
Exchange 2007

After installing Exchange and IIS 7 I created a certificate for OWA SSL. Now Outlook 2007 reports a certificate error: mail.xxxxxxxxx.local does not match the name on the certificate. I have tried to enable all Exchange services, i.e. POP3, SMTP, IMAP4, using the Exchange Management Shell and get the following error:

>Enable-ExchangeCertificate -Thumbprint 314C0B3DEE7A9AD9EECF99DAD116DBCC1927091E -Services "IMAP, POP, IIS, SMTP"

An unexpected error occurred while the forms-based authentication settings for path /LM/W3SVC/1 were being modified.   The error returned was 5506.  

I have tried several articles using the management console but always come up with the same error.  

1 Solution
The only way to ensure that you don't get certificate errors is to use a commercial SSL certificate with the additional names. A self signed certificate is not supported for use with Outlook Anywhere or Exchange ActiveSync.

I have instructions on how to deploy a commercial certificate here:

KAMOPower (Author) Commented:
First, thank you for your time.

I understand the difference between a self-signed and a commercial certificate. The reason I question the solution is the number of articles that say I can use a self-signed cert.

The other reason is that I am not trying to use Outlook Anywhere but rather use the same cert for both OWA and Outlook.

Alan Hardisty (Co-Owner) Commented:
Please have a read of the following which explains the limitations of Self-Signed certificates:
In case of link failure:
  • Expiration Date: The self-signed certificate expires 12 months after Exchange 2007 is installed. When the certificate expires, a new self-signed certificate must be manually generated by using the New-ExchangeCertificate cmdlet.
  • Outlook Anywhere: The self-signed certificate cannot be used with Outlook Anywhere. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
  • Exchange ActiveSync: The self-signed certificate cannot be used to encrypt communications between Microsoft Exchange ActiveSync devices and the Exchange server. We recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party for use with Exchange ActiveSync.
  • Outlook Web Access: Microsoft Outlook Web Access users will receive a prompt informing them that the certificate being used to help secure Outlook Web Access is not trusted. This error occurs because the certificate is not signed by an authority that the client trusts. Users will be able to ignore the prompt and use the self-signed certificate for Outlook Web Access. However, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party.
Outlook 2007 uses Autodiscover to find and download the Offline Address Book and if your certificate does not include autodiscover.yourdomain.com in the certificate (as a Subject Alternative Name), then this too will report an error.
As Mestha has already advised you, you will be far better off installing a 3rd Party SSL SAN/UCC certificate as this will eliminate the errors and won't cost the earth.  The Self-Signed SSL certificate is only intended to be used until you obtain a 3rd party SSL certificate.
Self-Signed certs are not designed to be used in production environments.
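
The name mismatch discussed in this thread can be checked before deploying a certificate. The following is an added example, not part of the original thread: it lists which host names that clients connect to are missing from a certificate's names. The function names and all host names are constructed for illustration, and the string conversion of `CertificateDomains` entries in the commented lines is an assumption.

```powershell
# Added example (not from the thread). All host names are constructed placeholders.

function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        # -eq on strings is case-insensitive, which matches DNS name comparison.
        if ($name -eq $HostName) { return $true }
        # A wildcard entry (*.example.com) covers exactly one left-most label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)          # ".example.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]]$ClientNames, [string[]]$CertNames)
    # Return every client-facing name that no certificate name covers.
    $ClientNames | Where-Object { -not (Test-NameCoveredByCert $_ $CertNames) }
}

# Names clients actually use: the OWA/Outlook host and the Autodiscover host.
$clientNames = @('mail.example.local', 'autodiscover.example.com')

# Constructed case 1: certificate that only carries the server's own names.
$serverOnly = @('EXCH01', 'EXCH01.example.local')
Get-UncoveredName $clientNames $serverOnly   # lists both client names as uncovered

# Constructed case 2: SAN/UCC certificate that lists every client-facing name.
$sanCert = @('mail.example.local', 'autodiscover.example.com', 'EXCH01.example.local')
Get-UncoveredName $clientNames $sanCert      # returns nothing: all names covered

# Against a live server, in the Exchange Management Shell (placeholder thumbprint):
# $cert = Get-ExchangeCertificate -Thumbprint '<thumbprint>'
# Get-UncoveredName $clientNames ($cert.CertificateDomains | ForEach-Object { $_.ToString() })
# $cert.IsSelfSigned; $cert.NotAfter         # self-signed status and expiry date
```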