

Outlook 2007 prompts for certificate on Exchange 2007 2 times

Posted on 2009-04-16
Medium Priority
Last Modified: 2012-05-06
I have deployed an SBS 2008 server. Originally, I purchased 1 single SSL certificate so that users could access OWA remotely. That worked fine. What doesn't work fine is internal Outlook 2007 clients get prompted 2 times for certificates when they connect. So, researching, I determined that we needed a UCC certificate due to the changes in 2007 and use of web services... OK. So I get the certificate requested, procured and imported, and still we get prompted 2 times for a certificate issue. The error in both prompts indicates the name is not valid or does not match the name on the certificate. So a little more research is telling me that I may need to enable and configure an SCP in AD for the Autodiscover service? When I created the UCC certificate I left autodiscover.domain.com out because I did not understand it. Is this my problem? How do I solve this issue with the certificate prompts? My code for the cert request is below. I'm thinking it may be wrong AND I need to configure this autodiscover business, but the light bulb just isn't lit to understand why and how, and whether this is my problem. So I put this to my colleagues, and thanks for feedback in advance.

In my case I have a .local domain and a .org external FQDN.
MX record points to exchange.domain.org
SBS Remote Workplace is remote.domain.org
Both are the same IP... single static available.

My client will only use OWA and internal outlook 2007.
New-ExchangeCertificate -generaterequest -subjectname "c=us,l=Mytown, s=Mystate, o=My Organization Name, cn=remote.domain.org" -domainname server,server.domain.local,remote.domain.org,exchange.domain.org -PrivateKeyExportable $true -path c:\certrequest.txt


Question by:smartsystemsinc

Accepted Solution

Raghuv earned 1000 total points
ID: 24165976
Hi, since you changed the certificate on the Exchange Server, you need to update the internal/external URLs (SCP) for Autodiscover, OAB, EWS etc.

Check out the KB article http://support.microsoft.com/kb/940726 to fix the Certificate prompt issue.

PS: You need to modify the URLs to the name you have registered on the certificate (remote.domain.org).

I am also modifying the certificate request command, so that it can be used to request a SAN (UCC) certificate.

New-ExchangeCertificate -generaterequest -path c:\certrequest.txt -subjectname "c=us,l=Mytown, s=Mystate, o=My Organization Name, cn=remote.domain.org" -domainname remote.domain.org,Autodiscover.domain.org,server,server.domain.local -PrivateKeyExportable $true

And yes, a SAN (UCC) certificate is definitely required for Autodiscover to work smoothly, however you have other options as well. Check out the Autodiscover Whitepaper (http://technet.microsoft.com/en-us/library/bb332063.aspx)

Let us know if you are still having issues...

Author Comment

ID: 24172295
OK, I'm starting to understand. I don't know why I didn't come across the MS article in my research. In any case, what about my existing certificate? Do I need to remove it, then modify per the syntax you provided with Autodiscover, and then re-import? Thanks very much.

Author Comment

ID: 24172404
Per the MS article I modified as indicated, but I received syntax errors on the second and third items.

When I put in

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

As my syntax: Set-WebServicesVirtualDirectory -Identity "server.domain.local\EWS (Default Web Site)" -InternalUrl https://remote.domain.org/ews/exchange.asmx

Set-OabVirtualDirectory : The operation could not be performed because object '
server.domain.local\oab' could not be found on domain controller 'SERVER.domain.l
At line:1 char:24
+ Set-OABVirtualDirectory  <<<< -Identity server.domain.local\oab -InternalUrl h

Is this because the site doesn't exist, or is my syntax incorrect? I wasn't sure about taking or leaving the quotes.



Author Comment

ID: 24185464
Could I please get an update on this post? I appreciate your time.

Author Comment

ID: 24221299
I still have a problem with certificates. I ran the second script in the shell and I received the attached code.
Any help would be appreciated.
Set-WebServicesVirtualDirectory : The operation could not be performed because
object 'server.domain.local\EWS (Default Web Site)' could not be found on domain
 controller 'SERVER.ngcsd.local'.



Author Closing Comment

ID: 31571345
I know that the expert has the right solution, but after repeated attempts to get help on the second script I didn't hear anything back. Just trying to keep it real. I will post it as a separate question.

Expert Comment

ID: 24222480
Oops... I was on vacation, so couldn't respond. Anyway, the command you are using for Set-WebServicesVirtualDirectory is incorrect. You need to use the NetBIOS name of the Exchange Server instead of the FQDN, so the correct command is:

Set-WebServicesVirtualDirectory -Identity "server\EWS (Default Web Site)" -InternalUrl https://remote.domain.org/ews/exchange.asmx

PS: To confirm the same, run "Get-WebServicesVirtualDirectory | fl" and look out for the parameter "-Identity"

Expert Comment

ID: 35862766
I just want to point out that the "Get-WebServicesVirtualDirectory | fl" cmdlet was very useful. Everything I had looked at previously referenced -Identity "server\EWS (Default Web Site)", but I got an error when I did that saying the object could not be found. Running the above cmdlet, I found the current identity was actually "server\EWS (SBS Web Applications)". Once I found that out, the rest of the process went smoothly. Thanks!
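
The check the last two comments describe, as an added example that is not part of the original thread: it lists the real virtual-directory identities and compares each internal URL's host name with the names on the certificate enabled for IIS. It assumes the Exchange Management Shell on the Exchange 2007 server and uses only read-only Get- cmdlets; the variable names are illustrative.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
# Uses only Get- cmdlets; nothing is changed on the server.

# 1. Names on the certificate(s) currently enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() })

# 2. Internal URLs handed to Outlook 2007, with the exact Identity strings
#    (e.g. "server\EWS (SBS Web Applications)") that the Set- cmdlets expect.
$rows  = @()
$rows += @(Get-ClientAccessServer | Select-Object Identity,
    @{Name='Url'; Expression={ $_.AutoDiscoverServiceInternalUri }})
$rows += @(Get-WebServicesVirtualDirectory | Select-Object Identity,
    @{Name='Url'; Expression={ $_.InternalUrl }})
$rows += @(Get-OabVirtualDirectory | Select-Object Identity,
    @{Name='Url'; Expression={ $_.InternalUrl }})

# 3. Flag every URL whose host name is not on the certificate.
#    Exact-match comparison only: a wildcard name (*.domain.org) on the
#    certificate is reported as a mismatch and needs a manual check.
$rows | Where-Object { $_.Url } | ForEach-Object {
    $urlHost = ([System.Uri]"$($_.Url)").Host.ToLower()
    $onCert  = $certNames -contains $urlHost
    $_ | Select-Object Identity, Url,
        @{Name='Host'; Expression={ $urlHost }},
        @{Name='OnCertificate'; Expression={ $onCert }}
} | Format-Table -AutoSize -Wrap
```

Any row showing OnCertificate as False is a URL that will produce the name-mismatch prompt; the Identity column gives the string to pass to the matching Set- cmdlet.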
