Client Access Array Problem / Outlook Certificate Error

cbitsupport used Ask the Experts™
I have a 3 site Exchange environment setup with a large DAG between them.  In Site 2 there are 2 CAS servers, one for normal traffic, one for OWA.  I have the normal one setup in a CAS Array, but because they are both in the same site so OWA server shows up in the CAS Array.  I know everything I have read online says that Outlook only connects to the NLB server, which is the normal CAS server.  But I am getting certificate errors from Outlook because it says the OWA server's cert doesn't match the server name.  The OWA cert is for the external facing name.  How can I either take this server out of the array so that Outlook will not connect to it internally, or re-configure the cert to have both names??  This is an Entrust cert, not a self-signed.
Thank you.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
here is ur answer :)

 u cant change CAS array so that one cas server gets removed from the CAS array

So u can either
u can try by changing the IP address so that NLB cant contact the one that is for OWA. so it is always forced to contact the one that is for outlook

 change the URLS by following Microsoft KB 940726.


My URLs are listed as follows for the OWA server:

Get-ClientAccessServer -Identity OWA01 -AutodiscoverServiceInternalUri

Get-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

Get-OABVirtualDirectory -Identity "OWA01\oab (Default Web Site)" -InternalUrI http://owa01.domain.local/OAB

The cert is issued to  This is how they are currently set, how should they be set??  Thank you.


I should have mentioned in the last post that the error from Outlook says invalid cert on OWA01.domain.local
Become a Microsoft Certified Solutions Expert

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

Got it
Check this  the 2 senarios mentioned is inline with what u face..

if u have any query regarding the command refer this


I have read through that article a few times but I am not seeing exactly what I need to change, that is more about set-outlookprovider and Outlook Anywhere, which I am not using.
you will have to set the outlook provider value to match the certificate name, to avoid the cert error..

u can also check if that certificate that is enabled for IIS , has all the urls in it that is used by autodiscover, ews, oab, and mapi connectivity


This issue was not resolved sucessfully.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial