• Status: Solved

Exchange 2010 You do not have permission to log on

I've just built a new lab comprising:
NY-DC1-2K8 - 2008R2 Domain Controller
NY-EX2K10MB1 - Exchange 2010 MailBox Server
NY-EX2K10PRIME - Exchange 2010 Hub Transport and CAL Role
NY-PC1-W7S - Windows 7 PC Running Outlook 2010.

Whole installation went fine, no issues whatsoever. In theory I should be able to send email from a user to a user as a test that basic internal email flow is working correctly.

However, when ANY user or administrator logs on to Outlook 2010, they get the error:

"Cannot Open your default e-mail folders. You do not have permission to log on"

The users can access OWA, but when they try to send INTERNAL mail it goes straight into the Drafts folder.

Exchange is up and running fine, all the prerequisites have been done, etc. Can anyone advise why this basic setup is failing?

In OWA, when you log on or send a message, you get the standard "There is a problem with this website's security certificate." message.

In Outlook 2010, when it starts for the first time, Autodiscover finds the correct settings. When you click Next you get a Security Alert, as shown attached. When you get "Do you want to proceed" and click Yes, you get "your email account is successfully configured", as shown attached. When I click Finish I get the error (attached). I'm guessing many people will have seen this issue.

Is it caused by the certificate? How do I get around the issue, please?

Thank you.

3 Solutions
Ilya Rubinshteyn commented:
1) Make sure your certificate services are set up appropriately if you are using a private certificate. Then you need to add your certificate server as a trusted root certification authority on whatever machine you are using. http://technet.microsoft.com/en-us/magazine/hh506331.aspx
2) Make sure the user has Full Access permissions as well as Send As permissions to their own mailbox.
Sushil Sonawane commented:
Create a new certificate for the FQDN autodiscover.domain.net, because for Autodiscover purposes the host name "autodiscover" is required in the certificate. By default, Microsoft Outlook finds the Exchange server over the internet through autodiscover.domainname.net.

Please make sure the DNS record "autodiscover.domain.net" is available in public DNS.

Refer to the link below for the White Paper: Exchange 2007 Autodiscover Service. It's the same for Exchange 2010.


To create a self-signed certificate, please refer to the links below.




Shell command to create a self-signed certificate:

New-ExchangeCertificate -SubjectName "c=US, o=abc Bank, cn=mail1.abc.com" -DomainName abc.com, example.com


If you have installed a certificate for the internal URL and want to use the Autodiscover function only internally, then instead of creating an Autodiscover certificate you can change the Autodiscover URL name using the following commands.

Set-ClientAccessServer -Identity "fcnts60bdc11" -AutodiscoverServiceInternalURI https://ny-ex2k10prime.willowthewisp.me/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "fcnts60bdc11\EWS (Default Web Site)" -InternalUrl https://ny-ex2k10prime.willowthewisp.me/EWS/Exchange.asmx

Set-OABVirtualDirectory -Identity "fcnts60bdc11\OAB (Default Web Site)" -InternalURL https://ny-ex2k10prime.willowthewisp.me/oab
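
One way to check the name match that the answer above is concerned with, as an added example that is not part of the original thread: it compares the host in each client-facing URL with the names on a certificate, including one-label wildcards. The function names are hypothetical and the URL and certificate values are constructed samples.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq is case-insensitive for strings
        if ($name.StartsWith('*.')) {
            # A wildcard name covers exactly one additional left-hand label.
            $suffix = $name.Substring(1)            # "*.example.com" -> ".example.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($key in $Urls.Keys) {
        if (-not $Urls[$key]) { continue }          # skip settings that have no URL
        $hostName = ([Uri]$Urls[$key]).Host
        New-Object PSObject -Property @{
            Setting = $key
            Host    = $hostName
            Covered = Test-NameCoveredByCert -HostName $hostName -CertNames $CertNames
        }
    }
}

# Constructed sample input. In the Exchange Management Shell the real values
# would come from Get-ExchangeCertificate (CertificateDomains of the certificate
# enabled for IIS), Get-ClientAccessServer (AutoDiscoverServiceInternalUri),
# Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory (InternalUrl).
$certNames = @('mail1.abc.com', '*.example.com')
$urls = @{
    Autodiscover = 'https://ny-ex2k10prime.willowthewisp.me/autodiscover/autodiscover.xml'
    EWS          = 'https://mail1.abc.com/EWS/Exchange.asmx'
    OAB          = 'https://oab.example.com/oab'
}

Get-UrlCertCoverage -Urls $urls -CertNames $certNames |
    Format-Table Setting, Host, Covered -AutoSize
```

A row with Covered set to False marks a URL whose host name Outlook will flag with a certificate name mismatch alert.
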
Simon Butler (Sembee), Consultant, commented:
I don't think this is an SSL certificate issue.
If it was SSL then you wouldn't be able to login to OWA.

First thing I would check is whether all of the services are running on both Exchange servers. Clients connect to the CAS role, not the mailbox role, so a problem with the CAS role machine can cause problems.

