
Outlook 2007 Certificate Error?

When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”

So the million dollar question? Why the error?

Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose: to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning a very simple configuration and do not care about external Autodiscover access, you do not need a Unified Communications certificate. You can read more about these certificates in one of my other articles here.

So let’s say we have a simple, regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS; we just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next, I went to the Exchange Management Shell and enabled the Exchange services to use this certificate. In order to do this, you must run the following commands:

Get-ExchangeCertificate

Thumbprint                                 Services   Subject
----------                                 --------   -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9  SIP.W      CN=mail.shudnow.net.com

What I did was go ahead and enable every available service on this new certificate by using the following command:

Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9

The next step is to ensure the AutoDiscoverServiceInternalUri points to the CAS that will be your primary CAS for servicing Autodiscover.

Get-ClientAccessServer -Identity CASServer | FL

AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml

See the issue here? We are not using a UC certificate that contains the names casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net and autodiscover.shudnow.net. Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match a name on your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalUri by using the following command:

Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

We now need to configure the InternalURLs for each web-distributed service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain-joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.

Here is the reason why we were receiving the certificate errors: your InternalURLs most likely are not using mail.shudnow.net. They are most likely pointed to something such as https://casnetbiosname/ServiceURL, which fails since this is not the CN of your simple certificate.

You can run the following commands to fix your InternalURLs so your Outlook 2007 client can successfully take advantage of your web-distribution services.

Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true

Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB

Note: You must ensure that SSL is enabled on the OAB virtual directory in IIS, which it is not by default. The above command will only enable SSL; it will not ensure that 128-bit SSL is required.

Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.

Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-ActiveSync

Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true

Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services virtual directory.
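The steps above all come down to one rule: every hostname Exchange hands to Outlook (the Autodiscover SCP URI, each InternalURL/ExternalURL, the Outlook Anywhere hostname) must be a name on the IIS certificate and must resolve in DNS to the CAS. The following script is an added example, not part of the original post or of Exchange; it audits a CAS against that rule before (or after) you run the Set-* commands, so you can see exactly which URL still points at a NetBIOS name. It assumes the Exchange Management Shell cmdlets already used in this article plus Get-OwaVirtualDirectory and Get-OutlookAnywhere, PowerShell 2.0 or later, and that Get-ExchangeCertificate exposes the certificate's names in a CertificateDomains property (labelled as an assumption in the code). The file name Test-ExchangeUrlNames.ps1 is hypothetical. It goes slightly beyond the single-name certificate in the article by also honouring a wildcard name such as *.shudnow.net. It only reads configuration and changes nothing.

```powershell
# Test-ExchangeUrlNames.ps1 (hypothetical name) -- added example, not from the original post.
# Audits the hostnames a Client Access Server hands out to Outlook against the names on the
# certificate assigned to IIS, and checks that each hostname resolves in DNS from this server.
# Run inside the Exchange Management Shell (PowerShell 2.0 or later assumed).
param(
    [string]$Server,       # Client Access Server, e.g. CASServer
    [string]$Thumbprint    # thumbprint as shown by Get-ExchangeCertificate
)
if (-not $Server -or -not $Thumbprint) {
    throw "Usage: .\Test-ExchangeUrlNames.ps1 -Server CASServer -Thumbprint <thumbprint>"
}

# True when $hostname is covered by one of the certificate names: an exact (case-insensitive)
# match, or a wildcard name whose suffix matches and that covers exactly one extra label
# (*.shudnow.net covers mail.shudnow.net, but not shudnow.net or a.b.shudnow.net).
function Test-NameCovered([string]$hostname, [string[]]$certNames) {
    foreach ($name in $certNames) {
        if ($name -ieq $hostname) { return $true }
        if ($name.StartsWith('*.')) {
            $sameDepth  = $hostname.Split('.').Count -eq $name.Split('.').Count
            $sameSuffix = $hostname.ToLower().EndsWith($name.Substring(1).ToLower())
            if ($sameDepth -and $sameSuffix) { return $true }
        }
    }
    return $false
}

# True when DNS, as seen from the server running the script, resolves the name at all.
function Test-Resolves([string]$hostname) {
    try { [void][System.Net.Dns]::GetHostAddresses($hostname); return $true }
    catch { return $false }
}

# Host part of a URL-valued property; $null when the property is not set.
function Get-UrlHost($value) {
    if ($value -eq $null -or "$value" -eq "") { return $null }
    return ([System.Uri]"$value").Host
}

# Names on the certificate: the CN plus any Subject Alternative Names.
# Assumption: the EMS exposes them as the CertificateDomains property.
$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
Write-Host ("Certificate {0} covers: {1}" -f $Thumbprint, ($certNames -join ", "))

# Collect every hostname the article touches: the Autodiscover SCP URI, the InternalUrl and
# ExternalUrl of each web-distributed service, and the Outlook Anywhere external hostname.
$entries = @()
function Add-Entry([string]$service, $value) {
    $script:entries += New-Object PSObject -Property @{ Service = $service; Host = (Get-UrlHost $value) }
}
$cas = Get-ClientAccessServer -Identity $Server
Add-Entry "AutoDiscoverServiceInternalUri" $cas.AutoDiscoverServiceInternalUri
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $Server)) {
    Add-Entry "EWS InternalUrl" $vd.InternalUrl
    Add-Entry "EWS ExternalUrl" $vd.ExternalUrl
}
foreach ($vd in @(Get-OABVirtualDirectory -Server $Server)) {
    Add-Entry "OAB InternalUrl" $vd.InternalUrl
    Add-Entry "OAB ExternalUrl" $vd.ExternalUrl
}
foreach ($vd in @(Get-ActiveSyncVirtualDirectory -Server $Server)) {
    Add-Entry "ActiveSync InternalUrl" $vd.InternalUrl
    Add-Entry "ActiveSync ExternalUrl" $vd.ExternalUrl
}
foreach ($vd in @(Get-OwaVirtualDirectory -Server $Server)) {
    Add-Entry "OWA InternalUrl" $vd.InternalUrl
    Add-Entry "OWA ExternalUrl" $vd.ExternalUrl
}
foreach ($oa in @(Get-OutlookAnywhere -Server $Server)) {
    # ExternalHostname is a bare hostname, not a URL; wrap it so Get-UrlHost treats it the same way.
    $h = "$($oa.ExternalHostname)"
    if ($h) { Add-Entry "OutlookAnywhere ExternalHostname" "https://$h/" }
    else    { Add-Entry "OutlookAnywhere ExternalHostname" $null }
}

# Report. A hostname passes only if it is on the certificate AND resolves; anything else is
# exactly the condition that produces the Outlook certificate warning described above.
$problems = 0
foreach ($e in $entries) {
    if (-not $e.Host) { Write-Host ("{0,-34} (not set)" -f $e.Service); continue }
    $onCert = Test-NameCovered $e.Host $certNames
    $inDns  = Test-Resolves $e.Host
    if ($onCert -and $inDns) { $status = "ok" } else { $status = "PROBLEM"; $problems++ }
    Write-Host ("{0,-34} {1,-30} cert={2,-5} dns={3,-5} {4}" -f $e.Service, $e.Host, $onCert, $inDns, $status)
}
Write-Host ("{0} hostname(s) need attention." -f $problems)
```

Run it as .\Test-ExchangeUrlNames.ps1 -Server CASServer -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9 from the Exchange Management Shell. A line such as "EWS InternalUrl casnetbiosname cert=False dns=True PROBLEM" is the case this article fixes with Set-WebServicesVirtualDirectory; "cert=True dns=False" means the name is on the certificate but the DNS record from the section above is still missing.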



140 Responses to “Outlook 2007 Certificate Error?”

  1. on 22 Feb 2008 at 10:24 amred-erik

    U saved my job…tnx a lot

    Red.

    P.S. There is a lot of confusing documentation over the net regarding Exchange 2007 certificates (and ISA publishing..)
    Your document is really clear and useful

  2. on 22 Feb 2008 at 5:03 pmElan Shudnow

    Thanks for the positive comments! I’m glad the article was of help to you.

  3. on 06 Mar 2008 at 3:58 pmtibby812

    You are awesome. Thanx for the fix.

  4. on 08 Mar 2008 at 2:41 pmfarisnt

    Hi
    I have this problem, and all the certificate CNs are correct and match the FQDN.
    What can I do?
    Thanks a lot

  5. on 08 Mar 2008 at 5:01 pmElan Shudnow

    I replied to your question on msexchange.org forums. Go there and read my reply.

  6. on 11 Mar 2008 at 9:01 pmmotsis666

    I had the same problem as farisnt, and I looked for your reply on the msexchange.org forum, but I cannot find your post. Please send me the link or post your reply again.
    Thank you very much

  7. on 11 Mar 2008 at 9:07 pmmotsis666

    Sorry
    I found your reply at:
    http://forums.msexchange.org/m_1800468295/mpage_1/key_/tm.htm#1800468447

    You are awesome

  8. on 12 Mar 2008 at 11:29 ampetoulachi

    Hi,

    I had the same problem but solved it in a different way. Instead of modifying the Exchange InternalUrl, I requested a certificate with multiple host names, as Microsoft shows here: http://technet.microsoft.com/en-us/library/aa995942.aspx

    I don’t know which solution is the best, but I think this is a little simpler.

    Hope this helps

  9. on 12 Mar 2008 at 1:15 pmElan Shudnow

    petoulachi, I stated that this solution is for single-name certificates and is specifically for people who are not using UC/SAN certificates. Even if you do have a UC/SAN certificate, you still need to ensure that the Internal and External URLs are specified correctly.

    I posted a more informative reply in regards to your comment at your post on msexchange.org forums. Check it out at the following URL:
    http://forums.msexchange.org/m_1800468544/mpage_1/key_/tm.htm#1800468544

  10. on 18 Mar 2008 at 11:28 pmvividdm

    All Hail Elan, All Hail Elan :)

    I wish I came across this months ago.. thank you sooo much!!!

    only difference i had was with SP1
    -ExternalAuthenticationMethod becomes> -ClientAuthenticationMethod

    can I be, like, the fifth person to say ‘you are awesome!!’ :)

    dm.

  11. on 19 Mar 2008 at 3:13 ampetoulachi

    Hi Elan Shudnow,

    I think that in fact I have a problem with my InternalUrl. Actually, they are the default value (CASServer.domain.local). As I have a certificate with multiple host names, my local users don’t have any problem.

    But my roaming users, using Outlook Anywhere, have a sync issue :
    not downloading offline address book files. A server (URL) could not be located
    0x8004010f

    Searching on the net I have found that it’s often related to the autodiscover InternalUrl. I was thinking that it was more related to the OAB InternalUrl.
    As I’m not really sure, maybe you could confirm what I should do?

    Thanks in advance !

  12. on 19 Mar 2008 at 8:49 amElan Shudnow

    Vividdm -
    Thank you for the comments. I will update my article later today to include the new syntax for SP1.

    petoulachi –
    Roaming users will not use the InternalURL. They will use the ExternalURL. The way this works is that when a domain-joined client is on the corporate network and has connectivity with Active Directory, the client will be able to contact a Service Connection Point stored in Active Directory which contains all the InternalURLs for the services on the internal network.

    When a client is not domain-joined or is outside of the corporate network and does not have direct connectivity to Active Directory, the Outlook client will contact the Autodiscover Service via autodiscover.smtpdomain.com. Note that I say smtpdomain.com. This does not necessarily mean your Active Directory domain. This is mostly your Accepted Domains. You would only really need autodiscover.acceptedsmtpdomain.com for the primary smtp addresses in your e-mail address policy.

    So when a client contacts the Autodiscover Service, the Autodiscover Service will reply with -ExternalURL since the client is either not domain joined or outside of the corporate network. It essentially just means, “No connectivity to AD? No -InternalURL for you!”

    So because of this, -InternalURL could be https://CASServer/Service and work just fine since you know this client is Internal and should be able to contact the CASServer via NetBIOS. But when a client is not domain joined or outside of the corporate network, you want to make sure that you specify the -ExternalURL as a FQDN, mail.domain.com/service. You wouldn’t want it to be a NetBIOS name since you’ll be doing this connection through the Internet.

    You also want to make sure you configure the AutodiscoverInternalURI correctly. This can be FQDN or NetBIOS name. Get-ClientAccessServer to see what it’s set at. Make sure it’s set to something compatible in your certificate.

    After you set all this up, do an update on the OAB and do an update-filedistributionservice which takes the OAB from the OAB generation server and pushes it to the CAS for Outlook 2007 Web Distribution.

  13. on 19 Mar 2008 at 9:16 ampetoulachi

    It just sounds pretty clear to me.

    My InternalUrl for autodiscover is correctly set. However, I have a question about autodiscover.acceptedsmtp.com. Does this URL need to be resolved by my external users? It’s not the case at the moment.

  14. on 19 Mar 2008 at 9:18 ampetoulachi

    Sorry, I hit Tab/Enter unfortunately :p

    So as this DNS name is not resolved, maybe that’s why my roaming users can’t find the OAB?

    Anyway, the OAB (Default Web Site) didn’t have an externalUrl set, so I’ve just set one. Regenerating the OAB seems not to resolve the problem.

  15. on 19 Mar 2008 at 9:21 amElan Shudnow

    Yes, you will need to have an internet resolvable forward lookup zone for every smtpdomain. You will then have to have the autodiscover host (A) record in every forward lookup zone. You will then have to make sure your certificate contains an autodiscover.domain.com FQDN for every smtp domain you have.

  16. on 19 Mar 2008 at 9:23 ampetoulachi

    Okay so the problem should come from that, as this host does not exist for my public DNS.

    I will keep you informed, but it seems to be on the right track :)

    Thanks a lot !

  17. on 19 Mar 2008 at 9:26 amElan Shudnow

    You’re welcome. Glad I could be of help.

  18. on 19 Mar 2008 at 9:34 ampetoulachi

    Well, for testing purposes I have added autodiscover.domain.com to my HOSTS file.

    Now I have a certificate warning. OK, my certificate currently doesn’t have this FQDN. So I have to replace my certificate with a new one that contains this FQDN? So bad, I just sent the other certificate to the ActiveSync users…

    Anyway, after that warning there’s still the sync error. Now I really don’t know what to do.

  19. on 19 Mar 2008 at 9:37 amElan Shudnow

    Set the URL appropriately for the ActiveSync service and make sure the FQDN of the URL is contained in the certificate. You really need to get your DNS set up and get all the FQDNs you need in your certificate. None of your services will work properly until you do so.

    If you need more assistance, I’ll check back later today. I need to get back to work. Hope you get this sorted.

  20. on 20 Mar 2008 at 3:59 pmnjaggers

    Thanks for the great article. However, I am having a problem with one of the powershell scripts. When I execute the enable-outlookanywhere command, this is the error I receive:

    enable-outlookanywhere : the virtual directory ‘rpc’ already exists under ‘CAServer.domain.local/default web site’. Parameter name: virtualdirectoryname

    Any thoughts on what this means and how to properly execute the script in powershell?

  21. on 20 Mar 2008 at 4:08 pmElan Shudnow

    You can try going into the Exchange Management Console and specifying the proper URL there.

    Or you can try doing Set instead of Enable.

    RTM:
    Set-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

    SP1:
    Set-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False

  22. on 21 Mar 2008 at 9:27 pmnjaggers

    Thanks for the reply. I entered this command into PS:

    set-outlookanywhere -identity CAServer -externalhostname "mail.domain.com" -externalauthenticationmethod "basic" -ssloffloading:$false

    This is the response from PS: set-outlookanywhere : the operation could not be performed because object ‘CAServer’ could not be found on the domain controller ‘server.local’

    What am I missing here? All my mail flow is working correctly so I don’t know why PS reported cannot locate my dc. Also, when I attempted to input the command into PS using the -server command instead of the -identity command, this is what returned: set-outlookanywhere :

    a parameter cannot be found that matches parameter name ‘server’

    I think I have been messing with this so long I am missing something obvious. Any insight would be appreciated.

  23. on 22 Mar 2008 at 10:06 amElan Shudnow

    It’s not saying it cannot find your DC, it’s saying it cannot find CASServer, which is your client access server, but might also be a DC if you configured it that way (not recommended). Make sure you replace the word CASServer with the server that has the RPC over HTTP Proxy component installed on it which should be a Client Access Server.

    So if your Client Access Server’s name is CHIEXCCAS01 and your certificate has a name of mail.shudnow.net, you would do:

    set-outlookanywhere -identity CHIEXCCAS01 -externalhostname "mail.shudnow.net" -externalauthenticationmethod "basic" -ssloffloading:$false

    Make sure you replace externalauthenticationmethod with clientauthenticationmethod if you’re using SP1.

    If that doesn’t work, as I said, go into the Exchange Management Console and just manually set it.

  24. on 23 Mar 2008 at 4:40 pmnjaggers

    Thanks! I went into EMC and changed the setting that way. The PS script kept giving me problems.

  25. on 01 Apr 2008 at 3:57 ampetoulachi

    Hi,

    I can’t make autodiscover work from outside, maybe you could take a look at http://forums.msexchange.org/Another_Autodiscover_problem/m_1800470564/tm.htm if you have a solution :)

  26. on 01 Apr 2008 at 5:13 amElan Shudnow

    I have an article that details publishing the autodiscover service in ISA:
    http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/

    One of the things is that ISA 2006 will only read the CN or the 1st SAN name, so you have to trick ISA to make autodiscover publishing to work. I explain how to do that.

  27. on 17 Apr 2008 at 2:03 amketrasap

    Thanks a lot,

    I’ve been trying to fix this issue for months now.

  28. on 05 May 2008 at 4:53 pmkingofbytes

    Sir, you are to be commended for your contributions. Thank you very much!
    -Kingofbytes

  29. [...] When the Out of Office Assistant in Outlook 2007 wants to set the OOF configuration, a connection is made to the “Exchange Web Services” (EWS) virtual directory. Since Outlook does not know the path to the EWS virtual directory, the Autodiscover service has to be contacted for this. For domain members this happens via Active Directory; for everyone else via DNS. So problems can already arise when the required Autodiscover service cannot be found or cannot be contacted. With the function built into Outlook 2007, “E-Mail AutoKonfiguration testen… / Test E-Mail AutoConfiguration”, the connection to the Exchange server can be checked very easily (hold [CTRL] and right-click the Outlook icon in the system tray). Incorrectly configured URLs can be adjusted with the PowerShell command “Set-WebServicesVirtualDirectory”. A good guide to configuring the Web Services can be found on Elan Shudnow’s blog. [...]

  30. on 30 Jun 2008 at 6:34 ambrentvw

    Hi Elan,

    This worked great! Thank you very much. One concern I am having is the following error. This seems to come up every 20 or so minutes.

    An internal transport certificate will expire soon. Thumbprint:9B32B314CB5ABC963F9F0F6A03F22FCD7E832896, hours remaining: 536

    The only difference from your post is when I run Get-ExchangeCertificate, I see two thumbprints… One for the NETBIOS name and then one for the certificate name. I used the thumbprint for the certificate name.

    Thumbprint Services Subject
    ———- ——– ——-
    752714FF7F34CBCCC49A3A72 ….S CN=SM5500SRV
    9B32B314CB522FCD7E832896 IP.WS CN=mail.somecompany.com,…

  31. on 30 Jun 2008 at 6:36 ambrentvw

    Hi, someone just brought to my attention our certificate IS expiring in 536 hours, it is only valid until July 22nd, so this is perfectly normal I guess. One question would be then do I have to do anything with the new certificate.

  32. on 30 Jun 2008 at 3:47 pmElan Shudnow

    Brent, one is your self-signed certificate and one is the mail.somecompany.com certificate. You really don’t have to delete your self-signed certificate because Exchange will always use a certificate signed by a trusted CA before it uses a self-signed certificate. If you are talking about an Edge Server, I would leave the self-signed certificate on there as the Edge Server will copy the self-signed certificate to Active Directory which the Hub Transport Server will use as a trusted mechanism without needing to import the self-signed certificate into the Trusted Root Certificate store on the Hub Transport Server.

    Here is a guide on how to renew the self-signed certificate:
    http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

    For the regular certificate, you can just request a certificate the same way you originally did. If you have exported this certificate and imported it onto other servers such as ISA, make sure you update ISA with the new certificate (importing, attaching to ISA web listener, etc..)

  33. on 24 Jul 2008 at 8:36 amvedholm

    Hi

    Great post! BUT after changing this my “Out of office” won’t work anymore

    This was related to:
    Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml

    when I change it back to “https://servername/Autodiscover/Autodiscover.xml” it works again

    I have created a record in the internal DNS so this “external name” works internal as well, but i still get the same error.

    See article:
    http://www.proexchange.be/modules.php?name=News&file=article&sid=686

    How to fix this :-) ?

    Best regards
    Jesper

  34. on 25 Jul 2008 at 6:01 pmElan Shudnow

    That means DNS doesn’t point to your CAS or the FQDN you specify doesn’t match a name on your certificate, or maybe you require SSL on the autodiscover but you didn’t specify https://.

  35. on 26 Jul 2008 at 2:14 amvedholm

    Hi Elan

    Internally the record owa.domainname.dk points to my CAS – I can see that it resolves just fine. But still, when I change the autodiscover to this DNS name, which matches internally and externally, the “out of office” gets broken again.

    The name on the Exchange web service is matching the certificate called owa.domainname.dk – and externally it works as well with the same name

    Best regards
    Jesper

  36. on 29 Jul 2008 at 3:30 pmElan Shudnow

    Make sure you configured the EWS for the correct InternalURL and ExternalURL:
    Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://owa.domainname.dk/EWS/Exchange.asmx -ExternalURL https://owa.domainname.dk/EWS/Exchange.asmx -BasicAuthentication:$true

  37. on 27 Aug 2008 at 10:54 pmlotusbob

    Thanks for this post. I followed the instructions and the error went away…..for all the users inside the LAN.

    Now I am being told that Outlook Anywhere users outside are getting an error because they are looking for autodiscover.mydomain.com

    I thought I had the problem solved

  38. on 29 Aug 2008 at 7:28 amElan Shudnow

    Here’s the Autodiscover whitepaper:
    http://technet.microsoft.com/en-us/library/bb332063.aspx

    There are a couple of things you can do. You can use an SRV record for Autodiscover, or you can get a UC/SAN certificate from a provider such as Entrust/Digicert/etc. that contains a Subject Alternative Name of autodiscover.domain.com. As far as I remember, the SRV record option will prompt your users for acceptance while the SAN name method will not and is the recommended method. I would read the whitepaper for more information.

  39. on 14 Oct 2008 at 6:53 pmdtstanton

    I’ll preface this with the fact that I am a newbie with PowerShell, but I have been beating my head against the wall with this one; none of the commands you have listed are recognized. Even Get-ExchangeCertificate came back saying unrecognized command or script. Hopefully I am just doing something simple wrong. Any thoughts?

  40. on 14 Oct 2008 at 7:09 pmElan Shudnow

    You need to use the Exchange Management Shell. I assume you’re opening PowerShell itself which doesn’t execute the Exchange Snap-Ins.

  41. on 15 Oct 2008 at 8:18 amdtstanton

    I must have been asleep. I retried everything this morning, and it worked. Thanks.

  42. on 22 Oct 2008 at 11:22 ammegatherion

    Really useful post! I had spent a lot of time trying to solve this problem, then I find this entry and solve the problem in just a couple of minutes. *bows*

  43. on 15 Dec 2008 at 4:58 amJosh

    ssl certificate for…

    You have got to be kidding!…

  44. on 18 Dec 2008 at 10:21 pmPemB

    YOU ARE THE MAN

  45. on 31 Dec 2008 at 12:24 pmJason

    Elan,

    I was able to make the security warning go away but now I can’t hit OWA external or internal, any thoughts? Thank you very much!!

  46. on 01 Jan 2009 at 4:03 pmElan Shudnow

    What errors? You can try the Set-OWAVirtualDirectory command to set the -InternalURL and -ExternalURL.

  47. on 27 Jan 2009 at 9:32 ampragma

    Hi :)

    Thank you for that article – it helped me A LOT! :) The error you mentioned at the top disappeared but another one showed up – it’s almost the same with a small difference: instead of my Exchange server name (mail2 in your case) I have autodiscovery.mydomain.com – can you tell me where I should look for that entry?

    regards

    pragma

  48. on 04 Feb 2009 at 7:38 pmSidewinder

    It should be autodiscover.mydomain.com – no “y”.

  49. on 06 Feb 2009 at 11:56 amKevin Decor

    Hey, thanks for the fix. Worked for me as well!

  50. on 12 Feb 2009 at 10:45 amCam

    Thank you! Your article helped and saved me lots of time. Much appreciated.

  51. on 17 Feb 2009 at 6:35 amwaz

    Cheers, that worked brilliantly. It also solved the issue I had with Outlook giving an operation failed error when doing a send/receive :-)

    thanks again

  52. on 17 Feb 2009 at 6:36 amwaz

    cheers mate, this worked a treat. It also resolved the issue I had with Outlook and operation failed :-)

    thank you

  53. on 06 Mar 2009 at 12:49 pmMike

    Thanks a bunch for the article!

    Note to all: don’t forget to restart Exchange services or reboot for this to take effect, like this dummy did!

  54. on 19 Mar 2009 at 12:44 pmVicks

    Hi Elan,

    We provide exchange hosting service to our clients. Recently we migrated one client to our Exchange Hosted Environment from POP3 services like many of our clients.

    The client is using Outlook 2007, and whenever Outlook is started it comes up with the certificate error. But the error doesn’t come up in Outlook 2003.

    Even when we try to use this URL the same certificate error comes up (the same error as in Outlook 2007):
    https://autodiscover.xyz.co.uk/

    However, our clients using different domains have no issue irrespective of the Outlook version.
    So it seems to be something to do with IIS? We are not sure. Microsoft support is also no good!
    Please advise.

    Many thanks,

    Vikas

  55. on 20 Mar 2009 at 11:53 amElan Shudnow

    Vicks, I wrote a pretty comprehensive article on the Autodiscover and what names you need on certs, dns, using ISA in the mix, etc… I’d give it a read:
    http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/

  56. on 31 Mar 2009 at 7:40 amDane

    Hi Elan,

    I too have been helped by this, so thank you for that.

    I have a question though: what procedure should be followed to avoid having to perform this fix from the shell anyway? I’ve dealt with two examples in SBS 2008 now; both had a default self-signed certificate installed when the OS was installed: remote.domain.com. This was assigned to pretty much everything, internal and external etc. Both clients purchased their own mail.domain.com certificates. Is there a way I should have applied them that would have automatically updated all the internal and external addresses, rather than having to manually go in via the shell and change them all?

    Thanks,
    Dane

  57. on 03 Apr 2009 at 2:41 pmElan Shudnow

    I’m not the person you want to be asking SBS questions to. I’ve never worked with SBS.

  58. on 16 Apr 2009 at 5:17 pmfuji

    You’re the man.
    Everything was fine until I ran the latest Office 2007 updates on my users. Then I started to get the cert error. I changed the NETBIOS name to the cert name and no more security alerts. THANKS

  59. on 02 May 2009 at 8:59 pmMike Connor

    This seems to have cleared up the same annoying problem in Entourage! Everything I could find on it would mostly send a person in the direction of SAN certificates, etc..

  60. on 07 May 2009 at 9:31 amAC

    When is Microsoft going to get their documentation right? I understand the need to provide full documentation, but a simple outline like this is all we typically need. Thanks.

  61. on 14 May 2009 at 2:22 pmDorian Groenewegen

    Hi Elan,

    Thanks man!!
    This guide was very helpful and fixed the problem.
    saved me a lot of time.

    GreetZ Dorian

  62. on 15 May 2009 at 9:38 amElan Shudnow

    Thanks Dorian.

  63. on 29 May 2009 at 10:10 amDavid Nicholas

    We have SBS2008. When applying your fixes above, these commands fail because the “object could not be found on the domain controller”

    Set-WebServicesVirtualDirectory -Identity "SBS1\EWS (Default Web Site)" -InternalURL https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true

    Set-OABVirtualDirectory -Identity "SBS1\OAB (Default Web Site)" -InternalURL https://mail.ourdomain.com/OAB

    Am I missing something in the syntax?

  64. on 29 May 2009 at 1:45 pmElan Shudnow

    Should work but I’m not familiar with any differences in SBS that would prevent this.

  65. on 07 Jun 2009 at 8:07 amPerry

    @ 63 .. In SBS (2008) you should use SBS1\EWS (SBS Web Applications) instead of ( default web site ) because the oab and ews are not under the default website!

    I have a problem after doing all this that outlook 2007 keeps asking for a password.
    Anyone know how to solve that?

    regards
    Perry

  66. on 17 Jun 2009 at 7:45 pmjoe

    I’ve read numerous articles, found this one.. but I still can’t get it to work.. I’m at my wits’ end. First issue is when OL 2007 gives me this error, and I click on VIEW CERTIFICATE, I don’t get the name of the cert. How do I get this info? When I do a get-exchangecertificate cmdlet I get the following

    Thumbprint services subject
    lots of numbers IP.WS CN=BMW
    lots of numbers …… CN=WMSvc-BMW

    So the name of my cert is BMW? BMW is the name of my Exchange 2007 server. So what should be my internal and external URL? I tried various mail.bmw.domainname, I tried bmw.domainname using the cmdlets above, to no avail. Microsoft made this autodiscover so darn complicated geez..

    Also, unlike on my Exchange 2003 server, it looks like I can’t use a self-created cert anymore for OWA, ActiveSync, Outlook Anywhere? No way around this? I know the drawbacks, but can I use a self created insert?

  67. on 17 Jun 2009 at 10:35 pmjoe

    Ok, by following this guide http://www.exchangeinbox.com/article.aspx?i=126 and replacing the cert installed by the Exchange install, and using a new cert generated by a Windows Server 2008 CA, the issue is resolved. However, I have a new error: by using my own private CA cert that I generated, I now get a red X for the first item, “the security certificate is from a trusted certificate authority”, which I expect since this is not from a public CA. So, when I get that error all I should have to do is view the cert and install it manually into my PC; however, it doesn’t seem to work. It continues to complain about the cert even though I manually installed it, which once again I expect since this is not from a public CA but my own private one. Any ideas/suggestions?

  68. on 18 Jun 2009 at 1:42 pmDawn

    Worked great!!!! Thank you, thank you!

  69. on 19 Jun 2009 at 7:08 amJannes Labaere

    Nice!! Thank you!!

  70. on 22 Jun 2009 at 6:26 pmElan Shudnow

    joe, if using an internal CA, you need to make sure your server contains the root certificate of your CA.

  71. on 24 Jun 2009 at 7:52 pmjoe

    got it working.

  72. on 25 Jun 2009 at 9:08 amJames

    So just to be clear, there is no way to make the certificate error go away unless you have a certificate with multiple names?

    I have my SSL certificate that says “mail.domain.com” and I have an alias for “autodiscover.domain.com” pointing to “mail.domain.com”. Everything works perfectly but on startup of Outlook there is a security warning indicating the certificate name does not match for “autodiscover.domain.com”.

    I just want to confirm that I need to resolve this with a multi-named certificate. Mine is from a trusted root provider, so I would have to replace it with a more expensive certificate if this is true.

    Thanks,
    James

    PS – Nice article and reply string. It is very useful.

  73. on 25 Jun 2009 at 10:02 amElan Shudnow

    This whole article explains how to make the error go away without a UC certificate. :P You just need to have split DNS and set your InternalURLs and ExternalURLs to be the same as well as the AutodiscoverServiceInternalURI. If you had a SAN cert, you could put the Server FQDN on the certificate and then leave all the InternalURLs and AutodiscoverServiceInternalURI and then just set your ExternalURLs.

  74. on 25 Jun 2009 at 1:15 pmJames

    OK, but if my internal and external DNS are all “domain.com” will this approach still work?

  75. on 25 Jun 2009 at 1:55 pm Elan Shudnow

    That’s what split DNS is. So yes.

  76. on 29 Jun 2009 at 9:46 pm Larry

    Thanks a zillion…this eliminated the problem…why is this not straightforward when installing the original certificate?

  77. on 29 Jun 2009 at 11:10 pm Elan Shudnow

    Welcome. Ya, it can be confusing for those who don’t work with Exchange much or who are new to Exchange 2007 and don’t understand Autodiscover or the services that utilize InternalURL and ExternalURL. Exchange 2010 makes it a little easier by allowing you to specify if a new CAS server is an Internet Facing CAS and automatically set your ExternalURLs. But it doesn’t let you automatically specify InternalURLs if using a regular SSL certificate. So the issue will still exist in Exchange 2010.

  78. on 30 Jun 2009 at 6:39 pm Ramiro

    Elan,
    I followed all your instructions and finally I have my cert running well. The error in Outlook disappeared, but I have another issue now. Each time I open Outlook it asks for credentials, even when connected to the network at the office.

    Any thoughts?

  79. on 01 Jul 2009 at 7:24 am ChrisPogi

    Great Article!

    I had a difficult time however (I’m on SBS2008) setting the OAB and WebServices internal URLs; I kept getting the “object not found” error as outlined in *63. Tried the answer from *68 and it didn’t work.

    Just fixed it today by leaving out the -identity tag, which it would ask me for afterwards; doing it that way worked for me.

    OAB and EWS were under the (Default Web Site) for me [in reference to post 68 above]

    Thanks Elan!

  80. on 01 Jul 2009 at 8:59 am Ramiro

    Update: I didn’t tell you that I was upgrading from Ex 2003 to 2007. Knowing that, I am at the point of replicating the public folders, and I already moved my mailbox to the 2007 server. I have a certificate for mail.mycompany.com (GoDaddy) working well on the 2003 Exchange, so when I installed the same certificate on the new server is when I had the issue described in your article. As I said, following your instructions the certificate issue disappeared, but now Outlook asks me for credentials when it opens, and this happens ONLY if DNS (or the hosts file on my computer, which I modify for testing) points “mail.mycompany.com” to the new server. So I guess it has something to do with the public folders that are not moved yet. Am I right?

  81. on 01 Jul 2009 at 11:14 pm Elan Shudnow

    ChrisPogi, you’re welcome. And thanks for posting the thank you as well as your issue and what you did to work around it.

  82. on 01 Jul 2009 at 11:17 pm Elan Shudnow

    Ramiro, that shouldn’t be an issue. Are you running on Server 2008? If so, you may want to check out my following blog post here.

  83. on 02 Jul 2009 at 1:53 pm Ramiro

    Yes, I’m running it on a 2008 Server, and I read your other post, but I couldn’t find anything relevant since I did have Rollup 8 for Exchange 2007 SP1 installed.
    What I noticed, though, is that Outlook Anywhere is autoconfigured as part of the Autodiscover function, so Outlook is behaving as if it is outside of the network; that’s why it is asking for credentials at startup.

  84. on 02 Jul 2009 at 2:46 pm Elan Shudnow

    Well, one of the things I have in there is disabling IPv6. In short, when IPv6 is enabled, the RPC/Proxy service doesn’t listen on port 6004 for IPv6, so Outlook Anywhere fails. So you need to completely disable IPv6 (not just uncheck it from the NIC).

    Also, configuring OA by Autodiscover doesn’t configure it to always connect via OA. Only when you don’t have RPC connectivity directly to your mailbox server, unless you’ve configured it otherwise.

  85. on 06 Jul 2009 at 3:17 pm Ramiro

    Ok,
    Today I realized that the problem was only with my mailbox. It didn’t happen with the other already moved mailboxes.
    Finally I figured out that it was only a problem of a password stored in the “Vista Network passwords” feature. In short, I had mail.mycompany.com stored there with who knows what, so I deleted that entry and Outlook stopped bothering me by asking for the password.

    Thank you for the help Elan. The important thing here is that the explanation in your article totally solved my certificate issue, and this other thing had nothing to do with your instructions.

    Thanks again

  86. on 07 Jul 2009 at 12:34 am Nilson

    Your article, combined with post 65 solved the problem on my SBS2008. Works perfectly now.

    Thanks a lot!

  87. on 21 Jul 2009 at 1:35 pm Martins

    Hi Elan Shudnow

    We have the same problem. Outlook 2007 complains about the certificate error only internally.
    From external access we don’t have this problem. We use an external certificate (Unicert) for webmail.ourcompany.com.

    I’m thinking of following your procedure step-by-step, but the CAS and HUB roles are on two servers in NLB.

    The question is: do you see any problem in an environment like this? Or better, is an additional procedure not necessary for CAS/HUB in NLB?

    Thank you

    Martins

  88. on 30 Jul 2009 at 11:49 am Todd

    Elan, you are amazing…your instructions worked flawlessly…THANKS!!!

  89. on 30 Jul 2009 at 3:21 pm wow-Impressed

    I have to say!!! WOW!! I spent 2 months on this, everyone said different things, I found your article and had it working before lunch!!!

    Thank you SO MUCH m8, you saved my bacon!!

  90. on 12 Aug 2009 at 9:13 am RTessanne

    I too have followed this amazing post and it resolved all but one issue that is driving me insane.

    I have 2 sites connected via Site-to-Site VPN tunnel. The Exchange 2007 server is at Site 1 and clients are at Site 1 and Site 2. All of the users in Site 1 are working fine however, all the users in Site 2 still get the certificate popup when they open Outlook 2007.

    Background:
    1 Domain “domain.local” internal Windows 2003 AD with Domain Controllers in each location with updated DNS entries to match my certificate “mail.domain.com” pointing to the INTERNAL IP of the Exchange 2007 server. Again, everything is fine from Site 1.

    Site 2 is fully replicated with the DC’s and they are also GC’s (not that it would matter). They can perform NSLOOKUP and resolve mail.domain.com to the internal IP address just fine, so I am not sure why I am still getting this error message.

    I have re-pasted CLI’s and restarted the POOL and the server so many times that the power button is wearing out (just kidding).

    Please if you can offer any more assistance on this it would save my hide!!

    Rob

  91. on 21 Aug 2009 at 10:00 am Eduardo Almeida

    Hi,

    Excellent article. You could add as a last step to recycle the MSExchangeAutodiscoverAppPool pool in IIS.

    Thanks,

    Eduardo

  92. on 10 Sep 2009 at 11:29 pm Daniel

    Thanks very much, I was spending a lot of time on the internet to find the answer…

    I am not an Exchange admin, so this guide helped a lot.

    Thanks

  93. on 16 Sep 2009 at 5:04 am PMD

    This really sorted me out. Thanks a lot

  94. on 21 Sep 2009 at 6:09 pm Gabe

    Elan,

    Great article. Thanks.

    My one big question, though, is how will these changes affect Outlook 2007 clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.

    Thanks,
    Gabe

  95. on 22 Sep 2009 at 8:25 pm Elan Shudnow

    It really shouldn't matter. As long as DNS/NetBIOS can hit the server and the certificate that is on the Exchange Server has that name, it should be transparent to the user.

  96. on 23 Sep 2009 at 5:33 pm MAXhYpe

    Great post, and I think I understand more now about certificates. I have been battling for days with a scenario where I have a Thawte certificate that was purchased for webmail access. I ordered one where I only added webmail.data.com as the server name, while internally the server is EXCBACK and EXCBACK.domain.local. So I created a self-signed certificate that I wanted to use for Outlook users, but for some reason it is only the Thawte certificate they "pull" when connecting. I did run Enable-exchangecertificate -services IMAP, POP, SMTP on the self-signed one and Enable-exchangecertificate -services IIS on the Thawte one. But still, Outlook connects and throws a warning saying the Thawte certificate does not have the EXCBACK name listed in it, only webmail.data.com. What is it I am missing here?

  97. on 24 Sep 2009 at 3:27 am eshudnow

    You need to update your InternalURLs and possibly ExternalURLs as well as AutodiscoverServiceInternalURI so they don't have the EXCBACK. That way they connect to Exchange using the webmail.data.com name which the certificate will have.

  98. on 28 Sep 2009 at 9:28 pm JeremyP

    You saved me many, many headaches with this article. Thanks a ton!

  100. on 12 Oct 2009 at 2:24 pm Michael Butterworth

    Thanks. It's a bit of a pain. Whichever way you do it, you get certificate errors until you do lots of stuff Microsoft don't tell you in training.

  101. on 13 Oct 2009 at 7:48 pm chad

    I would like to thank you for the easy to follow fix for this certificate error!

    I have a problem that has started since I did this fix. To give you some information, the certificate request was generated using IIS and was imported into IIS. We currently only use OWA externally. We were able to access https://mail.mydomain.com/OWA from the inside or outside of our network with no issues and with no certificate errors at this point, but we were getting the certificate error in Outlook 2007. I followed your guide and have verified the settings, but now when I go to https://mail.mydomain.com/OWA from inside or outside I get a certificate error and I am redirected to https://server.mydomain.com/owa/auth/logon.aspx?r... and since there isn't an external DNS entry for server.mydomain.com I can't get to my OWA. I am unable to figure out what would have changed this from the commands above but I am not getting anywhere. My certificate is for mail.mydomain.com.

    Thanks for all your help!

  102. on 13 Oct 2009 at 9:38 pm Elan Shudnow

    You'll probably want to use the Set-OWAVirtualDirectory command and use the InternalURL and/or ExternalURL to ensure that it has a name that is on your certificate. For example, Set-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -InternalURL https://mail.mydomain.com/owa -ExternalURL https://mail.mydomain.com/owa.

  105. on 05 Nov 2009 at 9:25 pm Tommy

    I understand the document and follow the steps, but every time I get to (Default Web Site)” I get an error. What am I doing wrong? I am going insane

  106. on 05 Nov 2009 at 10:32 pm Elan Shudnow

    Can you provide the error you're getting?

  107. on 20 Nov 2009 at 7:21 pm J.P.

    Worked Like a Charm!!!!

  108. on 24 Nov 2009 at 1:31 pm T.C

    Hi,
    I have an Exchange 2010 and am trying to get ActiveSync to work for push e-mails

    testing using https://www.testexchangeconnectivity.com gives me an error with the certificate

    "Host name <domian name> does not match any name found on the server certificate CN=<computer name>"

    How do I add the domain name to the certificate?

    thanks

  109. on 24 Nov 2009 at 2:21 pm Elan Shudnow

    T.C., you can use the new certificate wizard to request a new certificate. Check out this video for more information:
    http://www.msexchange.org/articles_tutorials/vide...

  110. on 25 Nov 2009 at 2:37 pm VXR Dave

    You're a life saver mate.

  111. on 25 Nov 2009 at 6:12 pm RBEX2007

    Everything works now for domainA. If I add domainB, will Autodiscover work for OWA and Outlook Anywhere? Can I still use a single cert?

    Thanks for your help.

  112. on 09 Dec 2009 at 5:21 pm Darrell

    Super! Great instructions!!!!

  113. on 16 Dec 2009 at 5:51 pm GCamacho

    Thanks buddy! This was the easiest fix to the issue that I was able to find. Keep up the awesome work!

  115. on 07 Jan 2010 at 1:18 pm Radek

    Hi guys,
    I have a very similar problem, but only with internal access from my Outlook clients.
    Everything from outside the network (internet) is working fine: Outlook Anywhere, ActiveSync to mobile devices, Outlook Web Access … nothing has a problem.

    But when my Outlook clients try to connect from the local area network to the CAS server, I get the warning with the certificate error.
    I get the same certificate warning if I try to access Outlook Web Access.

    I have set all the paths, directories etc. in the right way. External things point to server.domain.com, internal things point to server.domain.local.
    The SSL certificate is signed by the STARTSSL CA, which is a publicly trusted CA, and it is for the server.domain.com name.

    So I can understand why Outlook clients have problems if they try to connect from the local area network, because the SSL certificate is for another name of the server. But why are they using SSL for the connection? I have them inside the company network; I don't need to use RPC over HTTPS for them. Maybe the problem is that my server has only one IP address and has all Exchange roles together on one machine …?

    Thank you for any kind of tips

    With regards, Radek

  116. on 08 Jan 2010 at 6:14 am Elan Shudnow

    Because Outlook 2007+ uses web services not just for OWA or Outlook Anywhere. It uses it for OOF, Free/Busy, OAB, Autodiscover, etc… The entire article already explains this and why you need to set the InternalURLs properly. Basically, I have already answered your question in my article as to why the InternalURLs need to match the name of the certificate.

  117. on 27 Jan 2010 at 10:56 pm annalynn

    I'm having this same issue, but I was never on an Exchange server.

  118. on 01 Feb 2010 at 2:09 am saint

    I’m using UC but still getting the 8004010f error in Outlook 2007. Send/receive works well but it’s annoying. Any hint?

    Thanks.

  119. on 01 Feb 2010 at 7:22 am saint

    Hi,

    I'm using UC and having an issue with the 8004010f error in Outlook 2007. Send/Receive works well but it's annoying.
    Any hints?

    Thanks.

  120. on 04 Feb 2010 at 6:37 pm Elan Shudnow

    Try Best Practices Analyzer to see if it flags something that can possibly be fixed and thus possibly making your error code go away. Other than that, start Googling/Binging the error code and do things articles tell you till it's gone.

  121. on 08 Feb 2010 at 6:30 am Eve

    I wish I had found your blog last week :)
    Big thank you

  122. on 25 Mar 2010 at 2:41 am NG GEE SING

    Hi Mr Elan,

    I am having an issue in my Exchange environment.

    Status: 3 Exchange servers
    exchange-01 – roles -> hub, client access, mailbox
    exchange-02 – role -> client access
    exchange-03 – role -> mailbox

    I have just imported a new single-name certificate with the name "mail2.domain.com" on exchange-02, faced the problem you posted about on the blog and solved it with your solution.

    But a new problem shows up where users who use Outlook 2007 are unable to download the offline address book. I tried running Test E-mail AutoConfiguration and found that users who use Outlook 2007 are connected to exchange-01/OAB but not exchange-02.

    kindly need your help

  123. on 01 Apr 2010 at 2:43 pm Frank Cone

    Hello,

    I have an Exchange 2010 server with this issue. I did multiple searches and found basically this info (Not as cleanly laid out though). I followed the instructions down to the last command

    (Set-UMVirtualDirectory -Identity “CASServerUnifiedMessaging (Default Web Site)” -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service... -BasicAuthentication:$true)

    At that point I get the following:

    The term 'set-umvirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

    I went ahead and created a new SRV record pointing mail.companyname.org to the IP, and now if I ping mail.companyname.org it resolves to the IP address of the CAS server.

    Any assistance is appreciated.

    Thank you,
    Frank

  124. on 02 Apr 2010 at 1:21 pm eshudnow

    Frank, you do not have to do this in Exchange 2010 as there is no more Unified Messaging virtual directory. In Exchange 2010, Exchange Web Services (EWS) is now used for Unified Messaging functionality. I will make a note in the article about this.

  125. on 19 Apr 2010 at 3:48 pm NSJ

    What about when it happens to the remote site and not at the corporate office? I would think the same certificate would be used in both places, but the remote site is having the problem and corporate claims it never sees the error message. I would think that it would show up for both sites if a problem exists.

  126. on 20 Apr 2010 at 11:55 am eshudnow

    It depends on your setup. I would check out the following article to understand how proxying and redirection works: http://technet.microsoft.com/en-us/library/bb3107...

    Either way, you need to make sure that the sites trust each other's certificates and the AutodiscoverServiceInternalURL, InternalURLs, and ExternalURLs are all on the certificate. The same goes for autodiscover.domain.com if you want to support autodiscover for outside clients and internal non-domain joined clients.
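    The requirement in this reply and in reply 73 (every InternalURL, ExternalURL and the AutodiscoverServiceInternalURI must carry a name that is on the certificate) can be audited from the Exchange Management Shell before Outlook reports the mismatch. The script below is an added example, not code from the article or from any commenter; it assumes it is run on the CAS being checked with standard Exchange 2007/2010 cmdlets, and the thumbprint at the end is a placeholder, not a value from this page.

```powershell
# Added example (not from the article or thread): list every client-access name
# Outlook can be sent to and flag those missing from the certificate's CN/SANs.
# Assumes the Exchange Management Shell on the CAS; UM (2007 only) and ECP
# (2010 only) virtual directories are left out so it runs on both versions.

function Test-NameOnCertificate {
    # $true when $HostName equals a certificate name or is covered by a wildcard.
    # A wildcard (*.domain.com) covers exactly one extra label: mail.domain.com
    # matches, autodiscover.eu.domain.com does not.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                 # ".domain.com"
            $cmp = [System.StringComparison]::OrdinalIgnoreCase
            if ($HostName.EndsWith($suffix, $cmp)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-ClientAccessUrls {
    # Every URL the article says must match the certificate, tagged with its source.
    param([string]$Server)
    $entries = @()
    $cas = Get-ClientAccessServer -Identity $Server
    if ($cas.AutoDiscoverServiceInternalUri) {
        $entries += @{ Source = 'AutoDiscoverServiceInternalUri'
                       Url = $cas.AutoDiscoverServiceInternalUri.ToString() }
    }
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server)
    foreach ($vd in $vdirs) {
        if ($vd.InternalUrl) { $entries += @{ Source = "$($vd.Identity) InternalUrl"; Url = $vd.InternalUrl.ToString() } }
        if ($vd.ExternalUrl) { $entries += @{ Source = "$($vd.Identity) ExternalUrl"; Url = $vd.ExternalUrl.ToString() } }
    }
    foreach ($oa in @(Get-OutlookAnywhere -Server $Server)) {
        # ExternalHostname is a bare host name; wrap it so the same Uri parsing applies.
        if ($oa.ExternalHostname) { $entries += @{ Source = 'OutlookAnywhere ExternalHostname'; Url = "https://$($oa.ExternalHostname)/rpc" } }
    }
    return $entries
}

function Test-ExchangeUrlsOnCertificate {
    # Returns the number of URLs whose host name is not on the certificate (0 = clean).
    param([string]$Thumbprint, [string]$Server = $env:COMPUTERNAME)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # CertificateDomains holds the CN plus every Subject Alternative Name.
    $certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = 0
    foreach ($e in Get-ClientAccessUrls -Server $Server) {
        $hostName = ([System.Uri]$e.Url).Host
        $status = 'OK     '
        if (-not (Test-NameOnCertificate -HostName $hostName -CertNames $certNames)) {
            $status = 'MISSING'   # Outlook will warn: fix with Set-*VirtualDirectory / Set-ClientAccessServer
            $missing++
        }
        Write-Host ("{0} {1,-40} {2}" -f $status, $hostName, $e.Source)
    }
    Write-Host ("Certificate names: " + [string]::Join(', ', $certNames))
    return $missing
}

Test-ExchangeUrlsOnCertificate -Thumbprint 'REPLACE_WITH_CERTIFICATE_THUMBPRINT'
```

    Any line marked MISSING is a name Outlook will be handed that the certificate cannot vouch for; with a single-name certificate and split DNS, the fix is the one the article describes, pointing that URL at the certificate name rather than at the server FQDN.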

  127. on 26 Apr 2010 at 4:43 am chris

    I still use this as a list of all places to make changes to URLs in Exchange; it's useful when changing internal OR external values. Thanks for putting the effort in!

  128. on 12 May 2010 at 7:56 pm Matt

    Only had to change the Thumbprint and the AutoDiscover internally…. thanks so much!!
    This really helped!

  129. on 17 May 2010 at 3:17 pm Cillie

    Don't know what I did.
    Tried everything in this post. But still getting the error "The name on the security certificate is invalid or does not match the name of the site."

    I'm on Exchange 2010 though. So leaving the command Set-UMVirtualDirectory out.
    AD is on 2008 R2. Exchange is installed on one of the AD's. The GC of the 2.

  130. on 17 May 2010 at 6:47 pm Jason

    Hey, Thanks! This resolved a few things for me, but I'm still getting a Certificate Error in outlook with the title of "sites", before the Certificate Error had a different title.

    Can you help me?

  131. on 09 Jun 2010 at 5:01 pm Dagan Henderson

    One thing you may want to add is that it may be necessary to reboot the system for the changes to take effect. I was going crazy trying to think of which service must still be directing to the internal server name and finally gave up for the night. The next day the error message had stopped appearing.

  132. on 23 Jun 2010 at 10:39 pm yan

    On SBS 2008 the commands need to include (SBS Web Applications), not Default Web Site. Default Web Site doesn't include those sites anymore.

  133. on 12 Jul 2010 at 9:27 pm Claudio

    YOU ARE A LIFE SAVER!!!!! THANK YOU SO MUCH!!!!

    Claudio

  135. on 15 Jul 2010 at 2:33 am Christo

    Hi Elan,

    Does this also apply to an Exchange environment that has multiple Exchange CAS servers (geographically) on the same domain (WAN)?

    I have noticed that all my CAS servers have their own Autodiscover URI. Would I need to configure each CAS server individually? I only use one primary CAS server for external OWA access. This CAS then routes District users to the District CAS/Mailbox server that hosts their mail.

    We do not use secure email (HTTPS) due to limitations on our WAN (Government Dept sitting on a centrally supplied and managed WAN for ALL Depts).

    I hope I am not too confusing.

    Regards,
    Christo

  136. on 19 Jul 2010 at 5:09 pm jeff

    wow!! this actually worked!! it is depressing that Microsoft cannot create a simple article like this. this worked like a charm!! i hope people will actually find this article. thank you so much for putting this together!!!

  137. on 19 Jul 2010 at 5:42 pm Elan Shudnow

    They actually do have a KB on this. But I created this article before that KB existed. :)

  138. on 21 Jul 2010 at 7:26 pm paypwip

    +1 to People Helped, thanks.

  139. on 26 Jul 2010 at 3:45 pm Nasatech

    Me too…. :-(

  140. on 26 Jul 2010 at 4:11 pm Nasatech

    Just found the solution:

    Make a fake zone for autodiscover."yourdomainname" and point it with a CNAME to the external name resolving to your internal mail server IP. It must be a CNAME and not an A record.

    Go to your DNS management, Administrative Tools -> DNS. First, in the Forward Lookup Zone (FLZ) for domain.com, right-click (RC) domain.com and select 'New Host (A)'; enter "mail" for the name and input the internal IP of your CAS. Next, RC the FLZ under your server and select 'New Zone'. Click 'Next' at the wizard introduction, leave the zone type as Primary and Active Directory integrated, click 'Next', leave the zone replication on the default (to all domain DNS servers), click 'Next', for the name enter "autodiscover.domain.com", click 'Next', for dynamic updates change the setting to 'Allow both unsecure and secure dynamic updates', click 'Next', then click 'Finish'. Now RC the new autodiscover.domain.com zone and select 'New Alias (CNAME)'; leave the name field blank and just click the Browse button. In the browse window, double-click (DC) the server name, DC the FLZ folder, DC domain.com and then select the "mail" entry; click 'OK' to complete. You can now close DNS.