
Outlook 2007 Certificate Error?

When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”

So the million dollar question: why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose: to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communications Certificate. You can read more about these certificates in one of my other articles here.

So let's say we have a simple, regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS; we just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next I went to the Exchange Management Shell and enabled the Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate

Thumbprint Services Subject
———- ——– ——-
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W CN=mail.shudnow.net.com

What I did was go ahead and enable the new certificate for every available service by using the following command (note the -Thumbprint parameter, which takes the thumbprint shown by Get-ExchangeCertificate):

Enable-ExchangeCertificate -Services IMAP,POP,UM,IIS,SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step would be to ensure the AutodiscoverInternalURI is pointed to the CAS that will be your primary CAS for Autodiscover servicing.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names "casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net". Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match a name in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should reconfigure the AutoDiscoverServiceInternalUri by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

We now need to go configure the InternalURLs for each web distribution service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain-joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.

Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.

You can run the following commands to fix your InternalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB

Note: You must ensure that SSL is enabled on the OAB directory in IIS, which is not on by default. The above command will only enable SSL; it will not ensure that 128-bit SSL is required.

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-ActiveSync

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services virtual directory.
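Once the URLs above are set, it helps to verify them all in one pass rather than waiting for the next Outlook prompt. The script below is an added example, not part of the original post: saved as a .ps1 and run from the Exchange Management Shell, it compares the AutoDiscoverServiceInternalUri and every virtual directory URL on a CAS against the CN and SAN names on the enabled certificate, and flags any https URL whose host the certificate does not cover. $Server and $Thumbprint are placeholders you fill in; the script also generalizes the post by probing for the 2007-only and 2010-only cmdlets before calling them.

```powershell
# Added audit script, not from the original post. Run it in the Exchange
# Management Shell on a CAS. $Server and $Thumbprint are placeholders you fill in
# (the thumbprint is the value shown by Get-ExchangeCertificate).
param(
    [string]$Server     = $env:COMPUTERNAME,
    [string]$Thumbprint = 'PASTE-THUMBPRINT-HERE'
)

# Names the certificate is valid for: the CN plus any SAN entries.
$cert  = Get-ExchangeCertificate -Thumbprint $Thumbprint
$names = @()
foreach ($d in $cert.CertificateDomains) { $names += $d.ToString().ToLower() }

function Test-HostCovered {
    param([string]$HostName)
    # Exact match, or a wildcard entry (*.example.com) covering exactly one label.
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Show-UrlStatus {
    param([string]$Source, $Url)
    if (-not $Url) { return }               # unset URL: nothing for Outlook to hit
    $uri = [uri]$Url.ToString()
    if ($uri.Scheme -ne 'https') { return } # plain http never triggers the cert prompt
    $hostName = $uri.Host.ToLower()
    $status = 'OK'
    if (-not (Test-HostCovered $hostName)) { $status = 'MISMATCH' }
    # A NetBIOS host such as "casnetbiosname" shows up here as MISMATCH, which is
    # exactly the case that produces the Outlook certificate error.
    '{0,-9} {1,-55} {2}' -f $status, $Source, $hostName
}

# 1. The URI Autodiscover hands to domain-joined Outlook clients.
$cas = Get-ClientAccessServer -Identity $Server
Show-UrlStatus 'AutoDiscoverServiceInternalUri' $cas.AutoDiscoverServiceInternalUri

# 2. Every virtual directory URL Autodiscover can return. Get-EcpVirtualDirectory
#    exists only on Exchange 2010 and Get-UMVirtualDirectory only on 2007, so each
#    cmdlet is probed before it is called.
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OABVirtualDirectory',
               'Get-OwaVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-UMVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($vdir in (& $cmdlet -Server $Server)) {
        Show-UrlStatus "$($vdir.Identity) InternalUrl" $vdir.InternalUrl
        Show-UrlStatus "$($vdir.Identity) ExternalUrl" $vdir.ExternalUrl
    }
}
```

Any line reported as MISMATCH is a URL to fix with the corresponding Set-* cmdlet above; after changing URLs, recycle the IIS application pools so the new values are picked up.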


231 Responses to “Outlook 2007 Certificate Error?”

  1. on 14 Apr 2011 at 3:25 am Mahmood

    Some progress. I managed to resolve this error. Found out it was the firewall, which was mapping to CAS2 (instead of CAS1), and the policy was higher in the order so was being executed before the other policy to map to CAS1.
    Running the test again on testexchangeconnectivity.com gives a second error now:
    Validating certificate trust for Windows Mobile devices.
    Certificate trust validation failed.

    The certificate chain didn't end in a trusted root

  2. on 17 Apr 2011 at 11:45 pm Mahmood

    Never mind, solved.

  3. on 09 May 2011 at 8:26 pm francisco

    Excellent post – after following your steps all works fine – except for our Public folders

    Would these changes affect the replication / access of public folders?

  4. on 09 May 2011 at 9:09 pm Elan Shudnow

    None of this would affect replication / access of public folders.

  5. on 11 May 2011 at 6:44 pm @davedoeppel

    Not sure if this is monitored. I had this exact issue on Exchange 2010. I followed all of the directions here and I was still having an issue. However, it is very specific. A user logged onto a non-domain Windows profile, on our internal LAN, would get the error. These are companies I have set up using the Autodiscoverredirect method. If they are logged into a domain profile it works perfectly. If they are off our LAN, either domain or non-domain works perfectly.

  6. on 11 May 2011 at 6:48 pm @davedoeppel

    Cut off the bottom of my post.

    I had done two steps in my Exchange setup, Autodiscoverredirect for supporting our other companies, and OWA easy redirect. In IIS7 the default website had bindings set to unassigned. This seemed to be causing some kind of weird routing for the above scenario. If I change that and force it to be bound to the IP of the server, not the autodiscoverredirect, then the above SSL issue goes away. However I can no longer run EMC or EMS on the server, see http://support.microsoft.com/kb/2027062

    If anyone has any ideas I would love to hear it. For now I will just run my management on my MBX boxes but I would certainly like to have it fixed..

    Thanks,

    Dave

  7. on 22 May 2011 at 4:16 am Abdul Waheed

    Hi, I have a different scenario: my external domain name is different from my internal domain, so whenever users open Outlook it prompts that the certificates mismatch, because I have a certificate for the external domain only.

    Is there any workaround for this?

  8. on 06 Jun 2011 at 12:12 pm Elan Shudnow

    Set all your internalURLs, externalURLs, and AutodiscoverServiceInternalURI to point to an FQDN that uses the external namespace. All URLs will point back to the Exchange Server.

  9. on 23 May 2011 at 11:14 pm Bob

    Thank You Elan. I was wrestling with this and was at my wits end. Good Work! and greatly appreciated!

  10. on 24 May 2011 at 6:18 pm Sanjay

    Your article was perfect and to the point. I was able to resolve the problem. You da man!!

  11. on 15 Jun 2011 at 10:37 pm micro20100

    Sorry, I must be dumb, as I cannot figure out what I need to do. Same issue as everyone: have a CAS array with 2 servers (CAS, DAG/transport) and a load balancer. Installed a Verisign certificate on both servers for outside OWA access. All working good, however Outlook 2007 keeps complaining about the OWA certificate. The Outlook profile is set up for Exchange with the name of the CAS array. We are using Public folders.
    Do I have to change all my internal URLs to the external one that matches my OWA certificate? The name on it resolves to its external IP address. Do I also need to hard code the IP address of the CAS array on each server, to resolve locally?
    Thanks in advance

  12. on 23 Jun 2011 at 7:53 am Thomas

    Excellent article !

  13. on 03 Jul 2011 at 10:37 am Maikel

    Great tutorial, thanks for the solution!

    Maikel

  14. on 07 Jul 2011 at 3:18 am Fernando

    Thanks Elan for your post, but I need some more help.

    I'll try to describe the problem. Everybody at the office is logged on to wSBS2008, and the problem comes when we start Outlook:
    – All the users are asked to enter their password, which is refused when connecting to remote.xxxx.com
    – Then if we cancel, the autodiscover.xxxx.com certificate appears with the error that you mention.
    – When I do Get-ExchangeCertificate I get 22 certificates and I'm lost.
    And even more, our internal domain name is different from our external domain name.
    So if you can help I would really appreciate it, because the person who started this cannot be located.

  15. […] I’m using Windows DNS service on Server 2003. I’m trying to get internal clients to resolve the mail. The problem I am getting is shown here. […]

  16. on 23 Aug 2011 at 8:35 am Alan

    Is there an easy way to simply disable ALL secure transmissions? My users are all internal in a company that has no need for any security, so I’d rather leave the whole thing clear than bother trying to fix the annoyance of having the certificate errors pop up. Is this possible?

  17. on 01 Oct 2011 at 12:09 am Michel Calle

    Hi, I have the same problem, then I found the MS Article ID: 940726 and ran the same commands. When I check the AutoDiscoverServiceInternalUri the URL is correct, but I get the same message when I run Outlook 2010. Outside it works fine.
    Any help?

  18. on 17 Oct 2011 at 8:23 am Elan Shudnow

    Sometimes you also have to restart the Autodiscover application pool within IIS after changing it. Give that a shot.

  19. on 03 Oct 2011 at 9:43 am Allison

    It was time to renew my certificate. I didn't want to have the cert include our internal CAS name or the names of our Exchange servers. So I ordered a new cert with just mail.domainname.com and autodiscover.domainname.com.

    I assigned the cert upon receiving it and received the message above when I launched my Outlook client. I updated the internal URLs to match the CN (https://mail.domainname.com). The cert message disappeared. YEAH!!

    BUT now Outlook clients cannot get into their Out of Office settings. You can if you go in via OWA though.

    Error message is: Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.

    I removed and recreated the EWS application in IIS. (Which BTW was a gong show, as it failed when I tried recreating it via the Exchange Management Shell. I recreated it (and the related Application Pool) manually.)

    All is back to what it was, that being, error in OOF via Outlook client, but OOF works via OWA.

    What am I missing here? It's got to be something SIMPLE.

    Please help! Does it reference the old SSL cert somewhere internally?

  20. on 03 Oct 2011 at 8:15 pm Elan Shudnow

    Single Server? If so, try Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL https://mail.domain.com/ews/exchange.asmx -ExternalURL https://mail.domain.com/ews/exchange.asmx

  21. on 11 Oct 2011 at 1:16 am PaulT

    Incredible.. I've spent days researching this issue and your simple words of wisdom resolved it. Shame about my hair loss though!

    It's clear that Microsoft is pushing down the larger path with UC integration (i.e. telephony on the desktop), but why didn't they give us poor admins the choice, either at installation or at least with a simple GUI click option in the Manager….

  22. on 17 Oct 2011 at 8:20 am Elan Shudnow

    Ya, it is a bit confusing for admins trying to migrate on their own to Exchange 2007 or Exchange 2010 and wanting to use the same certificate. Exchange 2010 allows you to now set your ExternalURLs during a CAS installation but that still doesn't change your InternalURLs or your AutodiscoverServiceInternalURI. So there is still some complexity involved post-install with setting up the CAS the way you want and not getting certificate errors on the client side. Glad you found the article helpful.

  23. on 18 Oct 2011 at 1:50 pm Ray

    We have installed a wildcard certificate on the Exchange 2010 server, so it shows up as *.domain.com when you do a 'Get-ExchangeCertificate' command. Apparently I am unable to enter this as the FQDN for the Set-ClientAccessServer command. I get a 'cannot convert value' error. How can this be done with a wildcard certificate?
    Thanks.

  24. on 18 Oct 2011 at 2:53 pm Elan Shudnow

    That's because *.domain.com is not an FQDN. You need to enter an actual FQDN using Set-ClientAccessServer.

  25. on 04 Nov 2011 at 8:47 am Perplexed

    Elan, I have installed the SAN certificate on our Exchange 2007 server, enabled it, and assigned services. I have a few different names associated with this certificate, of course.

    When I do a 'Get-ExchangeCertificate' in the shell, it only shows the common name of the SAN certificate in the output. Should it show all of the names that are associated with the SAN cert? There are two other subject alternative names listed on the cert.

    Thanks.

  26. on 04 Nov 2011 at 3:27 pm Elan Shudnow

    Do a Get-ExchangeCertificate | Format-List

    Or the short version:
    Get-ExchangeCertificate | FL

    In all the output, you'll see the SAN fields.

  27. on 09 Nov 2011 at 4:39 pm wthrottle

    Excellent step-by-step. Hit the nail on the head for fixing my issue. Thank you!

  28. on 13 Dec 2011 at 4:29 am Dan C

    Hi,

    I'm having an issue running the commands on the exchange console. When I try to execute any of the commands I get the following error:

    Set-ClientAccessServer : Active Directory operation failed on [server name]. This error is not retriable. Additional information: Directory object not found.

    Anyone have any idea what could be causing this?

  29. on 13 Dec 2011 at 7:16 am Dan C

    I managed to resolve this issue but users are still getting the error even after making the changes needed, is there anything else I could be missing?

  30. on 15 Dec 2011 at 10:44 am Elan Shudnow

    Dan C, sometimes the changes are not picked up until you reset the IIS Application Pools. Give that a shot. The only time you'd get the certificate error is what is caused by the above. So if you are still getting the error, even after resetting the application pools, you may want to give MS Support a call.

  31. on 04 Jan 2012 at 1:09 pm Lou

    Thank you!!! I have been looking for this solution all over the Internet but could not find any clear instructions – even from Microsoft. Great article!

  32. on 30 Jan 2012 at 4:43 pm matt

    @elanshudnow

    I am having this same issue but really am stumped.

    When I run the Get-ClientAccessServer -Identity "ServerName" | FL

    I get the following:

    AutoDiscoverServiceInternalUri : https://access.dabbsco.com/Autodiscover/Autodiscover.xml

    My assigned certificate includes: access.dabbsco.com and autodiscover.dabbsco.com and sbs08 (local server name)

    When I open outlook I get that certificate request pop up and it refers to "sites" as the certificate mismatch. I have no idea where "sites" is coming from but I do see it in the binding of IIS.

    Please advise if you can.

  33. on 31 Jan 2012 at 9:11 am Elan Shudnow

    Check all the other services.
    Get-WebServicesVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-OABVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-OWAVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-ECPVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-ActiveSyncVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL

  34. on 31 Jan 2012 at 9:58 am matt

    When I run these commands I get

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
    Get-WebServicesVirtualDirectory : The operation could not be performed because object 'SBS08.dcc.local' could not be found on domain controller 'SBS08.DCC.local'.
    At line:1 char:32
    + Get-WebServicesVirtualDirectory <<<< -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
    + CategoryInfo : InvalidData: (:) [Get-WebServicesVirtualDirectory], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : B0B185CC,Microsoft.Exchange.Management.SystemConfigurationTasks.GetWebServicesVirtualDirectory

  35. on 31 Jan 2012 at 10:06 am Elan Shudnow

    Because that's the wrong -Identity. Look at my original post and you'll see the format.

  36. on 31 Jan 2012 at 10:20 am matt

    Ok, so when I ran that first one it was

    Get-ClientAccessServer -Identity SBS08 | FL

    which gave me results. I am doing the same with the new commands; am I totally missing something?

    Isn't this the same? Get-ActiveSyncVirtualDirectory -Identity SBS08 | FL

  37. on 31 Jan 2012 at 10:35 am matt

    Got this to run:

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sites/EWS/Exchange.asmx
    ExternalUrl :

    Now I see where that SITES is coming from, now just to change it…..

    Not sure what it needs to be.

  38. on 31 Jan 2012 at 10:38 am matt

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sites/EWS/Exchange.asmx
    ExternalUrl :

    [PS] C:\Windows\system32>Get-OABVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sbs08/OAB
    ExternalUrl :

    [PS] C:\Windows\system32>Get-OWAVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sbs08/owa/
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    [PS] C:\Windows\system32>Get-ECPVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl
    The term 'Get-ECPVirtualDirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:24
    + Get-ECPVirtualDirectory <<<< | fl SBS08, InternalUrl, ExternalUrl
    + CategoryInfo : ObjectNotFound: (Get-ECPVirtualDirectory:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    [PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sbs08/Microsoft-Server-ActiveSync
    ExternalUrl :

    [PS] C:\Windows\system32>

  39. […] http://www.shudnow.net/20…k-2007-certificate-error/ […]

  40. on 22 Mar 2012 at 11:28 pm Brenda

    My problem is that I was adding a network connection and was on the wrong line and accidentally erased my security certificate number. I called my Outlook Express dial-up service and they said it was a Microsoft problem. The following message comes up every time I log on to Outlook Express before any e-mails come through: The server you are connected to is using a security certificate that can not be verified. The certificate's CN name does not match the passed value. Do you still want to use this server? I check yes and everything goes ok. My big problem is when I order things online the companies do not want to deal with a security certificate that can not be verified. Please help!

  41. on 16 Apr 2012 at 5:31 am Murray

    This resolved for me too, thanks for the trouble.

  42. […] will like to thank Elan Shudnow’s Blog for the post on this because it helped me confirm the steps I had applied were correct, they just didn’t […]

  43. on 24 Jun 2012 at 7:27 am David

    So why *must* I enable SSL on the OAB directory? Does that form part of the solution, or is just a recommendation over and above what is required?

  44. on 24 Jun 2012 at 9:36 am Elan Shudnow

    Not a requirement. The reason it's off by default is OAB download uses the BITS protocol which does not support self-signed certs. And because Exchange uses a self-signed cert by default, the OAB virtual directory is configured to use http://. But because you're replacing the self-signed cert with a CA-signed certificate, it's recommended to change http:// to https://.

  45. […] http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/ – so thank you Elan for this. […]

  46. on 29 Aug 2012 at 3:11 pm Alex

    This article saved me a crap-ton of work. I had resigned myself to just doing a domain change to make things uniform with our website/ftp domain… but after looking into it and the complications brought on by having Exchange in the mix, I was relieved to find this and solve the issue in five minutes. My hat off to you sir.

  47. on 07 Nov 2012 at 7:44 pm sea ray marble falls

    This is my first time visit at here and i am really impressed to read all at one
    place.

  48. on 08 Nov 2012 at 7:03 pm Brian

    I always refer to this blog, good looking out!

  49. on 09 Dec 2012 at 8:10 pm Pansy

    Very good post. I will be dealing with some of these issues as well.

  50. on 28 Dec 2012 at 3:12 am Evan

    hello there and thank you for your info – I’ve certainly picked up anything new from right here. I did however expertise several technical points using this web site, since I experienced to reload the web site lots of times previous to I could get it to load properly. I had been wondering if your web hosting is OK? Not that I am complaining, but slow loading instances times will sometimes affect your placement in google and can damage your high quality score if ads and marketing with Adwords. Anyway I’m adding this RSS to my email and can look out for much more of your respective interesting content.
    Ensure that you update this again soon.


  52. on 17 Apr 2013 at 8:34 pm sregimand

    Thank you for the article. In summary this is what I did to fix my issue:
    1. Ran the command from the Exchange server PowerShell: Get-WebServicesVirtualDirectory | fl *url*
    The result of the command was:
    InternalNLBBypassUrl : https://ex1.company.com/ews/exchange.asmx
    InternalUrl : https://ex1.company.com/EWS/Exchange.asmx
    ExternalUrl : https://mail.company.com/ews/exchange.asmx

    2. Ran this command:
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "https://mail.company.com/ews/exchange.asmx"

    3. iisreset
    4. Waited for 60 seconds; everything is all good now
    5. Make sure there is a mail.company.com A or C record in DNS

  53. on 25 Feb 2014 at 2:44 am UMA GANESH

    Thank you so much…. Worked for me as well….

  54. on 10 Mar 2014 at 11:06 pm Chase

    Thank you for this fix! Saved me a lot of time!

  55. on 09 May 2014 at 1:12 pm Tony Davis

    YOU ARE MY HERO!!!!!!!

  56. on 28 Jul 2014 at 3:52 pm Dan

    I just can't seem to make this work. I've repeated the above steps; but I'm clearly missing something…

    internal server name = server2k8.domain.local
    external URL = mail.domain.com
    UCC Cert is in place for domain.com with alternate names of mail and autodiscover.domain.com (Outlook Anywhere is working properly for mobile devices)
    I also have a Cisco 501 Pix Firewall that does not allow hair pinning. (not sure if this is my issue or not)

    Outlook 2010 and Outlook 2007 continue to get the security mismatch alert message.

  57. on 15 Aug 2014 at 12:39 pm Josh

    I've run into this problem post-2010 SP3 update. The strange thing about this is that it only affects 5 computers throughout the enterprise. I've tried adding the certificate to the individual computers' trusted certs directory to no avail. Thoughts?
