Why are my internal Outlook 2K7 clients getting certificate errors when connecting to Exch2K7?

Also see

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

Run through and check all the URL's and change any that don't look correct to you.

http://exchangeshell.wordpress.com/2009/10/17/exchange-2007-internal-and-external-url-urls-autodiscover-availability-imap-pop3-oof-oab

Also, I don't think using 2 certificates is a supported setup for the services provided by the CAS server, such as Autodiscover. You can only have 1 certificate attached to IIS (by using Enable-ExchangeCertificate), which one are you using?

Shaun

Also, how much money can be saved? A SAN certificate valid for 5 years is £150-£200 or less nowadays.

Shaun

Right.. you definately want a UC\SAN cert.. $60 a yea from https://DomainsForExchange.net/

Thanks for all the speedy replies all. Sorry it's taken so long to get back to you. Been trying to digest the wealth of info provided.
Just to provide some additional quick info:
My memory was failing me a bit on my initial post regarding our certificates. It wasn't down to saving money on the cert that we didn't have the netbios and internal fqdn of our CAS server added to the external SAN cert; it was because the cert provider, Digicert (and, for that matter, serveral other providers that we looked at), refused to add them (well, the FQDN anyway) to the cert because our internal domain name looks very similar to our external domain name. In fact, they are only different by one character! Don't ask me why, I know it's daft but this was all done before my time. Basically, every cert provider we looked at said pretty much the same thing: our internal domain name looks too much like a public domain name and that we either needed to register our internal domain name or change it to a .local name, neither of which we (well, my boss anyway) are willing to do. So we really had no choice but to go with having two certs; the Digicert SAN certificate for external access, and the default Ex2K7 single name cert for internal access.
shauncroucher - to answer your question, we've only got the IIS service enabled on the SAN cert (our Digicert external certificate).
If we added an SRV record to our internal DNS server that resolved our external name (mail1.ourexternaldomainname.com) to the internal IP address of the CAS server, would this help at all?

Disregard my last question...was getting desperate but no it won't work.
Is there a way of disabling the autodiscover service for internal clients and is this even something we'd want to try?
Thanks,
Adam

In my experience you need to have both external and internal URL's on one certificate, and this certificate should then be used for IIS.

You may be able to fiddle with the URL's and SCP. If you set the internal DNS to use Split DNS (where you have a zone set up for your external domain URL's to resolve to internal IP's) and set all Internal URL's to the external URL in the certificate it may work but I just don't know, it is pretty far off normal design.

Shaun

After more trolling, it doesn't appear that you can disable the autodiscover service for internal clients (at least, not that I've found). Doesn't sound like a good idea anyway. Not sure the split dns option will work either but thanks for the suggestion shaun. Seems we're in quite the pickle. If you have any other idea's please do let me know. Will keep checking back.

Shauncroucher:
Going to go ahead and mark your last entry as the accepted solution. This looks very much like what we are going to be doing. Made the decision last night to contact Nominet today and discuss prices/fees. Once we can get a valid "whois" for our internal domain, we'll be able to have Digicert verify it and add the FQDN to our external cert. Seems like the only way to rectify this. Thanks all.
Adam

Shauncroucher's suggestion coincided with our own. He offered several different and very viable suggestions for a solution.