Client Access Issues after failing over to SCR Target copy
A little background: I have two prd cas and one new dr cas. Let's call them prd-cas1, prd-cas2, and dr-cas1. I have a cert issued from a CA for prd-cas1 and prd-cas2. It's actually the same cert, with multiple subject alternative names that include both systems. Dr is in another AD site with healthy SCR targets for all my DBs in place. It does not yet have a cert, but I plan to add a SAN to the previously mentioned cert. All are running E2007Sp1.

One of my DBs has just one user, me. I failed that DB over to dr and brought the SCR target up as the prd db. I had some issues starting Outlook, but I was able to open my mailbox via owa (ignoring the warning) on dr-cas1. I noticed some errors in the event viewer about client-access and certs regarding my mb, so as a temporary workaround, I exported the default cert from dr-cas1 and imported it into the trusted root of prd-cas1. I also imported the cert from prd-cas1 and prd-cas2 into the trusted root of dr-cas1. Probably not needed, because of the CA's signature, right? Anyway, that made those errors go away, but I'm still observing two (below).

We do have a handful of mobile users with ActiveSync. I'm one of them. On dr-cas1, I enabled integrated windows authentication on the Microsoft-Server-ActiveSync virtual directory. This last step, in conjunction with importing the self-signed cert from dr-cas1, allowed my phone to access my mb (I think). Right after the cut-over, it could not. I was repeatedly prompted for a password; no longer.

So I'm left with these errors below. Will getting the cert signed by a CA fix these? Any idea what's causing them? Seems to be a communication issue between the two prd cas in the AD site where I'm physically located and the AD site where my MB now resides.

ID=17 Source=MSExchange Web Services Type=1
Message=CAS server PRD-CAS1 attempted to proxy EWS traffic to CAS server DR-CAS1.domain.com. This failed because the registry key "HKLM/System/CurrentControlSet/Services/MSExchange OWA/AllowInternalUntrustedCerts" is set to "0", but no certificate trusted by PRD-CAS1 was available for the SSL encryption of the proxy connection.

ID=11 Source=MSExchange Web Services Type=1
Message=CAS server PRD-CAS1 failed to proxy EWS to AD site CN=xx,CN=Sites,CN=Configuration,DC=domain,DC=com because none of the CAS servers in this site are responding. Please check the configuration and status of the servers in site CN=xx,CN=Sites,CN=Configuration,DC=domain,DC=com
October 20th, 2009 10:14pm

The self-signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync (refer to "Understanding the Self-Signed Certificate in Exchange 2007").

According to the error event, the security certificate presented by DR-CAS1 is not trusted by PRD-CAS1, which initiates the proxy request, so PRD-CAS1 doesn't allow the untrusted security certificate for proxying. The proxying process doesn't allow the use of an untrusted security certificate to create a secure connection. You can create the AllowInternalUntrustedCerts registry key to change the default behavior, as mentioned in event 17. The same explanation is also given in the link above.

Please also use Get-ExchangeCertificate to check the validity period of the certificates that are associated with the various services; a similar issue can also occur if expired certificates have been enabled for certain services.
October 21st, 2009 9:28am
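
The trust check behind event 17 can be reproduced from the proxying server. The script below is an added example, not code from this thread or from Microsoft: it connects to the target CAS, captures the certificate it presents, and reports how the local trust store evaluates it alongside the AllowInternalUntrustedCerts value. It assumes PowerShell 2.0 or later, and `Test-CasProxyCertTrust` is a hypothetical helper name.

```powershell
# Added example. Run on the CAS that initiates the proxy (PRD-CAS1 in the thread).
function Test-CasProxyCertTrust {
    param([string]$TargetFqdn, [int]$Port = 443)

    $seen = @{ Cert = $null; Errors = $null }
    # Record the local verdict on the presented certificate, then accept the
    # handshake so that an untrusted certificate can still be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $seen.Errors = $sslPolicyErrors
        $true
    }

    $client = New-Object System.Net.Sockets.TcpClient($TargetFqdn, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($TargetFqdn)   # name checked against subject/SAN
        $ssl.Close()
    } finally {
        $client.Close()
    }

    # Registry value named in event 17; absent means the default behavior applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA'
    $reg = Get-ItemProperty -Path $key -Name AllowInternalUntrustedCerts -ErrorAction SilentlyContinue
    $regValue = 'not set'
    if ($reg) { $regValue = $reg.AllowInternalUntrustedCerts }

    New-Object PSObject -Property @{
        Target       = $TargetFqdn
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        SelfSigned   = ($seen.Cert.Subject -eq $seen.Cert.Issuer)
        NotAfter     = $seen.Cert.NotAfter
        Expired      = ($seen.Cert.NotAfter -lt (Get-Date))
        PolicyErrors = $seen.Errors   # None = chain trusted and name matches
        AllowInternalUntrustedCerts = $regValue
    }
}

# Target name taken from the event text in the question.
Test-CasProxyCertTrust -TargetFqdn 'DR-CAS1.domain.com' | Format-List

# On the target CAS itself, in the Exchange Management Shell:
# Get-ExchangeCertificate | Format-List Thumbprint, Services, IsSelfSigned, NotBefore, NotAfter, CertificateDomains
```

A `PolicyErrors` value of `RemoteCertificateChainErrors` means the chain does not end in a root the proxying server trusts, and `RemoteCertificateNameMismatch` means the requested FQDN is missing from the certificate's subject and SAN list.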

Thanks! Wasn't aware of the restrictions. Just figured I could trust both ends and be OK. I did have my cert re-issued with an additional SAN and all the errors went away.
October 21st, 2009 4:40pm

This topic is archived. No further replies will be accepted.
