Use same certificate internally as externally
We have an exchangeserver called "Exchange" joined to the domain "example.com". We also have our public domain called "example.com".
We have a certificate (used for SMTP, IMAP, IIS and POP) for "mail.example.com". Everything works great from the outside. However, on the inside, when a user starts Exchange for the first time, Outlook uses "exchange.example.com", which results in a mismatch to the certificate.
I have followed the instructions on http://support.microsoft.com/kb/940726 to change autodiscovery to match the certificate. However, when running Outlook 2007 it still attempts the internal server name, which of course does not match the server certificate and results in an error.
Running the command Test-OutlookWebServices | FL results in:
Id : 1104
Type : Error
Message : The certificate for the URL https://exchange.example.com/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of exchange.example.com, instead the subject found is mail.example.com. Consider correcting service discovery, or installing a correct SSL certificate.
Are there any additional actions needed to remove exchange.example.com from autodiscovery (internally)?
Regards,
Jonas
July 17th, 2012 10:15am
Looks like you didn't run the last part of the doc.
Set-ClientAccessServer -Identity <CASServerName> -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 17th, 2012 10:25am
Ah, that is correct, thank you! However, after running that command (with "exchange" as -Identity), Outlook tells me "The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action".
I also don't exactly understand this part of the KB: "The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following: https://ServerName.contoso.com/ews/exchange.asmx"
What should I do to confirm this?
I have added a host record in the internal DNS for mail.example.com pointing to the IP of the server "exchange". Are there any additional DNS changes I have to make?
Regards,
Jonas
July 17th, 2012 10:44am
You have something else going on if you're getting the "The connection to the Microsoft Exchange Server is unavailable"; that has nothing to do with web services or certs. Are you sure all Exchange services are running? Can you log into webmail?
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 17th, 2012 11:07am
It appeared to be a temporary connection issue. However, I am not sure, but the Outlook error message might have changed; now it is "there is a problem with the proxy server's security certificate". The Outlook configuration guide goes well until all three steps have got the green check mark. Then a logon prompt appears. I enter my domain credentials, and just after that the error message appears. After I click OK, Outlook just shows "Trying to connect to Microsoft Exchange" and nothing more happens.
Are there any more settings that need to be correct? How can I verify those?
Thank you.
Jonas
July 17th, 2012 12:25pm
A cert mismatch won't stop you from connecting unless it's trying to connect over Outlook Anywhere. Can you look at the Outlook Anywhere config and see what URL you're using? Make sure it's using the mail.company.com
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 17th, 2012 2:03pm
Well, Outlook Anywhere is not enabled at the moment, and I would prefer to not have any certificate issue at all, neither internal nor external (OWA is working as expected).
Every time I start Outlook the login prompt appears. After which the cert error appears. After that Outlook tries to connect without success.
What would be the next steps to configure or verify? The service connection point in the AD seems to be correct.
Thank you.
Jonas
July 18th, 2012 2:31am
If possible can you perform an iisreset /noforce ?
Also test OLK autoconfig and see what URLs OLK is using?
Sukh
July 18th, 2012 3:02am
Hi Jonas,
Please verify that you have modified the InternalURLs and *URI on the CAS server correctly.
Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl
Get-OabVirtualDirectory | fl Identity,internalurl,externalurl
Get-ClientAccessServer | fl Identity,*uri*
Post the output here if you need help with this.
Martina Miskovic
July 18th, 2012 3:35am
Thank you Martina. Below is the output. From what I can see, it looks correct:
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity, internalurl,externalurl
Identity : EXCHANGE\EWS (Default Web Site)
InternalUrl : https://mail.example.com/ews/exchange.asmx
ExternalUrl : https://EXCHANGE.example.com/ews/exchange.asmx
[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl identity,internalurl,externalurl
Identity : EXCHANGE\OAB (Default Web Site)
InternalUrl : https://mail.example.com/oab
ExternalUrl : https://EXCHANGE.example.com/OAB
[PS] C:\Windows\system32>Get-ClientAccessServer | fl Identity, *uri*
Identity : EXCHANGE
AutoDiscoverServiceInternalUri : https://mail.example.com/autodiscover/autodiscover.xml
I also ran the following command but am not sure if it is relevant:
[PS] C:\Windows\system32>Get-Autodiscovervirtualdirectory | Fl identity,internalurl,externalurl
Identity : EXCHANGE\Autodiscover (Default Web Site)
InternalUrl :
ExternalUrl :
Thank you,
Jonas Haglund
July 18th, 2012 3:46am
Thank you Sukh, I have run iisreset /noforce but it times out. Instead I used Service Manager to manually stop (takes almost a minute) and start the w3svc service. I have also restarted the server.
What is OLK autoconfig?
Regards,
Jonas
July 18th, 2012 3:48am
With the above settings, I'm surprised that you wrote "Everything works great from the outside".
All your ExternalURLs are wrong and you really should change them BEFORE you enable Outlook Anywhere.
Do you have a trusted certificate from a public Issuer installed, or?
Can you run Get-Exchangecertificate | fl and post the output?
Please also run Test-ServiceHealth and check that all required services are running.
Nothing wrong with the URLs for the AutodiscoverVirtualDirectory. They are not used.
Martina Miskovic
July 18th, 2012 3:53am
Thank you. I will look into the ExternalURLs before Outlook Anywhere! A clarification: OWA works without certificate issues.
Cert info (two default self-issued and one from USERTRUST):
[PS] C:\Windows\system32>Get-Exchangecertificate | fl
AccessRules :
CertificateDomains : {example.com, autodiscover.example.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=example.com
NotAfter : 2017-07-13 10:40:43
NotBefore : 2012-07-13 10:40:43
PublicKeySize : 2048
RootCAType : None
SerialNumber : 22F0DAC54170F19D40B3E5DD06E8FB5F
Services : SMTP
Status : Valid
Subject : CN=example.com
Thumbprint : B1AE97449D72878C4F74669850F07918975F882F
AccessRules :
CertificateDomains : {EXCHANGE, EXCHANGE.example.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=EXCHANGE
NotAfter : 2017-07-12 12:15:35
NotBefore : 2012-07-12 12:15:35
PublicKeySize : 2048
RootCAType : None
SerialNumber : 1B7D6EC8B3DC3B9D400EFD34797A774F
Services : SMTP
Status : Valid
Subject : CN=EXCHANGE
Thumbprint : 98C4E2AA12F8170301D7ABB69C23018A85A8B1F8
AccessRules :
CertificateDomains : {mail.example.com, app1.example.com, app2.example.com, app3.example.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
NotAfter : 2014-09-08 01:59:59
NotBefore : 2012-01-12 01:00:00
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 652E7D2F2F04B640D436B6901D8579FD
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=mail.example.com, OU=TRUSTZONE UC SSL, OU=Provided by TRUSTZONE, OU=Example, O=Example, STREET=N/A, L=City, S=CITY, PostalCode=xxxx, C=COM
Thumbprint : 45A9BA9BE77A6739B14F99A64ADBF9C696805888
Thank you.
Jonas
July 18th, 2012 4:02am
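As an added check (example code, not from this thread or from Microsoft), the Exchange Management Shell script below compares the hostnames in the URLs returned by the cmdlets Martina listed, plus the Autodiscover SCP URI, against the CertificateDomains of the certificate enabled for IIS, which is the mismatch Test-OutlookWebServices reports as error 1104. It assumes a single Exchange 2010 server whose IIS-enabled certificate is the one clients see; Test-NameOnCert and the column names are the example's own.

```powershell
# Added example, not from the thread: check every client-facing Exchange 2010 URL
# against the names on the certificate enabled for IIS. A hostname that is not on
# the certificate is the mismatch Test-OutlookWebServices reports as error 1104.
# Run in the Exchange Management Shell; assumes a single server, so the first
# certificate with the IIS service is the one OWA, EWS and Autodiscover present.

$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { throw 'No Exchange certificate is enabled for the IIS service.' }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToLower() })

function Test-NameOnCert([string]$HostName) {
    # True for an exact SAN match, or a wildcard SAN covering exactly one label.
    $h = $HostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and ($h -like ('*' + $n.Substring(1))) -and
            ($h.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

# Gather the URLs Autodiscover hands to Outlook. The Autodiscover vdir itself has
# none; clients reach it via the SCP (AutoDiscoverServiceInternalUri) or a SRV record.
$entries = @()
$vdirs = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
         @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory)
foreach ($vd in $vdirs) {
    foreach ($setting in 'InternalUrl', 'ExternalUrl') {
        $entries += New-Object PSObject -Property @{
            Source = $vd.Identity; Setting = $setting; Url = $vd.$setting }
    }
}
foreach ($cas in Get-ClientAccessServer) {
    $entries += New-Object PSObject -Property @{
        Source = $cas.Identity; Setting = 'AutoDiscoverServiceInternalUri'
        Url = $cas.AutoDiscoverServiceInternalUri }
}

# One row per configured URL; OnCert = False marks a name to fix before
# enabling Outlook Anywhere. Empty URLs are skipped.
$entries | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([System.Uri]$_.Url.ToString()).Host
    New-Object PSObject -Property @{
        Source = $_.Source; Setting = $_.Setting
        Host = $hostName; OnCert = (Test-NameOnCert $hostName) }
} | Sort-Object OnCert, Source | Format-Table Source, Setting, Host, OnCert -AutoSize
```

With the output posted above, the two ExternalUrl rows for EXCHANGE.example.com would show OnCert = False while every mail.example.com row shows True.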
1. Press and hold the CTRL key and then right-click the Outlook icon in the system tray.
2. Click Test e-mail Auto Configuration.
3. In the E-mail Address box, type the alias of the affected user.
4. In the Password box, type the user's password.
5. Click to select the Use Autodiscover check box, and then click Test. Untick both of the Guest...
It should show you the URLs OLK is using. What you want to see is the mail.xxxx.x... and not the Exchange server FQDN.
Sukh
July 18th, 2012 4:16am
Thank you. I successfully removed the certificate with the command you suggested.
This is a single server installation of Exchange 2010 on 2008 R2.
I created the SRV record in our internal DNS (on the DC) for the example.com zone (under Forward Lookup Zones) with the following data:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.example.com
Now Outlook doesn't complain at all about the certificate, not on autoconfigure nor on normal use. However, when I open up the account settings, it says "Microsoft Exchange server: EXCHANGE.example.com". Maybe that is expected? The important thing is that the connection is secure and the users are not confronted with certificate issues (unless there actually is a problem!).
I would say that the issue is resolved as for the internal clients. Do you agree?
July 18th, 2012 4:59am
Yes I agree, and I'm glad to hear that the problem is solved.
You should see the server name in the account settings, or the name of the CAS Array if you had created one, and not the name used for web services.
Martina Miskovic
July 18th, 2012 5:10am
Hi,
One thing that can affect OWA is if the URLs for ECP and EWS are not correct, and you did change the EWS, right?
Run the below commands and post the output:
Get-OwaVirtualDirectory | ft Identity,internalurl,externalurl,*auth*
Get-EcpVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Creating a SRV record does not affect OWA.
How is the post about iPhone ActiveSync related? (I haven't read that thread)
Martina Miskovic
July 20th, 2012 3:35am
Ah, sorry! Now I finally know what "fl" does :-)
[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Identity : EXCHANGE\owa (Default Web Site)
InternalUrl : https://exchange.example.com/owa
ExternalUrl : https://exchange.example.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
ExternalAuthenticationMethods : {Fba}
July 20th, 2012 3:54am
Unfortunately the problem remains unchanged. (Don't know if it is necessary, but I also did an iisreset /noforce.)
Here is the updated output:
[PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Identity : exchange\owa (Default Web Site)
InternalUrl : https://mail.example.com/owa
ExternalUrl : https://mail.example.com/owa
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
ExternalAuthenticationMethods : {Fba}
[PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Identity : exchange\ecp (Default Web Site)
InternalUrl : https://mail.example.com/ecp
ExternalUrl : https://mail.example.com/ecp
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
ExternalAuthenticationMethods : {Fba}
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
Identity : exchange\EWS (Default Web Site)
InternalUrl : https://mail.example.com/ews/exchange.asmx
ExternalUrl : https://mail.example.com/ews/exchange.asmx
CertificateAuthentication :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : False
DigestAuthentication : False
WindowsAuthentication : True
July 20th, 2012 4:16am
Wish I didn't have to tell you this, but yes, I did, and didn't think of it until now. However, I did at that time follow the instructions on the link you provided but for some reason interpreted the different sections in the article as alternatives, not "steps".
Now I followed all of the steps and it works as it should!
Worth mentioning is that the step "Modify permissions on the Offline Address Book web.config file" must be done after (not before) "Use IIS Manager to remove redirection from a virtual directory" otherwise the web.config file won't exist. More info here: http://blogs.msexchange.org/walther/2010/03/22/oab-issues-after-simplifying-the-owa-2010-url/
Thank you. Your help has been invaluable in this matter.
Jonas
July 20th, 2012 5:44am
Good summary there Jonas!
Seems to me that you are super ready to enable Outlook Anywhere now :)
Martina Miskovic
July 20th, 2012 6:23am