Elan Shudnow's Blog


Outlook 2007 Certificate Error?

August 10, 2007 by Elan Shudnow 231 Comments

When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”

So the million dollar question? Why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. This purpose is to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communication Certificate. You can read more about these certificates in one of my other articles here.

So let’s say we have a simple regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS. We just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Now I went to the Exchange Management Shell and enabled Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate

Thumbprint                                 Services  Subject
----------                                 --------  -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9  SIP.W     CN=mail.shudnow.net.com

What I did was go ahead and enable the new certificate for every available service by using the following command:

Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step would be to ensure the AutoDiscoverServiceInternalUri is pointed to the CAS that will be your primary CAS for Autodiscover servicing.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names “casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net.” Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match what is specified in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalUri by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

We now need to go configure all the InternalURLs for each web distributed service.  If you are going to be utilizing the Autodiscover service from the outside or for non-domain joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.

Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.

You can run the following commands to fix your internalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB

Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010.  Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services Virtual Directory.
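
The check this article performs by hand, as an added example that is not part of the original post: the script below lists every service URL whose host name is not covered by the certificate enabled for IIS, and it also handles wildcard certificates. The function names are hypothetical, the sample values in the else branch are constructed from the article's host names, and it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original post. Requires PowerShell 2.0 or later.
# Function names are illustrative; the sample data in the else branch is constructed.

# True when $HostName is covered by one of the certificate's names
# (the CN plus any subject alternative names).
function Test-NameCoveredByCertificate {
    param([string]$HostName, [string[]]$CertificateNames)

    foreach ($name in $CertificateNames) {
        # -eq on strings is case-insensitive, as host names are.
        if ($name -eq $HostName) { return $true }

        # A wildcard such as *.shudnow.net covers exactly one left-most label:
        # mail.shudnow.net matches; shudnow.net and a.b.shudnow.net do not.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Emits one object per configured URL whose host the certificate does not cover.
function Get-CertificateNameMismatch {
    param([hashtable]$ServiceUrls, [string[]]$CertificateNames)

    foreach ($setting in ($ServiceUrls.Keys | Sort-Object)) {
        $url = $ServiceUrls[$setting]
        if (-not $url) { continue }              # URL not set (e.g. no ExternalUrl)
        $hostName = ([System.Uri]$url).Host
        if (-not (Test-NameCoveredByCertificate $hostName $CertificateNames)) {
            New-Object PSObject -Property @{
                Setting = $setting; HostName = $hostName; Url = "$url"
            }
        }
    }
}

if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    # Exchange Management Shell: read the live configuration.
    # Assumption: the certificate of interest is the one enabled for IIS.
    $cert = Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS' } |
        Select-Object -First 1
    $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

    $urls = @{}
    Get-ClientAccessServer | ForEach-Object {
        $urls["$($_.Name) AutoDiscoverServiceInternalUri"] = $_.AutoDiscoverServiceInternalUri
    }
    $vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OABVirtualDirectory) +
             @(Get-OWAVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
    foreach ($vdir in $vdirs) {
        $urls["$($vdir.Identity) InternalUrl"] = $vdir.InternalUrl
        $urls["$($vdir.Identity) ExternalUrl"] = $vdir.ExternalUrl
    }
}
else {
    # Constructed sample: a single-name certificate, with two URLs still
    # pointing at the server's NetBIOS name and two already corrected.
    $certNames = @('mail.shudnow.net')
    $urls = @{
        'AutoDiscoverServiceInternalUri' = 'https://casnetbiosname/Autodiscover/Autodiscover.xml'
        'EWS InternalUrl'                = 'https://casnetbiosname/EWS/Exchange.asmx'
        'OAB InternalUrl'                = 'https://mail.shudnow.net/OAB'
        'ActiveSync ExternalUrl'         = 'https://mail.shudnow.net/Microsoft-Server-Activesync'
    }
}

# Every row listed here is a URL that will trigger the Outlook name-mismatch prompt.
Get-CertificateNameMismatch -ServiceUrls $urls -CertificateNames $certNames |
    Select-Object Setting, HostName, Url |
    Format-Table -AutoSize
```

An empty result means every configured URL uses a name the certificate covers; clients may still need the Autodiscover application pool recycled before they pick up changed URLs.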

Filed Under: Exchange Tagged With: Exchange, Exchange 2010, Office


Comments

  1. Josh says

    August 15, 2014 at 12:39 pm

    I've run into this problem, post-2010 SP3 update. Strange thing about this is that it only affects 5 computers throughout the enterprise. I've tried adding the certificate to the individual computers' trusted certs directory to no avail. Thoughts?

  2. Dan says

    July 28, 2014 at 3:52 pm

    I just can't seem to make this work. I've repeated the above steps; but I'm clearly missing something…

    internal server name = server2k8.domain.local
    external URL = mail.domain.com
    UCC Cert is in place for domain.com with alternate names of mail and autodiscover.domain.com (Outlook Anywhere is working properly for mobile devices)
    I also have a Cisco 501 Pix Firewall that does not allow hair pinning. (not sure if this is my issue or not)

    Outlook 2010 and Outlook 2007 continue to get the security mismatch alert message.

  3. Tony Davis says

    May 9, 2014 at 1:12 pm

    YOU ARE MY HERO!!!!!!!

  4. Chase says

    March 10, 2014 at 11:06 pm

    Thank you for this fix! Saved me a lot of time!

  5. UMA GANESH says

    February 25, 2014 at 2:44 am

    Thank you so much…. Worked for me as well….

  6. sregimand says

    April 17, 2013 at 8:34 pm

    Thank you for the article. In summary this is what I did to fix my issue:
    1. Ran the command from the Exchange server powershell: Get-WebServicesVirtualDirectory | fl *url*
    The result of the command was:
    InternalNLBBypassUrl : https://ex1.company.com/ews/exchange.asmx
    InternalUrl : https://ex1.company.com/EWS/Exchange.asmx
    ExternalUrl : https://mail.company.com/ews/exchange.asmx

    2. Ran this command:
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.company.com/ews/exchange.asmx"

    3. iisreset
    4. waited for 60 seconds, everything is all good now
    5. Make sure there is a mail.company.com A or C record in DNS

  7. Evan says

    December 28, 2012 at 3:12 am

    hello there and thank you for your info – I’ve certainly picked up anything new from right here. I did however expertise several technical points using this web site, since I experienced to reload the web site lots of times previous to I could get it to load properly. I had been wondering if your web hosting is OK? Not that I am complaining, but slow loading instances times will sometimes affect your placement in google and can damage your high quality score if ads and marketing with Adwords. Anyway I’m adding this RSS to my email and can look out for much more of your respective interesting content.
    Ensure that you update this again soon.

  8. Pansy says

    December 9, 2012 at 8:10 pm

    Very good post. I will be dealing with some of these issues as well.
    .

  9. Brian says

    November 8, 2012 at 7:03 pm

    I always refer to this blog, good looking out!

  10. sea ray marble falls says

    November 7, 2012 at 7:44 pm

    This is my first time visit at here and i am really impressed to read all at one
    place.

  11. Alex says

    August 29, 2012 at 3:11 pm

    This article saved me a crap-ton of work. I had resigned to just doing a domain change to make things uniform with our website/ftp domain… but after looking into it and the complications brought on by having Exchange in the mix, I was relieved to find this and solve the issue in five minutes. My hat off to you sir.

  12. David says

    June 24, 2012 at 7:27 am

    So why *must* I enable SSL on the OAB directory? Does that form part of the solution, or is just a recommendation over and above what is required?

    • Elan Shudnow says

      June 24, 2012 at 9:36 am

      Not a requirement. The reason it's off by default is OAB download uses the BITS protocol which does not support self-signed certs. And because Exchange uses a self-signed cert by default, the OAB virtual directory is configured to use http://. But because you're replacing the self-signed cert with a CA-signed certificate, it's recommended to change http:// to https://.

  13. Murray says

    April 16, 2012 at 5:31 am

    This resolved for me too, thanks for the trouble.

  14. Brenda says

    March 22, 2012 at 11:28 pm

    My problem is that I was adding a network connection and was on the wrong line and accidentally erased my security certificate number. I called my outlook express dial-up service and they said it was a Microsoft problem. The following message comes up every time I log on to outlook express before any e-mails come through. The server you are connected to is using a security certificate that can not be verified. The certificate's CN name does not match the pass value. Do you still want to use this server? I check yes and everything goes ok. My big problem is when I order things on line the companies do not want to deal with a security certificate that can not be verified. Please help!

  15. matt says

    January 30, 2012 at 4:43 pm

    @elanshudnow

    I am having this same issue but really am stumped.

    When I run the Get-ClientAccessServer -Identity "ServerName" | FL

    I get the following:

    AutoDiscoverServiceInternalUri : https://access.dabbsco.com/Autodiscover/Autodiscover.xml

    My assigned certificate includes: access.dabbsco.com and autodiscover.dabbsco.com and sbs08 (local server name)

    When I open outlook I get that certificate request pop up and it refers to "sites" as the certificate mismatch. I have no idea where "sites" is coming from but I do see it in the binding of IIS.

    Please advise if you can.

    • Elan Shudnow says

      January 31, 2012 at 9:11 am

      Check all the other services.
      Get-WebServicesVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
      Get-OABVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
      Get-OWAVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
      Get-ECPVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
      Get-ActiveSyncVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL

      • matt says

        January 31, 2012 at 9:58 am

        When I run these commands I get

        [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
        Get-WebServicesVirtualDirectory : The operation could not be performed because object 'SBS08.dcc.local' could not be found on domain controller 'SBS08.DCC.local'.
        At line:1 char:32
        + Get-WebServicesVirtualDirectory <<<< -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
        + CategoryInfo : InvalidData: (:) [Get-WebServicesVirtualDirectory], ManagementObjectNotFoundException
        + FullyQualifiedErrorId : B0B185CC,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDirectory

        • Elan Shudnow says

          January 31, 2012 at 10:06 am

          Because that's the wrong -Identity. Look at my original post and you'll see the format.

          • matt says

            January 31, 2012 at 10:20 am

            Ok, so when I ran that first one it was

            Get-ClientAccessServer -Identity SBS08| FL

            which gave me results, I am doing the same with the new commands, am I totally missing something

            Isn't this the same - Get-ActiveSyncVirtualDirectory -Identity SBS08 | FL

          • matt says

            January 31, 2012 at 10:35 am

            Got this to run:

            [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

            InternalUrl : https://sites/EWS/Exchange.asmx
            ExternalUrl :

            Now I see where that SITES is coming from, now just to change it…..

            Not sure what it needs to be.

          • matt says

            January 31, 2012 at 10:38 am

            [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

            InternalUrl : https://sites/EWS/Exchange.asmx
            ExternalUrl :

            [PS] C:\Windows\system32>Get-OABVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

            InternalUrl : https://sbs08/OAB
            ExternalUrl :

            [PS] C:\Windows\system32>Get-OWAVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

            InternalUrl : https://sbs08/owa/
            ExternalUrl :

            InternalUrl :
            ExternalUrl :

            InternalUrl :
            ExternalUrl :

            InternalUrl :
            ExternalUrl :

            InternalUrl :
            ExternalUrl :

            [PS] C:\Windows\system32>Get-ECPVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
            The term 'Get-ECPVirtualDirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
            At line:1 char:24
            + Get-ECPVirtualDirectory <<<< | fl SBS08, InternalUrl, ExternalUrl
            + CategoryInfo : ObjectNotFound: (Get-ECPVirtualDirectory:String) [], CommandNotFoundException
            + FullyQualifiedErrorId : CommandNotFoundException

            [PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

            InternalUrl : https://sbs08/Microsoft-Server-ActiveSync
            ExternalUrl :

            [PS] C:\Windows\system32>

  16. Lou says

    January 4, 2012 at 1:09 pm

    Thank you!!! I have been looking for this solution all over the Internet but could not find any clear instructions – even from Microsoft. Great article!

  17. Dan C says

    December 13, 2011 at 4:29 am

    Hi,

    I'm having an issue running the commands on the exchange console. When I try to execute any of the commands I get the following error:

    Set-ClientAccessServer : Active Directory operation failed on [server name]. This error is not retriable. Additional information: Directory object not found.

    Anyone have any idea what could be causing this?

    • Dan C says

      December 13, 2011 at 7:16 am

      I managed to resolve this issue but users are still getting the error even after making the changes needed, is there anything else I could be missing?

      • Elan Shudnow says

        December 15, 2011 at 10:44 am

        Dan C, sometimes the changes are not picked up until you reset the IIS Application Pools. Give that a shot. The only time you'd get the certificate error is what is caused by the above. So if you are still getting the error, even after resetting the application pools, you may want to give MS Support a call.

  18. wthrottle says

    November 9, 2011 at 4:39 pm

    Excellent step-by-step. Hit the nail on the head for fixing my issue. Thank you!

  19. Perplexed says

    November 4, 2011 at 8:47 am

    Elan, I have installed the SAN certificate on our exchange 2007 server and enabled it. and assigned services. I have a few different names associated with this certificate, of course.

    when I do a ‘get-exchangecertificate’ in the shell, it only shows the common name of the SAN certificate in the output? should it show all of the names that are associated with the SAN cert? there are two other subject alternative names listed on the cert.

    Thanks.

    • Elan Shudnow says

      November 4, 2011 at 3:27 pm

      Do a Get-ExchangeCertificate | Format-List

      Or the short version:
      Get-ExchangeCertificate | FL

      In all the output, you'll see the SAN fields.

  20. Ray says

    October 18, 2011 at 1:50 pm

    We have installed a wildcard certificate on the 2010 exchange server, so it shows up as *.domain.com when you do a 'get-exchangecertificate' command. Apparently I am unable to enter this as the FQDN for the Set-ClientAccessServer command. I get a 'cannot convert value' error. How can this be done with a wild card certificate?
    Thanks.

    • Elan Shudnow says

      October 18, 2011 at 2:53 pm

      That's because *.domain.com is not an FQDN. You need to enter an actual FQDN using Set-ClientAccessServer.

  21. PaulT says

    October 11, 2011 at 1:16 am

    Incredible.. I've spent days researching into this issue and your simple words of wisdom resolved the issue. Shame about my hair loss though!

    It's clear that Microsoft is pushing down the larger path with UC integration (ie telephony on the desktop) but why didn't they give us poor admins the choice either at installation or at least with a simple GUI click option in the Manager….

    • Elan Shudnow says

      October 17, 2011 at 8:20 am

      Ya, it is a bit confusing for admins trying to migrate on their own to Exchange 2007 or Exchange 2010 and wanting to use the same certificate. Exchange 2010 allows you to now set your ExternalURLs during a CAS installation but that still doesn't change your InternalURLs or your AutodiscoverServiceInternalURI. So there is still some complexity involved post-install with setting up the CAS the way you want and not getting certificate errors on the client side. Glad you found the article helpful.

  22. Allison says

    October 3, 2011 at 9:43 am

    It was time to renew my certificate. I didn't want to have the cert include our internal CAS name or the names of our exchange servers. So i ordered a new cert with just mail.domainname.com and auto discover.domainname.com.

    I assigned the cert upon receiving it and received the message above when i launched my outlook client. I updated the internal urls to match the cn (https://mail.domainname.com). the cert message disappeared. YEAH!!

    BUT now outlook clients cannot get into their out of office settings. You can if you go in via OWA though.

    Error message is: Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.

    I removed and recreated the ews application in IIS. (Which BTW was a gong show – as it failed when I tried recreating it via Exch management shell.) I recreated it (and the related Application Pool) manually.

    All is back to what it was – that being, error in OOF via Outlook client – but OOF works via OWA.

    What am I missing here? It's got to be something SIMPLE.

    Please help! Does it reference the old SSL cert somewhere internally?

    • Elan Shudnow says

      October 3, 2011 at 8:15 pm

      Single Server? If so, try Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://mail.domain.com/ews/exchange.asmx -ExternalURL https://mail.domain.com/ews/exchange.asmx

  23. Michel Calle says

    October 1, 2011 at 12:09 am

    Hi, I have the same problem, then I found the MS Article ID: 940726 and ran the same commands. When I check the AutoDiscoverServiceInternalUri the URL is correct, but I get the same message when I run Outlook 2010. Outside works fine.
    Any help?

    • Elan Shudnow says

      October 17, 2011 at 8:23 am

      Sometimes you also have to restart the Autodiscover application pool within IIS after changing it. Give that a shot.

  24. Alan says

    August 23, 2011 at 8:35 am

    Is there an easy way to simply disable ALL secure transmissions? My users are all internal in a company that has no need for any security, so I’d rather leave the whole thing clear than bother trying to fix the annoyance of having the certificate errors pop up. Is this possible?

  25. Fernando says

    July 7, 2011 at 3:18 am

    Thanks Elan for your post, but I need some more help.

    I’ll try to describe the problem. Everybody at the office is logged on to wSBS2008 and the problem comes when we start Outlook:
    – All the users are asked to introduce their password, which is refused when connecting to remote.xxxx.com
    – Then if we cancel, the autodiscover.xxxx.com certificate appears with the error that you mention.
    – When I do Get-ExchangeCertificate I get 22 certificates and I’m lost.
    And even more, our internal domain name is different than our external domain name
    So if you can help I would really appreciate it, because the one that began that is no localizable.

  26. Maikel says

    July 3, 2011 at 10:37 am

    Great tutorial, thanks for the solution!

    Maikel

  27. Thomas says

    June 23, 2011 at 7:53 am

    Excellent article !

  28. micro20100 says

    June 15, 2011 at 10:37 pm

    Sorry, I must be dumb, as I cannot figure out what I need to do. Same issue as everyone: have a cas array with 2 servers (cas, dag/transport) and load balancer. Installed Verisign certificate on both servers for outside OWA access. All working good, however Outlook 2007 keeps complaining about the OWA certificate. Outlook profile is set up for Exchange with name of cas array. We are using Public folder.
    Do I have to change all my internal URLs to the external one that matches my OWA certificate? The name on it is resolved by its external IP address. Do I also need to hard code the IP address of the CAS array on each server, to resolve locally?
    Thanks in advance

  29. Sanjay says

    May 24, 2011 at 6:18 pm

    Your article was perfect and to the point.. i was able to resolve the problem. You da man!!

  30. Bob says

    May 23, 2011 at 11:14 pm

    Thank You Elan. I was wrestling with this and was at my wits end. Good Work! and greatly appreciated!

  31. Abdul Waheed says

    May 22, 2011 at 4:16 am

    Hi, I have a different scenario - my external domain name is different from my internal domain, so whenever users open Outlook it prompts that certificates mismatch because I have a certificate for the external domain only.

    Is there any workaround for this?

    • Elan Shudnow says

      June 6, 2011 at 12:12 pm

      Set all your internalURLs, externalURLs, and AutodiscoverServiceInternalURI to point to an FQDN that uses the external namespace. All URLs will point back to the Exchange Server.

  32. @davedoeppel says

    May 11, 2011 at 6:44 pm

    Not sure if this is monitored. I had this exact issue on Exchange 2010. I followed all of the directions here and I was still having an issue. However very specific. A user logged onto a non-domain Windows profile, on our internal LAN, would get the error. These are companies I have set up using the Autodiscoverredirect method. If they are logged into a domain profile it works perfectly. If they are off our LAN either domain or non-domain works perfectly.

    • @davedoeppel says

      May 11, 2011 at 6:48 pm

      cutoff the bottom of my post.

      I had done two steps in my Exchange setup, Autodiscoverredirect for supporting our other companies, and OWA easy redirect. In IIS7 the default website had bindings set to unassigned. This seemed to be causing some kind of weird routing for the above scenario. If I change that and force it to be bound to the IP of the server, not the autodiscoverredirect, then the above SSL issue goes away. However I can no longer run EMC or EMS on the server, see http://support.microsoft.com/kb/2027062

      If anyone has any ideas I would love to hear it. For now I will just run my management on my MBX boxes but I would certainly like to have it fixed..

      Thanks,

      Dave

  33. francisco says

    May 9, 2011 at 8:26 pm

    Excellent post – after following your steps all works fine – except for our Public folders

    Would these changes affect the replication / access of public folders?

    • Elan Shudnow says

      May 9, 2011 at 9:09 pm

      None of this would affect replication / access of public folders.

  34. Mahmood says

    April 14, 2011 at 3:25 am

    Some progress..I managed to resolve this error..found out it was the firewall which was mapping to CAS2 ( instead of CAS1) and the policy was higher in the order so was being executed before the other policy to map to CAS1..
    Running the test again on testexchangeconnectivity.com gives a second error now:
    Validating certificate trust for Windows Mobile devices.
    Certificate trust validation failed.

    The certificate chain didn't end in a trusted root

    • Mahmood says

      April 17, 2011 at 11:45 pm

      Never mind..solved

  35. Mahmood says

    April 14, 2011 at 1:48 am

    Need your help to configure Activesync for Exchange 2007. This is my first time to set it up so I am not sure if I am doing it correctly.

    We have 2 CAS Servers, Call it CAS1 and CAS2. Have purchased SSL Certificate and imported it to CAS1 Server using the Exchange Shell Command: Import-ExchangeCertificate ….successfully imported and enabled the certificate on the server.

    External Domain FQDN is mail.mydomain.com

    When I connect using mobile device, synchronization does not work. I ran test at testexchangeconnectivity.com and gives me error on certificate:
    Host name mail.mydomain.com doesn't match any name found on the server certificate CN=CAS2

    What can I do to resolve this?
    Thanks

    • Elan Shudnow says

      April 17, 2011 at 4:20 pm

      Don't forget to enable the new certificate for Exchange Services. I explain how to do that in the article using Enable-exchangecertificate.

  36. TomTom says

    April 5, 2011 at 11:23 am

    Thank you for the GREAT information!

    This fixed my certificate problem. But I managed to create another problem in the process.

    My users typically access OWA simply by typing in exchange.mydomain.com, which defaults to an HTTP request. Now they get a 403 access denied error. But if they put in https://exchange.mydomain.com OWA works just fine.

    I didn't change anything besides what was outlined above. Any ideas why all of a sudden my http redirect to https isn't working?

    Thanks,
    Tom

    • Elan Shudnow says

      April 17, 2011 at 4:22 pm

      Operating System and Exchange version would be helpful.

  37. Jacob says

    April 4, 2011 at 10:09 pm

    Just awesome! Bravo sir! Saved me from having to buy a more expensive certificate!

  38. Dewang says

    March 7, 2011 at 7:39 pm

    Great !!!!
    After steps recommended I also did below steps for it to work.
    Open IIS Manager.
    Expand the local computer, and then expand Application Pools.
    Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

  39. K.M. Hahn says

    February 20, 2011 at 8:56 am

    Thanks for the article. It helped me solve our Outlook certificate error. Very much appreciated.

  40. JasGot says

    February 9, 2011 at 8:48 pm

    I am stuck on the Cert issue regarding inside (LAN) usage and external (Internet) usage. Right now, I have installed a self signed cert and a CA cert.

    My public FQDN is owa.xxx.org
    My Internal FQDN is exchange.yyy.com

    Don't yell! It was this way when I took over :)

    If I assign the CA cert to IIS the connections from outside are fine, but the inside connections get a cert error. If I assign the self signed cert to IIS, the connections on the inside are ok, but the connections on the outside get a cert error.

    Is there any way to have IIS use the CA cert for outside connections and the self signed cert for inside connections?

    • JasGot says

      February 9, 2011 at 8:49 pm

      (Had to split my comment)

      Also, if I understand correctly, you can use one cert if the first part of the domain name is the same? So a CA cert of 123.abc.org will work on the inside too as long as the server name is 123.???.???. I think I read that Outlook 2007 only looks at the first part of the FQDN?

      So now I am curious, if I change the name the exchange server gives to the outside clients to match what the inside clients use, ie; if I change my server to give exchange.xxx.org instead of owa.xxx.org, then the same exchange.xxx.org cert will make the internal outlook 2007 clients happy?

      Thanks for your feedback.

  41. Samer says

    February 2, 2011 at 5:23 am

    really thank u …
    ur great

  42. Jim says

    January 25, 2011 at 2:14 pm

    Much better detail in your descriptions than the Microsoft knowledge base had. Thanks for the excellent article, made much more sense!

  43. Dean says

    January 20, 2011 at 11:50 am

    Very handy. Excellent article.

  44. andy says

    January 1, 2011 at 3:38 pm

    Hi, Can you help me translate

    “CASServer\EWS (Default Web Site)”

    to match my environment? I have a SBS 2008 server and its name is sbs2008.

    thanks,
    atn

    • Elan Shudnow says

      January 4, 2011 at 7:12 pm

      I am not familiar with SBS. I would ask on the Technet SBS forums.

  45. Waleed says

    December 10, 2010 at 8:13 am

    I have the same issue with SBS 2008. I have a cert with IPSCA and it is installed so my phones are syncing properly and I can access OWA without fail. I still get the certificate message with Outlook 2007. It comes up with autodiscover.domainname.co.za The name is invalid or does not match the name of the site. My AutoDiscoverServiceInternalUri : https://exchange.domainname.co.za/Autodiscover/Au… ( which is what my cert is published with)
    My server name is willow.domainnamesbs.local
    Any advice please?

  46. colinv says

    December 9, 2010 at 8:49 pm

    many thanks, even though having the correct settings in internal/external urls following this article and resetting through console worked a treat. (active synch virtual directory was the culprit)

    I found that for sbs 2008, in the script commands, as well as replacing CASServer with ourservername I replaced (Default website) with (SBS Web Applications)
    eg: “CASServer\Microsoft-Server-ActiveSync (Default Web Site)” with “OurServerName\Microsoft-Server-ActiveSync (SBS Web Applications)”

  47. rGB says

    December 1, 2010 at 1:46 pm

    You saved my a$$ :) Thanks a lot

  48. Jay says

    October 11, 2010 at 9:10 am

    Thanks for the article, helped me out!

  49. Thomas says

    October 4, 2010 at 3:03 am

    Excellent article…. Thank you so much!

    Reply
  50. Brandon Schmitt says

    September 13, 2010 at 2:07 am

    For those still having issues and using Exchange over HTTP setup for outside clients, look into using a SRV record in dns to redirect to your single SSL cert; for example, mail.shudnow.net. If you do this you will get a popup in 07 Outlook for the redirect but all you need to do is check "do not show again" and it will work perfectly.

    Here is a link for setup of SRV record. http://www.thirdtier.net/2009/02/setting-up-an-ex…

    Reply
  51. Kush says

    September 7, 2010 at 3:32 pm

    After I applied the changes you suggested, I have a problem with the free/busy look-up via outlook 2007 client and I had to change the auto-discover URL back to https://FQDN//Autodiscover/Autodiscover.xml to make the free/busy work. Any ideas. We have 4 CAS servers in 2 sites, 2 in each site and we are using the round robin DNS alias pointing to these 4 servers. But looks like when a user is doing the free/busy lookup it is trying to fetch the free/busy info from another site instead of where the user's account is.

    Reply
    • Elan Shudnow says

      September 12, 2010 at 7:17 am

      Any CAS in any site can handle the request. And what you wrote doesn't really make sense. I had you change the FQDN to https://FQDN/Autodiscover/Autodiscover.xml but you said you changed it back to https://FQDN/Autodiscover/Autodiscover.xml. Hm?

      Reply
  52. Donmeado says

    August 20, 2010 at 12:04 pm

    Awesome document thanks very much!

    Reply
  53. Lynn Smith says

    August 11, 2010 at 1:37 am

    Thanks for the nice article. I get very good information for Outlook 2007 Certificate Error.

    Reply
  54. window recovery says

    August 10, 2010 at 4:19 am

    Basically, the certificate is for domain.net, and the internal network name is obviously not that. I do have that domain added in DNS, and it resolves internally and externally (which works great for EVERYTHING besides Outlook 2007). Visit here for more information :: http://www.msoutlookrecovery.com/ .

    Reply
  55. J W says

    August 8, 2010 at 7:07 pm

    Phew, 8 hours of Hell over… I was doing this with the microsoft stupid contoso fqdn pointing to the internal netbios.domain.local. I didn't realize I had to point to the external cert until you spelled it out. Thanks

    Reply
  56. Beefeater says

    August 3, 2010 at 4:09 pm

    Just a follow up on my previous post.

    Being a newbie to exchange and powershell it didn't occur to me right away, but a lightbulb came on and I decided to use the get-webservicesvirtualdirectory cmdlet to find out what my server was calling it. Turns out rather than having "casserverews (default web site)" it is "casserverews (sbs web applications)"

    This is common for all the cmdlets stated in this article. Seems to have resolved my certificate issue, so now I'm just waiting with my fingers crossed to see if it broke something else. Thanks for the article Elan, it works really well so far.

    I also failed to notice that there were 3 pages of comments so forgive me if someone had posted the answer to this on page 2 or later, I didn't read it, and for that, I apologize.

    Regards,

    Beefeater

    Reply
    • eshudnow says

      August 4, 2010 at 12:40 am

      Just realized you posted a follow up. Basically what I suggested is what you already did so never mind!

      Reply
  57. Beefeater says

    August 3, 2010 at 3:19 pm

    Hi Elan,

    Your article is great and seems to be the solution to my problem, but when I try to type your cmdlets -Set-WebServicesVirtualDirectory -Identity "CASServerEWS (Default Web Site)" <rest of cmdlet entry here> I get an error saying "CASServerEWS (Default Web Site)" could not be found on domain controller: <DC FQDN>

    I'm using SBS 2008 which has exchange 2007 and while most of the info I have found regarding exchange has been relevant, I have found that stuff related to websites is different. I'm just wondering if you have some different instructions for those who are using SBS 2008. I know this article is quite old but it seems to be the solution and I would like to know how to get it to work on my system.

    Thanks

    Reply
    • eshudnow says

      August 4, 2010 at 12:39 am

      You know, I usually don't even follow what I have on my blogs. I always show how to set it against a single server. But in a single site scenario, I always just set InternalURLs to something like webmail.domain.com and point the DNS to the load balancer or to that specific server. Because of this, I just do Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL InternalUrLHere BasicAuthstuffHereIfYouWant. Even though you only have 1 CAS, this will work and is easier to do.

      Reply
  58. paypwip says

    July 21, 2010 at 7:26 pm

    +1 to People Helped, thanks.

    Reply
  59. jeff says

    July 19, 2010 at 5:09 pm

    wow!! this actually worked!! it is depressing that microsoft cannot create a simple article like this. this worked like a charm!! i hope people would actually find this article. thank you so much for putting this together!!!

    Reply
    • Elan Shudnow says

      July 19, 2010 at 5:42 pm

      They actually do have a KB on this. But I created this article before that KB existed. :)

      Reply
  60. Christo says

    July 15, 2010 at 2:33 am

    Hi Elan,

    Does this also apply to an Exchange environment that has multiple Exchange CAS (Geographically) Servers on the same domain (WAN)?

    I have noticed that all my CAS Servers have their own Autodiscover URI. Would I need to configure each CAS Server individually? I only use one primary CAS Server for External OWA access. This CAS then routes District users to the District CAS/Mailbox server that hosts their mail.

    We do not use Secure email (HTTPS) due to limitations on our WAN (Government Dept sitting on a Centrally supplied and managed WAN for ALL Dept).

    I hope I am not too confusing.

    Regards,
    Christo

    Reply
  61. Claudio says

    July 12, 2010 at 9:31 pm

    YOU ARE A LIFE SAVER!!!!! THANK YOU SO MUCH!!!!

    Reply
  62. Claudio says

    July 12, 2010 at 9:27 pm

    YOU ARE A LIFE SAVER!!!!! THANK YOU SO MUCH!!!!

    Claudio

    Reply
  63. yan says

    June 23, 2010 at 10:39 pm

    On SBS 2008 the commands need to include (SBS Web Applications) not default web site. Default website doesn't include those sites anymore.

    Reply
  64. Dagan Henderson says

    June 9, 2010 at 5:01 pm

    One thing you may want to add is that it may be necessary to reboot the system for the changes to take effect. I was going crazy trying to think of which service must still be directing to the internal server name and finally gave up for the night. The next day the error message had stopped appearing.

    Reply
  65. Jason says

    May 17, 2010 at 6:47 pm

    Hey, Thanks! This resolved a few things for me, but I'm still getting a Certificate Error in outlook with the title of "sites", before the Certificate Error had a different title.

    Can you help me?

    Reply
  66. Cillie says

    May 17, 2010 at 3:17 pm

    Don't know what I did.
    Tried everything in this post. But still getting the error "The name on the security certificate is invalid or does not match the name of the site."

    I'm on Exchange 2010 though. So leaving the command Set-UMVirtualDirectory out.
    AD is on 2008 R2. Exchange is installed on one of the AD's. The GC of the 2.

    Reply
    • Nasatech says

      July 26, 2010 at 3:45 pm

      Me too…. :-(

      Reply
      • Nasatech says

        July 26, 2010 at 4:11 pm

        Just found the solution:

        Make a fake zone with the autodiscover."yourdomainname" and point it with a CNAME to your external name resolving to your internal mailserver IP. It must be a CNAME and not an A record.

        Go to your DNS management, Administrative tools->DNS. First in the Forward Lookup Zone (FLZ) for domain.com, RC the domain.com and select 'New Host (A)', enter: mail, for the name and input the Internal IP of your CAS. Next RC the FLZ under your server and select 'New Zone', click 'Next' at the wizard introduction, leave the zone type as Primary and ActiveDirectory integrated, click 'Next', leave the zone replication on the default, which is to all domain dns servers, click 'Next', for the name enter: autodiscover.domain.com, click 'Next', for the dynamic updates change the setting to 'Allow both unsecure and secure dynamic updates', click 'Next' then click 'Finish'. Now RC the new autodiscover.domain.com and select 'New Alias (CNAME)', leave the name field blank and just click on the Browse button. In the new browse window, double-click (DC) the server name, DC the FLZ folder, DC domain.com and then select the mail entry, click 'OK' to complete. You can now close DNS.

        Reply
  67. Matt says

    May 12, 2010 at 7:56 pm

    Only had to change the Thumbprint and the AutoDiscover internally…. thanks so much!!
    This really helped!

    Reply
  68. chris says

    April 26, 2010 at 4:43 am

    I still use this as a list of all places to make changes to URLs in Exchange; it's useful when changing internal OR external values. Thanks for putting the effort in!

    Reply
  69. NSJ says

    April 19, 2010 at 3:48 pm

    What about when it happens to the remote site and not at the corporate office? I would think the same certificate would be used in both places, but the remote site is having the problem and corporate claims it never sees the error message. I would think that it would show up for both sites if a problem exists.

    Reply
    • eshudnow says

      April 20, 2010 at 11:55 am

      It depends on your setup. I would check out the following article to understand how proxying and redirection works: http://technet.microsoft.com/en-us/library/bb3107…

      Either way, you need to make sure that the sites trust each other's certificates and the AutodiscoverServiceInternalURL, InternalURLs, and ExternalURLs are all on the certificate. The same goes for autodiscover.domain.com if you want to support autodiscover for outside clients and internal non-domain joined clients.

      Reply
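
The check described in the reply above (every AutodiscoverServiceInternalUri, InternalURL and ExternalURL host name has to be on the certificate), combined with the tip from comment 56 of using the Get-* cmdlets to find the real virtual directory identities, as an added example that is not part of the original comments or the article's own code. The thumbprint is a placeholder and the helper function names are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2007/2010 server.
# Placeholder: paste the thumbprint Get-ExchangeCertificate shows for the IIS certificate.
$Thumbprint = '<thumbprint-of-IIS-certificate>'

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
# CertificateDomains holds the subject CN plus any subject alternative names.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Hypothetical helper: is this host name covered by the certificate?
function Test-NameOnCertificate([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        # A wildcard entry such as *.domain.com covers exactly one extra label.
        if ($n.StartsWith('*.')) {
            $firstDot = $h.IndexOf('.')
            if ($firstDot -gt 0 -and $h.Substring($firstDot) -eq $n.Substring(1)) { return $true }
        }
    }
    return $false
}

# Hypothetical helper: one report row per URL that Exchange hands to clients.
function New-UrlRow($Source, $Identity, $Url) {
    if (-not $Url) { return }   # URL not set, so nothing is advertised
    $row = '' | Select-Object Source, Identity, HostName, OnCertificate
    $row.Source        = $Source
    $row.Identity      = "$Identity"
    $row.HostName      = ([System.Uri]"$Url").Host
    $row.OnCertificate = Test-NameOnCertificate $row.HostName
    $row
}

# Hypothetical helper: internal and external URL of each virtual directory.
function Get-VdirRows($Label, $Vdirs) {
    foreach ($v in $Vdirs) {
        New-UrlRow "$Label InternalUrl" $v.Identity $v.InternalUrl
        New-UrlRow "$Label ExternalUrl" $v.Identity $v.ExternalUrl
    }
}

$rows = @(
    Get-ClientAccessServer | ForEach-Object {
        New-UrlRow 'Autodiscover SCP' $_.Identity $_.AutoDiscoverServiceInternalUri
    }
    Get-VdirRows 'EWS'        (Get-WebServicesVirtualDirectory)
    Get-VdirRows 'OAB'        (Get-OabVirtualDirectory)
    Get-VdirRows 'ActiveSync' (Get-ActiveSyncVirtualDirectory)
    Get-VdirRows 'OWA'        (Get-OwaVirtualDirectory)
)

# Mismatches sort first; each one is a name Outlook will warn about.
$rows | Sort-Object OnCertificate, Source | Format-Table -AutoSize
$bad = @($rows | Where-Object { -not $_.OnCertificate })
"{0} of {1} advertised URLs use a host name that is not on the certificate." -f $bad.Count, $rows.Count
```

The Identity column is the exact string to pass to -Identity in the matching Set-* cmdlet, which is where SBS 2008 differs from the article. autodiscover.domain.com is found by clients through DNS rather than advertised by Exchange, so it does not appear in this report.
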
  70. Frank Cone says

    April 1, 2010 at 2:43 pm

    Hello,

    I have an Exchange 2010 server with this issue. I did multiple searches and found basically this info (Not as cleanly laid out though). I followed the instructions down to the last command

    (Set-UMVirtualDirectory -Identity “CASServerUnifiedMessaging (Default Web Site)” -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service… -BasicAuthentication:$true)

    At that point I get the following:

    The term 'set-umvirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    I went ahead and created a new SRV record pointing mail.companyname.org to the ip and now if I ping mail.companyname.org it resolves to the IP address of the casserver.

    Any assistance is appreciated.

    Thank you,
    Frank

    Reply
    • eshudnow says

      April 2, 2010 at 1:21 pm

      Frank, you do not have to do this in Exchange 2010 as there is no more Unified Messaging virtual directory. In Exchange 2010, Exchange Web Services (EWS) is now used for Unified Messaging functionality. I will make a note in the article about this.

      Reply
  71. NG GEE SING says

    March 25, 2010 at 2:41 am

    Hi Mr elan,

    I am having an issue in my Exchange environment.

    Status : 3 exchange servers
    exchange-01 – role -> hub, client access, mailbox
    exchange-02 – role -> client access
    exchange-03 – role -> mailbox

    I have just imported a new single name certificate with the name "mail2.domain.com" at exchange-02 and faced the problem you posted on the blog and solved it with your solution.

    But a new problem shows up where users who are using Outlook 2007 are unable to download the offline address book, and when I tried to run Test AutoConfigure, I found that users who are using Outlook 2007 are connected to exchange-01/OAB but not exchange-02.

    kindly need your help

    Reply
  72. Eve says

    February 8, 2010 at 6:30 am

    I wish I found your blog last week :)
    Big Thankyou

    Reply
  73. saint says

    February 1, 2010 at 7:22 am

    Hi,

    I'm using UC and having an issue with the 8004010f error in Outlook 2007. Send/Receive works well but it's annoying.
    Any hints?

    Thanks.

    Reply
    • Elan Shudnow says

      February 4, 2010 at 6:37 pm

      Try Best Practices Analyzer to see if it flags something that can possibly be fixed and thus possibly making your error code go away. Other than that, start Googling/Binging the error code and do things articles tell you till it's gone.

      Reply
  74. saint says

    February 1, 2010 at 2:09 am

    I’m using UC but still getting the 8004010f error in Outlook 2007. Send/receive works well but it's annoying. Any hint?

    Thanks.

    Reply
  75. annalynn says

    January 27, 2010 at 10:56 pm

    i'm having this same issue, but i was never on an exchange server.

    Reply
  76. Radek says

    January 7, 2010 at 1:18 pm

    Hi guys,
    I have a very similar problem, but only with internal access of my Outlook clients.
    Everything from the outside network (internet) is working fine: Outlook Anywhere, ActiveSync to mobile devices, Outlook Web Access … nothing has a problem.

    But when my Outlook clients try to connect from the local area network to the CAS server, I get the warning with the certificate error.
    I get the same certificate warning if I try to access Outlook Web Access.

    I have set all ways, directories etc. in the right way. External things are to server.domain.com, internal things point to server.domain.local.
    The SSL certificate is signed by STARTSSL CA, which is a publicly trusted CA, and it points to the server.domain.com name.

    So I can understand why Outlook clients have problems if they try to connect from the local area network, because the SSL certificate is pointing to another name of the server? But why are they using SSL for the connection? I have them inside the company network, I don't need to use RPC over HTTPS for them. Maybe the problem is that my server has only one IP address and has all Exchange roles together on one machine …?

    Thank you for any kind of tips

    With regards, Radek

    Reply
    • Elan Shudnow says

      January 8, 2010 at 6:14 am

      Because Outlook 2007+ uses web services not just for OWA or Outlook Anywhere. It uses it for OOF, Free/Busy, OAB, Autodiscover, etc… The entire article already explains this and why you need to set the InternalURLs properly. Basically, I have already answered your question in my article as to why the InternalURLs need to match the name of the certificate.

      Reply
  77. GCamacho says

    December 16, 2009 at 5:51 pm

    Thanks buddy! This was the easiest fix to the issue that I was able to find. Keep up the awesome work!

    Reply
  78. Darrell says

    December 9, 2009 at 5:21 pm

    Super! Great instructions!!!!

    Reply
  79. RBEX2007 says

    November 25, 2009 at 6:12 pm

    Everything works now for domainA. If I add domainB, will autodiscover work for OWA and Outlook Anywhere? Can I still use a single cert?

    Thanks for your help.

    Reply
  80. VXR Dave says

    November 25, 2009 at 2:37 pm

    You're a life saver mate.

    Reply
  81. T.C says

    November 24, 2009 at 1:31 pm

    Hi,
    I have an Exchange 2010 and am trying to get ActiveSync to work for push e-mails

    testing using https://www.testexchangeconnectivity.com gives me an error with the certificate

    "Host name <domian name> does not match any name found on the server certificate CN=<computer name>"

    How do i add the domain name to the certificate?

    thanks

    Reply
    • Elan Shudnow says

      November 24, 2009 at 2:21 pm

      T.C., you can use the new certificate wizard to request a new certificate. Check out this video for more information:
      http://www.msexchange.org/articles_tutorials/vide…

      Reply
  82. J.P. says

    November 20, 2009 at 7:21 pm

    Worked Like a Charm!!!!

    Reply
  83. Tommy says

    November 5, 2009 at 9:25 pm

    I understand the document and follow the steps, but every time I get to (Default Web Site)” I get an error. What am I doing wrong? I am going insane.

    Reply
    • Elan Shudnow says

      November 5, 2009 at 10:32 pm

      Can you provide the error you're getting?

      Reply
  84. chad says

    October 13, 2009 at 7:48 pm

    I would like to thank you for the easy to follow fix for this certificate error!

    I have a problem that has started since I did this fix. To give you some information, the certificate request was generated using IIS and was imported into IIS. We currently only use OWA externally. We were able to access https://mail.mydomain.com/OWA from the inside or outside of our network with no issues and with no certificate errors at this point, but we were getting the certificate error in Outlook 2007. I followed your guide and have verified the settings, but now when I go to https://mail.mydomain.com/OWA from inside or outside I get a certificate error and I am redirected to https://server.mydomain.com/owa/auth/logon.aspx?r… and since there isn't an external DNS entry for server.mydomain.com I can't get to my OWA. I am unable to figure out what would have changed this from the commands above but I am not getting anywhere. My certificate is for mail.mydomain.com.

    Thanks for all your help!

    Reply
    • Elan Shudnow says

      October 13, 2009 at 9:38 pm

      You'll probably want to use the Set-OWAVirtualDirectory command and use the InternalURL and/or ExternalURL to ensure that it has a name that is on your certificate. For example, Set-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -InternalURL https://mail.mydomain.com/owa -ExternalURL https://mail.mydomain.com/owa.

      Reply
  85. Michael Butterworth says

    October 12, 2009 at 2:24 pm

    Thanks. It's a bit of a pain. Whichever way you do it you get certificate errors until you do lots of stuff Microsoft doesn't tell you in training.

    Reply
  86. JeremyP says

    September 28, 2009 at 9:28 pm

    You saved me many, many headaches with this article. Thanks a ton!

    Reply
  87. Gabe says

    September 21, 2009 at 6:09 pm

    Elan,

    Great article. Thanks.

    My one big question, though, is how will these changes affect Outlook 2007 clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.

    Thanks,
    Gabe

    Reply
    • Elan Shudnow says

      September 22, 2009 at 8:25 pm

      It really shouldn't matter. As long as DNS/NetBIOS can hit the server and the certificate that is on the Exchange Server has that name, it should be transparent to the user.

      Reply
  88. PMD says

    September 16, 2009 at 5:04 am

    This really sorted me out. Thanks a lot

    Reply
  89. Daniel says

    September 10, 2009 at 11:29 pm

    Thanks very much, I was spending a lot of time on the internet to find the answer…

    I am not an Exchange admin, so this guide helped a lot.

    Thanks

    Reply
  90. Eduardo Almeida says

    August 21, 2009 at 10:00 am

    Hi,

    Excellent article, you can only add as a last step to recycle the MSExchangeAutodiscoverAppPool pool on IIS.

    Thanks,

    Eduardo

    Reply
  91. RTessanne says

    August 12, 2009 at 9:13 am

    I too have followed this amazing post and it resolved all but one issue that is driving me insane.

    I have 2 sites connected via Site-to-Site VPN tunnel. The Exchange 2007 server is at Site 1 and clients are at Site 1 and Site 2. All of the users in Site 1 are working fine however, all the users in Site 2 still get the certificate popup when they open Outlook 2007.

    Background:
    1 Domain “domain.local” internal Windows 2003 AD with Domain Controllers in each location with updated DNS entries to match my certificate “mail.domain.com” pointing to the INTERNAL IP of the Exchange 2007 server. Again, everything is fine from Site 1.

    Site 2 is fully replicated with the DC’s and they are also GC’s (not that it would matter). They can perform NSLOOKUP and resolve mail.domain.com to the internal IP address just fine, so I am not sure why I am still getting this error message.

    I have re-pasted CLI’s and restarted the POOL and the server so many times that the power button is wearing out (just kidding).

    Please if you can offer any more assistance on this it would save my hide!!

    Rob

    Reply
  92. wow-Impressed says

    July 30, 2009 at 3:21 pm

    I have to say!!! WOW!! I spent 2 months on this, everyone said different things, I found your article and had it working before lunch!!!

    Thank you SO MUCH m8, you saved my bacon!!


    Reply
  93. Todd says

    July 30, 2009 at 11:49 am

    Elan, you are amazing…your instructions worked flawlessly…THANKS!!!

    Reply
  94. Martins says

    July 21, 2009 at 1:35 pm

    Hi Elan Shudnow

    We have the same problem. The Outlook 2007 reclaim about the error certificate just internally.
    From External access we don’t have this problem. We use an external certificate (Unicert) to webmail.ourcompany.com.

    I’m thinking to follow your procedure step-by-step but the CAS and HUB roles are in two servers in NLB.

    The question is: Do you see any problem in an environment like this? Or better, is another additional procedure necessary for a CAS/HUB in NLB?

    Thank you

    Martins

    Reply
  95. Nilson says

    July 7, 2009 at 12:34 am

    Your article, combined with post 65 solved the problem on my SBS2008. Works perfectly now.

    Thanks a lot!

    Reply
  96. Ramiro says

    July 6, 2009 at 3:17 pm

    Ok,
    Today I realized that the problem was only with my mailbox. It didn’t happen with the other already moved mailboxes.
    Finally I figured out that it was only a problem of a password stored in the “Vista Network passwords” feature. In short, I had mail.mycompany.com stored there with who knows what, so I deleted that entry and Outlook stopped bothering me by asking for the password.

    Thank you for the help Elan, the important thing here is that the explanation in your article totally solved my certificate issue, and this other thing had nothing to do with your instructions.

    Thanks again

    Reply
  97. Elan Shudnow says

    July 2, 2009 at 2:46 pm

    Well one of the things I have in there is disabling IPv6. In short, when IPv6 is enabled, the RPC/Proxy service doesn’t listen on port 6004 for IPv6 so Outlook Anywhere fails. So you need to completely disable ipv6 (not just uncheck it from the NIC.)

    Also, configuring OA by Autodiscover doesn’t configure it to always connect Via OA. Only when you don’t have RPC connectivity directly to your mailbox server unless you’ve configured it otherwise.

    Reply
  98. Ramiro says

    July 2, 2009 at 1:53 pm

    Yes I’m running it on a 2008 Server, and I read your other post, but I couldn’t find anything relevant since I did have Rollup 8 for Exchange 2007 SP1 installed.
    What I noticed, though, is that Outlook Anywhere is autoconfigured as part of the autodiscover function, so Outlook is behaving as if it is outside of the network, that’s why it is asking for credentials at startup.

    Reply
  99. Ramiro says

    July 1, 2009 at 8:59 am

    Update: I didn’t tell you that I was upgrading from Ex 2003 to 2007. Knowing that, I am at the point of replicating the public folders, and I already moved my mailbox to the 2007 server. I have a certificate for mail.mycompany.com (GoDaddy) working well on the 2003 Exchange, so when I installed the same certificate on the new server is when I had the issue described in your article. As I said, following your instructions the certificate issue disappeared, but now Outlook asks me for credentials when it opens, and this happens ONLY if DNS (or I modify the host file on my computer for testing) points “mail.mycompany.com” to the new server. So I guess it has something to do with the public folders that are not moved yet. Am I right?

    Reply
    • Elan Shudnow says

      July 1, 2009 at 11:17 pm

      Ramiro, that shouldn’t be an issue. Are you running on Server 2008? If so, you may want to check out my following blog post here.

      Reply
  100. ChrisPogi says

    July 1, 2009 at 7:24 am

    Great Article!

    I had a difficult time however (I’m on SBS2008) setting the OAB and WebServices internal URLs, kept getting the “object not found” as outlined in *63. Tried answer from *68 and it didn’t work.

    Just fixed it today by leaving out the -identity tag, which it would ask me for afterwards; doing it that way worked for me.

    OAB and EWS was under the (Default Web Site) for me [in reference to post 68 above]

    Thanks Elan!

    Reply
    • Elan Shudnow says

      July 1, 2009 at 11:14 pm

      ChrisPogi, you’re welcome. And thanks for posting the thank you as well as your issue and what you did to work around it.

      Reply
  101. Ramiro says

    June 30, 2009 at 6:39 pm

    Elan,
    I followed all your instructions and finally I have my cert running well. The error in Outlook disappeared, but I have another issue now. Each time I open Outlook it asks for credentials, even when connected to the network at the office.

    Any thoughts?

    Reply
  102. Elan Shudnow says

    June 29, 2009 at 11:10 pm

    Welcome. Ya, it can be confusing for those who don’t work with Exchange much or who are new to Exchange 2007 and don’t understand Autodiscover or the services that utilize InternalURL and ExternalURL. Exchange 2010 makes it a little easier by allowing you to specify if a new CAS server is an Internet Facing CAS and automatically set your ExternalURLs. But it doesn’t let you automatically specify InternalURLs if using a regular SSL certificate. So the issue will still exist in Exchange 2010.

    Reply
  103. Larry says

    June 29, 2009 at 9:46 pm

    Thanks a zillion…this eliminated the problem…why is this not straight forward when installing the original certificate?

    Reply
  104. Elan Shudnow says

    June 25, 2009 at 1:55 pm

    That’s what split DNS is. So yes.

    Reply
  105. James says

    June 25, 2009 at 1:15 pm

    OK, but if my internal and external DNS are all “domain.com” will this approach still work?

    Reply
  106. James says

    June 25, 2009 at 9:08 am

    So just to be clear, there is no way to make the certificate error go away unless you have a certificate with multiple names?

    I have my SSL certificate that says “mail.domain.com” and I have an alias for “autodiscover.domain.com” pointing to “mail.domain.com”. Everything works perfectly but on startup of Outlook there is a security warning indicating the certificate name does not match for “autodiscover.domain.com”.

    I just want to confirm that I need to resolve with a multi named certificate. Mine is from a trusted root provider so I would have to replace it with a more expensive certificate if this is true.

    Thanks,
    James

    PS – Nice article and reply string. It is very useful.

    Reply
    • Elan Shudnow says

      June 25, 2009 at 10:02 am

      This whole article explains how to make the error go away without a UC certificate. :P You just need to have split DNS and set your InternalURLs and ExternalURLs to be the same as well as the AutodiscoverServiceInternalURI. If you had a SAN cert, you could put the Server FQDN on the certificate and then leave all the InternalURLs and AutodiscoverServiceInternalURI and then just set your ExternalURLs.

      Reply
  107. joe says

    June 24, 2009 at 7:52 pm

    got it working.

    Reply
  108. Elan Shudnow says

    June 22, 2009 at 6:26 pm

    joe, if using an internal CA, you need to make sure your server contains the root certificate of your CA.

    Reply
  109. Jannes Labaere says

    June 19, 2009 at 7:08 am

    Nice!! Thank you!!

    Reply
  110. Dawn says

    June 18, 2009 at 1:42 pm

    Worked great!!!! Thank you, thank you!

    Reply
  111. joe says

    June 17, 2009 at 10:35 pm

    Ok, by following this guide http://www.exchangeinbox.com/article.aspx?i=126 and replacing the cert installed by the Exchange install, and using a new cert generated by Windows Server 2008 CA, the issue is resolved. However, I have a new error: by using my own private CA cert that I generated, I now get a red x for the first item “the security certificate is from a trusted certificate authority”, which I expect since this is not from a public CA. So, when I get that error all I should have to do is view the cert and install it manually into my PC, however, it doesn’t seem to work, it continues to complain about the cert even though I manually installed it, which once again I expect since this is not from a public CA but my own private one. Any ideas or suggestions?

    Reply
  112. joe says

    June 17, 2009 at 7:45 pm

    I’ve read numerous articles, found this one.. but I still can’t get it to work.. I’m at my wits' end. First issue is when OL 2007 gives me this error, and I click on VIEW CERTIFICATE, I don’t get the name of the cert. How do I get this info? When I do a get-exchangecertificate cmdlet I get the following

    Thumbprint services subject
    lots of numbers IP.WS CN=BMW
    logs of numbers …… CN=WMSvc-BMW

    So the name of my cert is BMW? BMW is the name of my Exchange 2007 server. So what should be my internal and external url? I tried various mail.bmw.domainname I tried bmw.domainame using the cmdlets above to no avail. Microsoft made this autodiscover so darn complicated geez..

    Also, unlike on my exchange 2003 server looks like I can’t use a self created cert anymore for OWA, activesync, outlook anywhere? No way around this? I know the drawbacks, but can I use a self created insert?

    Reply
  113. Perry says

    June 7, 2009 at 8:07 am

    @ 63 .. In SBS (2008) you should use SBS1\EWS (SBS Web Applications) instead of ( default web site ) because the oab and ews are not under the default website!

    I have a problem after doing all this that outlook 2007 keeps asking for a password.
    Anyone know how to solve that?

    regards
    Perry

    Reply
  114. Elan Shudnow says

    May 29, 2009 at 1:45 pm

    Should work but I’m not familiar with any differences in SBS that would prevent this.

    Reply
  115. David Nicholas says

    May 29, 2009 at 10:10 am

    We have SBS2008. When applying your fixes above, these commands fail because the “object could not be found on the domain controller”

    Set-WebServicesVirtualDirectory -Identity “SBS1\EWS (Default Web Site)” -InternalURL https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true

    Set-OABVirtualDirectory -Identity “SBS1\OAB (Default Web Site)” -InternalURL https://mail.ourdomain.com/OAB

    Am I missing something in the syntax?

    Reply
  116. Elan Shudnow says

    May 15, 2009 at 9:38 am

    Thanks Dorian.

    Reply
  117. Dorian Groenewegen says

    May 14, 2009 at 2:22 pm

    Hi Elan,

    Thanks man!!
    This guide was very helpful and fixed the problem.
    saved me a lot of time.

    GreetZ Dorian

    Reply
  118. AC says

    May 7, 2009 at 9:31 am

    When is Microsoft going to get their documentation right? I understand the need to provide full documentation, but a simple outline like this is all we typically need. Thanks.

    Reply
  119. Mike Connor says

    May 2, 2009 at 8:59 pm

    This seems to have cleared up the same annoying problem in Entourage! Everything I could find on it would mostly send a person in the direction of SAN certificates, etc..

    Reply
  120. fuji says

    April 16, 2009 at 5:17 pm

    You’re the man.
    Everything was fine until I ran the latest Office 2007 Updates on my users. Then I started to get the Cert error. I changed the NETBIOS name to Cert name, no more Security alerts. THANKS

    Reply
  121. Elan Shudnow says

    April 3, 2009 at 2:41 pm

    I’m not the person you want to be asking SBS questions to. I’ve never worked with SBS.

    Reply
  122. Dane says

    March 31, 2009 at 7:40 am

    Hi Elan,

    I too have been helped by this, so thank you for that.

    I have a question though: what procedure should be followed to avoid having to perform this fix from the shell anyway? I’ve dealt with two examples in SBS 2008 now; both had a default self-signed certificate installed when the OS was installed: remote.domain.com. This was assigned to pretty much everything, internal and external etc. Both clients purchased their own mail.domain.com certificates. Is there a way I should have applied them that would have automatically updated all the internal and external addresses, rather than having to manually go in via the shell and change them all?

    Thanks,
    Dane

    Reply
  123. Elan Shudnow says

    March 20, 2009 at 11:53 am

    Vicks, I wrote a pretty comprehensive article on the Autodiscover and what names you need on certs, dns, using ISA in the mix, etc… I’d give it a read:
    https://www.shudnow.io/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

    Reply
  124. Vicks says

    March 19, 2009 at 12:44 pm

    Hi Elan,

    We provide exchange hosting service to our clients. Recently we migrated one client to our Exchange Hosted Environment from POP3 services like many of our clients.

    Client is using Outlook 2007 and whenever Outlook is started it comes up with the certificate error. But the error doesn’t come up in Outlook 2003.

    Even when we try to use this URL the same certificate error comes up (the same error as in Outlook 2007)
    https://autodiscover.xyz.co.uk/

    However, our clients using different domains have no issue irrespective of the Outlook version.
    So it seems to be something to do with IIS? We are not sure. Microsoft support is also no good!
    Please advise.

    Many thanks,

    Vikas

    Reply
  125. Mike says

    March 6, 2009 at 12:49 pm

    Thanks a bunch for the article!

    Note to all: don’t forget to restart Exchange services or reboot for this to take effect, like this dummy did!

    Reply
  126. waz says

    February 17, 2009 at 6:36 am

    Cheers mate, this worked a treat. It also resolved the issue I had with Outlook and operation failed :-)

    thank you

    Reply
  127. waz says

    February 17, 2009 at 6:35 am

    Cheers, that worked brilliantly. It also solved the issue I had with Outlook giving an operation failed error when doing a send/receive :-)

    Thanks again

    Reply
  128. Cam says

    February 12, 2009 at 10:45 am

    Thank you! Your article helped and saved me lots of time. Much appreciated.

    Reply
  129. Kevin Decor says

    February 6, 2009 at 11:56 am

    Hey, thanks for the fix. Worked for me as well!

    Reply
  130. Sidewinder says

    February 4, 2009 at 7:38 pm

    It should be autodiscover.mydomain.com – no “y”.

    Reply
  131. pragma says

    January 27, 2009 at 9:32 am

    Hi :)

    Thank you for that article – it helped me A LOT! :) The error you mentioned at the top disappeared but another one showed up – it’s almost the same with a small difference: instead of my Exchange Server Name (mail2 in your case) I’ve autodiscovery.mydomain.com – Can you tell me where I should look for that entry?

    regards

    pragma

    Reply
  132. Elan Shudnow says

    January 1, 2009 at 4:03 pm

    What errors? You can try the Set-OWAVirtualDirectory command to set the -InternalURL and -ExternalURL.

    Reply
  133. Jason says

    December 31, 2008 at 12:24 pm

    Elan,

    I was able to make the security warning go away but now I can’t hit OWA external or internal, any thoughts? Thank you very much!!

    Reply
  134. PemB says

    December 18, 2008 at 10:21 pm

    YOU ARE THE MAN

    Reply
  135. megatherion says

    October 22, 2008 at 11:22 am

    Really useful post! I had spent a lot of time trying to solve this problem, then I found this entry and solved the problem in just a couple of minutes. *bows*

    Reply
  136. dtstanton says

    October 15, 2008 at 8:18 am

    I must have been asleep, I retried everything this morning, and it worked. thanks.

    Reply
  137. Elan Shudnow says

    October 14, 2008 at 7:09 pm

    You need to use the Exchange Management Shell. I assume you’re opening PowerShell itself which doesn’t execute the Exchange Snap-Ins.

    Reply
  138. dtstanton says

    October 14, 2008 at 6:53 pm

    I’ll preface this with the fact that I am a newbie with PowerShell, but I have been beating my head against the wall with this one. None of the commands you have listed are recognized. Even Get-ExchangeCertificate came back saying unrecognized command or script. Hopefully I am just doing something simple wrong. Any thoughts?

    Reply
  139. Elan Shudnow says

    August 29, 2008 at 7:28 am

    Here’s the Autodiscover whitepaper:
    http://technet.microsoft.com/en-us/library/bb332063.aspx

    There’s a couple things you can do. You can use an SRV record for Autodiscover, or you can get a UC/SAN certificate from a provider such as Entrust/Digicert/Etc. that contains a Subject Alternative Name of autodiscover.domain.com. As far as I remember, the SRV record option will prompt your users for acceptance while the SAN name method will not and is the recommended method. I would read the whitepaper for more information.

    Reply
  140. lotusbob says

    August 27, 2008 at 10:54 pm

    Thanks for this post. I followed the instructions and the error went away…..for all the users inside the LAN.

    Now I am being told that Outlook Anywhere users outside are getting an error because they are looking for autodiscover.mydomain.com

    I thought I had the problem solved

    Reply
  141. Elan Shudnow says

    July 29, 2008 at 3:30 pm

    Make sure you configured the EWS for the correct InternalURL and ExternalURL:
    Set-WebServicesVirtualDirectory -Identity “CASServer\EWS (Default Web Site)” -InternalURL https://owa.domainname.dk/EWS/Exchange.asmx -ExternalURL https://owa.domainname.dk/EWS/Exchange.asmx -BasicAuthentication:$true

    Reply
    • Marcos says

      July 2, 2012 at 9:12 pm

      Thanks, your comment helped me to solve the problem I had!!

      Reply
  142. vedholm says

    July 26, 2008 at 2:14 am

    Hi Elan

    Internally the record owa.domainname.dk points to my CAS internally – I can see that it resolves just fine. But still, when I change the autodiscover to this DNS name, which matches internally and externally, the “out of office” gets broken again.

    The name on the Exchange web service matches the certificate called owa.domainname.dk – and externally it works as well with the same name

    Best regards
    Jesper

    Reply
  143. Elan Shudnow says

    July 25, 2008 at 6:01 pm

    That means DNS doesn’t point to your CAS or the FQDN you specify doesn’t match a name on your certificate, or maybe you require SSL on the autodiscover but you didn’t specify https://.

    Reply
  144. vedholm says

    July 24, 2008 at 8:36 am

    Hi

    Great post! BUT after changing this my “Out of office” won’t work anymore

    This was related to:
    Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

    When I change it back to “https://servername/Autodiscover/Autodiscover.xml” it works again

    I have created a record in the internal DNS so this “external name” works internally as well, but I still get the same error.

    See article:
    http://www.proexchange.be/modules.php?name=News&file=article&sid=686

    How to fix this :-) ?

    Best regards
    Jesper

    Reply
  145. Elan Shudnow says

    June 30, 2008 at 3:47 pm

    Brent, one is your self-signed certificate and one is the mail.somecompany.com certificate. You really don’t have to delete your self-signed certificate because Exchange will always use a certificate signed by a trusted CA before it uses a self-signed certificate. If you are talking about an Edge Server, I would leave the self-signed certificate on there as the Edge Server will copy the self-signed certificate to Active Directory which the Hub Transport Server will use as a trusted mechanism without needing to import the self-signed certificate into the Trusted Root Certificate store on the Hub Transport Server.

    Here is a guide on how to renew the self-signed certificate:
    http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

    For the regular certificate, you can just request a certificate the same way you originally did. If you have exported this certificate and imported it onto other servers such as ISA, make sure you update ISA with the new certificate (importing, attaching to ISA web listener, etc..)

    Reply
  146. brentvw says

    June 30, 2008 at 6:36 am

    Hi, someone just brought to my attention our certificate IS expiring in 536 hours, it is only valid until July 22nd, so this is perfectly normal I guess. One question would be then do I have to do anything with the new certificate.

    Reply
  147. brentvw says

    June 30, 2008 at 6:34 am

    Hi Elan,

    This worked great! Thank you very much. One concern I am having is the following error. This seems to come up every 20 or so minutes.

    An internal transport certificate will expire soon. Thumbprint:9B32B314CB5ABC963F9F0F6A03F22FCD7E832896, hours remaining: 536

    The only difference from your post is when I run Get-ExchangeCertificate, I see two thumbprints… One for the NETBIOS name and then one for the certificate name. I used the thumbprint for the certificate name.

    Thumbprint Services Subject
    ———- ——– ——-
    752714FF7F34CBCCC49A3A72 ….S CN=SM5500SRV
    9B32B314CB522FCD7E832896 IP.WS CN=mail.somecompany.com,…

    Reply
  148. kingofbytes says

    May 5, 2008 at 4:53 pm

    Sir, you are to be commended for your contributions. Thank you very much!
    -Kingofbytes

    Reply
  149. ketrasap says

    April 17, 2008 at 2:03 am

    Thanks a lot,

    I’ve been trying to fix this issue for months now.

    Reply
  150. Elan Shudnow says

    April 1, 2008 at 5:13 am

    I have an article that details publishing the autodiscover service in ISA:
    https://www.shudnow.io/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

    One of the things is that ISA 2006 will only read the CN or the 1st SAN name, so you have to trick ISA to make autodiscover publishing to work. I explain how to do that.

    Reply
  151. petoulachi says

    April 1, 2008 at 3:57 am

    Hi,

    I can’t make autodiscover work from outside, maybe you could take a look at http://forums.msexchange.org/Another_Autodiscover_problem/m_1800470564/tm.htm if you have a solution :)

    Reply
  152. njaggers says

    March 23, 2008 at 4:40 pm

    Thanks! I went into EMC and changed the setting that way. The PS script kept giving me problems.

    Reply
  153. Elan Shudnow says

    March 22, 2008 at 10:06 am

    It’s not saying it cannot find your DC, it’s saying it cannot find CASServer, which is your client access server, but might also be a DC if you configured it that way (not recommended). Make sure you replace the word CASServer with the server that has the RPC over HTTP Proxy component installed on it which should be a Client Access Server.

    So if your Client Access Server’s name is CHIEXCCAS01 and your certificate has a name of mail.shudnow.net, you would do:

    set-outlookanywhere -identity CHIEXCCAS01 -externalhostname “mail.shudnow.net” -externalauthenticationmethod “basic” -ssloffloading:$false

    Make sure you replace externalauthenticationmethod with clientauthenticationmethod if you’re using SP1.

    If that doesn’t work, as I said, go into the Exchange Management Console and just manually set it.

    Reply
  154. njaggers says

    March 21, 2008 at 9:27 pm

    Thanks for the reply. I inputted this command into PS:

    set-outlookanywhere -identity CAServer -externalhostname “mail.domain.com” -externalauthenticationmethod “basic”-ssloffloading:$false

    This is the response from PS: set-outlookanywhere : the operation could not be performed because object ‘CAServer’ could not be found on the domain controller ‘server.local’

    What am I missing here? All my mail flow is working correctly so I don’t know why PS reported cannot locate my dc. Also, when I attempted to input the command into PS using the -server command instead of the -identity command, this is what returned: set-outlookanywhere :

    a parameter cannot be found that matches parameter name ‘server’

    I think I have been messing with this so long I am missing something obvious. Any insight would be appreciated.

    Reply
  155. Elan Shudnow says

    March 20, 2008 at 4:08 pm

    You can try going into the Exchange Management Console and specifying the proper URL there.

    Or you can try doing Set instead of Enable.

    RTM:
    Set-OutlookAnywhere -Server CASServer -ExternalHostname “mail.shudnow.net” -ExternalAuthenticationMethod “Basic” -SSLOffloading:$False

    SP1:
    Set-OutlookAnywhere -Server CASServer -ExternalHostname “mail.shudnow.net” -ClientAuthenticationMethod “Basic” -SSLOffloading:$False

    Reply
  156. njaggers says

    March 20, 2008 at 3:59 pm

    Thanks for the great article. However, I am having a problem with one of the powershell scripts. When I execute the enable-outlookanywhere command, this is the error I receive:

    enable-outlookanywhere : the virtual directory ‘rpc’ already exists under ‘CAServer.domain.local/default web site’. Parameter name: virtualdirectoryname

    Any thoughts on what this means and how to properly execute the script in powershell?

    Reply
  157. Elan Shudnow says

    March 19, 2008 at 9:37 am

    Set the URL appropriately for the ActiveSync service and make sure the FQDN of the URL is contained in the certificate. You really need to get your DNS set up and get all the FQDNs you need in your certificate. None of your services will work properly until you do so.

    If you need more assistance, I’ll check back later today. I need to get back to work. Hope you get this sorted.

    Reply
  158. petoulachi says

    March 19, 2008 at 9:34 am

    Well, for testing purposes I have had the autodiscover.domain.com in my HOSTS file.

    Now I have a certificate warning. OK, my certificate currently doesn’t have this FQDN. So I have to replace my certificate with a new one that contains this FQDN? Too bad, I just sent the other certificate to the ActiveSync users…

    Anyway, after that warning there’s still the sync error. Now I really don’t know what to do.

    Reply
  159. Elan Shudnow says

    March 19, 2008 at 9:26 am

    You’re welcome. Glad I could be of help.

    Reply
  160. petoulachi says

    March 19, 2008 at 9:23 am

    Okay, so the problem should come from that, as this host does not exist in my public DNS.

    I’ll keep you informed, but it seems to be on a good way :)

    Thanks a lot !

    Reply
  161. Elan Shudnow says

    March 19, 2008 at 9:21 am

    Yes, you will need to have an internet resolvable forward lookup zone for every smtpdomain. You will then have to have the autodiscover host (A) record in every forward lookup zone. You will then have to make sure your certificate contains an autodiscover.domain.com FQDN for every smtp domain you have.

    Reply
  162. petoulachi says

    March 19, 2008 at 9:18 am

    Sorry I have Tab/Enter unfortunately :p

    So as this DNS name is not resolved, it’s maybe why my roaming users can’t find the OAB?

    Anyway, the OAB (Default Web Site) didn’t have an ExternalUrl set, so I’ve just set one. Regenerating the OAB does not seem to resolve the problem.

    Reply
  163. petoulachi says

    March 19, 2008 at 9:16 am

    It just sounds pretty clear to me.

    My InternalUrl for autodiscover is correctly set. However, I have a question about the autodiscover.acceptedsmtp.com. Does this URL need to be resolved by my external users? It’s not the case at the moment.

    Reply
  164. Elan Shudnow says

    March 19, 2008 at 8:49 am

    Vividdm –
    Thank you for the comments. I will update my article later today to include the new syntax for SP1.

    petoulachi –
    Roaming users will not use the InternalURL. They will use the ExternalURL. The way this works is that when a domain-joined client is on the corporate network and has connectivity with Active Directory, the client will be able to contact a Service Connection Point stored in Active Directory which contains all the InternalURLs for the services on the internal network.

    When a client is not domain-joined or is outside of the corporate network and does not have direct connectivity to Active Directory, the Outlook client will contact the Autodiscover Service via autodiscover.smtpdomain.com. Note that I say smtpdomain.com. This does not necessarily mean your Active Directory domain. This is mostly your Accepted Domains. You would only really need autodiscover.acceptedsmtpdomain.com for the primary smtp addresses in your e-mail address policy.

    So when a client contacts the Autodiscover Service, the Autodiscover Service will reply with -ExternalURL since the client is either not domain joined or outside of the corporate network. It essentially just means, “No Connectivity to AD? No -InternalURL for you!”

    So because of this, -InternalURL could be https://CASServer/Service and work just fine since you know this client is Internal and should be able to contact the CASServer via NetBIOS. But when a client is not domain joined or outside of the corporate network, you want to make sure that you specify the -ExternalURL as an FQDN, mail.domain.com/service. You wouldn’t want it to be a NetBIOS name since you’ll be doing this connection through the Internet.

    You also want to make sure you configure the AutodiscoverInternalURI correctly. This can be FQDN or NetBIOS name. Get-ClientAccessServer to see what it’s set at. Make sure it’s set to something compatible in your certificate.

    After you set all this up, do an update on the OAB and do an update-filedistributionservice which takes the OAB from the OAB generation server and pushes it to the CAS for Outlook 2007 Web Distribution.

    Reply
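
The check described in the reply above (every InternalURL, ExternalURL and the Autodiscover internal URI should use a host name that is on the certificate), as an added example that is not part of the original post or comments. It assumes the Exchange Management Shell is opened on the Client Access Server itself; `CASServer` and the helper `Test-NameOnCert` are placeholder names. Rows with OnCertificate = False are the names Outlook will warn about.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the Client Access Server. 'CASServer' is a placeholder name.
$CasServer = 'CASServer'

# $true when $HostName equals a certificate name or is covered by a
# single-label wildcard entry such as *.shudnow.net.
function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)      # "*.shudnow.net" -> ".shudnow.net"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Names on the certificate(s) enabled for IIS (the W in the Services column).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } |
    Select-Object -Unique)
if ($certNames.Count -eq 0) {
    Write-Warning 'No certificate is enabled for IIS on this server.'
}

# Collect every URL that Autodiscover hands out to clients.
$found = @()
$cas = Get-ClientAccessServer -Identity $CasServer
$found += @{ Name = 'AutoDiscoverServiceInternalUri'
             Url  = $cas.AutoDiscoverServiceInternalUri }

$vdirs = @(Get-WebServicesVirtualDirectory -Server $CasServer) +
         @(Get-OabVirtualDirectory        -Server $CasServer) +
         @(Get-OwaVirtualDirectory        -Server $CasServer) +
         @(Get-ActiveSyncVirtualDirectory -Server $CasServer)
foreach ($vd in $vdirs) {
    $found += @{ Name = "$($vd.Name) InternalUrl"; Url = $vd.InternalUrl }
    $found += @{ Name = "$($vd.Name) ExternalUrl"; Url = $vd.ExternalUrl }
}

# Outlook Anywhere stores a bare host name rather than a URL.
$oa = Get-OutlookAnywhere -Server $CasServer
if ($oa -and $oa.ExternalHostname) {
    $found += @{ Name = 'Outlook Anywhere ExternalHostname'
                 Url  = "https://$($oa.ExternalHostname)" }
}

# One row per configured URL: is its host name present on the certificate?
foreach ($f in $found) {
    if (-not $f.Url) { continue }          # unset URLs have nothing to compare
    $uri = [Uri]"$($f.Url)"
    $row = '' | Select-Object Setting, Host, OnCertificate
    $row.Setting       = $f.Name
    $row.Host          = $uri.Host
    $row.OnCertificate = Test-NameOnCert $uri.Host $certNames
    $row
}
```
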
  165. petoulachi says

    March 19, 2008 at 3:13 am

    Hi Elan Shudnow,

    I think that in fact I have a problem with my InternalUrl. Actually, they are default value (CASServer.domain.local). As I have a certificate with multiple host name, my local users don’t have any problem.

    But my roaming users, using Outlook Anywhere, have a sync issue :
    not downloading offline address book files. A server (URL) could not be located
    0x8004010f

    Searching on the net I have found that it’s often related to the autodiscover InternalUrl. I was thinking that it was more related to OAB InternalUrl.
    As I’m not really sure, maybe you could confirm what I should do?

    Thanks in advance !

    Reply
  166. vividdm says

    March 18, 2008 at 11:28 pm

    All Hail Elan, All Hail Elan :)

    I wish I came across this months ago.. thank you sooo much!!!

    The only difference I had was with SP1
    -ExternalAuthenticationMethod becomes> -ClientAuthenticationMethod

    Can I be like the fifth person to say ‘you are awesome!!’ :)

    dm.

    Reply
  167. Elan Shudnow says

    March 12, 2008 at 1:15 pm

    petoulachi, I stated that this solution is for single-name certificates and is specifically for people who are not using UC/SAN certificates. Even if you do have a UC/SAN certificate, you still need to ensure that the Internal and External URLs are specified correctly.

    I posted a more informative reply in regards to your comment at your post on msexchange.org forums. Check it out at the following URL:
    http://forums.msexchange.org/m_1800468544/mpage_1/key_/tm.htm#1800468544

    Reply
  168. petoulachi says

    March 12, 2008 at 11:29 am

    Hi,

    I had the same problem but solved it in a different way. Instead of modifying the Exchange InternalUrl, I have requested a certificate with multiple host names, as Microsoft shows here: http://technet.microsoft.com/en-us/library/aa995942.aspx

    I don’t know which solution is the best, but I think this is a little more simple.

    Hope this helps

    Reply
  169. motsis666 says

    March 11, 2008 at 9:07 pm

    Sorry
    I found your reply at:
    http://forums.msexchange.org/m_1800468295/mpage_1/key_/tm.htm#1800468447

    You are awesome

    Reply
  170. motsis666 says

    March 11, 2008 at 9:01 pm

    I had the same problem as Farist, and I found your reply at the msexchange.org forum, but I cannot find your post. Pls send me the link or post your reply again,
    Thank you very much

    Reply
  171. Elan Shudnow says

    March 8, 2008 at 5:01 pm

    I replied to your question on msexchange.org forums. Go there and read my reply.

    Reply
  172. farisnt says

    March 8, 2008 at 2:41 pm

    Hi
    I have this problem and all the certificate CNs are correct and match the FQDN.
    What can I do?
    Thanks alootttt

    Reply
  173. tibby812 says

    March 6, 2008 at 3:58 pm

    You are awesome. Thanx for the fix.

    Reply
  174. Elan Shudnow says

    February 22, 2008 at 5:03 pm

    Thanks for the positive comments! I’m glad the article was of help to you.

    Reply
    • MAXhYpe says

      September 23, 2009 at 5:33 pm

      Great post and I think I understand more now about certificates. I have been battling for days a scenario where I have a Thawte certificate that is purchased for webmail access. I ordered one where I only added webmail.data.com as servername while the server internally is EXCBACK and EXCBACK.domain.local. So I created a self-signed certificate that I wanted to use for Outlook users but for some reason it’s only the Thawte certificate they "pull" when connecting. I did run the Enable-exchangecertificate -services IMAP, POP, SMTP on the self-signed and Enable-exchangecertificate -services IIS on the Thawte. But still, Outlook connects and throws a warning saying the Thawte certificate does not have the EXCBACK name listed in it. Only webmail.data.com. What is it I am missing here?

      Reply
      • eshudnow says

        September 24, 2009 at 3:27 am

        You need to update your InternalURLs and possibly ExternalURLs as well as AutodiscoverServiceInternalURI so they don't have the EXCBACK. That way they connect to Exchange using the webmail.data.com name which the certificate will have.

        Reply
  175. red-erik says

    February 22, 2008 at 10:24 am

    U saved my job…tnx a lot

    Red.

    P.S. There is a lot of confusing documentation over the net regarding Exchange 2007 certificates (and ISA Publishing..)
    Your document is really clear and useful

    Reply
