Outlook 2007 prompts for certificate on Exchange 2007 2 times

Posted on 2009-04-16
Last Modified: 2012-05-06
I have deployed an SBS 2008 server. Originally, I purchased 1 single SSL certificate so that users could access OWA remotely. That worked fine. What doesn't work fine is internal Outlook 2007 clients get prompted 2 times for certificates when they connect. So researching I determined that we needed a UCC certificate due to the changes on 2007 and use of web services...ok. So I get the certificate requested, procured and imported, and still we get prompted 2 times for the certificate issue. The error in both prompts indicates the name is not valid or does not match the name on the certificate. So a little more research is telling me that I may need to enable and configure an SCP in AD for the Autodiscover service???? When I created the UCC certificate I left out because I did not understand it. Is this my problem? How do I solve this issue with the certificate prompts?? My code for the cert req is below. I'm thinking it may be wrong AND I need to configure this Autodiscover business, but the light bulb just isn't lit to understand why and how, and whether this is my problem. So I put this to my colleagues, and thanks for feedback in advance.

In my case I have a .local domain and a .org external FQDN
mx record points to
sbs remote workplace is
both are same ip...single static available.

My client will only use OWA and internal outlook 2007.
New-ExchangeCertificate -generaterequest -subjectname "c=us,l=Mytown, s=Mystate, o=My Organization Name," -domainname server,server.domain.local,, -PrivateKeyExportable $true -path c:\certrequest.txt


Question by:smartsystemsinc
    LVL 9

    Accepted Solution

    Hi, since you changed the certificate on the Exchange Server, you need to update the internal/external URLs (SCP) for Autodiscover, OAB, EWS etc.

    Check out the KB article to fix the Certificate prompt issue.

    PS: You need to modify the URLs to the name you have registered on the Certificate (

    I am also modifying the certificate request command, so that it can be used to request a SAN (UCC) certificate.

    New-ExchangeCertificate -generaterequest -path c:\certrequest.txt -subjectname "c=us,l=Mytown, s=Mystate, o=My Organization Name," -domainname,, server,server.domain.local -PrivateKeyExportable

    And yes, a SAN (UCC) certificate is definitely required for Autodiscover to work smoothly, however you have other options as well. Check out the Autodiscover Whitepaper (

    Let us know if you are still having issues...

    Author Comment

    OK, I'm starting to understand. I don't know why I didn't come across the MS article in my research. In any case, what about my existing certificate? Do I need to remove, and then modify per the syntax you provided with Autodiscover and then re-import? Thanks very much.

    Author Comment

    Per the MS article I modified as indicated but I received syntax errors on the second and third item.

    When I put in

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

    As my syntax: Set-WebServicesVirtualDirectory -Identity "server.domain.local\EWS (Default Web Site)" -InternalUrl

    I GET
    Set-OabVirtualDirectory : The operation could not be performed because object '
    server.domain.local\oab' could not be found on domain controller 'SERVER.domain.l
    At line:1 char:24
    + Set-OABVirtualDirectory  <<<< -Identity server.domain.local\oab -InternalUrl h

    Is this because the site doesn't exist or is my syntax incorrect? I wasn't sure about taking or leaving the quotes.


    Author Comment

    Could I please get an update on this post? I appreciate your time.

    Author Comment

    I still have a problem with certificates. I ran the second script in the shell and I received the attached code.
    Any help would be appreciated.
    Set-WebServicesVirtualDirectory : The operation could not be performed because
    object 'server.domain.local\EWS (Default Web Site)' could not be found on domain
     controller 'SERVER.ngcsd.local'.



    Author Closing Comment

    I know that the expert has the right solution but after repeated attempts to get help on the second script I didn't hear anything back. Just trying to keep it real. I will post it as a separate question.
    LVL 9

    Expert Comment

    Oopsss.. I was on vacation, so couldn't respond. Anyways, the command you are using for Set-WebServicesVirtualDirectory is incorrect. You need to use the NetBIOS name of the Exchange Server instead of the FQDN, so the correct command is,

    Set-WebServicesVirtualDirectory -Identity "server\EWS (Default Web Site)" -InternalUrl

    PS: To confirm the same, run "Get-WebServicesVirtualDirectory | fl" and look out for the parameter "-Identity"

    Expert Comment

    I just want to point out that the "Get-WebServicesVirtualDirectory | fl" cmdlet was very useful. Everything I had looked at previously referenced -Identity "server\EWS (Default Web Site)", but I got an error when I did that saying the object could not be found. Running the above cmdlet, I found the current identity was actually "server\EWS (SBS Web Applications)". Once I found that out, the rest of the process went smoothly. Thanks!
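
The thread's two sticking points, the exact -Identity string and whether each internal URL uses a name that is on the certificate, can be checked in one read-only pass. This is an added example, not code from any poster or from the Microsoft article; it assumes the certificate of interest is the one enabled for IIS and uses only syntax that works in the PowerShell 1.0 shell that Exchange 2007 ships with.

```powershell
# Added example: read-only check, run in the Exchange Management Shell.
# Assumption: the certificate Outlook is shown is the one enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service.' }

# Names the certificate covers (subject plus subject alternative names).
# Wildcard entries are not expanded here; only exact host names match.
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

# Collect each internal URL handed to Outlook 2007, labelled with the
# Identity exactly as the matching Set-* cmdlet expects it.
$targets = @()
Get-ClientAccessServer | ForEach-Object {
    $targets += ,@("Autodiscover SCP on $($_.Name)", $_.AutoDiscoverServiceInternalUri)
}
Get-WebServicesVirtualDirectory | ForEach-Object {
    $targets += ,@("EWS: $($_.Identity)", $_.InternalUrl)
}
Get-OabVirtualDirectory | ForEach-Object {
    $targets += ,@("OAB: $($_.Identity)", $_.InternalUrl)
}

# Compare the host part of every URL with the certificate's names.
foreach ($t in $targets) {
    $label = $t[0]
    $url   = $t[1]
    if (-not $url) {
        "{0,-9} {1} (no internal URL set)" -f 'UNSET', $label
        continue
    }
    $hostName = ([System.Uri]"$url").Host
    # -contains compares strings case-insensitively.
    if ($certNames -contains $hostName) { $state = 'OK' } else { $state = 'MISMATCH' }
    "{0,-9} {1} -> {2}" -f $state, $label, $url
}
```

Any line marked MISMATCH is a URL whose host name will trigger the "name does not match" prompt; the label on that line carries the Identity to pass to the corresponding Set-* cmdlet.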
