Exchange 2010 - Self Signed Cert being Handed out for IMAP SMTP?
Hi everyone, I'm having a strange cert issue that has all of a sudden started occurring. I have a SAN cert with IMAP.xxxx.com, mail.xxxx.com, Autodiscover.xxxx.com, Exchange.xxxx.com, etc., and it is assigned to all my Exchange services (SMTP, IMAP, IIS, POP). There is also a second, self-signed cert on both CAS servers (servername.internalxxxx.com) that was already on the box and is assigned to SMTP by default (the check box is selected and grayed out in EMC). Now, for whatever reason, my IMAP users are being issued this self-signed cert for their outgoing SMTP server connections. The clients then throw an error because it's self-signed. How do I force Exchange to give out the proper SAN cert for this function? The SAN cert works properly in all other cases, just not for these IMAP SMTP users. Thanks!
August 15th, 2012 10:21am

I would remove the self cert and assign those services to the new cert. You can only have one cert assigned to services, although it may show both. Sukh
August 15th, 2012 10:27am

>>> I would remove the self cert and assign those services to the new cert. You can only have one cert assigned to services, although it may show both. Sukh
Thanks Sukh. I didn't want to just delete the cert, because I didn't know if it was used in any other internal capacity in the environment.
August 15th, 2012 10:36am

As long as the cert is assigned to the correct services it will be fine. You can always recreate the self cert easily. Sukh
August 15th, 2012 10:48am

When I removed the self-signed certs from both CAS servers, users started getting "Your server does not support the connection encryption type selected" when using TLS over port 587. The UCC cert in question is assigned to SMTP. I have also confirmed that the client receive connector is configured with the following settings. Network tab: ports 587/465 on all IPv4/IPv6 addresses. Authentication tab, checked items: TLS, Basic Auth, Exchange Server Auth, and Integrated Windows Auth. Permission Groups tab: Anonymous and Exchange users are checked. These are the same settings we have been using for 12+ months, and they were working before I removed the self-signed cert. Any idea why that would affect this? Thanks!
August 21st, 2012 3:42pm

Try assigning the original self-signed certificate back to the service, and import the certificate into the clients' Trusted Root store. You can do this using GPO: http://technet.microsoft.com/en-us/library/cc738131%28v=ws.10%29.aspx Cheers, Zvi
August 22nd, 2012 4:23pm

Hi, please first run the command Get-ExchangeCertificate | fl and post the result here. Then check the IMAP authentication properties: see whether the third box is checked and your SAN certificate name is under the X.509 certificate name (EMC -> Server Configuration -> Client Access -> POP3 and IMAP4). Hope this helps. Thanks, CastinLu, TechNet Community Support. Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
August 22nd, 2012 9:09pm

>>> Try assigning the original self-signed certificate back to the service, and import the certificate into the clients' Trusted Root store. You can do this using GPO: http://technet.microsoft.com/en-us/library/cc738131%28v=ws.10%29.aspx Cheers, Zvi
I looked in the event viewer and saw this error:
>>> Microsoft Exchange could not find a certificate that contains the domain name CH1.internaldomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Intra-Organization SMTP Send Connector with a FQDN parameter of CH1.internaldomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
I placed that self-cert back into the personal store, and it started working again. But it also re-populated within Exchange and assigned SMTP to it (my UCC cert was still there). So I'm back where I started... any ideas? As for pushing that cert to clients via GPO, that is not an option. The very few people who are using IMAP are only doing so on external networks with non-domain computers.
August 23rd, 2012 1:51pm

Hi, if you can, add CH1.internaldomain.com to your SAN certificate, delete the self-signed certificate and try again. Internal users will connect using the internal FQDN, so that FQDN should be included in the certificate.
>>> I placed that self-cert back into the personal store, and it started working again. But it also re-populated within Exchange and assigned SMTP to it (my UCC cert was still there). So I'm back where I started... any ideas?
If you can't do the above, could you post the whole error here? Hope this helps. Thanks, CastinLu, TechNet Community Support
August 23rd, 2012 10:27pm

Hi, if you can, add CH1.internaldomain.com to your SAN certificate, delete the self-signed certificate and try again. Hope this helps. Thanks, CastinLu, TechNet Community Support
August 23rd, 2012 10:31pm
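The thread never quite closes the loop, so here is an added audit script (not code from any of the posters or from Microsoft) that puts the two observations together: Exchange transport presents the certificate whose Subject/SAN matches the connector's Fqdn, so the intra-org send connector (Fqdn = server FQDN, e.g. CH1.internaldomain.com) genuinely needs the self-signed cert, while a client submission connector on 587 only hands out the CA-issued SAN cert if its own Fqdn is a name that cert contains. The script is read-only; it prints the Set-ReceiveConnector commands rather than running them. Run it in the Exchange Management Shell on each CAS/Hub server. The names mail.xxxx.com and CH1.internaldomain.com are placeholders taken from the thread, and the Test-DomainCovered helper is this example's own.

```powershell
# Added example for this thread, not code from the original posts or from Microsoft.
# Read-only audit: which certificate will Exchange 2010 transport present for STARTTLS
# on each connector, and what Set-ReceiveConnector change makes the CA-issued SAN cert
# the one IMAP/SMTP clients see. Run in the Exchange Management Shell on the CAS/Hub.
# Assumed placeholders (mirroring the thread): mail.xxxx.com is in the SAN cert; the
# server's own FQDN (e.g. CH1.internaldomain.com) is only in the self-signed cert.

param(
    [string]$PublicName = 'mail.xxxx.com',  # the SMTP server name IMAP users type in
    [int]$ClientPort    = 587
)

# Does a certificate's Subject/SAN list cover an FQDN? A wildcard matches one label only.
function Test-DomainCovered {
    param([string]$Fqdn, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -ieq $Fqdn) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                                   # '*.xxxx.com' -> '.xxxx.com'
            $prefix = $Fqdn.Substring(0, [Math]::Max(0, $Fqdn.Length - $suffix.Length))
            if ($Fqdn.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $prefix -ne '' -and -not $prefix.Contains('.')) { return $true }
        }
    }
    return $false
}

$smtpCerts = Get-ExchangeCertificate -Server $env:COMPUTERNAME | Where-Object { $_.Services -match 'SMTP' }
Write-Host 'Certificates enabled for the SMTP service on this server:'
$smtpCerts | Format-Table Thumbprint, IsSelfSigned, NotAfter,
    @{ n = 'Domains'; e = { $_.CertificateDomains -join ', ' } } -AutoSize

# 1. Server-to-server TLS (the "Intra-Organization SMTP Send Connector" event in the
#    thread) needs a certificate that matches the server's own FQDN. Normally only the
#    self-signed cert does, which is why deleting it broke STARTTLS between servers.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverCert = @($smtpCerts | Where-Object { Test-DomainCovered $serverFqdn $_.CertificateDomains })
if ($serverCert.Count -eq 0) {
    Write-Host "WARN: no SMTP-enabled certificate covers $serverFqdn; intra-org STARTTLS will fail."
    Write-Host '      Keep (or recreate with New-ExchangeCertificate) a self-signed cert for this name.'
} elseif ($serverCert | Where-Object { $_.IsSelfSigned }) {
    Write-Host "OK:   $serverFqdn is covered by the self-signed cert; leave it in place for server-to-server TLS."
}

# 2. Client submission connectors: transport picks the cert by matching the connector's
#    Fqdn, so that Fqdn must be a name present in the CA-issued certificate.
$clientConnectors = Get-ReceiveConnector -Server $env:COMPUTERNAME | Where-Object {
    @($_.Bindings | Where-Object { $_.Port -eq $ClientPort }).Count -gt 0
}
foreach ($rc in $clientConnectors) {
    $fqdn     = $rc.Fqdn.ToString()
    $matching = @($smtpCerts | Where-Object { Test-DomainCovered $fqdn $_.CertificateDomains })
    $trusted  = @($matching | Where-Object { -not $_.IsSelfSigned })
    Write-Host "`nConnector '$($rc.Identity)' announces FQDN $fqdn on port $ClientPort"
    if ($trusted.Count -gt 0) {
        Write-Host "  OK: CA-issued cert $($trusted[0].Thumbprint) matches; clients should see it."
        continue
    }
    if ($matching.Count -gt 0) { Write-Host '  WARN: only the self-signed cert matches; clients get a trust error.' }
    else                       { Write-Host '  WARN: no SMTP-enabled cert matches this FQDN; STARTTLS will be refused.' }
    Write-Host '  Suggested fix (review, then run):'
    if ($rc.AuthMechanism -match 'ExchangeServer') {
        # Exchange rejects a non-server Fqdn while Exchange Server authentication is enabled,
        # and a connector that only serves mail clients does not need that mechanism.
        Write-Host "    Set-ReceiveConnector '$($rc.Identity)' -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS,Integrated"
    }
    Write-Host "    Set-ReceiveConnector '$($rc.Identity)' -Fqdn $PublicName"
}
```

The grayed-out SMTP check box on the self-signed cert in EMC is expected: Exchange keeps a certificate for the server's own FQDN enabled for SMTP, and removing it is what produced the "could not find a certificate that contains the domain name CH1.internaldomain.com" event. Leaving that cert alone and pointing the 587 connector's Fqdn at a name in the SAN cert changes which certificate clients are offered without touching the intra-org connector. After the change, restart the Microsoft Exchange Transport service and confirm from an external client that the certificate offered after STARTTLS on 587 is the CA-issued one.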
