If Autodiscovery is set in IIS and a single cert was present but an SSL CA cert has been added to exchange, does it need to be added in IIS as well?

Posted on 2014-07-27
Last Modified: 2014-08-07
Since installing a 3rd party cert to exchange and Intermediary cert to root, Outlook is asking for a password when trying to connect a new client to Exchange 2013. The password is set in AD and works on OWA but will not connect in Outlook. Does the cert or some other permissions need to be changed in IIS?
Question by:JRome225
LVL 16

Assisted Solution

PaciB earned 250 total points
Comment Utility

Nothing as to be changed in IIS if it was working before wiht another certificate.

For a certificate to be accepted by clients, you must meet the following requirements :

1) The certificate of the issuer of the server certificate (in you case the certificate of the intermediary certification authority) must be trusted be the clients. To do that, you must ensure that client computers have the root authority and intermediray authority certificates in their "trusted root authorities" containers in the certificates console.
2) The name of the certificate must match exactly the hostname in the URL used by Outlook to access Exchange.
3) The server certificate must be valid.

Else, outlook fails to connect and asks for a password, but as the password is not the problem you'll still have the prompt after retyping the password.

As a simple test, from client computer open a web browser and go to the OWA url using the name in the certificate. To be more clear, if the certificate is issued for the host name then go to the URL

If you have a certificate security alert then something is missing on the client computer to trust certificate.

Hope this helps.

Have a nice day.
LVL 11

Accepted Solution

NetoMeter Screencasts earned 250 total points
Comment Utility
You don't have to configure anything in IIS. Normally, the new CSR (Certificate Signing Request) is generated in Exchange Admin center. When you download the new certificate, you make sure that the intermediate certs are in place and install the certificate again in Exchange Admin Center. Of course, if you love PowerShell, you can perform this in Exchange Management Shell.

In your case, you are dealing with a single domain certificate - for example "". And let's say that the internal Exchange 2013 FQDN is "exchange13.internaldomain.local". By default, the internal Exchange server URL use the internal Exchange server FQDN - "Exchange13.internaldomain.local" and that name is included in the self-signed certificate that's generated by Exchange 2013 setup. BTW, I hope you didn't delete this self-signed certificate as this might get you in a different problem.

You need to perform the following:
1. Configure Split-Brain DNS or PinPoint DNS zone (I recommend the second) for the name that is included in the certificate - "" on the internal DNS servers. If the PinPoint DNS zone is AD integrated, it will be propagated automatically to all internal DC/DNS servers.
2. Modify the Internal Virtual Directories URL - you might prefer to do this in EAC (Exchange Admin Center).
3. Modify the Autodiscover Internal URI in Exchange Management Shell - it cannot be modified in EAC, and has only Internal URI, that is modified with the Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "" (replace the domain name).

The internal Outlook clients are  using OutlookAnywhere as well, and they get the address from the SCP (Service Connection Point) which is stored in AD - that's how you change the SCP with Set-ClientAccessServer.

If you want to enable autodiscover for remote OutlookAnywhere clients, you need to delete the autodiscover CNAME record in the external/public DNS zone for "" and configure an autodiscover SRV record.
LVL 11

Expert Comment

Comment Utility
If you are having problems with all your users in your organization with this certificate you should check the name or names on it.

If you having this problem only with a new user on the organization, I will recommend you to start over the user profile and make sure the client is fully updated and the user information is entered in the format of DOMAIN\Username.

Featured Post

How does your email signature look on mobiles?

Do your employees use mobile devices to reply to emails? With mobile becoming increasingly important to the business world, it is in your best interest to make sure that your email signature looks great across all types of devices.

Join & Write a Comment

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now