Exchange 2013 SSL Errors

I have installed a new certificate for which is the URL for OWA. I am trying to avoid using internal names on the SSL certificate and have created the appropriate DNS settings. It seems as though everything is set up correctly. There are conflicting services with the certificates. I do not want to have any services associated with the self-signed certs. They keep getting a certificate error internally that keeps prompting with an internal server name. The virtual directories etc. are all set up with the which should allow them to connect. Is there a way to take the services off the SSL certificates? I have also checked the SSL bindings and they seem to be good, but they still get issues.

Simon Butler (Sembee), Consultant, commented:
You can't avoid the use of self-signed SSL certificates, because of the way Exchange 2013 moves the internal data.
Therefore if you have changed the bindings in IIS Manager then you may have broken some functionality. As long as you have set the bindings correctly in ECP and have adjusted the URLs within Exchange to match, then you should be fine.
Don't try to eliminate the self-signed certificates, because you can't.

JMRSoftware (Author) commented:
Thanks for your response,

Alright, I have installed the certificate and everything is working correctly externally. I can even browse internally to the correct URL and it is using SSL. For some reason, even though I made sure all of the virtual directory settings were set up correctly to use the same as external, it still does not work. I have set up split DNS as well and it works correctly, but it still gives me a certificate error on the Outlook client as if it is trying to connect via the internal name.
You'll want to run the following PowerShell commands - after replacing "CAS-Server-Name" and of course your "" URL with the public URL.
# Outlook Anywhere: the host name Outlook clients proxy RPC-over-HTTP through
Enable-OutlookAnywhere -Server "CAS-Server-Name" -ExternalHostname '' -DefaultAuthenticationMethod 'Basic' -SSLOffloading $false
# Autodiscover virtual directory URLs
Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -ExternalURL '' -InternalURL '' -BasicAuthentication $true
# Offline Address Book virtual directory, external then internal URL
Set-OABVirtualDirectory -Identity "CAS-Server-Name\OAB (Default Web Site)" -ExternalUrl "" -BasicAuthentication $true -RequireSSL $true
Set-OABVirtualDirectory -Identity "CAS-Server-Name\OAB (Default Web Site)" -InternalUrl "" -BasicAuthentication $true -RequireSSL $true
# Exchange Web Services virtual directory, external then internal URL
Set-WebServicesVirtualDirectory -Identity "CAS-Server-Name\EWS (Default Web Site)" -BasicAuthentication $true -ExternalUrl
Set-WebServicesVirtualDirectory -Identity "CAS-Server-Name\EWS (Default Web Site)" -BasicAuthentication $true -InternalUrl
# The Autodiscover URI published in Active Directory (SCP) that domain-joined Outlook clients use internally
Set-ClientAccessServer -Identity "CAS-Server-Name" -AutodiscoverServiceInternalUri


Now, if you still have internal autodiscover issues after that, then I'd need to know the actual error message.

Simon Butler (Sembee), Consultant, commented:
This line is wrong:

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (default Web site)' -ExternalURL '' -InternalURL '' -BasicAuthentication $true

The Autodiscover virtual directory should not have a URL value set on it. It isn't used by Exchange and can actually cause problems. The default values (null) should be left.

Simon: Why is that? Can you provide examples of what problems it causes? You have quite a presence here on EE, and I respect your opinion and input.

I've built these scripts on the many dozens of implementations I've done, and have also used them repeatedly to resolve autodiscover issues on dozens more.
Simon Butler (Sembee), Consultant, commented:
Setting that value would have done nothing to resolve Autodiscover issues.
The one that resolves the Autodiscover problems is the Set-ClientAccessServer -AutodiscoverServiceInternalURI line, because that is what the clients use internally. Externally the clients use hard-coded addresses, which you cannot change.

The reason that changing the Autodiscover virtual directory causes problems is usually because people change other things. The Autodiscover virtual directory should be left in its default state - if it has been changed then it should be reset. Trying to "correct" its configuration causes more problems which are usually resolved elsewhere, and even after resolving them elsewhere they continue to be a problem because of the modifications made to Autodiscover VD (cycle of problems).

JMRSoftware (Author) commented:

Thanks for all the responses. It seems after checking through PowerShell that what was set up for the virtual directories did not match what was being used by Exchange. I set everything up as needed and now have an authentication issue. It seems as though it wants to set the clients to anonymous and is prompting for passwords from the users who are connecting internally. I have set up a name and included on the SSL cert the (Internal Reference) and the will be the external reference. I saw an article saying to turn the authentication to NTLM because there was a previously known issue with this.
Do you have a certificate that has all the names you are trying to use in there?
If not, take my advice and use the external URL for both internal and external auth.
Run the commands I provided for you. If you still have issues after running them, let me know what the actual error message is, then we can help.

If you don't share what the actual error message is, we cannot help you.
JMRSoftware (Author) commented:
Thanks for the responses.

I have a cert with all the names I am currently using on it, yes. They get no cert issues now. The issue was I set up for internal ref and for external access. I walked through all of the PowerShell commands to check the settings. Everything was correct. When the Outlook client would connect it would get a prompt for a username/password (using The proxy settings had Negotiate for authentication. I then manually switched to and kept the rest of the settings and it never asked for a password.

I took the recommendation above to just use the external name with split DNS as it had the best results in testing, so I went through and changed all internal references to I have restarted IIS and rebooted the server. I have checked all the settings via PowerShell. For some reason the Outlook clients are still getting the old and it is still asking for a password. If I go and change it to remote again and restart Outlook, it connects. Is there a reason the Autodiscover settings are not populating the correct settings? I am going to go through again and check.
JMRSoftware (Author) commented:
It seems as though it is always coming under "More Settings" > "Security" as Anonymous Authentication with encryption unchecked. If I go down and put it to Negotiate, it works after restarting Outlook. Still with After a bit it disconnected; restart Outlook and it goes back to Anonymous.

OWA authentication through the servername/ecp is set to Negotiate with the box checked for SSL offloading.
Simon Butler (Sembee), Consultant, commented:
Do an Autodiscover test.

See what URLs are being returned by Autodiscover - you may have missed one.
The common one is this:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

JMRSoftware (Author) commented:

That was the last thing that needed to be done. It was set to

Restarted IIS

Everything is working correctly. I am assuming that I could have also kept in the way I had before if that was changed to instead of

Thanks for your help.
Simon Butler (Sembee), Consultant, commented:
You can put any host name that you like on there, as long as

a. It resolves internally to the Exchange server
b. It is on the SSL certificate
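An added check, not from this thread or any of its posters, that automates what the last two answers ask for: it lists every host name Exchange hands out to clients (including AutoDiscoverServiceInternalUri, the one that was wrong here) and reports whether each resolves internally and is covered by the certificate bound to IIS. It assumes the Exchange Management Shell on the Exchange 2013 server; 'CAS-Server-Name' is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2013 server; 'CAS-Server-Name' is a placeholder for your CAS name.
$Server = 'CAS-Server-Name'

# Every host name Exchange hands to clients: the SCP URI Outlook uses internally,
# the Outlook Anywhere host names, and the internal/external URLs of the virtual directories.
$raw = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    Get-OutlookAnywhere -Server $Server | ForEach-Object { $_.InternalHostname; $_.ExternalHostname }
    Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OABVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-OwaVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-EcpVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    Get-ActiveSyncVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
)
# Reduce URI and Hostname objects to bare host names and drop empty (null) values.
$hosts = $raw | Where-Object { $_ } | ForEach-Object {
    if ($_ -is [System.Uri]) { $_.Host } else { [string]$_ }
} | Sort-Object -Unique

# Names on the certificate assigned to the IIS service (the one clients see on TCP 443).
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$domains = @($cert.CertificateDomains | ForEach-Object { [string]$_ })

# A name is covered by an exact SAN entry, or by a wildcard SAN that spans exactly one label.
function Test-NameOnCert([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -like $d -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# One row per host name: does it resolve internally, and is it on the certificate?
foreach ($h in $hosts) {
    try   { $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString } }
    catch { $ips = @() }   # no internal DNS record (the split-DNS entry is missing)
    [PSCustomObject]@{
        HostName      = $h
        ResolvesTo    = ($ips -join ', ')
        OnCertificate = Test-NameOnCert $h $domains
        Thumbprint    = $cert.Thumbprint
    }
}
```

Any row with an empty ResolvesTo or OnCertificate set to False is a host name that will produce exactly the prompt described in this thread; fix it with the matching Set-* cmdlet and restart IIS.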
