Outlook 2007 Certificate Error?
When importing a new certificate into Exchange 2007/2010, you might encounter a certificate error in Outlook 2007/2010. I have included a screenshot of the error I encountered with Outlook 2007:

When you choose the View Certificate button, it brings up another window that shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”
So, the million-dollar question: why the error?
Well, when we install a new certificate, there are a few tasks we want to do. Obviously, we install the certificate for a purpose: to allow us to use Exchange services securely. So how do we enable Exchange to use these services? If you are planning a very simple configuration and do not care about external Autodiscover access, you do not need to use a Unified Communications Certificate. You can read more about these certificates in one of my other articles here.
So let’s say we have a simple, regular common certificate: a certificate with a Common Name (CN) of mail.shudnow.net. We install this certificate onto our Exchange box with its private key. In our case we were migrating, so we did not have to request a certificate via IIS; we just exported it with its private key and imported it onto the new box. We then assigned this certificate to IIS. Next I went to the Exchange Management Shell and enabled Exchange services to use this certificate. To do this, run the following commands:
Get-ExchangeCertificate
Thumbprint Services Subject
———- ——– ——-
BCF9F2C3D245E2588AB5895C37D8D914503D162E9 SIP.W CN=mail.shudnow.net.com
I then enabled the new certificate for every available service with the following command:
Enable-ExchangeCertificate -Services IMAP, POP, UM, IIS, SMTP -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9
The next step is to ensure the AutoDiscoverServiceInternalUri points to the CAS that will be your primary CAS for Autodiscover servicing.
Get-ClientAccessServer -Identity CASServer | FL
AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml
See the issue here? We are not using a UC certificate that contains the names “casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and autodiscover.shudnow.net”. Since the Autodiscover directory in IIS will be requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalUri must match a name in your certificate. You must also ensure there is a DNS record that allows mail.shudnow.net to resolve to your CAS. We should re-configure the AutoDiscoverServiceInternalUri by using the following command:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
We now need to go configure all the InternalURLs for each web distributed service. If you are going to be utilizing the Autodiscover service from the outside or for non-domain joined clients, you may want to configure an -ExternalURL in addition to your -InternalURL.
Here is the reason why we were receiving the certificate errors. Your InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are most likely pointed to something such as https://casnetbiosname/ServiceURL which will fail since this is not the CN of your simple certificate.
You can run the following commands to fix your InternalURLs so your Outlook 2007 client can successfully take advantage of your web distribution services.
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB
Note: You must ensure that you enable SSL on the OAB directory in IIS which is not on by default. The above command will only enable SSL, but will not ensure 128-bit SSL is required.
Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False
Note: The above Enable-OutlookAnywhere command works on SP1. For RTM, substitute -ClientAuthenticationMethod with -ExternalAuthenticationMethod.
Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync
Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true
Note: The above Set-UMVirtualDirectory command is not needed in Exchange 2010. Exchange 2010 no longer contains a UnifiedMessaging virtual directory and instead uses the Web Services Virtual Directory.
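Once the commands above have been run, the quickest way to confirm nothing was missed is to compare every URL the CAS hands to Outlook against the names on the certificate that is enabled for IIS. The script below is an added example written for this article, not code from the original post; it assumes the Exchange 2007/2010 Management Shell, and "CASServer" is a placeholder for your own CAS name.

```powershell
# Added example (not from the original post): list every URL/host name that Exchange
# hands to Outlook 2007 from this CAS and flag those not covered by the IIS certificate.
# Assumes the Exchange Management Shell; "CASServer" is a placeholder for your CAS.
$Server = "CASServer"

# Exact match, or a single-label wildcard (*.example.com), which is how Outlook
# evaluates a certificate name against the host in the URL it was given.
function Test-NameOnCertificate {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith("*.") -and
            $HostName.EndsWith($n.Substring(1), "OrdinalIgnoreCase") -and
            $HostName.Split(".").Length -eq $n.Split(".").Length) { return $true }
    }
    return $false
}

# The certificate currently enabled for IIS (the "W" in the Services column)
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on this server" }
$certNames = @($cert.CertificateDomains)          # CN plus any SAN entries
"IIS certificate {0} covers: {1}" -f $cert.Thumbprint, ($certNames -join ", ")

# Every URL the SCP (domain-joined clients) or Autodiscover (everyone else) can return
$urls = @{}
$urls["AutoDiscoverServiceInternalUri"] =
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$vdirs = @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) +
         @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    $urls["$($vd.Identity) InternalUrl"] = $vd.InternalUrl
    $urls["$($vd.Identity) ExternalUrl"] = $vd.ExternalUrl
}
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) {
    $urls["OutlookAnywhere ExternalHostname"] = "https://$($oa.ExternalHostname)/rpc"
}

# A host name that is not on the certificate is exactly what produces the Outlook popup;
# a plain http:// URL for a directory that requires SSL is reported as well.
foreach ($entry in $urls.GetEnumerator() | Sort-Object Key) {
    if (-not $entry.Value) { "{0,-55} (not set)" -f $entry.Key; continue }
    $uri = [Uri]"$($entry.Value)"
    $ok  = ($uri.Scheme -eq "https") -and (Test-NameOnCertificate $uri.Host $certNames)
    "{0,-55} {1,-30} {2}" -f $entry.Key, $uri.Host,
        $(if ($ok) { "OK" } else { "NOT ON CERT / NOT HTTPS" })
}
```

Any line reported as NOT ON CERT needs either its URL changed to the certificate's CN (as the article does) or a certificate that carries that name.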
Elan Shudnow :: Aug.10.2007 :: Exchange, Exchange 2010, Office ::

U saved my job…tnx a lot
Red.
P.S. There is a lot of confusing documentation over the net regarding Exchange 2007 certificates (and ISA Publishing..)
Your document is really clear and useful
Thanks for the positive comments! I’m glad the article was of help to you.
You are awesome. Thanx for the fix.
Hi
I have this problem, and all the certificate CNs are correct and match the FQDN.
What can I do?
Thanks alootttt
I replied to your question on msexchange.org forums. Go there and read my reply.
I had the same problem as Farist, and I found your reply at the msexchange.org forum, but I cannot find your post. Please send me the link or post your reply again.
Thank you very much
Sorry
I found your reply at:
http://forums.msexchange.org/m_1800468295/mpage_1/key_/tm.htm#1800468447
You are awesome
Hi,
I had the same problem but solved it in a different way. Instead of modifying the Exchange InternalUrl, I requested a certificate with multiple host names, as Microsoft shows here: http://technet.microsoft.com/en-us/library/aa995942.aspx
I don’t know which solution is the best, but I think this is a little simpler.
Hope this helps
petoulachi, I stated that this solution is for single-name certificates and is specifically for people who are not using UC/SAN certificates. Even if you do have a UC/SAN certificate, you still need to ensure that the Internal and External URLs are specified correctly.
I posted a more informative reply in regards to your comment at your post on msexchange.org forums. Check it out at the following URL:
http://forums.msexchange.org/m_1800468544/mpage_1/key_/tm.htm#1800468544
All Hail Elan, All Hail Elan :)
I wish I had come across this months ago.. thank you sooo much!!!
only difference i had was with SP1
-ExternalAuthenticationMethod becomes> -ClientAuthenticationMethod
Can I be, like, the fifth person to say ‘you are awesome!!’ :)
dm.
Hi Elan Shudnow,
I think that in fact I have a problem with my InternalUrl. Actually, they are the default value (CASServer.domain.local). As I have a certificate with multiple host names, my local users don’t have any problem.
But my roaming users, using Outlook Anywhere, have a sync issue:
not downloading offline address book files. A server (URL) could not be located
0x8004010f
Searching on the net I have found that it’s often related to the autodiscover InternalUrl. I was thinking that it was more related to OAB InternalUrl.
As I’m not really sure, maybe you could confirm what I should do?
Thanks in advance !
Vividdm -
Thank you for the comments. I will update my article later today to include the new syntax for SP1.
petoulachi –
Roaming users will not use the InternalURL. They will use the ExternalURL. The way this works is that when a domain-joined client is on the corporate network and has connectivity with Active Directory, the client will be able to contact a Service Connection Point stored in Active Directory which contains all the InternalURLs for the services on the internal network.
When a client is not domain-joined or is outside of the corporate network and does not have direct connectivity to Active Directory, the Outlook client will contact the Autodiscover Service via autodiscover.smtpdomain.com. Note that I say smtpdomain.com. This does not necessarily mean your Active Directory domain. This is mostly your Accepted Domains. You would only really need autodiscover.acceptedsmtpdomain.com for the primary smtp addresses in your e-mail address policy.
So when a client contacts the Autodiscover Service, the Autodiscover Service will reply with -ExternalURL since the client is either not domain joined or outside of the corporate network. It essentially just means, “No connectivity to AD? No -InternalURL for you!”
So because of this, -InternalURL could be https://CASServer/Service and work just fine since you know this client is Internal and should be able to contact the CASServer via NetBIOS. But when a client is not domain joined or outside of the corporate network, you want to make sure that you specify the -ExternalURL as a FQDN, mail.domain.com/service. You wouldn’t want it to be a NetBIOS name since you’ll be doing this connection through the Internet.
You also want to make sure you configure the AutodiscoverInternalURI correctly. This can be FQDN or NetBIOS name. Get-ClientAccessServer to see what it’s set at. Make sure it’s set to something compatible in your certificate.
After you set all this up, do an update on the OAB and do an update-filedistributionservice which takes the OAB from the OAB generation server and pushes it to the CAS for Outlook 2007 Web Distribution.
It sounds pretty clear to me.
My InternalUrl for autodiscover is correctly set. However, I have a question about the autodiscover.acceptedsmtp.com. Does this URL need to be resolved by my external users? It’s not the case at the moment.
Sorry, I hit Tab/Enter unfortunately :p
So, as this DNS name is not resolved, maybe that’s why my roaming users can’t find the OAB?
Anyway, the OAB (Default Web Site) didn’t have an ExternalUrl set, so I’ve just set one. Regenerating the OAB seems not to resolve the problem.
Yes, you will need to have an internet resolvable forward lookup zone for every smtpdomain. You will then have to have the autodiscover host (A) record in every forward lookup zone. You will then have to make sure your certificate contains an autodiscover.domain.com FQDN for every smtp domain you have.
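The three requirements in the reply above (a forward lookup zone per SMTP domain, an autodiscover host record in each, and the name on the certificate) can be checked in one pass. This is an added example written for this thread, not code from the blog or its author; it assumes the Exchange Management Shell on a CAS, and the DNS part only tests resolution from the machine it runs on.

```powershell
# Added example, not part of the original thread: for each accepted SMTP domain, check
# that autodiscover.<domain> resolves from this machine and is a name on the certificate
# Exchange has enabled for IIS. Run in the Exchange Management Shell on a CAS.
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate is enabled for IIS on this server" }
$certNames = @($cert.CertificateDomains)            # CN plus any SAN entries

foreach ($accepted in Get-AcceptedDomain) {
    # An accepted domain that includes subdomains displays as "*.example.com"; strip that
    $domain = "$($accepted.DomainName)" -replace '^\*\.', ''
    $name   = "autodiscover.$domain"

    # DNS from this host: inside the network split DNS should answer; repeat the same
    # lookup from outside (or against a public resolver) to verify the Internet zone.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) |
               ForEach-Object { $_.IPAddressToString }
        $dns = "resolves to " + ($ips -join ", ")
    } catch {
        $dns = "DOES NOT RESOLVE"
    }

    # Certificate: an exact SAN entry, or a single-label wildcard such as *.example.com
    # ("." is literal in -like, so the only wildcard in play is the leading "*")
    $onCert = @($certNames | Where-Object {
        $name -ieq $_ -or
        ($_.StartsWith("*.") -and $name -like $_ -and
         $name.Split(".").Length -eq $_.Split(".").Length)
    }).Count -gt 0

    "{0,-45} {1,-40} {2}" -f $name, $dns,
        $(if ($onCert) { "on certificate" } else { "NOT ON CERTIFICATE" })
}
```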
Okay so the problem should come from that, as this host does not exist for my public DNS.
I’ll keep you informed, but it seems to be on a good way :)
Thanks a lot !
You’re welcome. Glad I could be of help.
Well, for testing purposes I have put autodiscover.domain.com in my HOSTS file.
Now I have a certificate warning. OK, my certificate currently doesn’t have this FQDN. So I have to change my certificate to a new one that contains this FQDN? So bad, I just sent the other certificate to ActiveSync users…
Anyway, after that warning there’s still the sync error. Now I really don’t know what to do.
Set the URL appropriately for the ActiveSync service and make sure the FQDN of the URL is contained in the certificate. You really need to get your DNS set up and get all the FQDNs you need in your certificate. None of your services will work properly until you do so.
If you need more assistance, I’ll check back later today. I need to get back to work. Hope you get this sorted.
Thanks for the great article. However, I am having a problem with one of the powershell scripts. When I execute the enable-outlookanywhere command, this is the error I receive:
enable-outlookanywhere : the virtual directory ‘rpc’ already exists under ‘CAServer.domain.local/default web site’. Parameter name: virtualdirectoryname
Any thoughts on what this means and how to properly execute the script in powershell?
You can try going into the Exchange Management Console and specifying the proper URL there.
Or you can try doing Set instead of Enable.
RTM:
Set-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False
SP1:
Set-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ClientAuthenticationMethod "Basic" -SSLOffloading:$False
Thanks for the reply. I input this command into PS:
set-outlookanywhere -identity CAServer -externalhostname "mail.domain.com" -externalauthenticationmethod "basic" -ssloffloading:$false
This is the response from PS: set-outlookanywhere : the operation could not be performed because object ‘CAServer’ could not be found on the domain controller ‘server.local’
What am I missing here? All my mail flow is working correctly so I don’t know why PS reported cannot locate my dc. Also, when I attempted to input the command into PS using the -server command instead of the -identity command, this is what returned: set-outlookanywhere :
a parameter cannot be found that matches parameter name ‘server’
I think I have been messing with this so long I am missing something obvious. Any insight would be appreciated.
It’s not saying it cannot find your DC, it’s saying it cannot find CASServer, which is your client access server, but might also be a DC if you configured it that way (not recommended). Make sure you replace the word CASServer with the server that has the RPC over HTTP Proxy component installed on it which should be a Client Access Server.
So if your Client Access Server’s name is CHIEXCCAS01 and your certificate has a name of mail.shudnow.net, you would do:
set-outlookanywhere -identity CHIEXCCAS01 -externalhostname "mail.shudnow.net" -externalauthenticationmethod "basic" -ssloffloading:$false
Make sure you replace externalauthenticationmethod with clientauthenticationmethod if you’re using SP1.
If that doesn’t work, as I said, go into the Exchange Management Console and just manually set it.
Thanks! I went into EMC and changed the setting that way. The PS script kept giving me problems.
Hi,
I can’t make autodiscover work from outside, maybe you could take a look at http://forums.msexchange.org/Another_Autodiscover_problem/m_1800470564/tm.htm if you have a solution :)
I have an article that details publishing the autodiscover service in ISA:
http://www.shudnow.net/2007/07/15/publishing-exchange-2007-autodisover-in-isa-2006/
One of the things is that ISA 2006 will only read the CN or the 1st SAN name, so you have to trick ISA to make autodiscover publishing to work. I explain how to do that.
Thanks a lot,
I’ve been trying to fix this issue for months now.
Sir, you are to be commended for your contributions. Thank you very much!
-Kingofbytes
[...] When the Out of Office Assistant in Outlook 2007 wants to perform the OOF configuration, a connection is established to the “Exchange Web Services” (EWS) Virtual Directory. Since Outlook does not know the path to the EWS Virtual Directory, the Autodiscover Service must be contacted for this. For domain members this happens with the help of Active Directory; for everyone else via DNS. Problems can therefore already arise when the required Autodiscover Service cannot be found or cannot be contacted. With the function built into Outlook 2007, “E-Mail AutoKonfiguration testen… / Test E-Mail AutoConfiguration”, the connection to the Exchange Server can be checked very easily (hold [CTRL] and right-click the Outlook icon in the system tray). Incorrectly configured URLs can be adjusted with the PowerShell command “Set-WebServicesVirtualDirectory”. A good guide to configuring the Web Services can be found at Elan Shudnow’s Blog. [...]
Hi Elan,
This worked great! Thank you very much. One concern I am having is the following error. This seems to come up every 20 or so minutes.
An internal transport certificate will expire soon. Thumbprint:9B32B314CB5ABC963F9F0F6A03F22FCD7E832896, hours remaining: 536
The only difference from your post is when I run Get-ExchangeCertificate, I see two thumbprints… One for the NETBIOS name and then one for the certificate name. I used the thumbprint for the certificate name.
Thumbprint Services Subject
———- ——– ——-
752714FF7F34CBCCC49A3A72 ….S CN=SM5500SRV
9B32B314CB522FCD7E832896 IP.WS CN=mail.somecompany.com,…
Hi, someone just brought to my attention our certificate IS expiring in 536 hours, it is only valid until July 22nd, so this is perfectly normal I guess. One question would be then do I have to do anything with the new certificate.
Brent, one is your self-signed certificate and one is the mail.somecompany.com certificate. You really don’t have to delete your self-signed certificate because Exchange will always use a certificate signed by a trusted CA before it uses a self-signed certificate. If you are talking about an Edge Server, I would leave the self-signed certificate on there as the Edge Server will copy the self-signed certificate to Active Directory which the Hub Transport Server will use as a trusted mechanism without needing to import the self-signed certificate into the Trusted Root Certificate store on the Hub Transport Server.
Here is a guide on how to renew the self-signed certificate:
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
For the regular certificate, you can just request a certificate the same way you originally did. If you have exported this certificate and imported it onto other servers such as ISA, make sure you update ISA with the new certificate (importing, attaching to ISA web listener, etc..)
Hi
Great post! BUT after changing this my “Out of office” won’t work anymore
This was related to:
Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri https://mail.shudnow.net/Autodiscover/Autodiscover.xml
When I change it back to “https://servername/Autodiscover/Autodiscover.xml” it works again.
I have created a record in the internal DNS so this “external name” works internally as well, but I still get the same error.
See article:
http://www.proexchange.be/modules.php?name=News&file=article&sid=686
How to fix this :-) ?
Best regards
Jesper
That means DNS doesn’t point to your CAS or the FQDN you specify doesn’t match a name on your certificate, or maybe you require SSL on the autodiscover but you didn’t specify https://.
Hi Elan
Internally, the record owa.domainname.dk points to my CAS – I can see that it resolves just fine. But still, when I change the Autodiscover to this DNS name, which matches internally and externally, the “out of office” gets broken again.
The name on the Exchange web service is matching the certificate called owa.domainname.dk – and externally it works as well with the same name.
Best regards
Jesper
Make sure you configured the EWS for the correct InternalURL and ExternalURL:
Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://owa.domainname.dk/EWS/Exchange.asmx -ExternalURL https://owa.domainname.dk/EWS/Exchange.asmx -BasicAuthentication:$true
Thanks for this post. I followed the instructions and the error went away… for all the users inside the LAN.
Now I am being told that Outlook Anywhere users outside are getting an error because they are looking for autodiscover.mydomain.com
I thought I had the problem solved
Here’s the Autodiscover whitepaper:
http://technet.microsoft.com/en-us/library/bb332063.aspx
There are a couple of things you can do. You can use an SRV record for Autodiscover, or you can get a UC/SAN certificate from a provider such as Entrust/Digicert/etc. that contains a Subject Alternative Name of autodiscover.domain.com. As far as I remember, the SRV record option will prompt your users for acceptance while the SAN name method will not and is the recommended method. I would read the whitepaper for more information.
I’ll preface this with the fact that I am a newbie with PowerShell, but I have been beating my head against the wall with this one; none of the commands you have listed are recognized. Even Get-ExchangeCertificate came back saying unrecognized command or script. Hopefully I am just doing something simple wrong. Any thoughts?
You need to use the Exchange Management Shell. I assume you’re opening PowerShell itself which doesn’t execute the Exchange Snap-Ins.
I must have been asleep. I retried everything this morning, and it worked. Thanks.
Really useful post! I had spent a lot of time trying to solve this problem, then I find this entry and solve the problem in just a couple of minutes. *bows*
ssl certificate for…
You have got to be kidding!…
YOU ARE THE MAN
Elan,
I was able to make the security warning go away but now I can’t hit OWA external or internal, any thoughts? Thank you very much!!
What errors? You can try the Set-OWAVirtualDirectory command to set the -InternalURL and -ExternalURL.
Hi :)
Thank you for that article – it helped me A LOT! :) The error you mentioned at the top disappeared but another one showed up – it’s almost the same with a small difference: instead of my Exchange Server name (mail2 in your case) I’ve got autodiscovery.mydomain.com – Can you tell me where I should look for that entry?
regards
pragma
It should be autodiscover.mydomain.com – no “y”.
Hey, thanks for the fix. Worked for me as well!
Thank you! Your article helped and saved me lots of time. Much appreciated.
Cheers, that worked brilliantly, it also solved the issue I had with Outlook giving an operation failed error when doing a send/receive :-)
thanks again
cheers mate, this worked a treat, it also resolved the issue I had with Outlook and operation failed :-)
thank you
Thanks a bunch for the article!
Note to all: don’t forget to restart Exchange services or reboot for this to take effect, like this dummy did!
Hi Elan,
We provide exchange hosting service to our clients. Recently we migrated one client to our Exchange Hosted Environment from POP3 services like many of our clients.
The client is using Outlook 2007 and whenever Outlook is started it comes up with the certificate error. But the error doesn’t come up in Outlook 2003.
Even when we try to use this URL, the same certificate error comes up (the same error as in Outlook 2007):
https://autodiscover.xyz.co.uk/
However, our clients using different domains have no issue irrespective of the Outlook version.
So it seems to be something to do with IIS? We are not sure. Microsoft support is also no good!
Please advise.
Many thanks,
Vikas
Vicks, I wrote a pretty comprehensive article on the Autodiscover and what names you need on certs, dns, using ISA in the mix, etc… I’d give it a read:
http://www.shudnow.net/2008/11/18/autodiscover-dns-certificates-and-what-you-need-to-know/
Hi Elan,
I too have been helped by this, so thank you for that.
I have a question though: what procedure should be followed to avoid having to perform this fix from the shell anyway? I’ve dealt with two examples in SBS 2008 now; both had a default self-signed certificate installed when the OS was installed: remote.domain.com. This was assigned to pretty much everything, internal and external etc. Both clients purchased their own mail.domain.com certificates. Is there a way I should have applied them that would have automatically updated all the internal and external addresses, rather than having to manually go in via the shell and change them all?
Thanks,
Dane
I’m not the person you want to be asking SBS questions to. I’ve never worked with SBS.
You’re the man.
Everything was fine until I ran the latest Office 2007 updates on my users. Then I started to get the cert error. I changed the NETBIOS name to the cert name; no more security alerts. THANKS
This seems to have cleared up the same annoying problem in Entourage! Everything I could find on it would mostly send a person in the direction of SAN certificates, etc..
When is Microsoft going to get their documentation right? I understand the need to provide full documentation, but a simple outline like this is all we typically need. Thanks.
Hi Elan,
Thanks man!!
This guide was very helpful and fixed the problem.
saved me a lot of time.
GreetZ Dorian
Thanks Dorian.
We have SBS2008. When applying your fixes above, these commands fail because the “object could not be found on the domain controller”
Set-WebServicesVirtualDirectory -Identity "SBS1\EWS (Default Web Site)" -InternalURL https://mail.ourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$true
Set-OABVirtualDirectory -Identity "SBS1\OAB (Default Web Site)" -InternalURL https://mail.ourdomain.com/OAB
Am I missing something in the syntax?
Should work but I’m not familiar with any differences in SBS that would prevent this.
@ 63 .. In SBS (2008) you should use SBS1\EWS (SBS Web Applications) instead of (Default Web Site), because the OAB and EWS are not under the default website!
I have a problem after doing all this that outlook 2007 keeps asking for a password.
Anyone know how to solve that?
regards
Perry
I’ve read numerous articles, found this one.. but I still can’t get it to work.. I’m at my wits’ end. The first issue is when OL 2007 gives me this error, and I click on VIEW CERTIFICATE, I don’t get the name of the cert. How do I get this info? When I do a Get-ExchangeCertificate cmdlet I get the following:
Thumbprint services subject
lots of numbers IP.WS CN=BMW
lots of numbers …… CN=WMSvc-BMW
So the name of my cert is BMW? BMW is the name of my Exchange 2007 server. So what should be my internal and external URL? I tried various mail.bmw.domainname, I tried bmw.domainname using the cmdlets above to no avail. Microsoft made this autodiscover so darn complicated geez..
Also, unlike on my Exchange 2003 server, it looks like I can’t use a self-created cert anymore for OWA, ActiveSync, Outlook Anywhere? No way around this? I know the drawbacks, but can I use a self created insert?
Ok, by following this guide http://www.exchangeinbox.com/article.aspx?i=126 and replacing the cert installed by the Exchange install, and using a new cert generated by a Windows Server 2008 CA, the issue is resolved. However, I have a new error: by using my own private CA cert that I generated, I now get a red x for the first item, “the security certificate is from a trusted certificate authority”, which I expect since this is not from a public CA. So, when I get that error all I should have to do is view the cert and install it manually into my PC; however, it doesn’t seem to work, it continues complaining about the cert even though I manually installed it, which once again I expect since this is not from a public CA but my own private one. Any ideas/suggestions?
Worked great!!!! Thank you, thank you!
Nice!! Thank you!!
joe, if using an internal CA, you need to make sure your server contains the root certificate of your CA.
got it working.
So just to be clear, there is no way to make the certificate error go away unless you have a certificate with multiple names?
I have my SSL certificate that says “mail.domain.com” and I have an alias for “autodiscover.domain.com” pointing to “mail.domain.com”. Everything works perfectly but on startup of Outlook there is a security warning indicating the certificate name does not match for “autodiscover.domain.com”.
I just want to confirm that I need to resolve this with a multi-named certificate. Mine is from a trusted root provider so I would have to replace it with a more expensive certificate if this is true.
Thanks,
James
PS – Nice article and reply string. It is very useful.
This whole article explains how to make the error go away without a UC certificate. :P You just need to have split DNS and set your InternalURLs and ExternalURLs to be the same as well as the AutodiscoverServiceInternalURI. If you had a SAN cert, you could put the Server FQDN on the certificate and then leave all the InternalURLs and AutodiscoverServiceInternalURI and then just set your ExternalURLs.
OK, but if my internal and external DNS are all “domain.com” will this approach still work?
That’s what split DNS is. So yes.
Thanks a zillion…this eliminated the problem…why is this not straight forward when installing the original certificate?
Welcome. Ya, it can be confusing for those who don’t work with Exchange much or who are new to Exchange 2007 and don’t understand Autodiscover or the services that utilize InternalURL and ExternalURL. Exchange 2010 makes it a little easier by allowing you to specify if a new CAS server is an Internet Facing CAS and automatically set your ExternalURLs. But it doesn’t let you automatically specify InternalURLs if using a regular SSL certificate. So the issue will still exist in Exchange 2010.
Elan,
I followed all your instructions and finally I have my cert running well. The error on Outlook disappeared, but I have another issue now. Each time I open Outlook it asks for credentials, even when connected to the network at the office.
Any thoughts?
Great Article!
I had a difficult time however (I’m on SBS2008) setting the OAB and WebServices internal URLs; I kept getting the “object not found” as outlined in *63. Tried the answer from *68 and it didn’t work.
Just fixed it today by leaving out the -identity tag, which it would ask me for afterwards; doing it that way worked for me.
OAB and EWS was under the (Default Web Site) for me [in reference to post 68 above]
Thanks Elan!
Update: I didn’t tell you that I was upgrading from Ex 2003 to 2007. Knowing that, I am at the point of replicating the public folders, and I already moved my mailbox to the 2007 server. I have a certificate for mail.mycompany.com (GoDaddy) working well on the 2003 Exchange, so when I installed the same certificate on the new server is when I had the issue described in your article. As I said, following your instructions the certificate issue disappears, but now Outlook asks me for credentials when it opens, and this happens ONLY if DNS (or I modify the hosts file in my computer for testing) points “mail.mycompany.com” to the new server. So I guess it has something to do with the public folders that are not moved yet. Am I right?
ChrisPogi, you’re welcome. And thanks for posting the thank you as well as your issue and what you did to work around it.
Ramiro, that shouldn’t be an issue. Are you running on Server 2008? If so, you may want to check out my following blog post here.
Yes, I’m running it on a 2008 Server, and I read your other post, but I couldn’t find anything relevant since I did have Rollup 8 for Exchange 2007 SP1 installed.
What I noticed, though, is that Outlook Anywhere is autoconfigured as part of the Autodiscover function, so Outlook is behaving as if it is outside of the network; that’s why it is asking for credentials at startup.
Well one of the things I have in there is disabling IPv6. In short, when IPv6 is enabled, the RPC/Proxy service doesn’t listen on port 6004 for IPv6 so Outlook Anywhere fails. So you need to completely disable ipv6 (not just uncheck it from the NIC.)
Also, configuring OA by Autodiscover doesn’t configure it to always connect Via OA. Only when you don’t have RPC connectivity directly to your mailbox server unless you’ve configured it otherwise.
Ok,
Today I realized that the problem was only with my mailbox. It didn’t happen with the other already-moved mailboxes.
Finally I figured out that it was only a problem of a password stored in the “Vista Network passwords” feature. In short, I had mail.mycompany.com stored there with who knows what, so I deleted that entry and Outlook stopped bothering me by asking for the password.
Thank you for the help Elan; the important thing here is that the explanation in your article totally solved my certificate issue, and this other thing had nothing to do with your instructions.
Thanks again
Your article, combined with post 65 solved the problem on my SBS2008. Works perfectly now.
Thanks a lot!
Hi Elan Shudnow
We have the same problem. Outlook 2007 complains about the certificate error only internally.
From external access we don’t have this problem. We use an external certificate (Unicert) for webmail.ourcompany.com.
I’m thinking of following your procedure step-by-step, but the CAS and HUB roles are on two servers in NLB.
The question is: Do you see any problem in an environment like this? Or better, is another additional procedure not necessary for CAS/HUB in NLB?
Thank you
Martins
Elan, you are amazing…your instructions worked flawlessly…THANKS!!!
I have to say!!! WOW!! I spent 2 months on this, everyone said different things, I found your article and had it working before lunch!!!
Thank you SO MUCH m8, you saved my bacon!!
I too have followed this amazing post and it resolved all but one issue that is driving me insane.
I have 2 sites connected via Site-to-Site VPN tunnel. The Exchange 2007 server is at Site 1 and clients are at Site 1 and Site 2. All of the users in Site 1 are working fine however, all the users in Site 2 still get the certificate popup when they open Outlook 2007.
Background:
1 Domain “domain.local” internal Windows 2003 AD with Domain Controllers in each location with updated DNS entries to match my certificate “mail.domain.com” pointing to the INTERNAL IP of the Exchange 2007 server. Again, everything is fine from Site 1.
Site 2 is fully replicated with the DC’s and they are also GC’s (not that it would matter). They can perform NSLOOKUP and resolve mail.domain.com to the internal IP address just fine, so I am not sure why I am still getting this error message.
I have re-pasted CLI’s and restarted the POOL and the server so many times that the power button is wearing out (just kidding).
Please if you can offer any more assistance on this it would save my hide!!
Rob
Hi,
Excellent article. You could just add, as a last step, recycling the MSExchangeAutodiscoverAppPool application pool in IIS.
Thanks,
Eduardo
Thanks very much, I was spending a lot of time on the internet to find the answer…
I am not an Exchange admin, so this guide helped a lot.
Thanks
This really sorted me out. Thanks a lot.
Elan,
Great article. Thanks.
My one big question, though, is how will these changes affect Outlook 2007 clients that are currently pointing to the netbios name? Will they automatically adjust or will each Outlook client have to be touched? While the cert pop-up is annoying, it's not nearly as bad as a few hundred people without Outlook access would be.
Thanks,
Gabe
It really shouldn't matter. As long as DNS/NetBIOS can hit the server and the certificate that is on the Exchange Server has that name, it should be transparent to the user.
Great post, and I think I understand more now about certificates. I have been battling for days with a scenario where I have a Thawte certificate that was purchased for webmail access. I ordered one where I only added webmail.data.com as the server name, while internally the server is EXCBACK and EXCBACK.domain.local. So I created a self-signed certificate that I wanted to use for Outlook users, but for some reason it's only the Thawte certificate they "pull" when connecting. I did run Enable-ExchangeCertificate -Services IMAP, POP, SMTP on the self-signed one and Enable-ExchangeCertificate -Services IIS on the Thawte one. But still, Outlook connects and throws a warning saying the Thawte certificate does not have the EXCBACK name listed in it, only webmail.data.com. What is it I am missing here?
You need to update your InternalURLs and possibly ExternalURLs as well as AutodiscoverServiceInternalURI so they don't have the EXCBACK. That way they connect to Exchange using the webmail.data.com name which the certificate will have.
You saved me many, many headaches with this article. Thanks a ton!
Thanks. It's a bit of a pain. Whichever way you do it, you get certificate errors until you do lots of stuff Microsoft don't tell you in training.
I would like to thank you for the easy to follow fix for this certificate error!
I have a problem that has started since I did this fix. To give you some information, the certificate request was generated using IIS and was imported into IIS. We currently only use OWA externally. We were able to access https://mail.mydomain.com/OWA from the inside or outside of our network with no issues and with no certificate errors at this point, but we were getting the certificate error in Outlook 2007. I followed your guide and have verified the settings, but now when I go to https://mail.mydomain.com/OWA from inside or outside I get a certificate error and I am redirected to https://server.mydomain.com/owa/auth/logon.aspx?r... and since there isn't an external DNS entry for server.mydomain.com I can't get to my OWA. I am unable to figure out what would have changed this from the commands above but I am not getting anywhere. My certificate is for mail.mydomain.com.
Thanks for all your help!
You'll probably want to use the Set-OWAVirtualDirectory command and use the InternalURL and/or ExternalURL to ensure that it has a name that is on your certificate. For example, Set-OWAVirtualDirectory -Identity "Owa (Default Web Site)" -InternalURL https://mail.mydomain.com/owa -ExternalURL https://mail.mydomain.com/owa.
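The two replies above (and the one about EXCBACK further up) come down to one check: every URL Exchange hands to Outlook must carry a host name that is on the certificate bound to IIS. This is an added script, not the article's or the commenters' code; it assumes the Exchange Management Shell (2007 SP1 or 2010, PowerShell 2.0 or later) run on the CAS itself, and the Outlook Anywhere entry is built from ExternalHostname as a URL purely so it can be checked the same way.

```powershell
# Added example: list the client-facing URLs and flag any host name the IIS certificate does not cover.
$server = $env:COMPUTERNAME

# Names the IIS-enabled certificate is valid for (subject CN plus any SANs).
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if ($cert -eq $null) { throw 'No certificate has the IIS service enabled on this server.' }
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# True when the certificate covers a host name (exact match, or a one-label wildcard such as *.domain.com).
function Test-NameOnCert([string]$hostName) {
    $hostName = $hostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName.EndsWith($n.Substring(1)) -and
            ($hostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Collect every URL the article has you set, as (Source, Url) pairs.
$cas = Get-ClientAccessServer -Identity $server
$entries = @(New-Object PSObject -Property @{
    Source = 'AutoDiscoverServiceInternalUri'; Url = "$($cas.AutoDiscoverServiceInternalUri)" })
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
               'Get-UMVirtualDirectory'   # Exchange 2007 only; skipped where the cmdlet is absent
foreach ($c in $vdirCmdlets) {
    if (-not (Get-Command $c -ErrorAction SilentlyContinue)) { continue }
    foreach ($vd in @(& $c -Server $server)) {
        $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity) InternalUrl"; Url = "$($vd.InternalUrl)" }
        $entries += New-Object PSObject -Property @{ Source = "$($vd.Identity) ExternalUrl"; Url = "$($vd.ExternalUrl)" }
    }
}
$oa = Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue
if ($oa) { $entries += New-Object PSObject -Property @{ Source = 'OutlookAnywhere ExternalHostname'; Url = "https://$($oa.ExternalHostname)/rpc" } }

# Report: each host name flagged NOT ON CERT is one that will produce the Outlook certificate popup.
foreach ($e in $entries) {
    if (-not $e.Url) { continue }                      # URL not set, nothing to check
    $h = ([System.Uri]$e.Url).Host
    $status = if (Test-NameOnCert $h) { 'OK' } else { 'NOT ON CERT' }
    '{0,-12} {1,-35} {2}' -f $status, $h, $e.Source
}
```

A NetBIOS or .local name in the report is exactly the case from the reply above: fix it with the matching Set-*VirtualDirectory -InternalUrl/-ExternalUrl, or Set-ClientAccessServer -AutoDiscoverServiceInternalUri, then rerun the check.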
All, I understand the document and followed the steps, but every time I get to (Default Web Site)” I get an error. What am I doing wrong? I am going insane.
Can you provide the error you're getting?
Worked Like a Charm!!!!
Hi,
I have an Exchange 2010 server and am trying to get ActiveSync to work for push e-mail.
Testing using https://www.testexchangeconnectivity.com gives me an error with the certificate:
"Host name <domain name> does not match any name found on the server certificate CN=<computer name>"
How do i add the domain name to the certificate?
thanks
T.C., you can use the new certificate wizard to request a new certificate. Check out this video for more information:
http://www.msexchange.org/articles_tutorials/vide...
You're a life saver mate.
Everything works now for domainA. If I add domainB, will Autodiscover work for OWA and Outlook Anywhere? Can I still use a single cert?
Thanks for your help.
Super! Great instructions!!!!
Thanks buddy! This was the easiest fix to the issue that I was able to find. Keep up the awesome work!
Hi guys,
I have a very similar problem, but only with internal access for my Outlook clients.
Everything from outside the network (internet) is working fine: Outlook Anywhere, ActiveSync to mobile devices, Outlook Web Access … nothing has a problem.
But when my Outlook clients try to connect from the local area network to the CAS server, I get the certificate error warning.
I get the same certificate warning if I try to access Outlook Web Access.
I have set all URLs, directories etc. the right way. External things point to server.domain.com, internal things point to server.domain.local.
The SSL certificate is signed by the StartSSL CA, which is a publicly trusted CA, and it is for the name server.domain.com.
So I can understand why Outlook clients have problems if they try to connect from the local area network, because the SSL certificate is for another name of the server. But why are they using SSL for the connection? I have them inside the company network; I don’t need to use RPC over HTTPS for them. Maybe the problem is that my server has only one IP address and has all Exchange roles together on one machine …?
Thank you for any kind of tips
With regards, Radek
Because Outlook 2007+ uses web services not just for OWA or Outlook Anywhere. It uses it for OOF, Free/Busy, OAB, Autodiscover, etc… The entire article already explains this and why you need to set the InternalURLs properly. Basically, I have already answered your question in my article as to why the InternalURLs need to match the name of the certificate.
I'm having this same issue, but I was never on an Exchange server.
I’m using UC but still getting 8004010f error in outlook 2007. Send/receive works well but its annoying. Any hint?
Thanks.
Try Best Practices Analyzer to see if it flags something that can possibly be fixed and thus possibly making your error code go away. Other than that, start Googling/Binging the error code and do things articles tell you till it's gone.
I wish I found your blog last week :)
Big thank you
Hi Mr elan,
I am having an issue in my Exchange environment.
Status : 3 exchange servers
exchange-01 – role -> hub, client access, mailbox
exchange-02 – role -> client access
exchange-03 – role -> mailbox
I have just imported a new single-name certificate with the name "mail2.domain.com" on exchange-02, faced the problem you posted about on the blog, and solved it with your solution.
But a new problem shows up where users who use Outlook 2007 are unable to download the offline address book. I tried to run Test E-mail AutoConfiguration and found that users who use Outlook 2007 are connected to exchange-01/OAB, not exchange-02.
kindly need your help
Hello,
I have an Exchange 2010 server with this issue. I did multiple searches and found basically this info (Not as cleanly laid out though). I followed the instructions down to the last command
(Set-UMVirtualDirectory -Identity “CASServerUnifiedMessaging (Default Web Site)” -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service... -BasicAuthentication:$true)
At that point I get the following:
The term 'set-umvirtualdirectory' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I went ahead and created a new SRV record pointing mail.companyname.org to the IP, and now if I ping mail.companyname.org it resolves to the IP address of the CAS server.
Any assistance is appreciated.
Thank you,
Frank
Frank, you do not have to do this in Exchange 2010 as there is no more Unified Messaging virtual directory. In Exchange 2010, Exchange Web Services (EWS) is now used for Unified Messaging functionality. I will make a note in the article about this.
What about when it happens to the remote site and not at the corporate office? I would think the same certificate would be used in both places, but the remote site is having the problem and corporate claims it never sees the error message. I would think that it would show up for both sites if a problem exists.
It depends on your setup. I would check out the following article to understand how proxying and redirection works: http://technet.microsoft.com/en-us/library/bb3107...
Either way, you need to make sure that the sites trust each other's certificates and the AutodiscoverServiceInternalURL, InternalURLs, and ExternalURLs are all on the certificate. The same goes for autodiscover.domain.com if you want to support autodiscover for outside clients and internal non-domain joined clients.
I still use this as a list of all places to make changes to URLs in Exchange; it's useful when changing internal OR external values. Thanks for putting the effort in!
Only had to change the Thumbprint and the AutoDiscover internally…. thanks so much!!
This really helped!
Don't know what I did.
Tried everything in this post. But still getting the error "The name on the security certificate is invalid or does not match the name of the site."
I'm on Exchange 2010 though, so I'm leaving the Set-UMVirtualDirectory command out.
AD is on 2008 R2. Exchange is installed on one of the AD's. The GC of the 2.
Hey, Thanks! This resolved a few things for me, but I'm still getting a Certificate Error in outlook with the title of "sites", before the Certificate Error had a different title.
Can you help me?
One thing you may want to add is that it may be necessary to reboot the system for the changes to take effect. I was going crazy trying to think of which service must still be directing to the internal server name and finally gave up for the night. The next day the error message had stopped appearing.
On SBS 2008 the commands need to include (SBS Web Applications), not Default Web Site. Default Web Site doesn't include those sites anymore.
YOU ARE A LIFE SAVER!!!!! THANK YOU SO MUCH!!!!
Claudio
Hi Elan,
Does this also apply to an Exchange environment that has multiple (geographically separated) Exchange CAS servers on the same domain (WAN)?
I have noticed that all my CAS servers have their own Autodiscover URI. Would I need to configure each CAS server individually? I only use one primary CAS server for external OWA access. This CAS then routes district users to the district CAS/Mailbox server that hosts their mail.
We do not use Secure email (HTTPS) due to limitations on our WAN (Government Dept sitting on a Centrally supplied and managed WAN for ALL Dept).
I hope I am not too confusing.
Regards,
Christo
Wow!! This actually worked!! It is depressing that Microsoft cannot create a simple article like this. This worked like a charm!! I hope people will actually find this article. Thank you so much for putting this together!!!
They actually do have a KB on this. But I created this article before that KB existed. :)
+1 to People Helped, thanks.
Me too…. :-(
Just found the solution:
Make a fake zone with the name autodiscover."yourdomainname" and point it with a CNAME to the external name resolving to your internal mail server IP. It must be a CNAME and not an A record.
Go to your DNS management: Administrative Tools -> DNS.
1. In the Forward Lookup Zone (FLZ) for domain.com, right-click (RC) domain.com and select 'New Host (A)'. Enter 'mail' for the name and input the internal IP of your CAS.
2. RC the FLZ folder under your server and select 'New Zone'. Click 'Next' at the wizard introduction, leave the zone type as Primary and Active Directory integrated, click 'Next', leave the zone replication at the default (all DNS servers in the domain), click 'Next'. For the name enter 'autodiscover.domain.com', click 'Next'. For dynamic updates change the setting to 'Allow both nonsecure and secure dynamic updates', click 'Next', then click 'Finish'.
3. RC the new autodiscover.domain.com zone and select 'New Alias (CNAME)'. Leave the name field blank and click the Browse button. In the browse window, double-click (DC) the server name, DC the FLZ folder, DC domain.com and then select the mail entry. Click 'OK' to complete. You can now close DNS.
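The same zone and records created from the command line, as an added example rather than the commenter's own steps. It assumes dnscmd on a domain controller hosting AD-integrated DNS, run from an elevated prompt; the zone name domain.com, host mail and the address 192.0.2.10 are placeholders. It differs from the wizard walkthrough in one setting: the new zone is pinned to secure dynamic updates only, so that only authenticated domain computers can change the autodiscover record.

```powershell
# Added example: split-brain DNS for Autodiscover with dnscmd (placeholder names and address).
$zone     = 'domain.com'
$casIp    = '192.0.2.10'         # internal IP of the CAS (placeholder, documentation range)
$mailHost = "mail.$zone"         # the name that is on the certificate

# 1. mail.domain.com -> internal CAS address, inside the existing internal zone.
dnscmd /RecordAdd $zone mail A $casIp

# 2. A separate AD-integrated zone whose root is autodiscover.domain.com,
#    replicated to all DNS servers in the domain.
dnscmd /ZoneAdd "autodiscover.$zone" /DsPrimary /DP /domain

# 3. Secure dynamic updates only (2 = secure). The wizard option "nonsecure and
#    secure" would let any host on the LAN rewrite where Outlook looks for Autodiscover.
dnscmd /Config "autodiscover.$zone" /AllowUpdate 2

# 4. CNAME at the zone root ("@") pointing at the certificate name; the trailing dot
#    keeps the target from being treated as relative to the zone.
dnscmd /RecordAdd "autodiscover.$zone" "@" CNAME "$mailHost."

# 5. Verify from a domain-joined client: the alias must resolve through mail.domain.com
#    to the internal CAS address, with no certificate-name mismatch left for Outlook.
nslookup -type=CNAME "autodiscover.$zone"
nslookup $mailHost
```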