
Outlook 2007 Certificate Error?

When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “”

So the million-dollar question: why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose. That purpose is to let us use Exchange services securely. So how do we enable Exchange to use these services? If you are planning to do a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communications Certificate. You can read more about these certificates in one of my other articles here.

So let’s say we have a simple regular common certificate. A certificate with a Common Name (CN) of We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS. We just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next I went to the Exchange Management Shell and enabled the Exchange services to use this certificate. First, list the installed certificates with Get-ExchangeCertificate to find the thumbprint of the new one:


Thumbprint Services Subject
———- ——– ——-
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W

What I did was enable the new certificate for every available service with the following command:

Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step is to ensure the AutoDiscoverServiceInternalUri points to the CAS that will be your primary CAS for servicing Autodiscover requests.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names, “casnetbiosname,,, and” Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match what is specified in your certificate. You must also ensure there is a DNS record that allows to resolve to your CAS. We should reconfigure the AutoDiscoverServiceInternalUri with the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri

We now need to go configure all the InternalURLs for each web distributed service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain-joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.

Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.

You can run the following commands to fix your InternalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL

Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL -BasicAuthentication:$true

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services virtual directory.
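The steps above all come down to one rule: every host name Exchange hands to Outlook (the Autodiscover SCP URI, each virtual directory's InternalUrl/ExternalUrl, the Outlook Anywhere host) must appear on the certificate bound to IIS. The following script is an added example, not code from the original post, that audits a Client Access Server against that rule so the mismatch is found before Outlook reports it. It assumes the Exchange Management Shell on Exchange 2007 SP1 or 2010 with PowerShell 2.0 or later, that Get-ExchangeCertificate exposes the CertificateDomains property (CN plus SAN entries), and that it is run on the CAS itself because Exchange 2007's Get-ExchangeCertificate only reads the local store. The script name Test-ExchangeUrlNames.ps1 is a placeholder.

```powershell
# Added example (not from the original post): check every client-facing Exchange URL
# against the names on the certificate that has the IIS service enabled.
# Run in the Exchange Management Shell on the CAS itself (PowerShell 2.0+).
# Usage: .\Test-ExchangeUrlNames.ps1            (audits the local server)
#        .\Test-ExchangeUrlNames.ps1 -CasName CHIEXCCAS01
param([string]$CasName = $env:COMPUTERNAME)

# The IIS certificate; CertificateDomains holds the CN plus any Subject Alternative Names.
$cert = Get-ExchangeCertificate |
    Where-Object { [string]$_.Services -match "IIS" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate has the IIS service enabled on this server" }
$certNames = @($cert.CertificateDomains | ForEach-Object { ([string]$_).ToLower() })
Write-Output ("Certificate {0} covers: {1}" -f $cert.Thumbprint, ($certNames -join ", "))

# True when $name is covered by one of the certificate names. A wildcard entry such as
# *.example.com matches exactly one label (RFC 6125 section 6.4.3), not sub-sub-domains.
function Test-NameOnCertificate([string]$name, [string[]]$names) {
    $n = $name.ToLower()
    foreach ($c in $names) {
        if ($c -eq $n) { return $true }
        if ($c.StartsWith("*.") -and ($n -like $c) -and
            ($n.Split(".").Count -eq $c.Split(".").Count)) { return $true }
    }
    return $false
}

# Collect every URL Outlook can receive from Autodiscover for this CAS.
$checks = @()
$casObj = Get-ClientAccessServer -Identity $CasName
$checks += @{ Source = "AutoDiscoverServiceInternalUri"; Url = $casObj.AutoDiscoverServiceInternalUri }
$vdirs = @(Get-WebServicesVirtualDirectory -Server $CasName) +
         @(Get-OABVirtualDirectory -Server $CasName) +
         @(Get-ActiveSyncVirtualDirectory -Server $CasName) +
         @(Get-OwaVirtualDirectory -Server $CasName)
foreach ($vd in $vdirs) {
    $checks += @{ Source = "$($vd.Identity) InternalUrl"; Url = $vd.InternalUrl }
    $checks += @{ Source = "$($vd.Identity) ExternalUrl"; Url = $vd.ExternalUrl }
}
$oa = Get-OutlookAnywhere -Server $CasName -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) {
    $checks += @{ Source = "OutlookAnywhere ExternalHostname"; Url = "https://$($oa.ExternalHostname)/rpc" }
}

# A host that is not on the certificate is exactly what produces the Outlook 2007
# "name on the security certificate is invalid" warning described in the post.
$mismatches = 0
foreach ($c in $checks) {
    if (-not $c.Url) { Write-Output ("{0,-60} (not set)" -f $c.Source); continue }
    $uri = [System.Uri]$c.Url
    if ($uri.Scheme -ne "https") {
        Write-Output ("{0,-60} WARNING: {1} is not https" -f $c.Source, $uri)
    }
    if (Test-NameOnCertificate $uri.Host $certNames) {
        Write-Output ("{0,-60} OK       {1}" -f $c.Source, $uri.Host)
    } else {
        $mismatches++
        Write-Output ("{0,-60} MISMATCH {1} is not on the certificate" -f $c.Source, $uri.Host)
    }
}
Write-Output ("{0} URL(s) do not match the certificate" -f $mismatches)
```

An unset ExternalUrl is reported but not counted as a mismatch, since internal-only deployments legitimately leave it empty; a NetBIOS name such as casnetbiosname on the Autodiscover URI shows up as a MISMATCH, which is the case the post walks through. Re-run the script after the Set-* commands above to confirm nothing was missed.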


231 Responses to “Outlook 2007 Certificate Error?”

  1. on 22 Feb 2008 at 10:24 am by red-erik

    U saved my job…tnx a lot


    P.S. There is a lot of confusing documentation over the net regarding Exchange 2007 certificates (and ISA Publishing...)
    Your document is really clear and useful

  2. on 22 Feb 2008 at 5:03 pm by Elan Shudnow

    Thanks for the positive comments! I’m glad the article was of help to you.

  3. on 06 Mar 2008 at 3:58 pm by tibby812

    You are awesome. Thanx for the fix.

  4. on 08 Mar 2008 at 2:41 pm by farisnt

    I have this problem, and all the certificate CNs are correct and match the FQDN.
    What can I do?
    Thanks alootttt

  5. on 08 Mar 2008 at 5:01 pm by Elan Shudnow

    I replied to your question on forums. Go there and read my reply.

  6. on 11 Mar 2008 at 9:01 pm by motsis666

    I had the same problem as Farist, and I tried to find your reply at the forum, but I cannot find your post. Please send me the link or post your reply again.
    Thank u very much

  7. on 11 Mar 2008 at 9:07 pm by motsis666

    I found your reply at:

    You are awesome

  8. on 12 Mar 2008 at 11:29 am by petoulachi


    I had the same problem but solved it in a different way. Instead of modifying the Exchange InternalUrl, I requested a certificate with multiple host names, as Microsoft shows here:

    I don’t know which solution is the best, but I think this is a little simpler.

    Hope this helps

  9. on 12 Mar 2008 at 1:15 pm by Elan Shudnow

    petoulachi, I stated that this solution is for single-name certificates and is specifically for people who are not using UC/SAN certificates. Even if you do have a UC/SAN certificate, you still need to ensure that the Internal and External URLs are specified correctly.

    I posted a more informative reply in regards to your comment at your post on forums. Check it out at the following URL:

  10. on 18 Mar 2008 at 11:28 pm by vividdm

    All Hail Elan, All Hail Elan :)

    I wish I came across this months ago.. thank you sooo much!!!

    The only difference I had was with SP1:
    -ExternalAuthenticationMethod becomes -ClientAuthenticationMethod

    can I be like the fifth person to say ‘you are awesome!!’ :)


  11. on 19 Mar 2008 at 3:13 am by petoulachi

    Hi Elan Shudnow,

    I think that in fact I have a problem with my InternalUrl. Actually, they are the default value (CASServer.domain.local). As I have a certificate with multiple host names, my local users don’t have any problem.

    But my roaming users, using Outlook Anywhere, have a sync issue:
    not downloading offline address book files. A server (URL) could not be located

    Searching on the net I have found that it’s often related to the autodiscover InternalUrl. I was thinking that it was more related to the OAB InternalUrl.
    As I’m not really sure, maybe you could confirm what I should do?

    Thanks in advance!

  12. on 19 Mar 2008 at 8:49 am by Elan Shudnow

    Vividdm –
    Thank you for the comments. I will update my article later today to include the new syntax for SP1.

    petoulachi –
    Roaming users will not use the InternalURL. They will use the ExternalURL. The way this works is that when a domain-joined client is on the corporate network and has connectivity with Active Directory, the client will be able to contact a Service Connection Point stored in Active Directory which contains all the InternalURLs for the services on the internal network.

    When a client is not domain-joined or is outside of the corporate network and does not have direct connectivity to Active Directory, the Outlook client will contact the Autodiscover Service via Note that I say This does not necessarily mean your Active Directory domain. This is mostly your Accepted Domains. You would only really need for the primary smtp addresses in your e-mail address policy.

    So when a client contacts the Autodiscover Service, the Autodiscover Service will reply with -ExternalURL since the client is either not domain joined or outside of the corporate network. It essentially just means, “No connectivity to AD? No -InternalURL for you!”

    So because of this, -InternalURL could be https://CASServer/Service and work just fine since you know this client is internal and should be able to contact the CASServer via NetBIOS. But when a client is not domain joined or outside of the corporate network, you want to make sure that you specify the -ExternalURL as an FQDN. You wouldn’t want it to be a NetBIOS name since you’ll be doing this connection through the Internet.

    You also want to make sure you configure the AutodiscoverInternalURI correctly. This can be FQDN or NetBIOS name. Get-ClientAccessServer to see what it’s set at. Make sure it’s set to something compatible in your certificate.

    After you set all this up, do an update on the OAB and do an update-filedistributionservice which takes the OAB from the OAB generation server and pushes it to the CAS for Outlook 2007 Web Distribution.

  13. on 19 Mar 2008 at 9:16 am by petoulachi

    It just sounds pretty clear to me.

    My InternalUrl for autodiscover is correctly set. However, I have a question about the Does this URL need to be resolved by my external users? It’s not the case at the moment.

  14. on 19 Mar 2008 at 9:18 am by petoulachi

    Sorry, I hit Tab/Enter unfortunately :p

    So as this DNS name is not resolved, is that maybe why my roaming users can’t find the OAB?

    Anyway, the OAB (Default Web Site) didn’t have an ExternalUrl set, so I’ve just set one. Regenerating the OAB seems not to resolve the problem.

  15. on 19 Mar 2008 at 9:21 am by Elan Shudnow

    Yes, you will need to have an Internet-resolvable forward lookup zone for every SMTP domain. You will then have to have the autodiscover host (A) record in every forward lookup zone. You will then have to make sure your certificate contains an FQDN for every SMTP domain you have.
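The two lookup paths Elan describes in comments 12 and 15 (domain-joined clients read the Service Connection Point from Active Directory; everyone else tries autodiscover.<smtp-domain> in DNS, so each accepted domain needs that host resolvable and on the certificate) can be checked from the server side. The script below is an added example and not code from the post or its author. It assumes the Exchange Management Shell (PowerShell 2.0 or later) on a domain-joined machine, the CertificateDomains property on Get-ExchangeCertificate output, and uses the well-known Autodiscover SCP keyword GUID that Exchange stamps on its SCP objects. DNS is resolved with the machine's own resolver, so from inside the network it reflects internal (split) DNS, not what an Internet client would see.

```powershell
# Added example (not from the original post): show both Autodiscover lookup paths and
# whether each host name involved exists in DNS and on the IIS certificate.
# Run in the Exchange Management Shell on a domain member (PowerShell 2.0+).

# --- Path 1: SCP objects in the configuration partition (used by domain-joined Outlook)
# Exchange tags every Autodiscover SCP with this keyword GUID.
$autodiscoverKeyword = "77378F46-2C66-4aa9-A6A6-3E7A48B19596"
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNc")
$searcher.Filter = "(&(objectClass=serviceConnectionPoint)(keywords=$autodiscoverKeyword))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("cn", "serviceBindingInformation", "keywords"))

Write-Output "Autodiscover SCPs published in Active Directory:"
foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties   # property names come back lower-cased
    # serviceBindingInformation is the value Set-ClientAccessServer -AutoDiscoverServiceInternalUri writes;
    # the Site=... keyword is what lets Outlook prefer an SCP in its own AD site.
    $site = @($p["keywords"] | Where-Object { $_ -like "Site=*" })
    Write-Output ("  {0}: {1}  [{2}]" -f $p["cn"][0], $p["servicebindinginformation"][0], ($site -join ","))
}

# --- Path 2: DNS for every accepted SMTP domain (used by non-domain-joined / external Outlook)
$cert = Get-ExchangeCertificate |
    Where-Object { [string]$_.Services -match "IIS" } |
    Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { ([string]$_).ToLower() })

Write-Output "Autodiscover host for each accepted domain:"
foreach ($domain in Get-AcceptedDomain) {
    # An accepted domain that includes subdomains prints as *.example.com; strip the prefix.
    $base = ([string]$domain.DomainName) -replace '^\*\.', ''
    $name = ("autodiscover." + $base).ToLower()
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        $dns = $addresses -join ", "
    } catch {
        $dns = "DOES NOT RESOLVE"
    }
    $onCert = if ($certNames -contains $name) { "on certificate" } else { "NOT on certificate" }
    Write-Output ("  {0,-45} {1,-25} {2}" -f $name, $dns, $onCert)
}
```

A domain that shows DOES NOT RESOLVE or NOT on certificate is the situation petoulachi ran into: the roaming client never reaches the service, and when it does it gets the name-mismatch warning. The SRV record alternative Elan mentions later in the thread (_autodiscover._tcp.<domain>) is not checked here because System.Net.Dns cannot query SRV records; use nslookup -type=SRV for that.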

  16. on 19 Mar 2008 at 9:23 am by petoulachi

    Okay, so the problem should come from that, as this host does not exist in my public DNS.

    I will keep you informed, but it seems to be on a good way :)

    Thanks a lot !

  17. on 19 Mar 2008 at 9:26 am by Elan Shudnow

    You’re welcome. Glad I could be of help.

  18. on 19 Mar 2008 at 9:34 am by petoulachi

    Well, for testing purposes I have added the in my HOSTS file.

    Now I have a certificate warning. OK, my certificate currently doesn’t have this FQDN. So I have to change my certificate for a new one that contains this FQDN? So bad, I just sent the other certificate to the ActiveSync users…

    Anyway, after that warning there’s still the sync error. Now I really don’t know what to do.

  19. on 19 Mar 2008 at 9:37 am by Elan Shudnow

    Set the URL appropriately for the ActiveSync service and make sure the FQDN of the URL is contained in the certificate. You really need to get your DNS set up and get all the FQDNs you need in your certificate. None of your services will work properly until you do so.

    If you need more assistance, I’ll check back later today. I need to get back to work. Hope you get this sorted.

  20. on 20 Mar 2008 at 3:59 pm by njaggers

    Thanks for the great article. However, I am having a problem with one of the powershell scripts. When I execute the enable-outlookanywhere command, this is the error I receive:

    enable-outlookanywhere : the virtual directory ‘rpc’ already exists under ‘CAServer.domain.local/default web site’. Parameter name: virtualdirectoryname

    Any thoughts on what this means and how to properly execute the script in powershell?

  21. on 20 Mar 2008 at 4:08 pm by Elan Shudnow

    You can try going into the Exchange Management Console and specifying the proper URL there.

    Or you can try doing Set instead of Enable.

    Set-OutlookAnywhere -Identity CASServer -ExternalHostname "" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

    Set-OutlookAnywhere -Identity CASServer -ExternalHostname "" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

  22. on 21 Mar 2008 at 9:27 pm by njaggers

    Thanks for the reply. I input this command into PS:

    set-outlookanywhere -identity CAServer -externalhostname "" -externalauthenticationmethod "basic" -ssloffloading:$false

    This is the response from PS: set-outlookanywhere : the operation could not be performed because object ‘CAServer’ could not be found on the domain controller ‘server.local’

    What am I missing here? All my mail flow is working correctly so I don’t know why PS reported cannot locate my dc. Also, when I attempted to input the command into PS using the -server command instead of the -identity command, this is what returned: set-outlookanywhere :

    a parameter cannot be found that matches parameter name ‘server’

    I think I have been messing with this so long I am missing something obvious. Any insight would be appreciated.

  23. on 22 Mar 2008 at 10:06 am by Elan Shudnow

    It’s not saying it cannot find your DC, it’s saying it cannot find CASServer, which is your client access server, but might also be a DC if you configured it that way (not recommended). Make sure you replace the word CASServer with the server that has the RPC over HTTP Proxy component installed on it which should be a Client Access Server.

    So if your Client Access Server’s name is CHIEXCCAS01 and your certificate has a name of, you would do:

    set-outlookanywhere -identity CHIEXCCAS01 -externalhostname "" -externalauthenticationmethod "basic" -ssloffloading:$false

    Make sure you replace externalauthenticationmethod with clientauthenticationmethod if you’re using SP1.

    If that doesn’t work, as I said, go into the Exchange Management Console and just manually set it.

  24. on 23 Mar 2008 at 4:40 pm by njaggers

    Thanks! I went into EMC and changed the setting that way. The PS script kept giving me problems.

  25. on 01 Apr 2008 at 3:57 am by petoulachi


    I can’t make autodiscover work from outside, maybe you could take a look at if you have a solution :)

  26. on 01 Apr 2008 at 5:13 am by Elan Shudnow

    I have an article that details publishing the autodiscover service in ISA:

    One of the things is that ISA 2006 will only read the CN or the 1st SAN name, so you have to trick ISA to make autodiscover publishing work. I explain how to do that.

  27. on 17 Apr 2008 at 2:03 am by ketrasap

    Thanks a lot,

    I’ve been trying to fix this issue for months now.

  28. on 05 May 2008 at 4:53 pm by kingofbytes

    Sir, you are to be commended for your contributions. Thank you very much!

  29. […] When the Out of Office Assistant in Outlook 2007 wants to configure the OOF settings, it establishes a connection to the “Exchange Web Services” (EWS) virtual directory. Since Outlook does not know the path to the EWS virtual directory, it has to contact the Autodiscover service first. For domain members this happens via Active Directory, for everyone else via DNS. So problems can already arise when the required Autodiscover service cannot be found or contacted. With the “Test E-Mail AutoConfiguration” feature built into Outlook 2007, the connection to the Exchange server can be checked very easily (hold [CTRL] and right-click the Outlook icon in the system tray). Incorrectly configured URLs can be adjusted with the PowerShell command “Set-WebServicesVirtualDirectory”. A good guide to configuring the web services can be found at Elan Shudnow’s blog. […]

  30. on 30 Jun 2008 at 6:34 am by brentvw

    Hi Elan,

    This worked great! Thank you very much. One concern I am having is the following error. This seems to come up every 20 or so minutes.

    An internal transport certificate will expire soon. Thumbprint:9B32B314CB5ABC963F9F0F6A03F22FCD7E832896, hours remaining: 536

    The only difference from your post is when I run Get-ExchangeCertificate, I see two thumbprints… One for the NETBIOS name and then one for the certificate name. I used the thumbprint for the certificate name.

    Thumbprint Services Subject
    ———- ——– ——-
    752714FF7F34CBCCC49A3A72 ….S CN=SM5500SRV
    9B32B314CB522FCD7E832896 IP.WS,…

  31. on 30 Jun 2008 at 6:36 am by brentvw

    Hi, someone just brought to my attention our certificate IS expiring in 536 hours, it is only valid until July 22nd, so this is perfectly normal I guess. One question would be then do I have to do anything with the new certificate.

  32. on 30 Jun 2008 at 3:47 pm by Elan Shudnow

    Brent, one is your self-signed certificate and one is the certificate. You really don’t have to delete your self-signed certificate because Exchange will always use a certificate signed by a trusted CA before it uses a self-signed certificate. If you are talking about an Edge Server, I would leave the self-signed certificate on there as the Edge Server will copy the self-signed certificate to Active Directory which the Hub Transport Server will use as a trusted mechanism without needing to import the self-signed certificate into the Trusted Root Certificate store on the Hub Transport Server.

    Here is a guide on how to renew the self-signed certificate:

    For the regular certificate, you can just request a certificate the same way you originally did. If you have exported this certificate and imported it onto other servers such as ISA, make sure you update ISA with the new certificate (importing, attaching to ISA web listener, etc..)

  33. on 24 Jul 2008 at 8:36 am by vedholm


    Great post! BUT after changing this my “Out of office” won’t work anymore

    This was related to:
    Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri

    when I change it back to “https://servername/Autodiscover/Autodiscover.xml” it works again

    I have created a record in the internal DNS so this “external name” works internally as well, but I still get the same error.

    See article:

    How to fix this :-) ?

    Best regards

  34. on 25 Jul 2008 at 6:01 pm by Elan Shudnow

    That means DNS doesn’t point to your CAS or the FQDN you specify doesn’t match a name on your certificate, or maybe you require SSL on the autodiscover but you didn’t specify https://.

  35. on 26 Jul 2008 at 2:14 am by vedholm

    Hi Elan

    Internally the record points to my CAS – I can see that it resolves just fine. But still, when I change the autodiscover to this DNS name which matches internally and externally, the “out of office” gets broken again.

    The name on the Exchange web service is matching the certificate called – and externally it works as well with the same name

    Best regards

  36. on 29 Jul 2008 at 3:30 pm by Elan Shudnow

    Make sure you configured the EWS for the correct InternalURL and ExternalURL:
    Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL -ExternalURL -BasicAuthentication:$true

  37. on 27 Aug 2008 at 10:54 pm by lotusbob

    Thanks for this post. I followed the instructions and the error went away…..for all the users inside the LAN.

    Now I am being told that Outlook Anywhere users outside are getting an error because they are looking for

    I thought I had the problem solved

  38. on 29 Aug 2008 at 7:28 am by Elan Shudnow

    Here’s the Autodiscover whitepaper:

    There are a couple of things you can do. You can use an SRV record for Autodiscover, or you can get a UC/SAN certificate from a provider such as Entrust/Digicert/etc. that contains a Subject Alternative Name of As far as I remember, the SRV record option will prompt your users for acceptance while the SAN name method will not and is the recommended method. I would read the whitepaper for more information.

  39. on 14 Oct 2008 at 6:53 pm by dtstanton

    I’ll preface this with the fact that I am a newbie with PowerShell, but I have been beating my head against the wall with this one. None of the commands you have listed are recognized; even Get-ExchangeCertificate came back saying unrecognized command or script. Hopefully I am just doing something simple wrong. Any thoughts?

  40. on 14 Oct 2008 at 7:09 pm by Elan Shudnow

    You need to use the Exchange Management Shell. I assume you’re opening PowerShell itself which doesn’t execute the Exchange Snap-Ins.

  41. on 15 Oct 2008 at 8:18 am by dtstanton

    I must have been asleep. I retried everything this morning, and it worked. Thanks.

  42. on 22 Oct 2008 at 11:22 am by megatherion

    Really useful post! I had spent a lot of time trying to solve this problem, then I find this entry and solve the problem in just a couple of minutes. *bows*

  43. on 15 Dec 2008 at 4:58 am by Josh

    ssl certificate for…

    You have got to be kidding!…

  44. on 18 Dec 2008 at 10:21 pm by PemB


  45. on 31 Dec 2008 at 12:24 pm by Jason


    I was able to make the security warning go away but now I can’t hit OWA external or internal, any thoughts? Thank you very much!!

  46. on 01 Jan 2009 at 4:03 pm by Elan Shudnow

    What errors? You can try the Set-OWAVirtualDirectory command to set the -InternalURL and -ExternalURL.

  47. on 27 Jan 2009 at 9:32 am by pragma

    Hi :)

    Thank you for that article – it helped me a lot! :) The error you mentioned at the top disappeared, but another one showed up – it’s almost the same with a small difference: instead of my Exchange server name (mail2 in your case) I’ve – Can you tell me where I should look for that entry?



  48. on 04 Feb 2009 at 7:38 pm by Sidewinder

    It should be – no “y”.

  49. on 06 Feb 2009 at 11:56 am by Kevin Decor

    Hey, thanks for the fix. Worked for me as well!

  50. on 12 Feb 2009 at 10:45 am by Cam

    Thank you! Your article helped and saved me lots of time. Much appreciated.

  51. on 17 Feb 2009 at 6:35 am by waz

    Cheers, that worked brilliantly. It also solved the issue I had with Outlook giving an operation failed error when doing a send/receive :-)

    thanks again

  52. on 17 Feb 2009 at 6:36 am by waz

    cheers mate, this worked a treat. It also resolved the issue I had with Outlook and operation failed :-)

    thank you

  53. on 06 Mar 2009 at 12:49 pm by Mike

    Thanks a bunch for the article!

    Note to all: don’t forget to restart Exchange services or reboot for this to take effect, like this dummy did!

  54. on 19 Mar 2009 at 12:44 pm by Vicks

    Hi Elan,

    We provide Exchange hosting service to our clients. Recently we migrated one client to our Exchange Hosted Environment from POP3 services, like many of our clients.

    The client is using Outlook 2007, and whenever Outlook is started it comes up with the certificate error. But the error doesn’t come in Outlook 2003.

    Even when we try to use this URL the same certificate error comes (the same error as in Outlook 2007)

    However our clients using different domains have no issue irrespective of the Outlook version.
    So it seems to be something to do with IIS? We are not sure. Microsoft support is also no good!
    Please advise.

    Many thanks,


  55. on 20 Mar 2009 at 11:53 am by Elan Shudnow

    Vicks, I wrote a pretty comprehensive article on the Autodiscover and what names you need on certs, dns, using ISA in the mix, etc… I’d give it a read:

  56. on 31 Mar 2009 at 7:40 am by Dane

    Hi Elan,

    I too have been helped by this, so thank you for that.

    I have a question though: what procedure should be followed to avoid having to perform this fix from the shell anyway? I’ve dealt with two examples in SBS 2008 now; both had a default self-signed certificate installed when the OS was installed. This was assigned to pretty much everything, internal and external etc. Both clients purchased their own certificates. Is there a way I should have applied them that would have automatically updated all the internal and external addresses, rather than having to manually go in via the shell and change them all?


  57. on 03 Apr 2009 at 2:41 pm by Elan Shudnow

    I’m not the person you want to be asking SBS questions to. I’ve never worked with SBS.

  58. on 16 Apr 2009 at 5:17 pm by fuji

    You’re the man.
    Everything was fine until I ran the latest Office 2007 updates on my users. Then I started to get the cert error. I changed the NETBIOS name to the cert name and no more Security alerts. THANKS

  59. on 02 May 2009 at 8:59 pm by Mike Connor

    This seems to have cleared up the same annoying problem in Entourage! Everything I could find on it would mostly send a person in the direction of SAN certificates, etc..

  60. on 07 May 2009 at 9:31 am by AC

    When is Microsoft going to get their documentation right? I understand the need to provide full documentation, but a simple outline like this is all we typically need. Thanks.

  61. on 14 May 2009 at 2:22 pm by Dorian Groenewegen

    Hi Elan,

    Thanks man!!
    This guide was very helpful and fixed the problem.
    saved me a lot of time.

    GreetZ Dorian

  62. on 15 May 2009 at 9:38 am by Elan Shudnow

    Thanks Dorian.

  63. on 29 May 2009 at 10:10 am by David Nicholas

    We have SBS2008. When applying your fixes above, these commands fail because the “object could not be found on the domain controller”

    Set-WebServicesVirtualDirectory -Identity "SBS1\EWS (Default Web Site)" -InternalURL -BasicAuthentication:$true

    Set-OABVirtualDirectory -Identity "SBS1\OAB (Default Web Site)" -InternalURL

    Am i missing something in the syntax?

  64. on 29 May 2009 at 1:45 pm by Elan Shudnow

    Should work but I’m not familiar with any differences in SBS that would prevent this.

  65. on 07 Jun 2009 at 8:07 am by Perry

    @ 63 .. In SBS (2008) you should use SBS1\EWS (SBS Web Applications) instead of ( default web site ) because the oab and ews are not under the default website!

    I have a problem after doing all this that outlook 2007 keeps asking for a password.
    Anyone know how to solve that?


  66. on 17 Jun 2009 at 7:45 pm by joe

    I’ve read numerous articles, found this one.. but I still can’t get it to work.. I’m at my wits’ end. First issue is when OL 2007 gives me this error, and I click on VIEW CERTIFICATE, I don’t get the name of the cert. How do I get this info? When I do a Get-ExchangeCertificate cmdlet I get the following

    Thumbprint services subject
    lots of numbers IP.WS CN=BMW
    lots of numbers …… CN=WMSvc-BMW

    so the name of my cert is BMW? BMW is the name of my Exchange 2007 server. So what should my internal and external URL be? I tried various, I tried bmw.domainname using the cmdlets above, to no avail. Microsoft made this autodiscover so darn complicated geez..

    Also, unlike on my exchange 2003 server looks like I can’t use a self created cert anymore for OWA, activesync, outlook anywhere? No way around this? I know the drawbacks, but can I use a self created insert?

  67. on 17 Jun 2009 at 10:35 pm by joe

    Ok, by following this guide and replacing the cert installed by the Exchange install with a new cert generated by a Windows Server 2008 CA, the issue is resolved. However, I have a new error: by using my own private CA cert that I generated, I now get a red X for the first item, “the security certificate is from a trusted certificate authority”, which I expect since this is not from a public CA. So when I get that error all I should have to do is view the cert and install it manually into my PC; however, it doesn’t seem to work. It continues to complain about the cert even though I manually installed it, which once again I expect since this is not from a public CA but my own private one. Any ideas/suggestions?

  68. on 18 Jun 2009 at 1:42 pm by Dawn

    Worked great!!!! Thank you, thank you!

  69. on 19 Jun 2009 at 7:08 am by Jannes Labaere

    Nice!! Thank you!!

  70. on 22 Jun 2009 at 6:26 pm by Elan Shudnow

    joe, if using an internal CA, you need to make sure your server contains the root certificate of your CA.

  71. on 24 Jun 2009 at 7:52 pm by joe

    got it working.

  72. on 25 Jun 2009 at 9:08 am by James

    So just to be clear, there is no way to make the certificate error go away unless you have a certificate with multiple names?

    I have my SSL certificate that says “” and I have an alias for “” pointing to “”. Everything works perfectly, but on startup of Outlook there is a security warning indicating the certificate name does not match for “”.

    I just want to confirm that I need to resolve this with a multi-named certificate. Mine is from a trusted root provider, so I would have to replace it with a more expensive certificate if this is true.


    PS – Nice article and reply string. It is very useful.

  73. on 25 Jun 2009 at 10:02 am by Elan Shudnow

    This whole article explains how to make the error go away without a UC certificate. :P You just need to have split DNS and set your InternalURLs and ExternalURLs to be the same as well as the AutodiscoverServiceInternalURI. If you had a SAN cert, you could put the Server FQDN on the certificate and then leave all the InternalURLs and AutodiscoverServiceInternalURI and then just set your ExternalURLs.

  74. on 25 Jun 2009 at 1:15 pm by James

    OK, but if my internal and external DNS are all “” will this approach still work?

  75. on 25 Jun 2009 at 1:55 pm by Elan Shudnow

    That’s what split DNS is. So yes.

  76. on 29 Jun 2009 at 9:46 pm by Larry

    Thanks a zillion…this eliminated the problem…why is this not straight forward when installing the original certificate?

  77. on 29 Jun 2009 at 11:10 pm by Elan Shudnow

    Welcome. Ya, it can be confusing for those who don’t work with Exchange much or who are new to Exchange 2007 and don’t understand Autodiscover or the services that utilize InternalURL and ExternalURL. Exchange 2010 makes it a little easier by allowing you to specify if a new CAS server is an Internet Facing CAS and automatically set your ExternalURLs. But it doesn’t let you automatically specify InternalURLs if using a regular SSL certificate. So the issue will still exist in Exchange 2010.

  78. on 30 Jun 2009 at 6:39 pm by Ramiro

    I followed all your instructions and finally I have my cert running well. The error in Outlook disappeared, but I have another issue now. Each time I open Outlook it asks for credentials, even when connected to the network at the office.

    Any thoughts?

  79. on 01 Jul 2009 at 7:24 am by ChrisPogi

    Great Article!

    I had a difficult time however (I’m on SBS2008) setting the OAB and WebServices internal URLs; kept getting the “object not found” as outlined in *63. Tried the answer from *68 and it didn’t work.

    Just fixed it today by leaving out the -identity tag, which it would ask me for afterwards; doing it that way worked for me.

    OAB and EWS were under the (Default Web Site) for me [in reference to post 68 above]

    Thanks Elan!

  80. on 01 Jul 2009 at 8:59 am by Ramiro

    Update: I didn’t tell you that I was upgrading from Ex 2003 to 2007. Knowing that, I am at the point of replicating the public folders, and I already moved my mailbox to the 2007 server. I have a certificate for (GoDaddy) working well on the 2003 Exchange, so when I installed the same certificate on the new server is when I had the issue described in your article. As I said, following your instructions the certificate issue disappeared, but now Outlook asks me for credentials when it opens, and this happens ONLY if DNS (or the hosts file I modify on my computer for testing) points “” to the new server. So I guess it has something to do with the public folders that are not moved yet. Am I right?

  81. on 01 Jul 2009 at 11:14 pm by Elan Shudnow

    ChrisPogi, you’re welcome. And thanks for posting the thank you as well as your issue and what you did to work around it.

  82. on 01 Jul 2009 at 11:17 pmElan Shudnow

    Ramiro, that shouldn’t be an issue. Are you running on Server 2008? If so, you may want to check out my following blog post here.

  83. on 02 Jul 2009 at 1:53 pmRamiro

    Yes, I’m running it on a 2008 Server, and I read your other post, but I couldn’t find anything relevant since I did have Rollup 8 for Exchange 2007 SP1 installed.
    What I noticed, though, is that Outlook Anywhere is autoconfigured as part of the Autodiscover function, so Outlook is behaving as if it is outside the network; that’s why it is asking for credentials at startup.

  84. on 02 Jul 2009 at 2:46 pmElan Shudnow

    Well one of the things I have in there is disabling IPv6. In short, when IPv6 is enabled, the RPC/Proxy service doesn’t listen on port 6004 for IPv6 so Outlook Anywhere fails. So you need to completely disable ipv6 (not just uncheck it from the NIC.)

    Also, configuring OA by Autodiscover doesn’t configure it to always connect Via OA. Only when you don’t have RPC connectivity directly to your mailbox server unless you’ve configured it otherwise.
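
The registry change behind “completely disable IPv6 (not just uncheck it from the NIC)”, followed by the check a practitioner would run afterwards, as an added example written for this page; it is not Elan’s script or part of the post. The DisabledComponents value is Microsoft’s documented switch for the IPv6 stack (0xFF turns off every component except the loopback interface and is only read at boot); the port list 6001/6002/6004 is the standard Exchange RPC-over-HTTP ValidPorts set. Run the listener check on the server those ports actually live on (the Mailbox role on Exchange 2007); it only reports what is listening, it does not by itself prove why Outlook Anywhere failed.

```powershell
# Added example (editor's, not from the post or this comment): disable IPv6 in the stack,
# not just on the adapter, then confirm the RPC-over-HTTP back-end ports have IPv4 listeners.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# 0xFF = all IPv6 components off except loopback (Microsoft's DisabledComponents value).
Set-ItemProperty -Path $key -Name DisabledComponents -Type DWord -Value 0xFF
Write-Host 'IPv6 disabled in the registry; the change takes effect after a reboot.'

# After the reboot: each RPC/HTTP back-end port (6001 store, 6002 referral, 6004 NSPI)
# should have a 0.0.0.0:<port> LISTENING socket. A [::]:<port> entry with no IPv4 twin
# is the situation described in the comment above.
function Get-RpcHttpListeners {
    $lines = netstat -ano | Where-Object { $_ -match 'LISTENING' }
    foreach ($port in 6001, 6002, 6004) {
        $v4 = @($lines | Where-Object { $_ -match "\s0\.0\.0\.0:$port\s" }).Count -gt 0
        $v6 = @($lines | Where-Object { $_ -match "\s\[::\]:$port\s" }).Count -gt 0
        New-Object PSObject |
            Add-Member -PassThru NoteProperty Port $port |
            Add-Member -PassThru NoteProperty IPv4Listener $v4 |
            Add-Member -PassThru NoteProperty IPv6Listener $v6
    }
}
Get-RpcHttpListeners | Format-Table -AutoSize
```

Unchecking IPv6 on the NIC leaves the stack enabled; the registry value is what the comment means by a complete disable, and nothing changes until the server is restarted.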

  85. on 06 Jul 2009 at 3:17 pmRamiro

    Today I realized that the problem was only with my mailbox. It didn’t happen with the other already-moved mailboxes.
    Finally I figured out that it was only a problem of a password stored in the “Vista Network passwords” feature. In short, I had stored there with who knows what, so I deleted that entry and Outlook stopped bothering me by asking for the password.

    Thank you for the help Elan. The important thing here is that the explanation in your article totally solved my certificate issue, and this other thing had nothing to do with your instructions.

    Thanks again

  86. on 07 Jul 2009 at 12:34 amNilson

    Your article, combined with post 65 solved the problem on my SBS2008. Works perfectly now.

    Thanks a lot!

  87. on 21 Jul 2009 at 1:35 pmMartins

    Hi Elan Shudnow

    We have the same problem. Outlook 2007 complains about the certificate error just internally.
    From external access we don’t have this problem. We use an external certificate (Unicert) to

    I’m thinking of following your procedure step by step, but the CAS and HUB roles are on two servers in NLB.

    The question is: do you see any problem in an environment like this? Or rather, is an additional procedure necessary for CAS/HUB in NLB?

    Thank you


  88. on 30 Jul 2009 at 11:49 amTodd

    Elan, you are amazing…your instructions worked flawlessly…THANKS!!!

  89. on 30 Jul 2009 at 3:21 pmwow-Impressed

    I have to say!!! WOW!! I spent 2 months on this, everyone said different things, I found your article and had it working before lunch!!!

    Thank you SO MUCH m8, you saved my bacon!!

  90. on 12 Aug 2009 at 9:13 amRTessanne

    I too have followed this amazing post and it resolved all but one issue that is driving me insane.

    I have 2 sites connected via Site-to-Site VPN tunnel. The Exchange 2007 server is at Site 1 and clients are at Site 1 and Site 2. All of the users in Site 1 are working fine however, all the users in Site 2 still get the certificate popup when they open Outlook 2007.

    1 Domain “domain.local” internal Windows 2003 AD with Domain Controllers in each location with updated DNS entries to match my certificate “” pointing to the INTERNAL IP of the Exchange 2007 server. Again, everything is fine from Site 1.

    Site 2 is fully replicated with the DC’s and they are also GC’s (not that it would matter). They can perform NSLOOKUP and resolve to the internal IP address just fine, so I am not sure why I am still getting this error message.

    I have re-pasted CLI’s and restarted the POOL and the server so many times that the power button is wearing out (just kidding).

    Please if you can offer any more assistance on this it would save my hide!!


  91. on 21 Aug 2009 at 10:00 amEduardo Almeida


    Excellent article; you can only add, as a last step, to recycle the MSExchangeAutodiscoverAppPool pool in IIS.



  92. on 10 Sep 2009 at 11:29 pmDaniel

    Thanks very much, I was spending a lot of time on the internet to find the answer…

    I am not an Exchange admin, so this guide helped a lot.


  93. on 16 Sep 2009 at 5:04 amPMD

    This really sorted me out. Thanks a lot

  94. on 21 Sep 2009 at 6:09 pmGabe


    Great article. Thanks.

    My one big question, though, is how will these changes affect Outlook 2007 clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.


  95. on 22 Sep 2009 at 8:25 pmElan Shudnow

    It really shouldn't matter. As long as DNS/NetBIOS can hit the server and the certificate that is on the Exchange Server has that name, it should be transparent to the user.

  96. on 23 Sep 2009 at 5:33 pmMAXhYpe

    Great post and I think I understand more now about certificates. I have been battling for days with a scenario where I have a Thawte certificate that was purchased for webmail access. I ordered one where I only added as the server name, while internally the server is EXCBACK and EXCBACK.domain.local. So I created a self-signed certificate that I wanted to use for Outlook users, but for some reason it's only the Thawte certificate they "pull" when connecting. I did run Enable-ExchangeCertificate -Services IMAP, POP, SMTP on the self-signed one and Enable-ExchangeCertificate -Services IIS on the Thawte one. But still, Outlook connects and throws a warning saying the Thawte certificate does not have the EXCBACK name listed in it. Only What is it I am missing here?

  97. on 24 Sep 2009 at 3:27 ameshudnow

    You need to update your InternalURLs and possibly ExternalURLs as well as AutodiscoverServiceInternalURI so they don't have the EXCBACK. That way they connect to Exchange using the name which the certificate will have.
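
The mismatch in the comment above (the InternalURLs still carry the EXCBACK name while the IIS certificate carries the public name) is easy to find by hand on one server and easy to miss across several. The script below is an added example written for this page, not code from Elan’s post or its comments: it reads the certificate bound to the IIS service, collects the names it covers, and lists every Autodiscover and virtual-directory URL whose host name is not among them. It assumes an Exchange 2007 or 2010 Management Shell and reads everything live, so no host names from the thread are hard-coded.

```powershell
# Added example (editor's, not from the post or its comments): find every URL Outlook is
# handed through Autodiscover whose host name is not on the certificate enabled for IIS.

# The certificate that Enable-ExchangeCertificate bound to the IIS service.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No certificate has the IIS service enabled; run Enable-ExchangeCertificate first.' }
# CertificateDomains holds the subject CN and every subjectAltName DNS entry.
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A host is covered if it appears verbatim, or if a wildcard entry (*.example.com) covers it
# and the host adds exactly one label in front of the wildcard's parent domain.
function Test-NameOnCertificate([string]$HostName) {
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $parent = $n.Substring(2)
            if ($h.EndsWith('.' + $parent)) {
                $label = $h.Substring(0, $h.Length - $parent.Length - 1)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# One (Source, Url) record; built with Select-Object so it also works on the
# PowerShell 1.0 shell that Exchange 2007 ships with.
function New-UrlRecord([string]$Source, $Url) {
    $r = '' | Select-Object Source, Url
    $r.Source = $Source; $r.Url = $Url
    $r
}

# Everything Outlook 2007+ learns via Autodiscover: the SCP URI on each CAS plus the
# InternalUrl/ExternalUrl of each web-services directory. UM has a virtual directory on
# 2007 only and ECP on 2010 only, so probe for the cmdlet before calling it.
$records = @()
foreach ($cas in Get-ClientAccessServer) {
    $records += New-UrlRecord "$($cas.Name) AutoDiscoverServiceInternalUri" $cas.AutoDiscoverServiceInternalUri
}
$getters = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
           'Get-OwaVirtualDirectory', 'Get-UMVirtualDirectory', 'Get-EcpVirtualDirectory'
foreach ($g in $getters) {
    if (-not (Get-Command $g -ErrorAction SilentlyContinue)) { continue }
    foreach ($vd in (& $g)) {
        $records += New-UrlRecord "$($vd.Identity) InternalUrl" $vd.InternalUrl
        $records += New-UrlRecord "$($vd.Identity) ExternalUrl" $vd.ExternalUrl
    }
}

# Report every host name the certificate does not cover; an empty URL is simply unset.
$mismatches = @()
foreach ($r in $records) {
    if (-not $r.Url) { continue }
    $hostName = ([System.Uri]"$($r.Url)").Host
    if (-not (Test-NameOnCertificate $hostName)) {
        $mismatches += New-UrlRecord $r.Source $hostName
    }
}
if ($mismatches.Count -gt 0) {
    Write-Warning "Names not on certificate $($iisCert.Thumbprint) (Outlook will warn about these):"
    $mismatches | Format-Table Source, Url -AutoSize
} else {
    Write-Host "Every configured URL uses a name on certificate $($iisCert.Thumbprint)."
}
```

Run it before and after changing the URLs; the Source column tells you exactly which cmdlet to fix, including the real virtual-directory identity on SBS, where the site is not called Default Web Site.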

  98. on 28 Sep 2009 at 9:28 pmJeremyP

    You saved me many, many headaches with this article. Thanks a ton!

  99. […] […]

  100. on 12 Oct 2009 at 2:24 pmMichael Butterworth

    Thanks. It's a bit of a pain. Whichever way you do it you get certificate errors until you lots of stuff Microsoft don't tell you in training.

  101. on 13 Oct 2009 at 7:48 pmchad

    I would like to thank you for the easy to follow fix for this certificate error!

    I have a problem that has started since I did this fix. To give you some information, the certificate request was generated using IIS and was imported into IIS. We currently only use OWA externally. We were able to access from the inside or outside of our network with no issues and with no certificate errors at this point, but we were getting the certificate error in Outlook 2007. I followed your guide and have verified the settings, but now when I go to from inside or outside I get a certificate error and I am redirected to… and since there isn't an external DNS entry for I can't get to my OWA. I am unable to figure out what would have changed this from the commands above but I am not getting anywhere. My certificate is for

    Thanks for all your help!

  102. on 13 Oct 2009 at 9:38 pmElan Shudnow

    You'll probably want to use the Set-OWAVirtualDirectory command and use the InternalURL and/or ExternalURL to ensure that it has a name that is on your certificate. For example, Set-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -InternalURL -ExternalURL

  103. on 23 Oct 2009 at 11:23 amExchange 2007 certificate error

    […] […]

  104. on 28 Oct 2009 at 8:47 amExchange 2007 & SSL hell!

    […] to disable autodiscover or change the autodiscover address to the local name and have it work. See Outlook 2007 Certificate Error? | Elan Shudnow's Blog or Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a […]

  105. on 05 Nov 2009 at 9:25 pmTommy

    All, I understand the document and followed the steps, but every time I get to (Default Web Site)” I get an error. What am I doing wrong? I am going insane.

  106. on 05 Nov 2009 at 10:32 pmElan Shudnow

    Can you provide the error you're getting?

  107. on 20 Nov 2009 at 7:21 pmJ.P.

    Worked Like a Charm!!!!

  108. on 24 Nov 2009 at 1:31 pmT.C

    I have an Exchange 2010 and am trying to get ActiveSync to work for push e-mail

    testing using gives me an error with the certificate

    "Host name <domain name> does not match any name found on the server certificate CN=<computer name>"

    How do i add the domain name to the certificate?


  109. on 24 Nov 2009 at 2:21 pmElan Shudnow

    T.C., you can use the new certificate wizard to request a new certificate. Check out this video for more information:

  110. on 25 Nov 2009 at 2:37 pmVXR Dave

    You're a life saver mate.

  111. on 25 Nov 2009 at 6:12 pmRBEX2007

    Everything works now for domainA. If I add domainB, will Autodiscover work for OWA and Outlook Anywhere? Can I still use a single cert?

    Thanks for your help.

  112. on 09 Dec 2009 at 5:21 pmDarrell

    Super! Great instructions!!!!

  113. on 16 Dec 2009 at 5:51 pmGCamacho

    Thanks buddy! This was the easiest fix to the issue that I was able to find. Keep up the awesome work!

  114. on 05 Jan 2010 at 7:59 am- The IT Tech-Archive

    […] by Ksalameh on Jan.05, 2010, under Exchange 2007, Exchange 2010 Outlook 2007 & 2010 Certificate Error? […]

  115. on 07 Jan 2010 at 1:18 pmRadek

    Hi guys,
    I have a very similar problem, but only with internal access of my Outlook clients.
    Everything from outside the network (internet) is working fine: Outlook Anywhere, ActiveSync to mobile devices, Outlook Web Access … nothing has a problem.

    But when my Outlook clients try to connect from the local area network to the CAS server, I get the warning with the certificate error.
    I get the same certificate warning if I try to access Outlook Web Access.

    I have set all paths, directories etc. the right way. External things are to, internal things point to server.domain.local.
    The SSL certificate is signed by the STARTSSL CA, which is a publicly trusted CA, and it points to the name.

    So I can understand why Outlook clients have problems if they try to connect from the local area network, because the SSL certificate points to another name of the server. But why are they using SSL for the connection? I have them inside the company network, I don't need to use RPC over HTTPS for them. Maybe the problem is that my server has only one IP address and has all Exchange roles together on one machine …?

    Thank you for any kind of tips

    With regards, Radek

  116. on 08 Jan 2010 at 6:14 amElan Shudnow

    Because Outlook 2007+ uses web services not just for OWA or Outlook Anywhere. It uses it for OOF, Free/Busy, OAB, Autodiscover, etc… The entire article already explains this and why you need to set the InternalURLs properly. Basically, I have already answered your question in my article as to why the InternalURLs need to match the name of the certificate.

  117. on 27 Jan 2010 at 10:56 pmannalynn

    i'm having this same issue, but i was never on an exchange server.

  118. on 01 Feb 2010 at 2:09 amsaint

    I’m using UC but still getting the 8004010f error in Outlook 2007. Send/receive works well but it's annoying. Any hint?


  119. on 01 Feb 2010 at 7:22 amsaint


    I'm using UC and having an issue with the 8004010f error in Outlook 2007. Send/Receive works well but it's annoying.
    Any hints?


  120. on 04 Feb 2010 at 6:37 pmElan Shudnow

    Try Best Practices Analyzer to see if it flags something that can possibly be fixed and thus possibly making your error code go away. Other than that, start Googling/Binging the error code and do things articles tell you till it's gone.

  121. on 08 Feb 2010 at 6:30 amEve

    I wish I had found your blog last week :)
    Big thank you

  122. on 25 Mar 2010 at 2:41 amNG GEE SING

    Hi Mr Elan,

    I am having an issue in my Exchange environment.

    Status: 3 Exchange servers
    exchange-01 – role -> hub, client access, mailbox
    exchange-02 – role -> client access
    exchange-03 – role -> mailbox

    I have just imported a new single-name certificate with name " " on exchange-02 and faced the problem you posted about on the blog, and solved it with your solution.

    But a new problem shows up where users who use Outlook 2007 are unable to download the offline address book. I tried to run Test AutoConfiguration and found that users who use Outlook 2007 are connected to exchange-01/OAB but not exchange-02.

    Kindly need your help

  123. on 01 Apr 2010 at 2:43 pmFrank Cone


    I have an Exchange 2010 server with this issue. I did multiple searches and found basically this info (Not as cleanly laid out though). I followed the instructions down to the last command

    (Set-UMVirtualDirectory -Identity “CASServerUnifiedMessaging (Default Web Site)” -InternalURL… -BasicAuthentication:$true)

    At that point I get the following:

    The term 'set-umvirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    I went ahead and created a new SRV record pointing to the IP and now if I ping it resolves to the IP address of the CAS server.

    Any assistance is appreciated.

    Thank you,

  124. on 02 Apr 2010 at 1:21 pmeshudnow

    Frank, you do not have to do this in Exchange 2010 as there is no more Unified Messaging virtual directory. In Exchange 2010, Exchange Web Services (EWS) is now used for Unified Messaging functionality. I will make a note in the article about this.

  125. on 19 Apr 2010 at 3:48 pmNSJ

    What about when it happens to the remote site and not at the corporate office? I would think the same certificate would be used in both places, but the remote site is having the problem and corporate claims it never sees the error message. I would think that it would show up for both sites if a problem exists.

  126. on 20 Apr 2010 at 11:55 ameshudnow

    It depends on your setup. I would check out the following article to understand how proxying and redirection works:

    Either way, you need to make sure that the sites trust each other's certificates and the AutodiscoverServiceInternalURL, InternalURLs, and ExternalURLs are all on the certificate. The same goes for if you want to support autodiscover for outside clients and internal non-domain joined clients.

  127. on 26 Apr 2010 at 4:43 amchris

    I still use this as a list of all places to make changes to URLs in Exchange; it's useful when changing internal OR external values. Thanks for putting the effort in!

  128. on 12 May 2010 at 7:56 pmMatt

    Only had to change the Thumbprint and the AutoDiscover internally…. thanks so much!!
    This really helped!

  129. on 17 May 2010 at 3:17 pmCillie

    Don't know what I did.
    Tried everything in this post. But still getting the error "The name on the security certificate is invalid or does not match the name of the site."

    I'm on Exchange 2010 though, so leaving the command Set-UMVirtualDirectory out.
    AD is on 2008 R2. Exchange is installed on one of the ADs, the GC of the two.

  130. on 17 May 2010 at 6:47 pmJason

    Hey, Thanks! This resolved a few things for me, but I'm still getting a Certificate Error in outlook with the title of "sites", before the Certificate Error had a different title.

    Can you help me?

  131. on 09 Jun 2010 at 5:01 pmDagan Henderson

    One thing you may want to add is that it may be necessary to reboot the system for the changes to take effect. I was going crazy trying to think of which service must still be directing to the internal server name and finally gave up for the night. The next day the error message had stopped appearing.

  132. on 23 Jun 2010 at 10:39 pmyan

    On SBS 2008 the commands need to include (SBS Web Applications), not Default Web Site. Default Web Site doesn't include those sites anymore.

  133. on 12 Jul 2010 at 9:27 pmClaudio



  134. on 12 Jul 2010 at 9:31 pmClaudio


  135. on 15 Jul 2010 at 2:33 amChristo

    Hi Elan,

    Does this also apply to an Exchange environment that has multiple Exchange CAS servers (geographically) on the same domain (WAN)?

    I have noticed that all my CAS servers have their own Autodiscover URI. Would I need to configure each CAS server individually? I only use one primary CAS server for external OWA access. This CAS then routes district users to the district CAS/Mailbox server that hosts their mail.

    We do not use secure email (HTTPS) due to limitations on our WAN (Government Dept sitting on a centrally supplied and managed WAN for ALL Depts).

    I hope I am not too confusing.


  136. on 19 Jul 2010 at 5:09 pmjeff

    wow!! this actually worked!! It is depressing that Microsoft cannot create a simple article like this. This worked like a charm!! I hope people will actually find this article. Thank you so much for putting this together!!!

  137. on 19 Jul 2010 at 5:42 pmElan Shudnow

    They actually do have a KB on this. But I created this article before that KB existed. :)

  138. on 21 Jul 2010 at 7:26 pmpaypwip

    +1 to People Helped, thanks.

  139. on 26 Jul 2010 at 3:45 pmNasatech

    Me too…. :-(

  140. on 26 Jul 2010 at 4:11 pmNasatech

    Just found the solution:

    Make a fake zone for autodiscover."yourdomainname" and point it with a CNAME to the external name resolving to your internal mail server IP. It must be a CNAME and not an A record.

    Go to your DNS management: Administrative Tools -> DNS. First, in the Forward Lookup Zone (FLZ) for, right-click (RC) the and select 'New Host (A)'; enter: mail for the name and input the internal IP of your CAS. Next RC the FLZ under your server and select 'New Zone', click 'Next' at the wizard introduction, leave the zone type as Primary and Active Directory integrated, click 'Next', leave the zone replication on the default, which is to all domain DNS servers, click 'Next'. For the name enter: , click 'Next'; for the dynamic updates change the setting to 'Allow both nonsecure and secure dynamic updates', click 'Next', then click 'Finish'. Now RC the new and select 'New Alias (CNAME)', leave the name field blank and just click on the Browse button. In the new browse window, double-click (DC) the server name, DC the FLZ folder, DC and then select the mail entry, click 'OK' to complete. You can now close DNS.

  141. on 03 Aug 2010 at 3:19 pmBeefeater

    Hi Elan,

    Your article is great and seems to be the solution to my problem, but when I try to type your cmdlets -Set-WebServicesVirtualDirectory -Identity "CASServerEWS (Default Web Site)" <rest of cmdlet entry here> I get an error saying "CASServerEWS (Default Web Site)" could not be found on domain controller: <DC FQDN>

    I'm using SBS 2008 which has exchange 2007 and while most of the info I have found regarding exchange has been relevant, I have found that stuff related to websites is different. I'm just wondering if you have some different instructions for those who are using SBS 2008. I know this article is quite old but it seems to be the solution and I would like to know how to get it to work on my system.


  142. on 03 Aug 2010 at 4:09 pmBeefeater

    Just a follow up on my previous post.

    Being a newbie to Exchange and PowerShell it didn't occur to me right away, but a lightbulb came on and I decided to use the Get-WebServicesVirtualDirectory cmdlet to find out what my server was calling it. Turns out rather than having "casserverews (default web site)" it is "casserverews (sbs web applications)"

    This is common for all the cmdlets stated in this article. It seems to have resolved my certificate issue, so now I'm just waiting with my fingers crossed to see if it broke something else. Thanks for the article Elan, it works really well so far.

    I also failed to notice that there were 3 pages of comments, so forgive me if someone had posted the answer to this on page 2 or later; I didn't read it, and for that, I apologize.



  143. on 04 Aug 2010 at 12:39 ameshudnow

    You know, I usually don't even follow what I have on my blogs. I always show how to set it against a single server. But in a single site scenario, I always just set InternalURLs to something like and point the DNS to the load balancer or to that specific server. Because of this, I just do Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL InternalUrLHere BasicAuthstuffHereIfYouWant. Even though you only have 1 CAS, this will work and is easier to do.

  144. on 04 Aug 2010 at 12:40 ameshudnow

    Just realized you posted a follow up. Basically what I suggested is what you already did so nevermind!

  145. on 08 Aug 2010 at 7:07 pmJ W

    Phew, 8 hours of Hell over… I was doing this with Microsoft's stupid contoso FQDN pointing to the internal netbios.domain.local. I didn't realize I had to point to the external cert until you spelled it out. Thanks

  146. on 10 Aug 2010 at 4:19 amwindow recovery

    Basically, the certificate is for, and the internal network name is obviously not that. I do have that domain added in DNS, and it resolves internally and externally (which works great for EVERYTHING besides Outlook 2007).

  147. on 11 Aug 2010 at 1:37 amLynn Smith

    Thanks for the nice article. I got very good information on the Outlook 2007 Certificate Error.

  148. […] Met dank aan: […]

  149. on 20 Aug 2010 at 12:04 pmDonmeado

    Awesome document thanks very much!

  150. on 07 Sep 2010 at 3:32 pmKush

    After I applied the changes you suggested, I have a problem with the free/busy look-up via outlook 2007 client and I had to change the auto-discover URL back to https://FQDN//Autodiscover/Autodiscover.xml to make the free/busy work. Any ideas. We have 4 CAS servers in 2 sites, 2 in each site and we are using the round robin DNS alias pointing to these 4 servers. But looks like when a user is doing the free/busy lookup it is trying to fetch the free/busy info from another site instead of where the user's account is.

  151. on 12 Sep 2010 at 7:17 amElan Shudnow

    Any CAS in any site can handle the request. And what you wrote doesn't really make sense. I had you change the FQDN to https://FQDN/Autodiscover/Autodiscover.xml but you said you changed it back to https://FQDN/Autodiscover/Autodiscover.xml. Hm?

  152. on 13 Sep 2010 at 2:07 amBrandon Schmitt

    For those still having issues and using Exchange over HTTP setup for outside clients, look into using a SRV record in dns to redirect to your single SSL cert; for example, If you do this you will get a popup in 07 Outlook for the redirect but all you need to do is check "do not show again" and it will work perfectly.

    Here is a link for setup of SRV record.
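
The two DNS-side techniques the thread describes, driven from the command line instead of the DNS console, as an added example written for this page (not code from either comment): the internal pinpoint zones of comment 140 and the external Autodiscover SRV record of comment 152. All names are assumed placeholders: example.com is the public domain on the certificate, mail.example.com the certificate name, 10.0.0.10 the internal CAS address, and the commands target the local Windows DNS server. One deliberate difference from comment 140: that commenter created a CNAME at the apex of the autodiscover zone, which the Windows console allows; this example puts an A record at the apex of each pinpoint zone instead, because a CNAME at a zone apex would sit alongside the zone’s own SOA and NS records, which RFC 1034 forbids and some resolvers reject. The SRV record belongs in the zone the public internet queries; if that zone is hosted at a registrar rather than on this server, add the same record there.

```powershell
# Added example (editor's, not from the comments above): pinpoint zones for internal
# resolvers and an Autodiscover SRV record for external clients, via dnscmd.exe.
$publicDomain = 'example.com'            # assumed: the domain on the certificate
$certHost     = "mail.$publicDomain"     # assumed: the certificate's name
$internalIp   = '10.0.0.10'              # assumed: internal address of the CAS
$dnsServer    = '.'                      # dnscmd shorthand for the local DNS server

# --- Internal resolvers (comment 140): pinpoint zones --------------------------------
# Rather than mirroring all of example.com internally (split DNS), create one AD-integrated
# zone per host name and put the record at the zone apex ('@'). Internal clients then
# resolve the certificate name to the CAS while every other example.com name still
# resolves through the public zone.
foreach ($zone in $certHost, "autodiscover.$publicDomain") {
    dnscmd $dnsServer /ZoneAdd $zone /DsPrimary
    dnscmd $dnsServer /RecordAdd $zone '@' A $internalIp
}

# --- External resolvers (comment 152): Autodiscover SRV record ------------------------
# Outlook 2007 (with the SRV-lookup update) queries _autodiscover._tcp.<smtp domain> after
# https://<domain>/Autodiscover and https://autodiscover.<domain>/Autodiscover fail, and
# prompts once to confirm the redirect; this lets a single-name certificate serve
# Autodiscover with no autodiscover.* entry on it. Fields: priority 0, weight 0, port 443,
# target = the certificate name.
dnscmd $dnsServer /RecordAdd $publicDomain _autodiscover._tcp SRV 0 0 443 $certHost

# --- Verify from a client ----------------------------------------------------------------
nslookup $certHost
nslookup "autodiscover.$publicDomain"
nslookup -type=SRV "_autodiscover._tcp.$publicDomain"
```

Whichever approach you use, the target must be a name on the certificate: the SRV record only moves the Autodiscover lookup to a name Outlook can validate, it does not suppress the warning for any URL that still points at the internal server name.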

  153. […] Outlook 2007 Certificate Error?. Oddaj […]

  154. on 04 Oct 2010 at 3:03 amThomas

    Excellent article….Thanks you so much !

  155. on 11 Oct 2010 at 9:10 amJay

    Thanks for the article, helped me out!

  156. on 01 Dec 2010 at 1:46 pmrGB

    You saved my a$$ :) Thanks a lot

  157. on 09 Dec 2010 at 8:49 pmcolinv

    many thanks; even though I had the correct settings in the internal/external URLs, following this article and resetting through the console worked a treat. (The ActiveSync virtual directory was the culprit.)

    I found that for sbs 2008, in the script commands, as well as replacing CASServer with ourservername I replaced (Default website) with (SBS Web Applications)
    eg: “CASServerMicrosoft-Server-ActiveSync (Default Web Site)” with “OurServerNameMicrosoft-Server-ActiveSync (SBS Web Applications)”

  158. on 10 Dec 2010 at 8:13 amWaleed

    I have the same issue with SBS 2008. I have a cert with IPSCA and it is installed so my phones are syncing properly and I can access OWA without fail. I still get the certificate message with Outlook 2007. It comes up with The name is invalid or does not match the name of the site. My AutoDiscoverServiceInternalUri :… ( which is what my cert is published with)
    My server name is willow.domainnamesbs.local
    Any advice please?

  159. on 01 Jan 2011 at 3:38 pmandy

    Hi, Can you help me translate

    “CASServerEWS (Default Web Site)”

    to match my environment? I have a SBS 2008 server and it's name is sbs2008.


  160. on 04 Jan 2011 at 7:12 pmElan Shudnow

    I am not familiar with SBS. I would ask on the Technet SBS forums.

  161. on 20 Jan 2011 at 11:50 amDean

    Very handy. Excellent article.

  162. on 25 Jan 2011 at 2:14 pmJim

    Much better detail in your descriptions than the Microsoft knowledge base had. Thanks for the excellent article, made much more sense!

  163. on 02 Feb 2011 at 5:23 amSamer

    Really, thank you …
    You're great

  164. on 09 Feb 2011 at 8:48 pmJasGot

    I am stuck on the Cert issue regarding inside (LAN) usage and external (Internet) usage. Right now, I have installed a self signed cert and a CA cert.

    My public FQDN is
    My internal FQDN is

    Don't yell! It was this way when I took over :)

    If I assign the CA cert to IIS the connections from outside are fine, but the inside connections get a cert error. If I assign the self signed cert to IIS, the connections on the inside are ok, but the connections on the outside get a cert error.

    Is there any way to have IIS use the CA cert for outside connections and the self signed cert for inside connections?

  165. on 09 Feb 2011 at 8:49 pmJasGot

    (Had to split my comment)

    Also, if I understand correctly, you can use one cert if the first part of the domain name is the same? So a CA cert of will work on the inside too as long as the server name is 123.???.???. I think I read that Outlook 2007 only looks at the first part of the FQDN?

    So now I am curious, if I change the name the exchange server gives to the outside clients to match what the inside clients use, ie; if I change my server to give instead of, then the same cert will make the internal outlook 2007 clients happy?

    Thanks for your feedback.

  166. on 20 Feb 2011 at 8:56 amK.M. Hahn

    Thanks for the article. It helped me solve our Outlook certificate error. Very much appreciated.

  167. on 07 Mar 2011 at 7:39 pmDewang

    Great !!!!
    After steps recommended I also did below steps for it to work.
    Open IIS Manager.
    Expand the local computer, and then expand Application Pools.
    Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

  168. on 19 Mar 2011 at 2:27 pmJIRA: Infrastructure

    [INF-2023] Exchange 2010 Migration – Migrate services and mailboxes…

    Next I tackled the certificate error in Outlook 2007 at launch. The problem stems from Outlook accessing the server using “plowking.cdrassociates.local”. The communication is secured using the * SSL certificate, resulting in a name….

  169. on 04 Apr 2011 at 10:09 pmJacob

    Just awesome! Bravo sir! Saved me from having to buy a more expensive certificate!

  170. on 05 Apr 2011 at 11:23 amTomTom

    Thank you for the GREAT information!

    This fixed my certificate problem. But I managed to create another problem in the process.

    My users typically access OWA simply by typing in, which defaults to an HTTP request. Now they get a 403 access denied error. But if they put in OWA works just fine.

    I didn't change anything besides what was outlined above. Any ideas why all of a sudden my http redirect to https isn't working?


  171. on 14 Apr 2011 at 1:48 amMahmood

    Need your help to configure Activesync for Exchange 2007. This is my first time to set it up so I am not sure if I am doing it correctly.

    We have 2 CAS servers; call them CAS1 and CAS2. I have purchased an SSL certificate and imported it to the CAS1 server using the Exchange Shell command Import-ExchangeCertificate… successfully imported and enabled the certificate on the server.

    External domain FQDN is

    When I connect using a mobile device, synchronization does not work. I ran the test at and it gives me an error on the certificate:
    Host name doesn't match any name found on the server certificate CN=CAS2

    What can I do to resolve this?

  172. on 14 Apr 2011 at 3:25 amMahmood

    Some progress.. I managed to resolve this error. Found out it was the firewall which was mapping to CAS2 (instead of CAS1), and that policy was higher in the order so it was being executed before the other policy to map to CAS1..
    Running the test again on gives a second error now:
    Validating certificate trust for Windows Mobile devices.
    Certificate trust validation failed.

    The certificate chain didn't end in a trusted root

  173. on 17 Apr 2011 at 4:20 pmElan Shudnow

    Don't forget to enable the new certificate for Exchange Services. I explain how to do that in the article using Enable-exchangecertificate.

  174. on 17 Apr 2011 at 4:22 pmElan Shudnow

    Operating System and Exchange version would be helpful.

  175. on 17 Apr 2011 at 11:45 pmMahmood

    Never mind..solved

  176. on 09 May 2011 at 8:26 pmfrancisco

    Excellent post – after following your steps all works fine – except for our Public folders

    Would these changes affect the replication / access of public folders?

  177. on 09 May 2011 at 9:09 pmElan Shudnow

    None of this would affect replication / access of public folders.

  178. on 11 May 2011 at 6:44 pm@davedoeppel

    Not sure if this is monitored. I had this exact issue on Exchange 2010. I followed all of the directions here and I was still having an issue. However, it is very specific. A user logged onto a non-domain Windows profile, on our internal LAN, would get the error. These are companies I have set up using the Autodiscover redirect method. If they are logged into a domain profile it works perfectly. If they are off our LAN, either domain or non-domain works perfectly.

  179. on 11 May 2011 at 6:48 pm@davedoeppel

    Cut off the bottom of my post.

    I had done two steps in my Exchange setup: Autodiscover redirect for supporting our other companies, and OWA easy redirect. In IIS7 the default website had bindings set to unassigned. This seemed to be causing some kind of weird routing for the above scenario. If I change that and force it to be bound to the IP of the server, not the Autodiscover redirect, then the above SSL issue goes away. However I can no longer run EMC or EMS on the server, see

    If anyone has any ideas I would love to hear it. For now I will just run my management on my MBX boxes but I would certainly like to have it fixed..



  180. on 22 May 2011 at 4:16 amAbdul Waheed

    Hi, I have a different scenario: my external domain name is different from my internal domain, so whenever users open Outlook it prompts that the certificate mismatches, because I have a certificate for the external domain only.

    is there any workaround for this ?

  181. on 23 May 2011 at 11:14 pmBob

    Thank You Elan. I was wrestling with this and was at my wits end. Good Work! and greatly appreciated!

  182. on 24 May 2011 at 6:18 pmSanjay

    Your article was perfect and to the point.. i was able to resolve the problem. You da man!!

  183. on 06 Jun 2011 at 12:12 pmElan Shudnow

    Set all your internalURLs, externalURLs, and AutodiscoverServiceInternalURI to point to an FQDN that uses the external namespace. All URLs will point back to the Exchange Server.
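
The full set of cmdlets behind that one-line answer, and behind the same advice in comments 97 and 143 (use one external-namespace name everywhere and pipe Get-* into Set-* so the identity string never has to be typed), as an added example written for this page; it is not Elan’s script and is not taken from the post. mail.example.com is an assumed placeholder that must already be on the IIS certificate and must resolve, from inside and outside, to the CAS or its load balancer. The script runs on Exchange 2007 and 2010 and probes for the version-specific cmdlets rather than assuming them.

```powershell
# Added example (editor's, not from the post or its comments): point the Autodiscover SCP
# and every client-facing virtual directory at one name that is on the certificate.
$namespace = 'mail.example.com'      # assumed placeholder; must be on the IIS certificate
$base = "https://$namespace"

# Piping Get-* into Set-* instead of typing -Identity "CASServer\... (Default Web Site)"
# avoids the "object not found" errors on SBS 2008, whose directories live under
# "SBS Web Applications", and updates every CAS in the organization in one pass.
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
# Only the "owa" directory takes these URLs; skip the legacy Exchange/Public/Exchweb entries.
Get-OwaVirtualDirectory | Where-Object { $_.Name -eq 'owa' } | Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"

# Version-specific directories: UM has a virtual directory on Exchange 2007 only (2010 moved
# UM onto EWS, see comment 124); ECP exists on Exchange 2010 only.
if (Get-Command Set-UMVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-UMVirtualDirectory | Set-UMVirtualDirectory -InternalUrl "$base/UnifiedMessaging/Service.asmx"
}
if (Get-Command Set-EcpVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
}

# Autodiscover caches its answers; recycle the pool so clients get the new URLs now instead of
# after a reboot (the step comments 91 and 167 add). appcmd exists on IIS 7 (Server 2008);
# on IIS 6 recycle MSExchangeAutodiscoverAppPool from IIS Manager.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
if (Test-Path $appcmd) {
    & $appcmd recycle apppool /apppool.name:MSExchangeAutodiscoverAppPool
}

# Read the values back; each host name shown must be on the certificate.
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize
Get-WebServicesVirtualDirectory | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
Get-OabVirtualDirectory | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize
```

Using the same name for InternalUrl and ExternalUrl is what makes a single-name (non-UC) certificate work: the only remaining requirement is that internal DNS resolves that public name to the internal CAS address, which is where the pinpoint-zone or split-DNS step discussed earlier in the thread comes in. On the client, Test E-mail AutoConfiguration (Ctrl + right-click the Outlook tray icon) shows exactly which URLs the user is being handed after the change.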

  184. on 15 Jun 2011 at 10:37 pmmicro20100

    Sorry, I must be dumb, as I cannot figure out what I need to do. Same issue as everyone: I have a CAS array with 2 servers (CAS, DAG/transport) and a load balancer. Installed a Verisign certificate on both servers for outside OWA access. All working well, however Outlook 2007 keeps complaining about the OWA certificate. The Outlook profile is set up for Exchange with the name of the CAS array. We are using public folders.
    Do I have to change all my internal URLs to the external one that matches my OWA certificate? The name on it is resolved by its external IP address. Do I also need to hard-code the IP address of the CAS array on each server, to resolve locally?
    Thanks in advance

  185. on 23 Jun 2011 at 7:53 am Thomas

    Excellent article!

  186. on 03 Jul 2011 at 10:37 am Maikel

    Great tutorial, thanks for the solution!


  187. on 07 Jul 2011 at 3:18 am Fernando

    Thanks Elan for your post, but I need some more help.

    I’ll try to describe the problem. Everybody at the office is logged on to SBS 2008 and the problem comes when we start Outlook:
    – All the users are asked to enter their password, which is refused when connecting to
    – Then, if we cancel, the certificate appears with the error that you mention.
    – When I do Get-ExchangeCertificate I get 22 certificates and I’m lost.
    And even more, our internal domain name is different than our external domain name.
    So if you can help I'd really appreciate it, because the one who started this cannot be located.

  188. […] I’m using Windows DNS service on Server 2003. I’m trying to get internal clients to resolve the mail. The problem I am getting is shown here. […]

  189. on 23 Aug 2011 at 8:35 am Alan

    Is there an easy way to simply disable ALL secure transmissions? My users are all internal in a company that has no need for any security, so I’d rather leave the whole thing clear than bother trying to fix the annoyance of having the certificate errors pop up. Is this possible?

  190. on 01 Oct 2011 at 12:09 am Michel Calle

    Hi, I have the same problem, then I found the MS Article ID: 940726 and ran the same commands. When I check the AutoDiscoverServiceInternalUri the URL is correct, but I get the same message when I run Outlook 2010. Outside it works fine.
    Any help?

  191. on 03 Oct 2011 at 9:43 am Allison

    It was time to renew my certificate. I didn't want to have the cert include our internal CAS name or the names of our Exchange servers. So I ordered a new cert with just and auto

    I assigned the cert upon receiving it and received the message above when I launched my Outlook client. I updated the internal URLs to match the CN ( the cert message disappeared. YEAH!!

    BUT now Outlook clients cannot get into their Out of Office settings. You can if you go in via OWA though.

    Error message is: Your Out of Office settings cannot be displayed, because the server is currently unavailable. Try again later.

    I removed and recreated the EWS application in IIS. (Which BTW was a gong show – it failed when I tried recreating it via the Exchange Management Shell. I recreated it (and the related Application Pool) manually.)

    All is back to what it was – that being, error in OOF via Outlook client – but OOF works via OWA.

    What am I missing here? It's got to be something SIMPLE.

    Please help! Does it reference the old SSL cert somewhere internally?

  192. on 03 Oct 2011 at 8:15 pm Elan Shudnow

    Single Server? If so, try Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalURL -ExternalURL

  193. on 11 Oct 2011 at 1:16 am PaulT

    Incredible. I've spent days researching this issue and your simple words of wisdom resolved it. Shame about my hair loss though!

    It's clear that Microsoft is pushing down the larger path with UC integration (i.e. telephony on the desktop), but why didn't they give us poor admins the choice, either at installation or at least with a simple GUI click option in the Manager….

  194. on 17 Oct 2011 at 8:20 am Elan Shudnow

    Ya, it is a bit confusing for admins trying to migrate on their own to Exchange 2007 or Exchange 2010 and wanting to use the same certificate. Exchange 2010 allows you to now set your ExternalURLs during a CAS installation but that still doesn't change your InternalURLs or your AutodiscoverServiceInternalURI. So there is still some complexity involved post-install with setting up the CAS the way you want and not getting certificate errors on the client side. Glad you found the article helpful.

  195. on 17 Oct 2011 at 8:23 am Elan Shudnow

    Sometimes you also have to restart the Autodiscover application pool within IIS after changing it. Give that a shot.

  196. on 18 Oct 2011 at 1:50 pm Ray

    We have installed a wildcard certificate on the 2010 Exchange server, so it shows up as * when you do a 'Get-ExchangeCertificate' command. Apparently I am unable to enter this as the FQDN for the Set-ClientAccessServer command; I get a 'cannot convert value' error. How can this be done with a wildcard certificate?

  197. on 18 Oct 2011 at 2:53 pm Elan Shudnow

    That's because * is not an FQDN. You need to enter an actual FQDN using Set-ClientAccessServer.

  198. on 04 Nov 2011 at 8:47 am Perplexed

    Elan, I have installed the SAN certificate on our Exchange 2007 server, enabled it and assigned services. I have a few different names associated with this certificate, of course.

    When I do a ‘Get-ExchangeCertificate’ in the shell, it only shows the common name of the SAN certificate in the output. Should it show all of the names that are associated with the SAN cert? There are two other subject alternative names listed on the cert.


  199. on 04 Nov 2011 at 3:27 pm Elan Shudnow

    Do a Get-ExchangeCertificate | Format-List

    Or the short version:
    Get-ExchangeCertificate | FL

    In all the output, you'll see the SAN fields.

  200. on 09 Nov 2011 at 4:39 pm wthrottle

    Excellent step-by-step. Hit the nail on the head for fixing my issue. Thank you!

  201. on 13 Dec 2011 at 4:29 am Dan C


    I'm having an issue running the commands on the exchange console. When I try to execute any of the commands I get the following error:

    Set-ClientAccessServer : Active Directory operation failed on [server name]. This error is not retriable. Additional information: Directory object not found.

    Anyone have any idea what could be causing this?

  202. on 13 Dec 2011 at 7:16 am Dan C

    I managed to resolve this issue, but users are still getting the error even after making the changes needed. Is there anything else I could be missing?

  203. on 15 Dec 2011 at 10:44 am Elan Shudnow

    Dan C, sometimes the changes are not picked up until you reset the IIS Application Pools. Give that a shot. The only time you'd get the certificate error is what is caused by the above. So if you are still getting the error, even after resetting the application pools, you may want to give MS Support a call.

  204. on 04 Jan 2012 at 1:09 pm Lou

    Thank you!!! I have been looking for this solution all over the Internet but could not find any clear instructions – even from Microsoft. Great article!

  205. on 30 Jan 2012 at 4:43 pm matt


    I am having this same issue but really am stumped.

    When I run the Get-ClientAccessServer -Identity "ServerName" | FL

    I get the following:

    AutoDiscoverServiceInternalUri :

    My assigned certificate includes: and and sbs08 (local server name)

    When I open outlook I get that certificate request pop up and it refers to "sites" as the certificate mismatch. I have no idea where "sites" is coming from but I do see it in the binding of IIS.

    Please advise if you can.

  206. on 31 Jan 2012 at 9:11 am Elan Shudnow

    Check all the other services.
    Get-WebServicesVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-OABVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-OWAVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-ECPVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL
    Get-ActiveSyncVirtualDirectory -Identity IdentityHere | FL InternalURL,ExternalURL

  207. on 31 Jan 2012 at 9:58 am matt

    When I run these commands I get

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Identity SBS08.dcc.local | FL InternalURL,ExternalURL
    Get-WebServicesVirtualDirectory : The operation could not be performed because object 'SBS08.dcc.local' could not be found on domain controller 'SBS08.DCC.loc
    At line:1 char:32
    + Get-WebServicesVirtualDirectory <<<< -Identity SBS08.dcc.local | FL Internal
    + CategoryInfo : InvalidData: (:) [Get-WebServicesVirtualDirectory], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : B0B185CC,Microsoft.Exchange.Management.SystemCon

  208. on 31 Jan 2012 at 10:06 am Elan Shudnow

    Because that's the wrong -Identity. Look at my original post and you'll see the format.

  209. on 31 Jan 2012 at 10:20 am matt

    Ok, so when I ran that first one it was

    Get-ClientAccessServer -Identity SBS08 | FL

    which gave me results. I am doing the same with the new commands; am I totally missing something?

    Isn't this the same: Get-ActiveSyncVirtualDirectory -Identity SBS08 | FL

  210. on 31 Jan 2012 at 10:35 am matt

    Got this to run:

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUrl, ExternalUrl

    InternalUrl : https://sites/EWS/Exchange.asmx
    ExternalUrl :

    Now I see where that SITES is coming from, now just to change it…..

    Not sure what it needs to be.

  211. on 31 Jan 2012 at 10:38 am matt

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl SBS08, InternalUr, ExternalUrl

    InternalUrl : https://sites/EWS/Exchange.asmx
    ExternalUrl :

    [PS] C:\Windows\system32>Get-OABVirtualDirectory | fl SBS08, InternalUrl, Exter

    InternalUrl : https://sbs08/OAB
    ExternalUrl :

    [PS] C:\Windows\system32>Get-OWAVirtualDirectory | fl SBS08, InternalUrl, Exter

    InternalUrl : https://sbs08/owa/
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    InternalUrl :
    ExternalUrl :

    [PS] C:\Windows\system32>Get-ECPVirtualDirectory | fl SBS08, InternalUrl, Exter
    The term 'Get-ECPVirtualDirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:24
    + Get-ECPVirtualDirectory <<<< | fl SBS08, InternalUrl, ExternalUrl
    + CategoryInfo : ObjectNotFound: (Get-ECPVirtualDirectory:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    [PS] C:\Windows\system32>Get-ActiveSyncVirtualDirectory | fl SBS08, InternalUrl

    InternalUrl : https://sbs08/Microsoft-Server-ActiveSync
    ExternalUrl :

    [PS] C:\Windows\system32>

  212. […]…k-2007-certificate-error/ […]

  213. on 22 Mar 2012 at 11:28 pm Brenda

    My problem is that I was adding a network connection and was on the wrong line and accidentally erased my security certificate number. I called my Outlook Express dial-up service and they said it was a Microsoft problem. The following message comes up every time I log on to Outlook Express before any e-mails come through: The server you are connected to is using a security certificate that can not be verified. The certificate's CN name does not match the passed value. Do you still want to use this server? I check yes and everything goes ok. My big problem is when I order things online the companies do not want to deal with a security certificate that can not be verified. Please help!

  214. on 16 Apr 2012 at 5:31 am Murray

    This resolved for me too, thanks for the trouble.

  215. […] will like to thank Elan Shudnow’s Blog for the post on this because it helped me confirm the steps I had applied were correct, they just didn’t […]

  216. on 24 Jun 2012 at 7:27 am David

    So why *must* I enable SSL on the OAB directory? Does that form part of the solution, or is just a recommendation over and above what is required?

  217. on 24 Jun 2012 at 9:36 am Elan Shudnow

    Not a requirement. The reason it's off by default is OAB download uses the BITS protocol which does not support self-signed certs. And because Exchange uses a self-signed cert by default, the OAB virtual directory is configured to use http://. But because you're replacing the self-signed cert with a CA-signed certificate, it's recommended to change http:// to https://.

  218. on 02 Jul 2012 at 9:12 pm Marcos

    Thanks, your comment helped me to solve the problem I had!!

  219. […] – so thank you Elan for this. […]

  220. on 29 Aug 2012 at 3:11 pm Alex

    This article saved me a crap-ton of work. I had resigned to just doing a domain change to make things uniform with our website/ftp domain… but after looking into it and the complications brought on by having Exchange in the mix, I was relieved to find this and solve the issue in five minutes. My hat is off to you, sir.

  221. on 07 Nov 2012 at 7:44 pm sea ray marble falls

    This is my first visit here and I am really impressed to read all at one

  222. on 08 Nov 2012 at 7:03 pm Brian

    I always refer to this blog, good looking out!

  223. on 09 Dec 2012 at 8:10 pm Pansy

    Very good post. I will be dealing with some of these issues as well.

  224. on 28 Dec 2012 at 3:12 am Evan

    Hello there and thank you for your info – I’ve certainly picked up something new from right here. I did however experience several technical points using this web site, since I had to reload the web site lots of times before I could get it to load properly. I had been wondering if your web hosting is OK? Not that I am complaining, but slow loading times will sometimes affect your placement in Google and can damage your quality score if advertising and marketing with Adwords. Anyway I’m adding this RSS to my email and can look out for much more of your interesting content.
    Ensure that you update this again soon.

  225. […] – so thank you Elan for this. […]

  226. on 17 Apr 2013 at 8:34 pm sregimand

    Thank you for the article. In summary this is what I did to fix my issue:
    1. Ran the command from the Exchange server PowerShell: Get-WebServicesVirtualDirectory | fl *url*
    The result of the command was:
    InternalNLBBypassUrl :
    InternalUrl :
    ExternalUrl :

    2. Ran this command:
    Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl ";

    3. iisreset
    4. Waited for 60 seconds; everything is all good now.
    5. Make sure there is an A or CNAME record in DNS.
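The checks Elan lists in comment 206 and the fix summarized in comment 226 can be run as one audit. The script below is an added example, not code from the original post or from Elan's article: it reads the names covered by the certificate enabled for IIS and flags every Autodiscover and virtual directory URL whose hostname is not among them, which is exactly the name Outlook shows in its mismatch dialog. It assumes the Exchange Management Shell on the CAS; the server name CAS01 is a placeholder, and Get-ECPVirtualDirectory is skipped where it does not exist (Exchange 2007).

```powershell
# Added example (not code from the original post): audit every URL handed to
# Outlook against the names on the certificate enabled for IIS. Run in the
# Exchange Management Shell on the CAS; 'CAS01' is a placeholder server name.
param([string]$Server = 'CAS01')

# Names the IIS certificate actually covers: the CN plus every SAN entry.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on this server" }
$covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# A hostname is covered if it matches an entry exactly or, for a wildcard
# entry, differs from it only in the leftmost label (wildcards do not span dots).
function Test-Covered([string]$HostName) {
    foreach ($d in $covered) {
        if ($d.StartsWith('*.')) {
            $sameDepth = $HostName.Split('.').Count -eq $d.Split('.').Count
            if ($sameDepth -and $HostName.EndsWith($d.Substring(1))) { return $true }
        } elseif ($HostName -eq $d) { return $true }
    }
    return $false
}

# Collect AutoDiscoverServiceInternalUri plus the Internal/External URLs of
# each virtual directory the thread discusses (ECP is absent on Exchange 2007).
$urls = @()
$cas = Get-ClientAccessServer -Identity $Server
$urls += New-Object PSObject -Property @{ Source = 'AutoDiscoverServiceInternalUri'
                                          Url = $cas.AutoDiscoverServiceInternalUri }
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OABVirtualDirectory',
               'Get-OWAVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-ECPVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) { continue }
    foreach ($vd in @(& $cmdlet -Server $Server)) {
        $urls += New-Object PSObject -Property @{ Source = "$cmdlet InternalUrl"; Url = $vd.InternalUrl }
        $urls += New-Object PSObject -Property @{ Source = "$cmdlet ExternalUrl"; Url = $vd.ExternalUrl }
    }
}

# Report. A MISMATCH line names a host Outlook will be told to use over HTTPS
# that the certificate cannot vouch for; an unset URL is never used by Outlook.
foreach ($u in $urls) {
    if (-not $u.Url) { '{0,-48} (not set)' -f $u.Source; continue }
    $h = ([uri]$u.Url).Host.ToLower()
    $status = if (Test-Covered $h) { 'OK' } else { 'MISMATCH' }
    '{0,-48} {1,-8} {2}' -f $u.Source, $status, $u.Url
}
```

After correcting a flagged URL with the matching Set-*VirtualDirectory or Set-ClientAccessServer cmdlet, rerun the audit and recycle the application pools (or iisreset) before retesting Outlook.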

  227. on 25 Feb 2014 at 2:44 am UMA GANESH

    Thank you so much…. Worked for me as well….

  228. on 10 Mar 2014 at 11:06 pm Chase

    Thank you for this fix! Saved me a lot of time!

  229. on 09 May 2014 at 1:12 pm Tony Davis

    YOU ARE MY HERO!!!!!!!

  230. on 28 Jul 2014 at 3:52 pm Dan

    I just can't seem to make this work. I've repeated the above steps; but I'm clearly missing something…

    internal server name = server2k8.domain.local
    external URL =
    UCC Cert is in place for with alternate names of mail and (Outlook Anywhere is working properly for mobile devices)
    I also have a Cisco PIX 501 firewall that does not allow hairpinning. (Not sure if this is my issue or not.)

    Outlook 2010 and Outlook 2007 continue to get the security mismatch alert message.

  231. on 15 Aug 2014 at 12:39 pm Josh

    I've run into this problem, post-2010 SP3 update. The strange thing about this is that it only affects 5 computers throughout the enterprise. I've tried adding the certificate to the individual computers' trusted certs directory to no avail. Thoughts?
