Exchange 2007 SSL
We have an Exchange Server 2007 that has bad SSL cert information. We have a hosted web server that hosts a web application at a 3rd party host, and that server has a certificate for *.publicdomain.com.
Our Exchange server is hosted on our local server, is not at all connected to the public hosted web server, and has the domain pdc.localdomain.local and a public MX record of mail.localdomain.net. The problem is that when our Outlook clients try to connect we get a certificate mismatch warning, because the cert is for autodiscover.localdomain.net and, when viewing the details, it is issued for/by *.publicdomain.com, which is our public hosted web server.
Somehow the SSL cert we purchased was installed locally by the previous admin and is causing a mismatch with our Exchange server locally and publicly. How can this purchased SSL cert be removed from our local server so we can operate normally?
September 9th, 2011 9:45pm
You need to change your webservices URL from the default autodiscover.localdomain.net to autodiscover.publicdomain.com.
Security warning when you start Outlook 2007 and then connect to a mailbox that is hosted on a server that is running Exchange Server 2007 or Exchange Server 2010: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726
Also since you're using a wildcard cert you need to do the fix afterwards.
Wildcard Certificate Causes Client Connectivity Issues for Outlook Anywhere
http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 9:53pm
I don't want to use the public cert, I want to use the local self signed cert. The hosting company doesn't handle our Exchange server.
September 9th, 2011 10:21pm
Then just use the self signed cert instead of the public cert. The self signed cert should still exist unless it was deleted. You can run Get-ExchangeCertificate | fl and see if you see the default self signed cert and if the date is still valid. If so, just bind the self signed cert using the Enable-ExchangeCertificate command. Also keep in mind that if you don't use a public cert your users will get cert warnings when using OWA, and Outlook Anywhere will not work.
How to renew a self signed certificate in Exchange Server 2007
http://msexchangegeek.com/2009/04/24/how-to-renew-a-self-signed-certificate-in-exchange-server-2007/
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 10:25pm
How do I use the self signed instead? I have re-created the self signed certificate and it is the only one that shows up when running Get-ExchangeCertificate; only the default is listed. Somehow it keeps referring to the public cert.
I am aware about the public cert not working for outlook anywhere, the problem is that that public cert is for a completely separate domain.
September 9th, 2011 10:29pm
What does autodiscover.publicdomain.com resolve to? Is that defined?
September 9th, 2011 10:32pm
When you do Get-ExchangeCertificate | fl, get the thumbprint of the self signed cert. Then run
Enable-ExchangeCertificate -Thumbprint "E0BB201793DC74D0F94F3275E6AA53BA75907565" -Services IIS, SMTP, POP, IMAP (whatever services you need)
Bounce IIS after.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 10:32pm
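The procedure in the reply above (find the valid self signed cert, enable it, bounce IIS), written out as an added example; this is not code from the thread. It assumes the Exchange Management Shell on the Client Access server, and `$serverFqdn` is a placeholder taken from the question.

```powershell
# Added example, not code from the thread: pick the still-valid self-signed
# certificate that Get-ExchangeCertificate lists and bind it to IIS, then
# restart IIS. Run in the Exchange Management Shell on the Client Access server.
$serverFqdn = 'pdc.localdomain.local'   # placeholder: the CAS name from the question
$now = Get-Date

# Self-signed, inside its validity window, and covering the server name.
$candidates = @(Get-ExchangeCertificate | Where-Object {
    $_.IsSelfSigned -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $serverFqdn)
})

if ($candidates.Count -eq 0) {
    Write-Warning "No valid self-signed certificate covers $serverFqdn; create one with New-ExchangeCertificate first."
    return
}

# Prefer the one that expires last (for example a freshly re-created default cert).
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
Write-Host ("Binding {0} ({1}), valid until {2}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)

# Bind it to IIS (OWA, EWS, OAB, Autodiscover); add SMTP, POP or IMAP if those need it too.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Bounce IIS so the new binding is used, then show what is bound now.
iisreset /noforce
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Issuer, IsSelfSigned, Services, NotAfter
```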
> I don't want to use the public cert, I want to use the local self signed cert. The hosting company doesn't handle our Exchange server.
Do you have external clients connecting to your Exchange Server? If so, using the self-signed cert is a bad idea.
September 9th, 2011 11:04pm
I don't think you understand - think of it as 2 completely different organizations
September 9th, 2011 11:05pm
What I don't understand is, how and/or where is that public cert located on this private domain? How can I remove it from this local private domain?
September 9th, 2011 11:06pm
Is this Win2003? Launch IIS Manager: Start menu, Run, type inetmgr. Web Sites, Default Web Site, Properties, Directory Security, View Certificate.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 11:10pm
I've done that but it doesn't show the public certificate anywhere yet the public shows when any client tries to connect.
September 9th, 2011 11:24pm
Is this an SBS server?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
September 9th, 2011 11:29pm
No, Windows 2003 Std, Exchange 2007
September 9th, 2011 11:36pm
Hi,
I assume that your users have a primary SMTP address with @localdomain.net?
I agree with AndyD that using a self-signed cert is really a bad idea.
If you don't want to use a 3rd party certificate, that's fine, but you really need a certificate the clients will trust.
Issue a certificate with the names needed from a local Certificate Authority if you have one.
Can you run the following commands and post the output?
Get-WebServicesVirtualDirectory | fl Name,*url*
Get-ExchangeCertificate | fl
Martina Miskovic
September 10th, 2011 1:50am
This is not a question of what kind of certificate is better; obviously using a self signed cert is not ideal. The problem is that somehow there is a cert for a domain that has nothing to do with this domain installed on and being used by this server, and I can't find where to get rid of it. Think of it this way: this organization is www.abc.net, yet there is a certificate for *.notmydomain.com installed here.
When I run Get-ExchangeCertificate | fl, it only shows a self signed certificate for www.abc.net, but somehow in the details of the cert error on the Outlook client it shows that it's a cert for www.abc.net issued by *.notmydomain.com, therefore causing a mismatch.
September 10th, 2011 10:15am
Check the Certificate store MMC and see if it's listed there.
Are the Outlook clients actually accessing an external Cert?
Run Test E-mail AutoConfiguration
http://www.addictivetips.com/microsoft-office/outlook-2010-test-email-auto-configuration/
and check the URLS Outlook is contacting. Are all of them local and valid?
September 10th, 2011 10:29am
On Sat, 10 Sep 2011 14:21:07 +0000, AndyD_ wrote:
>Check the Certificate store MMC and see if its listed there under.
And be sure to check the Local Machine's certificate store!
Another place to look might be on an ISA server or load-balancer or
SSL offloading device. Many of those have certificates installed on
them, too.
---
Rich Matheisen
MCSE+I, Exchange MVP
September 10th, 2011 12:33pm
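An added diagnostic for the question the last few replies circle around (which certificate is actually reaching the clients, and whether Exchange or the Local Machine store knows it); this is not code from the thread. It assumes the Exchange Management Shell on the server, and `$hostName` is a placeholder from the question; the `Get-PresentedCertificate` part alone also runs in plain PowerShell on a workstation, which shows what that client sees.

```powershell
# Added example, not code from the thread: observe which certificate the server
# actually hands to clients on 443 and check it against Exchange's certificate
# list and the Local Machine store, as the replies above suggest.
$hostName = 'mail.localdomain.net'   # placeholder: the name Outlook connects to
$port = 443

function Get-PresentedCertificate {
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Accept whatever is presented: we only want to look at it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

$presented = Get-PresentedCertificate -Server $hostName -Port $port
"Presented on {0}:{1}" -f $hostName, $port
"  Subject:    {0}" -f $presented.Subject
"  Issuer:     {0}" -f $presented.Issuer
"  Thumbprint: {0}" -f $presented.Thumbprint

# Does Exchange know this certificate at all?
$known = @(Get-ExchangeCertificate | ForEach-Object { $_.Thumbprint })
if ($known -contains $presented.Thumbprint) {
    "Exchange lists this certificate; check which Services it is enabled for."
} else {
    "Not in Get-ExchangeCertificate output: look at IIS bindings, ISA, a load balancer or an SSL offloader in front of the CAS."
}

# Search every Local Machine store for the same thumbprint (Rich's point above).
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $presented.Thumbprint } |
    Select-Object PSParentPath, Subject, Issuer
```

If the thumbprint seen from a workstation differs from the one seen on the server itself, something between the two (a proxy, ISA, load balancer or offloader) is terminating TLS with its own certificate.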
Hello,
If you have to use the "*.publicdomain.com" wildcard certificate for OWA and your Outlook clients, then you need to make the following changes to avoid certificate mismatch warnings:
1. Change the autodiscover SCP to https://autodiscover.publicdomain.com/autodiscover/autodiscover.xml
2. Point autodiscover.publicdomain.com to the CAS server.
3. Change the EWS, OAB and UM internal URLs to:
EWS: https://autodiscover.publicdomain.com/EWS/exchange.asmx
OAB: https://autodiscover.publicdomain.com/OAB
UM: https://autodiscover.publicdomain.com/EWS/UMlegacy2007/asmx
Set-UMVirtualDirectory
http://technet.microsoft.com/en-us/library/bb124335(EXCHG.80).aspx
Set-WebServicesVirtualDirectory
http://technet.microsoft.com/en-us/library/aa997233(EXCHG.80).aspx
Set-OABVirtualDirectory
http://technet.microsoft.com/en-us/library/bb124707(EXCHG.80).aspx
Thanks,
Simon
September 14th, 2011 4:22am
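The three steps in the reply above as one added script; this is not code from the thread. It assumes the Exchange Management Shell, `$cas` is a placeholder server name, the wildcard certificate is already bound to IIS with Enable-ExchangeCertificate, and the UM path used is the Exchange 2007 default, which is written differently in the post above.

```powershell
# Added example, not code from the thread: apply the URL changes Simon lists so
# that every service name Outlook is given falls under the wildcard
# *.publicdomain.com. Run in the Exchange Management Shell.
$cas  = 'PDC'                                # placeholder: CAS server name
$base = 'https://autodiscover.publicdomain.com'

# 1. Autodiscover SCP that domain-joined Outlook reads from Active Directory.
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "$base/autodiscover/autodiscover.xml"

# 2. autodiscover.publicdomain.com must resolve to this CAS in the DNS the
#    clients use (internal and external); that is a DNS change, not a cmdlet.

# 3. Internal URLs for EWS, OAB and UM (UM path is the Exchange 2007 default).
Get-WebServicesVirtualDirectory -Server $cas |
    Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx"
Get-OABVirtualDirectory -Server $cas |
    Set-OABVirtualDirectory -InternalUrl "$base/OAB"
Get-UMVirtualDirectory -Server $cas |
    Set-UMVirtualDirectory -InternalUrl "$base/UnifiedMessaging/Service.asmx"

# Verify: every InternalUrl should now carry the wildcard-covered name.
Get-ClientAccessServer -Identity $cas | Format-List Name, AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List Name, *Url*
Get-OABVirtualDirectory -Server $cas | Format-List Name, *Url*
Get-UMVirtualDirectory -Server $cas | Format-List Name, *Url*

# Outlook re-reads these on restart; Test-OutlookWebServices (Exchange 2007 SP1
# and later) exercises Autodiscover, EWS, OAB and UM end to end.
Test-OutlookWebServices | Format-Table Id, Type, Message -AutoSize
```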
Okay, I've checked and I don't get the mismatch when Outlook is used/installed on the Exchange server itself, only on the client workstations. It however doesn't matter if they are domain machines or workgroup computers that connect and get the mismatch.
I setup a new clean machine that never was joined to the domain and when I connect with Outlook, I still get the mismatch message.
There are no certificates on either of our servers when I searched for the public cert in the MMC for both the current user and the local computer.
September 20th, 2011 11:56am