certificate frustration
Exchange 2007 SP3 Rollup 7. A new Exchange server was added to a site with an existing Exchange server. Roles included on the new server are UM, MBX, and HUB. After the mailbox is moved to the new server, users get a certificate error when they attempt to use the "play on phone" feature. The certificate displayed is that of the old server where their mailbox used to live.

Comparing the old self-signed server cert and the new self-signed server cert, I notice that IIS isn't included as a service in the self-signed certificate on the new server. So, I set about creating a new self-signed certificate on the new server for services IIS, UM, and SMTP:

    New-ExchangeCertificate -PrivateKeyExportable $True -Services "IIS, UM, SMTP" -SubjectName "cn=ServerName.CompanyName.com"

I'm prompted to overwrite the existing default SMTP certificate, to which I respond "yes", and the command completes successfully. Next, I run:

    Get-ExchangeCertificate | fl

I see the new certificate, but it only lists UM and SMTP for the services (no IIS). Next I run:

    Enable-ExchangeCertificate -Thumbprint xxxxxxxSomeLongStringxxxxxxxxxx -Services "IIS, UM, SMTP"

The command runs without error. Next, I again run Get-ExchangeCertificate | fl, but it still shows only UM and SMTP! What am I doing wrong? Is this even the right way to fix the play on phone issue? Thanks in advance!
August 28th, 2012 3:58pm
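As an added example (not part of the original post or of Exchange itself), the following Exchange Management Shell script does what the poster was trying to do by hand: it lists every certificate with its service bindings, picks the one whose subject or SAN list matches the server's FQDN, enables any services that are missing, and then re-reads the certificate rather than trusting the absence of an error from Enable-ExchangeCertificate. The FQDN and the list of wanted services are assumed placeholders.

```powershell
# Added example, not from the original thread. Run from the Exchange Management Shell
# on the server whose certificate you are checking.
# $ServerFqdn and $WantedServices are assumed placeholders; adjust for your environment.

$ServerFqdn     = "ServerName.CompanyName.com"   # placeholder (assumed)
$WantedServices = @("IIS", "UM", "SMTP")         # services the cert should be bound to

# One line per certificate: thumbprint, bound services, self-signed flag, expiry, covered names.
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, IsSelfSigned, NotAfter, CertificateDomains -AutoSize

# Pick the newest certificate whose subject CN or SAN list contains the server FQDN.
$cert = Get-ExchangeCertificate | Where-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    ($domains -contains $ServerFqdn) -or ($_.Subject -like "*CN=$ServerFqdn*")
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate found whose subject or SAN covers $ServerFqdn."
    return
}

# Services renders as e.g. "IMAP, POP, UM, SMTP"; split it to compare with the wanted list.
$bound   = @($cert.Services.ToString() -split ",\s*")
$missing = @($WantedServices | Where-Object { $bound -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning ("Certificate {0} is not bound to: {1}" -f $cert.Thumbprint, ($missing -join ", "))

    # Bind the full wanted set; overwriting the default SMTP cert prompts for confirmation.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($WantedServices -join ", ")

    # Re-read the certificate: "no error" from Enable-ExchangeCertificate is not proof the binding changed.
    $after = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    "Services now bound to $($cert.Thumbprint): $($after.Services)"
} else {
    "Certificate $($cert.Thumbprint) is already bound to: $($bound -join ', ')"
}

# A self-signed cert still produces a trust warning on clients that do not have it in their
# trusted root store; binding IIS to it only fixes the name mismatch, not the trust chain.
if ($cert.IsSelfSigned) {
    Write-Warning "Certificate $($cert.Thumbprint) is self-signed; clients will warn unless they trust it or it is replaced by a CA-issued cert."
}
```

If the re-read still shows no IIS after Enable-ExchangeCertificate, the IIS binding was not applied on this server, and the certificate error the users see is coming from whichever server actually terminates their HTTPS connection, which is the point the next reply raises.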

Where is the CAS (Client Access Server) role? Still on the old server? If so, that's where clients will connect for everything but the full Outlook client (with E2K7, unlike E2K10). Even if the cert for the new server had the IIS component, it would not be used, since the CAS functionality (if I follow your description correctly: UM, MB and HT but not CA on the new server) remains on the old server. Did the users get any errors before their mailboxes were moved? * Yes, I know it's E2K10 (my search terms were for "exchange 2007 cas um interaction") but the first diagram shows that mobile phone clients will go to the CAS first before interacting with the UM: http://technet.microsoft.com/en-us/library/bb125141.aspx Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
August 28th, 2012 9:09pm

Sorry, left out a key piece of information. There's a second existing server at the site, a dedicated CAS box. The old server had the CAS role installed too, so given that there was already a dedicated CAS at the site we decided to build the new server with just UM, HUB, and MBX. So for whatever reason, clients still want to go to the old server for CAS-related interactions. How do I get them to recognize the dedicated CAS instead? No, users did not get errors before they were moved. Is it possible that once the old server is removed (gracefully) the clients will automatically start looking to the dedicated CAS? That's not really a risk I'm willing to take without some kind of documentation to back that theory up. Thanks!
August 29th, 2012 8:55am

"After the mailbox is moved to the new server, users get a certificate error when they attempt to use the "play on phone" feature." But everything else (OWA, for example) is OK for the users of the moved mailboxes? If so, I'd venture to guess there's something related to UM you need to adjust. Unfortunately, I do not use and am not familiar with UM configuration (just superficial knowledge of what it is and does). Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
August 29th, 2012 7:17pm

Two-part solution, although I'm at a loss to explain it.

1. On the dedicated CAS server I had to add the external URL address via Set-UMVirtualDirectory. Essentially I just duplicated what was already in the internal URL field (i.e. http://HostName.CompanyName.com/UnifiedMessaging/Service.asmx). The field was previously empty.

2. After the above change, users no longer got the certificate error; however, they started getting a different error about the Exchange server not being reachable. The fix for that one was to change the Outlook Anywhere connection settings on the client so that "On fast networks, connect using HTTP first..." was checked. If neither were checked, or if only "On slow networks..." was checked, the client would get the 'not reachable' error. Weird, but now resolved. :)
August 31st, 2012 12:10pm
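As an added example (not from the original thread), this Exchange Management Shell script performs step 1 of the solution above in a checkable way: it shows the current internal and external URLs of the UM virtual directory on the CAS, fills in the external URL only where it is empty, and then confirms that the host name in that URL is actually covered by the certificate bound to IIS on the CAS. Unlike the poster's value, the example assumes an https URL, since an http external URL would not be protected by the certificate at all. The CAS host name and URL are placeholders; run it on the CAS itself, because Get-ExchangeCertificate here is called without a server parameter.

```powershell
# Added example, not from the original thread. Run from the Exchange Management Shell
# on the dedicated CAS server. Host names and the URL are assumed placeholders.

$CasServer   = "CasHostName"                                                          # placeholder (assumed)
$ExternalUrl = "https://CasHostName.CompanyName.com/UnifiedMessaging/Service.asmx"   # placeholder (assumed)

# Show what the UM virtual directory currently advertises to clients.
Get-UMVirtualDirectory -Server $CasServer | Format-List Identity, InternalUrl, ExternalUrl

# Fill in ExternalUrl only where it is still empty, so an existing deliberate value is not clobbered.
foreach ($vdir in Get-UMVirtualDirectory -Server $CasServer) {
    if (-not $vdir.ExternalUrl) {
        "Setting ExternalUrl on $($vdir.Identity) to $ExternalUrl"
        Set-UMVirtualDirectory -Identity $vdir.Identity -ExternalUrl $ExternalUrl
    } else {
        "$($vdir.Identity) already has ExternalUrl $($vdir.ExternalUrl); leaving it alone"
    }
}

# Re-read to verify the change was applied.
Get-UMVirtualDirectory -Server $CasServer | Format-List Identity, InternalUrl, ExternalUrl

# The certificate error clients see comes from the name in the URL vs. the cert bound to IIS.
# Check that the URL host appears in the subject or SAN list of the IIS-bound certificate.
$urlHost = ([uri]$ExternalUrl).Host
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "\bIIS\b" }

if (-not $iisCert) {
    Write-Warning "No certificate on this CAS is bound to IIS; every HTTPS client will get a certificate error."
} else {
    foreach ($c in $iisCert) {
        $names = @($c.CertificateDomains | ForEach-Object { $_.ToString() })
        if (($names -contains $urlHost) -or ($c.Subject -like "*CN=$urlHost*")) {
            "OK: IIS certificate $($c.Thumbprint) covers $urlHost (expires $($c.NotAfter))"
        } else {
            Write-Warning "IIS certificate $($c.Thumbprint) does not cover $urlHost (covers: $($names -join ', ')); clients will see a name mismatch."
        }
    }
}
```

The name check is the part worth keeping around: after a CAS is added or a certificate is replaced, a mismatch between the URLs the virtual directories advertise and the names on the IIS-bound certificate shows up to users exactly as the "wrong server's certificate" symptom described at the top of this thread.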
