
Also, if I understand correctly, you can use one cert if the first part of the domain name is the same? So a CA cert of 123.abc.org will work on the inside too as long as the server name is 123.???.???. I think I read that Outlook 2007 only looks at the first part of the FQDN?
So now I am curious, if I change the name the exchange server gives to the outside clients to match what the inside clients use, ie; if I change my server to give exchange.xxx.org instead of owa.xxx.org, then the same exchange.xxx.org cert will make the internal outlook 2007 clients happy?
Thanks for your feedback.
Really, thank you …
You're great
Much better detail in your descriptions than the Microsoft knowledge base had. Thanks for the excellent article, made much more sense!
Very handy. Excellent article.
Hi, Can you help me translate
"CASServer\EWS (Default Web Site)"
to match my environment? I have a SBS 2008 server and it's name is sbs2008.
thanks,
atn
I am not familiar with SBS. I would ask on the Technet SBS forums.
I have the same issue with SBS 2008. I have a cert with IPSCA and it is installed so my phones are syncing properly and I can access OWA without fail. I still get the certificate message with Outlook 2007. It comes up with autodiscover.domainname.co.za The name is invalid or does not match the name of the site. My AutoDiscoverServiceInternalUri : https://exchange.domainname.co.za/Autodiscover/Au… ( which is what my cert is published with)
My server name is willow.domainnamesbs.local
Any advice please?
Many thanks. Even though I had the correct settings in the internal/external URLs, following this article and resetting through the console worked a treat. (The ActiveSync virtual directory was the culprit.)
I found that for SBS 2008, in the script commands, as well as replacing CASServer with our server name, I replaced (Default Web Site) with (SBS Web Applications).
eg: "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" with "OurServerName\Microsoft-Server-ActiveSync (SBS Web Applications)"
You saved my a$$ :) Thanks a lot
Thanks for the article, helped me out!
Excellent article….Thanks you so much !
For those still having issues and using Exchange over HTTP setup for outside clients, look into using a SRV record in dns to redirect to your single SSL cert; for example, mail.shudnow.net. If you do this you will get a popup in 07 Outlook for the redirect but all you need to do is check "do not show again" and it will work perfectly.
Here is a link for setup of SRV record. http://www.thirdtier.net/2009/02/setting-up-an-ex…
After I applied the changes you suggested, I have a problem with the free/busy look-up via outlook 2007 client and I had to change the auto-discover URL back to https://FQDN//Autodiscover/Autodiscover.xml to make the free/busy work. Any ideas. We have 4 CAS servers in 2 sites, 2 in each site and we are using the round robin DNS alias pointing to these 4 servers. But looks like when a user is doing the free/busy lookup it is trying to fetch the free/busy info from another site instead of where the user's account is.
Any CAS in any site can handle the request. And what you wrote doesn't really make sense. I had you change the FQDN to https://FQDN/Autodiscover/Autodiscover.xml but you said you changed it back to https://FQDN/Autodiscover/Autodiscover.xml. Hm?
Awesome document thanks very much!
Thanks for the nice article.I get very good information for Outlook 2007 Certificate Error.
Basically, the certificate is for domain.net, and the internal network name is obviously not that. I do have that domain added in DNS, and it resolves internally and externally (which works great for EVERYTHING besides Outlook 2007).
Phew, 8 hours of Hell over… I was doing this with the Microsoft stupid contoso FQDN pointing to the internal netbios.domain.local. I didn't realize I had to point to the external cert until you spelled it out. Thanks
Just a follow up on my previous post.
Being a newbie to Exchange and PowerShell it didn't occur to me right away, but a lightbulb came on and I decided to use the Get-WebServicesVirtualDirectory cmdlet to find out what my server was calling it. Turns out rather than having "casserver\ews (default web site)" it is "casserver\ews (sbs web applications)".
This is common for all the cmdlets stated in this article. Seems to have resolved my certificate issue, so now I'm just waiting with my fingers crossed to see if it broke something else. Thanks for the article Elan, it works really well so far.
I also failed to notice that there were 3 pages of comments, so forgive me if someone had posted the answer to this on page 2 or later; I didn't read it, and for that, I apologize.
Regards,
Beefeater
Just realized you posted a follow up. Basically what I suggested is what you already did so nevermind!
Hi Elan,
Your article is great and seems to be the solution to my problem, but when I try to type your cmdlets (Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" <rest of cmdlet entry here>) I get an error saying "CASServer\EWS (Default Web Site)" could not be found on domain controller: <DC FQDN>
I'm using SBS 2008 which has exchange 2007 and while most of the info I have found regarding exchange has been relevant, I have found that stuff related to websites is different. I'm just wondering if you have some different instructions for those who are using SBS 2008. I know this article is quite old but it seems to be the solution and I would like to know how to get it to work on my system.
Thanks
You know, I usually don't even follow what I have on my blogs. I always show how to set it against a single server. But in a single site scenario, I always just set InternalURLs to something like webmail.domain.com and point the DNS to the load balancer or to that specific server. Because of this, I just do Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL InternalUrLHere BasicAuthstuffHereIfYouWant. Even though you only have 1 CAS, this will work and is easier to do.
+1 to People Helped, thanks.
wow!! this actually worked!! it is depressing that microsoft cannot create a simple article like this. this worked like a charm!! i hope people would actually find this article. thank you so much for putting this together!!!
They actually do have a KB on this. But I created this article before that KB existed. :)
Hi Elan,
Does this also apply to a Exchange environment that has multiple Exchange CAS(Geographically) Servers on the same domain (WAN)?
I have noticed that all my CAS servers have their own Autodiscover URI. Would I need to configure each CAS server individually? I only use one primary CAS server for external OWA access. This CAS then routes District users to the District CAS/Mailbox server that hosts their mail.
We do not use secure email (HTTPS) due to limitations on our WAN (Government Dept sitting on a centrally supplied and managed WAN for ALL Depts).
I hope I am not too confusing.
Regards,
Christo
YOU ARE A LIFE SAVER!!!!! THANK YOU SO MUCH!!!!
Claudio
On SBS 2008 the commands need to include (SBS Web Applications), not (Default Web Site). The default website doesn't include those sites anymore.
One thing you may want to add is that it may be necessary to reboot the system for the changes to take effect. I was going crazy trying to think of which service must still be directing to the internal server name and finally gave up for the night. The next day the error message had stopped appearing.
Hey, Thanks! This resolved a few things for me, but I'm still getting a Certificate Error in outlook with the title of "sites", before the Certificate Error had a different title.
Can you help me?
Don't know what I did.
Tried everything in this post. But still getting the error "The name on the security certificate is invalid or does not match the name of the site."
I'm on Exchange 2010 though, so leaving the command Set-UMVirtualDirectory out.
AD is on 2008 R2. Exchange is installed on one of the AD's. The GC of the 2.
Me too…. :-(
Just found the solution:
Make a fake zone with the autodiscover."yourdomainname" name and point it with a CNAME to your external name resolving to your internal mail server IP. It must be a CNAME and not an A record.
Go to your DNS management: Administrative Tools -> DNS.
1. In the Forward Lookup Zone (FLZ) for domain.com, right-click domain.com and select 'New Host (A)'; enter mail for the name and input the internal IP of your CAS.
2. Next, right-click the FLZ under your server and select 'New Zone'. Click 'Next' at the wizard introduction, leave the zone type as Primary and Active Directory integrated, click 'Next', leave the zone replication on the default (all domain DNS servers), click 'Next', enter autodiscover.domain.com for the name, click 'Next', for dynamic updates change the setting to 'Allow both unsecure and secure dynamic updates', click 'Next', then click 'Finish'.
3. Now right-click the new autodiscover.domain.com zone and select 'New Alias (CNAME)'. Leave the name field blank and just click on the Browse button. In the browse window, double-click (DC) the server name, DC the FLZ folder, DC domain.com and then select the mail entry. Click 'OK' to complete. You can now close DNS.
Only had to change the Thumbprint and the AutoDiscover internally…. thanks so much!!
This really helped!
I still use this as a list of all places to make changes to URLs in Exchange; it's useful when changing internal OR external values. Thanks for putting the effort in!
What about when it happens to the remote site and not at the corporate office? I would think the same certificate would be used in both places, but the remote site is having the problem and corporate claims it never sees the error message. I would think that it would show up for both sites if a problem exists.
It depends on your setup. I would check out the following article to understand how proxying and redirection works: http://technet.microsoft.com/en-us/library/bb3107…
Either way, you need to make sure that the sites trust each other's certificates and the AutodiscoverServiceInternalURL, InternalURLs, and ExternalURLs are all on the certificate. The same goes for autodiscover.domain.com if you want to support autodiscover for outside clients and internal non-domain joined clients.
Hello,
I have an Exchange 2010 server with this issue. I did multiple searches and found basically this info (Not as cleanly laid out though). I followed the instructions down to the last command
(Set-UMVirtualDirectory -Identity “CASServerUnifiedMessaging (Default Web Site)” -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service… -BasicAuthentication:$true)
At that point I get the following:
The term 'set-umvirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I went ahead and created a new SRV record pointing mail.companyname.org to the IP and now if I ping mail.companyname.org it resolves to the IP address of the CAS server.
Any assistance is appreciated.
Thank you,
Frank
Frank, you do not have to do this in Exchange 2010 as there is no more Unified Messaging virtual directory. In Exchange 2010, Exchange Web Services (EWS) is now used for Unified Messaging functionality. I will make a note in the article about this.
Hi Mr elan,
I am having an issue in my Exchange environment.
Status : 3 exchange servers
exchange-01 – role -> hub, client access, mailbox
exchange-02 – role -> client access
exchange-03 – role -> mailbox
I have just imported a new single-name certificate with the name "mail2.domain.com" at exchange-02 and faced the problem you posted on the blog and solved it with your solution.
But a new problem shows up where users who use Outlook 2007 are unable to download the offline address book. I tried to run Test AutoConfiguration and found that users using Outlook 2007 are connected to exchange-01/OAB but not exchange-02.
kindly need your help
I wish I found your blog last week :)
Big Thank you
Hi,
I'm using UC and having an issue with the 8004010f error in Outlook 2007. Send/Receive works well but it's annoying.
Any hints?
Thanks.
Try Best Practices Analyzer to see if it flags something that can possibly be fixed and thus possibly making your error code go away. Other than that, start Googling/Binging the error code and do things articles tell you till it's gone.
I’m using UC but still getting the 8004010f error in Outlook 2007. Send/receive works well but it’s annoying. Any hint?
Thanks.
I'm having this same issue, but I was never on an Exchange server.
Hi guys,
I have a very similar problem, but only with internal access of my Outlook clients.
Everything from the outside network (internet) is working fine: Outlook Anywhere, ActiveSync to mobile devices, Outlook Web Access … nothing has a problem.
But when my Outlook clients try to connect from the local area network to the CAS server, I get the warning with the certificate error.
I get the same certificate warning if I try to access Outlook Web Access.
I have set all URLs, directories etc. in the right way. External things are set to server.domain.com, internal things point to server.domain.local.
The SSL certificate is signed by the STARTSSL CA, which is a publicly trusted CA, and it is issued to the server.domain.com name.
So I can understand why Outlook clients have problems if they try to connect from the local area network, because the SSL certificate is issued to another name of the server? But why are they using SSL for the connection? I have them inside the company network, I don't need to use RPC over HTTPS for them. Maybe the problem is that my server has only one IP address and has all Exchange roles together on one machine …?
Thank you for any kind of tips
With regards, Radek
Because Outlook 2007+ uses web services not just for OWA or Outlook Anywhere. It uses it for OOF, Free/Busy, OAB, Autodiscover, etc… The entire article already explains this and why you need to set the InternalURLs properly. Basically, I have already answered your question in my article as to why the InternalURLs need to match the name of the certificate.
Thanks buddy! This was the easiest fix to the issue that I was able to find. Keep up the awesome work!
Super! Great instructions!!!!
Everything works now for domainA. If i add domainB, will autodiscover work for owa and outlook anywhere? Can i still use single cert?
Thanks for your help.
You're a life saver mate.
Hi,
I have an Exchange 2010 and am trying to get ActiveSync to work for push e-mails.
Testing using https://www.testexchangeconnectivity.com gives me an error with the certificate:
"Host name <domain name> does not match any name found on the server certificate CN=<computer name>"
How do I add the domain name to the certificate?
thanks
T.C., you can use the new certificate wizard to request a new certificate. Check out this video for more information:
http://www.msexchange.org/articles_tutorials/vide…
Worked Like a Charm!!!!
I understand the document and follow the steps, but every time I get to (Default Web Site)” I get an error. What am I doing wrong? I am going insane.
Can you provide the error you're getting?
I would like to thank you for the easy to follow fix for this certificate error!
I have a problem that has started since I did this fix. To give you some information, the certificate request was generated using IIS and was imported into IIS. We currently only use OWA externally. We were able to access https://mail.mydomain.com/OWA from the inside or outside of our network with no issues and with no certificate errors at this point, but we were getting the certificate error in Outlook 2007. I followed your guide and have verified the settings, but now when I go to https://mail.mydomain.com/OWA from inside or outside I get a certificate error and I am redirected to https://server.mydomain.com/owa/auth/logon.aspx?r… and since there isn't an external DNS entry for server.mydomain.com I can't get to my OWA. I am unable to figure out what would have changed this from the commands above but I am not getting anywhere. My certificate is for mail.mydomain.com.
Thanks for all your help!
You'll probably want to use the Set-OWAVirtualDirectory command and use the InternalURL and/or ExternalURL to ensure that it has a name that is on your certificate. For example, Set-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -InternalURL https://mail.mydomain.com/owa -ExternalURL https://mail.mydomain.com/owa.
Thanks. It's a bit of a pain. Whichever way you do it you get certificate errors until you lots of stuff Microsoft don't tell you in training.
You saved me many, many headaches with this article. Thanks a ton!
Elan,
Great article. Thanks.
My one big question, though, is how will these changes affect Outlook 2007 clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.
Thanks,
Gabe
It really shouldn't matter. As long as DNS/NetBIOS can hit the server and the certificate that is on the Exchange Server has that name, it should be transparent to the user.
This really sorted me out. Thanks a lot.
Thanks very much, I was spending a lot of time on the internet to find the answer…
I am not an Exchange admin, so this guide helped a lot.
Thanks
Hi,
Excellent article, you could only add as a last step to recycle the MSExchangeAutodiscoverAppPool pool on IIS.
Thanks,
Eduardo
I too have followed this amazing post and it resolved all but one issue that is driving me insane.
I have 2 sites connected via Site-to-Site VPN tunnel. The Exchange 2007 server is at Site 1 and clients are at Site 1 and Site 2. All of the users in Site 1 are working fine however, all the users in Site 2 still get the certificate popup when they open Outlook 2007.
Background:
1 Domain “domain.local” internal Windows 2003 AD with Domain Controllers in each location with updated DNS entries to match my certificate “mail.domain.com” pointing to the INTERNAL IP of the Exchange 2007 server. Again, everything is fine from Site 1.
Site 2 is fully replicated with the DC’s and they are also GC’s (not that it would matter). They can perform NSLOOKUP and resolve mail.domain.com to the internal IP address just fine, so I am not sure why I am still getting this error message.
I have re-pasted CLI’s and restarted the POOL and the server so many times that the power button is wearing out (just kidding).
Please if you can offer any more assistance on this it would save my hide!!
Rob
I have to say!!! WOW!! I spent 2 months on this, everyone said different things, I found your article and had it working before lunch!!!
Thank you SO MUCH m8, you saved my bacon!!
Elan, you are amazing…your instructions worked flawlessly…THANKS!!!
Hi Elan Shudnow
We have the same problem. Outlook 2007 complains about the certificate error just internally.
From External access we don’t have this problem. We use an external certificate (Unicert) to webmail.ourcompany.com.
I’m thinking to follow your procedure step-by-step but the CAS and HUB roles are in two servers in NLB.
The question is: Do you see any problem in an environment like this? Or better, is another additional procedure necessary for CAS/HUB in NLB?
Thank you
Martins
Your article, combined with post 65 solved the problem on my SBS2008. Works perfectly now.
Thanks a lot!
Ok,
Today I realized that the problem was only with my mailbox. It didn’t happen with the other already moved mailboxes.
Finally I figured out that it was only a problem of a password stored in the “Vista Network passwords” feature. In short, I had mail.mycompany.com stored there with who knows what, so I deleted that entry and Outlook stopped bothering me by asking for the password.
Thank you for the help Elan, the important thing here is that the explanation in your article totally solved my certificate issue, and this other thing had nothing to do with your instructions.
Thanks again
Well one of the things I have in there is disabling IPv6. In short, when IPv6 is enabled, the RPC/Proxy service doesn’t listen on port 6004 for IPv6 so Outlook Anywhere fails. So you need to completely disable ipv6 (not just uncheck it from the NIC.)
Also, configuring OA by Autodiscover doesn’t configure it to always connect Via OA. Only when you don’t have RPC connectivity directly to your mailbox server unless you’ve configured it otherwise.
Yes I’m running it on a 2008 Server, and I read you other post, but I couldn’t find anything relevant since I did have Rollup 8 for Exchange 2007 SP1 installed.
What I noticed, though, is that Outlook Anywhere is autoconfigured as part of the Autodiscover function, so Outlook is behaving as if it is outside of the network; that’s why it is asking for credentials at startup.
Update: I didn’t tell you that I was upgrading from Ex 2003 to 2007. Knowing that, I am at the point of replicating the public folders, and I already moved my mailbox to the 2007 server. I have a certificate for mail.mycompany.com (GoDaddy) working well on the 2003 Exchange, so when I installed the same certificate on the new server is when I had the issue described in your article. As I said, following your instructions the certificate issue disappeared, but now Outlook asks me for credentials when it opens, and this happens ONLY if DNS (or I modify the hosts file on my computer for testing) points “mail.mycompany.com” to the new server. So I guess it has something to do with the public folders that are not moved yet. Am I right?
Ramiro, that shouldn’t be an issue. Are you running on Server 2008? If so, you may want to check out my following blog post here.
Great Article!
I had a difficult time however (I’m on SBS2008) setting the OAB and WebServices internal URLs, kept getting the “object not found” as outlined in *63. Tried the answer from *68 and it didn’t work.
Just fixed it today by leaving out the -Identity tag, which it would ask me for afterwards; doing it that way worked for me.
OAB and EWS was under the (Default Web Site) for me [in reference to post 68 above]
Thanks Elan!
ChrisPogi, you’re welcome. And thanks for posting the thank you as well as your issue and what you did to work around it.
Elan,
I followed all your instructions and finally I have my cert running well. The error in Outlook disappeared, but I have another issue now. Each time I open Outlook it asks for credentials, even when connected to the network at the office.
Any thoughts?
Welcome. Ya, it can be confusing for those who don’t work with Exchange much or who are new to Exchange 2007 and don’t understand Autodiscover or the services that utilize InternalURL and ExternalURL. Exchange 2010 makes it a little easier by allowing you to specify if a new CAS server is an Internet Facing CAS and automatically set your ExternalURLs. But it doesn’t let you automatically specify InternalURLs if using a regular SSL certificate. So the issue will still exist in Exchange 2010.
Thanks a zillion…this eliminated the problem…why is this not straight forward when installing the original certificate?
That’s what split DNS is. So yes.
OK, but if my internal and external DNS are all “domain.com” will this approach still work?
So just to be clear, there is no way to make the certificate error go away unless you have a certificate with multiple names?
I have my SSL certificate that says “mail.domain.com” and I have an alias for “autodiscover.domain.com” pointing to “mail.domain.com”. Everything works perfectly but on startup of Outlook there is a security warning indicating the certificate name does not match for “autodiscover.domain.com”.
I just want to confirm that I need to resolve this with a multi-named certificate. Mine is from a trusted root provider so I would have to replace it with a more expensive certificate if this is true.
Thanks,
James
PS – Nice article and reply string. It is very useful.
This whole article explains how to make the error go away without a UC certificate. :P You just need to have split DNS and set your InternalURLs and ExternalURLs to be the same as well as the AutodiscoverServiceInternalURI. If you had a SAN cert, you could put the Server FQDN on the certificate and then leave all the InternalURLs and AutodiscoverServiceInternalURI and then just set your ExternalURLs.
got it working.
joe, if using an internal CA, you need to make sure your server contains the root certificate of your CA.
Nice!! Thank you!!
Worked great!!!! Thank you, thank you!
Ok, by following this guide http://www.exchangeinbox.com/article.aspx?i=126 and replacing the cert installed by the Exchange install, and using a new cert generated by a Windows Server 2008 CA, the issue is resolved. However, I have a new error: by using my own private CA cert that I generated, I now get a red X for the first item, “the security certificate is from a trusted certificate authority”, which I expect since this is not from a public CA. So, when I get that error all I should have to do is view the cert and install it manually into my PC; however, it doesn’t seem to work, it continues to complain about the cert even though I manually installed it, which once again I expect since this is not from a public CA but my own private one. Any ideas or suggestions?
I’ve read numerous articles, found this one.. but I still can’t get it to work.. I’m at my wits' end. The first issue is when OL 2007 gives me this error and I click on VIEW CERTIFICATE I don’t get the name of the cert. How do I get this info? When I do a Get-ExchangeCertificate cmdlet I get the following
Thumbprint services subject
lots of numbers IP.WS CN=BMW
lots of numbers …… CN=WMSvc-BMW
so the name of my cert is BMW? BMW is the name of my Exchange 2007 server. So what should my internal and external URL be? I tried various mail.bmw.domainname, I tried bmw.domainname using the cmdlets above to no avail. Microsoft made this Autodiscover so darn complicated geez..
Also, unlike on my Exchange 2003 server, it looks like I can’t use a self-created cert anymore for OWA, ActiveSync, Outlook Anywhere? No way around this? I know the drawbacks, but can I use a self-created cert?
@ 63 .. In SBS (2008) you should use SBS1\EWS (SBS Web Applications) instead of ( default web site ) because the oab and ews are not under the default website!
I have a problem after doing all this: Outlook 2007 keeps asking for a password.
Does anyone know how to solve that?
regards
Perry
Should work but I’m not familiar with any differences in SBS that would prevent this.
We have SBS2008. When applying your fixes above, these commands fail because the “object could not be found on the domain controller”
Set-WebServicesVirtualDirectory -Identity “SBS1\EWS (Default Web Site)” -InternalURL https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity “SBS1\OAB (Default Web Site)” -InternalURL https://mail.ourdomain.com/OAB
Am i missing something in the syntax?
Thanks Dorian.
Hi Elan,
Thanks man!!
This guide was very helpful and fixed the problem.
saved me a lot of time.
GreetZ Dorian
When is Microsoft going to get their documentation right? I understand the need to provide full documentation, but a simple outline like this is all we typically need. Thanks.
This seems to have cleared up the same annoying problem in Entourage! Everything I could find on it would mostly send a person in the direction of SAN certificates, etc..
You're the man.
Everything was fine until I ran the latest Office 2007 updates on my users. Then I started to get the cert error. I changed the NetBIOS name to the cert name, no more security alerts. THANKS
I’m not the person you want to be asking SBS questions to. I’ve never worked with SBS.
Hi Elan,
I too have been helped by this so thank you for that.
I have a question though: what procedure should be followed to avoid having to perform this fix from the shell anyway? I’ve dealt with two examples in SBS 2008 now, both had a default self-signed certificate installed when the OS was installed: remote.domain.com. This was assigned to pretty much everything, internal and external etc. Both clients purchased their own mail.domain.com certificates; is there a way I should have applied them that would have automatically updated all the internal and external addresses, rather than having to manually go in via the shell and change them all?
Thanks,
Dane
Vicks, I wrote a pretty comprehensive article on the Autodiscover and what names you need on certs, dns, using ISA in the mix, etc… I’d give it a read:
https://www.shudnow.io/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/
Hi Elan,
We provide exchange hosting service to our clients. Recently we migrated one client to our Exchange Hosted Environment from POP3 services like many of our clients.
The client is using Outlook 2007 and whenever Outlook is started it comes up with the certificate error. But the error doesn’t come up in Outlook 2003.
Even when we try to use this URL the same certificate error comes up (the same error as in Outlook 2007):
https://autodiscover.xyz.co.uk/
However, our clients using different domains have no issue irrespective of the Outlook version.
So it seems to be something to do with IIS? We are not sure. Microsoft support is also no good!
Please advise.
Many thanks,
Vikas
Thanks a bunch for the article!
Note to all: don’t forget to restart Exchange services or reboot for this to take effect, like this dummy did!
Cheers mate, this worked a treat. It also resolved the issue I had with Outlook and "operation failed" :-)
thank you
Cheers, that worked brilliantly. It also solved the issue I had with Outlook giving an "operation failed" error when doing a send/receive :-)
Thanks again
Thank you! Your article helped and saved me lots of time. Much appreciated.
Hey, thanks for the fix. Worked for me as well!
It should be autodiscover.mydomain.com – no “y”.
Hi :)
Thank you for that article – it helped me A LOT! :) The error you mentioned at the top disappeared but another one showed up – it’s almost the same with a small difference: instead of my Exchange Server name (mail2 in your case) I have autodiscovery.mydomain.com – Can you tell me where I should look for that entry?
regards
pragma
What errors? You can try the Set-OWAVirtualDirectory command to set the -InternalURL and -ExternalURL.
Elan,
I was able to make the security warning go away but now I can’t hit OWA external or internal, any thoughts? Thank you very much!!
YOU ARE THE MAN
Really useful post! I had spent a lot of time trying to solve this problem, then I find this entry and solve the problem in just a couple of minutes. *bows*
I must have been asleep, I retried everything this morning, and it worked. thanks.
You need to use the Exchange Management Shell. I assume you’re opening PowerShell itself which doesn’t execute the Exchange Snap-Ins.
I’ll preface this with the fact that I am a newbie with PowerShell, but I have been beating my head against the wall with this one: none of the commands you have listed are recognized. Even Get-ExchangeCertificate came back saying unrecognized command or script. Hopefully I am just doing something simple wrong. Any thoughts?
Here’s the Autodiscover whitepaper:
http://technet.microsoft.com/en-us/library/bb332063.aspx
There’s a couple things you can do. You can use an SRV record for Autodiscover, or you can get a UC/SAN certificate from a provider such as Entrust/Digicert/Etc. that contains a Subject Alternative Name of autodiscover.domain.com. As far as I remember, the SRV record option will prompt your users for acceptance while the SAN name method will not and is the recommended method. I would read the whitepaper for more information.
Thanks for this post. I followed the instructions and the error went away…..for all the users inside the LAN.
Now I am being told that Outlook Anywhere users outside are getting an error because they are looking for autodiscover.mydomain.com
I thought I had the problem solved
Make sure you configured the EWS for the correct InternalURL and ExternalURL:
Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://owa.domainname.dk/EWS/Exchange.asmx -ExternalURL https://owa.domainname.dk/EWS/Exchange.asmx -BasicAuthentication:$true
Thanks, your comment help me to solve the problem i had!!
Hi Elan
Internally the record owa.domainname.dk points to my CAS internal – I can see that it resolves just fine. But still when I change the Autodiscover to this DNS name, which matches internal and external, the “out of office” gets broken again.
The name on the Exchange web service matches the certificate called owa.domainname.dk – and externally it works as well with the same name.
Best regards
Jesper
That means DNS doesn’t point to your CAS or the FQDN you specify doesn’t match a name on your certificate, or maybe you require SSL on the autodiscover but you didn’t specify https://.
Hi
Great post! BUT after changing this my “Out of office” won't work anymore.
This was related to:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
When I change it back to “https://servername/Autodiscover/Autodiscover.xml” it works again.
I have created a record in the internal DNS so this “external name” works internally as well, but I still get the same error.
See article:
http://www.proexchange.be/modules.php?name=News&file=article&sid=686
How to fix this :-) ?
Best regards
Jesper
Brent, one is your self-signed certificate and one is the mail.somecompany.com certificate. You really don’t have to delete your self-signed certificate because Exchange will always use a certificate signed by a trusted CA before it uses a self-signed certificate. If you are talking about an Edge Server, I would leave the self-signed certificate on there as the Edge Server will copy the self-signed certificate to Active Directory which the Hub Transport Server will use as a trusted mechanism without needing to import the self-signed certificate into the Trusted Root Certificate store on the Hub Transport Server.
Here is a guide on how to renew the self-signed certificate:
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
For the regular certificate, you can just request a certificate the same way you originally did. If you have exported this certificate and imported it onto other servers such as ISA, make sure you update ISA with the new certificate (importing, attaching to ISA web listener, etc..)
Hi, someone just brought to my attention our certificate IS expiring in 536 hours, it is only valid until July 22nd, so this is perfectly normal I guess. One question would be then do I have to do anything with the new certificate.
Hi Elan,
This worked great! Thank you very much. One concern I am having is the following error. This seems to come up every 20 or so minutes.
An internal transport certificate will expire soon. Thumbprint:9B32B314CB5ABC963F9F0F6A03F22FCD7E832896, hours remaining: 536
The only difference from your post is when I run Get-ExchangeCertificate, I see two thumbprints… One for the NETBIOS name and then one for the certificate name. I used the thumbprint for the certificate name.
Thumbprint Services Subject
———- ——– ——-
752714FF7F34CBCCC49A3A72 ….S CN=SM5500SRV
9B32B314CB522FCD7E832896 IP.WS CN=mail.somecompany.com,…
Sir, you are to be commended for your contributions. Thank you very much!
-Kingofbytes
Thanks Alot,
I’ve been trying to fix this issue for months now.
I have an article that details publishing the autodiscover service in ISA:
https://www.shudnow.io/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/
One of the things is that ISA 2006 will only read the CN or the 1st SAN name, so you have to trick ISA to make autodiscover publishing to work. I explain how to do that.
Hi,
I can’t make autodiscover work from outside, maybe you could take a look at http://forums.msexchange.org/Another_Autodiscover_problem/m_1800470564/tm.htm if you have a solution :)
Thanks! I went into EMC and changed the setting that way. The PS script kept giving me problems.
It’s not saying it cannot find your DC, it’s saying it cannot find CASServer, which is your client access server, but might also be a DC if you configured it that way (not recommended). Make sure you replace the word CASServer with the server that has the RPC over HTTP Proxy component installed on it which should be a Client Access Server.
So if your Client Access Server’s name is CHIEXCCAS01 and your certificate has a name of mail.shudnow.net, you would do:
set-outlookanywhere -identity CHIEXCCAS01 -externalhostname “mail.shudnow.net” -externalauthenticationmethod “basic” -ssloffloading:$false
Make sure you replace externalauthenticationmethod with clientauthenticationmethod if you’re using SP1.
If that doesn’t work, as I said, go into the Exchange Management Console and just manually set it.
Thanks for the reply. I inputed this command into PS:
set-outlookanywhere -identity CAServer -externalhostname “mail.domain.com” -externalauthenticationmethod “basic” -ssloffloading:$false
This is the response from PS: set-outlookanywhere : the operation could not be performed because object ‘CAServer’ could not be found on the domain controller ‘server.local’
What am I missing here? All my mail flow is working correctly so I don’t know why PS reported it cannot locate my DC. Also, when I attempted to input the command into PS using the -server parameter instead of the -identity parameter, this is what returned: set-outlookanywhere :
a parameter cannot be found that matches parameter name ‘server’
I think I have been messing with this so long I am missing something obvious. Any insight would be appreciated.
You can try going into the Exchange Management Console and specifying the proper URL there.
Or you can try doing Set instead of Enable.
RTM:
Set-OutlookAnywhere -Server CASServer -ExternalHostname “mail.shudnow.net” -ExternalAuthenticationMethod “Basic” -SSLOffloading:$False
SP1:
Set-OutlookAnywhere -Server CASServer -ExternalHostname “mail.shudnow.net” -ClientAuthenticationMethod “Basic” -SSLOffloading:$False
Thanks for the great article. However, I am having a problem with one of the powershell scripts. When I execute the enable-outlookanywhere command, this is the error I receive:
enable-outlookanywhere : the virtual directory ‘rpc’ already exists under ‘CAServer.domain.local/default web site’. Parameter name: virtualdirectoryname
Any thoughts on what this means and how to properly execute the script in powershell?
Set the URL appropriately for the ActiveSync service and make sure the FQDN of the URL is contained in the certificate. You really need to get your DNS set up and get all the FQDNs you need in your certificate. None of your services will work properly until you do so.
If you need more assistance, I’ll check back later today. I need to get back to work. Hope you get this sorted.
Well for testing purpose I have had the autodiscover.domain.com in my HOST file.
Now I have a certificate warning. OK, my certificate currently doesn’t have this FQDN. So I have to change my certificate for a new one that contains this FQDN? So bad, I just sent the other certificate to the ActiveSync users…
Anyway, after that warning there’s still the sync error. Now I really don’t know what to do.
You’re welcome. Glad I could be of help.
Okay so the problem should come from that, as this host does not exist for my public DNS.
I'll keep you informed, but it seems to be on a good way :)
Thanks a lot !
Yes, you will need to have an internet resolvable forward lookup zone for every smtpdomain. You will then have to have the autodiscover host (A) record in every forward lookup zone. You will then have to make sure your certificate contains an autodiscover.domain.com FQDN for every smtp domain you have.
Sorry, I hit Tab/Enter unfortunately :p
So as this DNS name is not resolved, maybe that's why my roaming users can’t find the OAB?
Anyway, the OAB (Default Web Site) didn’t have an ExternalUrl set, so I’ve just set one. Regenerating the OAB seems not to resolve the problem.
It just sounds pretty clear to me.
My InternalUrl for Autodiscover is correctly set. However, I have a question about autodiscover.acceptedsmtp.com. Does this URL need to be resolved by my external users? It’s not the case at the moment.
Vividdm –
Thank you for the comments. I will update my article later today to include the new syntax for SP1.
petoulachi –
Roaming users will not use the InternalURL. They will use the ExternalURL. The way this works, is that when a domain-joined client is on the corporate network, and they have connectivity with Active Directory, the client will be able to contact a Service Connection Point stored in Active Directory which contains all the InternalURL’s for the services on the internal network.
When a client is not domain-joined or is outside of the corporate network and does not have direct connectivity to Active Directory, the Outlook client will contact the Autodiscover Service via autodiscover.smtpdomain.com. Note that I say smtpdomain.com. This does not necessarily mean your Active Directory domain. This is mostly your Accepted Domains. You would only really need autodiscover.acceptedsmtpdomain.com for the primary smtp addresses in your e-mail address policy.
So when a client contacts the Autodiscover Service, the Autodiscover Service will reply with -ExternalURL since the client is either not domain joined or outside of the corporate network. It essentially just means, “No Connectivity to AD? No -InternalURL for you!”
So because of this, -InternalURL could be https://CASServer/Service and work just fine since you know this client is Internal and should be able to contact the CASServer via NetBIOS. But when a client is not domain joined or outside of the corporate network, you want to make sure that you specify the -ExternalURL as a FQDN, mail.domain.com/service. You wouldn’t want it to be a NetBIOS name since you’ll be doing this connection through the Internet.
You also want to make sure you configure the AutodiscoverInternalURI correctly. This can be FQDN or NetBIOS name. Get-ClientAccessServer to see what it’s set at. Make sure it’s set to something compatible in your certificate.
After you set all this up, do an update on the OAB and do an update-filedistributionservice which takes the OAB from the OAB generation server and pushes it to the CAS for Outlook 2007 Web Distribution.
Hi Elan Shudnow,
I think that in fact I have a problem with my InternalUrl. Actually, they are the default value (CASServer.domain.local). As I have a certificate with multiple host names, my local users don't have any problem.
But my roaming users, using Outlook Anywhere, have a sync issue:
not downloading offline address book files. A server (URL) could not be located
0x8004010f
Searching on the net I have found that it's often related to the Autodiscover InternalUrl. I was thinking that it was more related to the OAB InternalUrl.
As I'm not really sure, maybe you could confirm what I should do?
Thanks in advance !
All Hail Elan, All Hail Elan :)
I wish I had come across this months ago... thank you sooo much!!!
The only difference I had was with SP1:
-ExternalAuthenticationMethod becomes -ClientAuthenticationMethod
Can I be like the fifth person to say ‘you are awesome!!’ :)
dm.
petoulachi, I stated that this solution is for single-name certificates and is specifically for people who are not using UC/SAN certificates. Even if you do have a UC/SAN certificate, you still need to ensure that the Internal and External URLs are specified correctly.
I posted a more informative reply in regards to your comment at your post on msexchange.org forums. Check it out at the following URL:
http://forums.msexchange.org/m_1800468544/mpage_1/key_/tm.htm#1800468544
Hi,
I had the same problem but solved it in a different way. Instead of modifying the Exchange InternalUrl, I requested a certificate with multiple host names, as Microsoft shows here: http://technet.microsoft.com/en-us/library/aa995942.aspx
I don't know which solution is the best, but I think this is a little simpler.
Hope this helps
Sorry
I found your reply at:
http://forums.msexchange.org/m_1800468295/mpage_1/key_/tm.htm#1800468447
You are awesome
I had the same problem as Farist, and I found your reply at the msexchange.org forum, but I can not find your post. Pls send me the link or post your reply again,
Thank u very much
I replied to your question on msexchange.org forums. Go there and read my reply.
HI
I have this problem, and all the certificate CNs are correct and match the FQDN.
What can I do?
THanks alootttt
You are awesome. Thanx for the fix.
Thanks for the positive comments! I’m glad the article was of help to you.
Great post, and I think I understand more now about certificates. I have been battling for days a scenario where I have a Thawte certificate that is purchased for webmail access. I ordered one where I only added webmail.data.com as the server name, while the server internally is EXCBACK and EXCBACK.domain.local. So I created a self-signed certificate that I wanted to use for Outlook users, but for some reason it's only the Thawte certificate they "pull" when connecting. I did run Enable-ExchangeCertificate -Services IMAP, POP, SMTP on the self-signed one and Enable-ExchangeCertificate -Services IIS on the Thawte one. But still, Outlook connects and throws a warning saying the Thawte certificate does not have the EXCBACK name listed in it. Only webmail.data.com. What is it I am missing here?
You need to update your InternalURLs and possibly ExternalURLs as well as AutodiscoverServiceInternalURI so they don't have the EXCBACK. That way they connect to Exchange using the webmail.data.com name which the certificate will have.
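A way to check the advice in these two replies (the InternalURL/ExternalURL explanation earlier in the thread and the EXCBACK answer just above), added here as an example and not code from the original post or its comments: it lists the URLs an Outlook client can be handed via the SCP or Autodiscover and flags any whose host name is not on the IIS-bound certificate. The server name CASServer is a placeholder, and Test-HostCovered is a helper written for this example.

```powershell
# Added example, not from the original post: audit the client access URLs of
# one Exchange 2007/2010 CAS against the names on the certificate bound to IIS.
# $Cas is a placeholder; Test-HostCovered is a helper written for this example.
$Cas = "CASServer"

# Names the IIS-bound certificate covers (CN plus any SAN entries).
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object -First 1
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToLower() })
Write-Host "IIS certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"

# Every URL a client can receive from the SCP (internal) or Autodiscover (external).
$urls = @()
$urls += @{ Source = "AutoDiscoverServiceInternalUri"
            Url    = (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri }
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Cas) {
    $urls += @{ Source = "EWS InternalUrl"; Url = $vd.InternalUrl }
    $urls += @{ Source = "EWS ExternalUrl"; Url = $vd.ExternalUrl }
}
foreach ($vd in Get-OabVirtualDirectory -Server $Cas) {
    $urls += @{ Source = "OAB InternalUrl"; Url = $vd.InternalUrl }
    $urls += @{ Source = "OAB ExternalUrl"; Url = $vd.ExternalUrl }
}

# True when the host is listed exactly or matched by a wildcard (*.example.com)
# entry with the same number of labels.
function Test-HostCovered([string]$hostName, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith("*.") -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

foreach ($u in $urls) {
    if (-not $u.Url) {
        Write-Host "$($u.Source): NOT SET (clients relying on it get no URL)"
        continue
    }
    $hostName = ([System.Uri]$u.Url).Host.ToLower()
    if (Test-HostCovered $hostName $certNames) {
        Write-Host "$($u.Source): $($u.Url) OK"
    } else {
        Write-Host "$($u.Source): $($u.Url) -> '$hostName' is not on the certificate; expect Outlook warnings"
    }
}
```

Once every flagged URL has been changed to a host name the certificate covers, run Update-OfflineAddressBook and Update-FileDistributionService as described in the reply above so the CAS serves the regenerated OAB.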
U saved my job…tnx a lot
Red.
P.S. There is a lot of confusing documentation over the net regarding Exchange 2007 certificates (and ISA Publishing...).
Your document is really clear and useful.