internal outlook client certificate error

I have migrated my Exchange from SBS2003 to Server 2012 with Exchange 2010.
My external clients (OWA) and mobiles work great with no issues, BUT my Outlook clients on my local LAN get a certificate error when they open up or go to set out of office.
It still looks like it's trying to connect to SVR2012.mycompany.local but using the certificate
(Strange thing is, if I change the binding in IIS to use the SVR2012.mycompany.local certificate then Outlook flips the error the other way round and uses the external address to connect and the internal SSL.)

So far I have done the following:
I have a GoDaddy SSL certificate with installed on the server and in Exchange.
I have bound the in IIS
I have set all the CAS URLs to for both internal and external
I have created a DNS zone on the 2012 server of and created an A record for pointing to (server address)
Any suggestions would be great as I cannot see why it's still using the internal URL.

etechgrimsby (Author) Commented:
A bit more info
I have run the Test email config on the client machine

There are still a few local server urls

Protocol Exchange RPC

Availability ServiceURL: https://SVR2012.mycompany.local/EWS/Exchange.asmx
OOF URL:  https://SVR2012.mycompany.local/EWS/Exchange.asmx
OAB URL Public Folder
Unified Message ServiceURL:https://SVR2012.mycompany.local/EWS/UM2007Legacy.asmx

Where do these settings come from, please?
Please check this url for resolution

Get-ClientAccessServer | fl and check AutoDiscoverServiceInternalUri should be
Also check get-WebServicesVirtualDirectory | fl internalurl and externalurl should be

Set-ClientAccessServer -Identity "servername" -AutoDiscoverServiceInternalUri

Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl -ExternalUrl

configure OA url to
etechgrimsby (Author) Commented:
I have checked these and they are OK. Can I ask what OA is? (Sorry, I don't do acronyms.)

This morning the client has stopped saying there is a certificate error but out of office still says unavailable. When I do an auto discovery test from the Outlook client it all looks OK except the RPC server that still has the .local address. Is this correct?

The other thing I have noticed is if I go to I get a username and password box but it does not authenticate. The password box just keeps coming back. I presume this is incorrect.

OA stands for Outlook Anywhere.
etechgrimsby (Author) Commented:
After about 5 mins of wracking my brain I realised it was that, thanks, and yes it was set to the
Did the issue get resolved?
etechgrimsby (Author) Commented:
No. Out of office still does not work on any Outlook clients.
Should the RPC bit in the Outlook connection test still point to the .local address?
Secondly, if I put the EWS URL in a browser it asks for user and password constantly but never gets past that point. Is this normal?
Please configure all the Virtual directories internal external url as
Run this
Set-ClientAccessServer -Identity "servername" -AutoDiscoverServiceInternalUri

Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl -ExternalUrl
Create an internal DNS zone with and create host A record and point it to Exchange IP.
Configure OA with
etechgrimsby (Author) Commented:
Thanks, I had already done the above but I have checked it again and they all do point to already.

Doing the above did cure the certificate error but it still did not resolve the out of office error. I do think it may be a permissions thing with the EWS folder in IIS as I cannot access it via Internet Explorer, which I would expect to be able to do.
MAS (EE Solution Guide - Technical Dept Head) Commented:
Please check my article and let me know if this doesn't fix your issue.
etechgrimsby (Author) Commented:
Thanks MAS, I have rechecked using your link and it has all been done as per the link, except our certificate was a single domain certificate. Should it also have autodiscovery for Outlook clients to work?
Today our clients still come up with certificate mismatch, it still says security alert
has a certificate mismatch, (it's using the one.
Out of office still says server unavailable.

Could this be because at present the old SBS2003 server is still on the domain and part of the Exchange, even though everything has been migrated over?
I cannot see why internal Outlook clients still use SVR2012.mycompany.local to connect.
Do I have to remove the account and re-add it in Outlook now we have changed the internal URLs?
etechgrimsby (Author) Commented:
Hi, should I have two certificates installed on the server with roles attached?
One is my GoDaddy SSL, the other is the mydomain.local one, see below

MAS (EE Solution Guide - Technical Dept Head) Commented:
You need only 2 certificates with these services enabled
1. Your self-signed certificate     Services - SMTP
2. GoDaddy certificate              Services - IIS, SMTP (POP and IMAP u can add if u need)

It should look like this. Note: This is without POP and IMAP. If you want you can add POP and IMAP on the GoDaddy certificate.
certificate screenshot
etechgrimsby (Author) Commented:
Things have now got a bit worse for the Outlook clients.
It is now asking for a password constantly on a few of the Outlook users.
I have also noticed that the Outlook Anywhere users are only connecting if I change the security to Basic from NTLM.
MAS (EE Solution Guide - Technical Dept Head) Commented:
It is supposed to be Basic for Exchange 2010.

For credential issues, there are many causes. Generally, it can be caused by a public folder that cannot be accessed or by web services authentication.
etechgrimsby (Author) Commented:
Thanks MAS
I think it's because I have removed the 2003 server after transferring all the mailboxes.
For some reason I lost the OAB in the mailbox settings of Ex2010.
I am still getting SSL errors even after re-running the CSR command and getting a multi-domain SSL from GoDaddy. I attached it by following GoDaddy's guide and added both the intermediate certificate via MMC and the SSL in the pending SSL request in EMC.

In Outlook 2007 clients I get the certificate is invalid and not to be trusted for both and
Still can't get out of office working or get rid of certificate errors.
MAS (EE Solution Guide - Technical Dept Head) Commented:
If you follow my article your Outlook certificate warnings will be cleared.

If this doesn't fix it, please post a screenshot of the error.
etechgrimsby (Author) Commented:
Thanks all. I got this fixed eventually by doing this from the MS site:

For the detailed commands, you should follow the below instructions:

1. Open Exchange Management Shell with administrative privilege

2. Set the SCP along with the internal URL:

Set-ClientAccessServer -Identity CASServerName -AutoDiscoverServiceInternalUri

3. After performing the above action, please type the following command:

    Get-ClientAccessServer | fl *internal*

Please make sure that AutoDiscoverServiceInternalUri only maps to

4. Change the InternalUrl attribute of the EWS.

To do this, type the following command, and then press Enter:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl

5. Change the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press Enter:

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl

6. Change the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press Enter:

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl

7. Open IIS Manager

8.  Expand the local computer, and then expand Application Pools.

9. Right-click MSExchangeAutodiscoverAppPool, and then click  Recycle.

10. Please check whether there are still certificate errors.
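
Added example (not from the thread or the Microsoft instructions quoted in the post above): a read-only Exchange Management Shell check that lists the internal URLs set in steps 2, 4 and 5 and flags any whose host name is not on the certificate assigned to IIS. The function and variable names are made up for this example; it assumes a single certificate carries the IIS service and that `CertificateDomains` entries convert to plain DNS names.

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# Nothing is changed; the script only reads configuration.

function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case
        if ($name.StartsWith('*.')) {
            # A wildcard matches exactly one left-most label.
            $suffix = $name.Substring(1)               # "*.example.com" -> ".example.com"
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $suffix) { return $true }
        }
    }
    return $false
}

# Certificate with the IIS service assigned (assumption: only one is).
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Select-Object -First 1
if (-not $cert) { throw 'No Exchange certificate has the IIS service assigned.' }

# Assumption: each CertificateDomains entry converts to a DNS name string.
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Internal URLs that Autodiscover hands to Outlook clients on the LAN.
$urls = @()
$urls += @(Get-ClientAccessServer | Select-Object `
    @{n='Source';e={"SCP $($_.Name)"}}, @{n='Url';e={"$($_.AutoDiscoverServiceInternalUri)"}})
$urls += @(Get-WebServicesVirtualDirectory | Select-Object `
    @{n='Source';e={"EWS $($_.Server)"}}, @{n='Url';e={"$($_.InternalUrl)"}})
$urls += @(Get-OabVirtualDirectory | Select-Object `
    @{n='Source';e={"OAB $($_.Server)"}}, @{n='Url';e={"$($_.InternalUrl)"}})

# One row per URL; CoveredByCert is False where Outlook would see a name mismatch.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([Uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source        = $_.Source
        Url           = $_.Url
        CoveredByCert = (Test-NameCoveredByCert -HostName $hostName -CertNames $certNames)
    }
} | Format-Table Source, Url, CoveredByCert -AutoSize
```

Running it before and after the `Set-*` commands shows which URLs still carry a host name the certificate does not list.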

etechgrimsby (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for etechgrimsby's comment #a41026915

for the following reason:

I researched this more and found by Microsoft support the correct solution which I have now put up here for others to use
MAS (EE Solution Guide - Technical Dept Head) Commented:
There is a mistake regarding autodiscover internal URL.
Apart from this my article has almost everything u typed in the last post except recycle.