Exchange 2007 Webmail certificate Renewal

Hi,
Does anyone know more details about how to renew the webmail certificate in Exchange 2007? The webmail certificate is going to expire soon... EventID 12018

You can use the PowerShell cmdlet Import-ExchangeCertificate to renew the certificate.
To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
For more info, visit
https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

Similar Messages

  • How to export an exchange 2007 owa certificate from production to lab environment

    I'm setting up an Exchange 2007 lab, but I'm having trouble with the Exchange certificate.
    Note: My lab environment is not connected to the internet.
    I've followed the next link but it doesn't work:
    https://www.digicert.com/ssl-support/pfx-import-export-exchange-2007.htm
    Once I finished all the steps, if I run the PowerShell command Get-ExchangeCertificate, I see that my Exchange certificate has the status Unknown.
    I'm not sure if the problem is related to the server not being connected to the internet, so that Exchange is not able to check the status of the certificate.
    I've tried to turn off the Check for publisher’s certificate revocation option on the server
    To do this, follow these steps.
    Start Internet Explorer.
    On the Tools menu, click Internet Options.
    Click the Advanced tab, and then locate the Security section.
    Click to clear the Check for publisher’s certificate revocation check box, and then click OK.
    After the update rollup installation is complete, turn on the Check for publisher’s certificate revocation option.
    But it's still not working.
    Could anyone help me?
    Thanks in advance

    Hi Pardo,
    According to your description, I understand that the Exchange certificate cannot work and displays Unknown status after importing it.
    If I misunderstand your concern, please do not hesitate to let me know.
    Depending on the results of “Get-ExchangeCertificate | FL”, please pay attention to following points:
    1. RootCAType: Registry
    “An internal, private PKI root CA that has been manually installed in the certificate store.”
    2. Status: Unknown
    “This status generally indicates that the status of the certificate cannot be verified because the certificate revocation list (CRL) is unavailable or this server cannot connect to it.”
    The reason why it failed is that the internal Exchange server cannot connect to the CRL. As you mentioned, Exchange is not able to check the status of the certificate.
    For more information about Certificate Use in Exchange Server 2007, please refer to the Certificate Fields and Configuring Access to the Certificate Revocation List section in the link below:
    http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
    However, we can renew a certificate from a local CA:
    http://technet.microsoft.com/en-us/library/bb310781(v=exchg.80).aspx
    Best Regards,
    Allen Wang

  • Exchange 2007 Autodiscover certificate mismatch

    Hello, the company that I work for is trying to switch from Exchange 2007 SP1 to Office 365. However, when we try the cutover migration, 365 doesn't recognize our Exchange server. After a bit of research, I discovered that there is a certificate mismatch that is causing the problem.
    I've been searching for a way to solve this problem for a couple of days now and have not yet found a solution. We'd like to keep the autodiscover location, but change the certificate that is bound to it. We have a matching certificate installed, but for some reason, Autodiscover keeps pointing toward the wrong certificate (that doesn't even exist).
    Any help would be greatly appreciated

    We purchased new certs from GoDaddy and inserted them into exchange (overwriting the old certs and CAs), and this seemed to correct the certificate mismatch.  However, when I run the Remote Connectivity Analyzer, I get this:
    Connectivity Test Failed
    Test Details
    The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
    Testing Autodiscover failed.
    Additional Details
    Elapsed Time: 7624 ms.
    Test Steps
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.
    Additional Details
    Elapsed Time: 7624 ms.
    Test Steps
    Attempting to test potential Autodiscover URL https://paidwarranty.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 1237 ms.
    Test Steps
    Attempting to resolve the host name paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 12.192.135.43, 50.232.20.50
    Elapsed Time: 129 ms.
    Testing TCP port 443 on host paidwarranty.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 152 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 342 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server paidwarranty.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=www.paidwarranty.com, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
    Elapsed Time: 247 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name paidwarranty.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=www.paidwarranty.com, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
    Elapsed Time: 39 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 2/24/2014 3:11:57 PM, NotAfter = 2/24/2016 3:11:57 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 371 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 241 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://paidwarranty.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    A Web exception occurred because an HTTP 404 - NotFound response was received from IIS7.
    HTTP Response Headers:
    Content-Length: 5401
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Date: Mon, 02 Mar 2015 14:58:45 GMT
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Elapsed Time: 241 ms.
    Attempting to test potential Autodiscover URL https://autodiscover.paidwarranty.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 5175 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 157.56.234.137, 157.56.244.217, 157.56.236.89, 157.56.232.9
    Elapsed Time: 327 ms.
    Testing TCP port 443 on host autodiscover.paidwarranty.com to ensure it's listening and open.
    The specified port is either blocked, not listening, or not producing the expected response.
    Additional Details
    A network error occurred while communicating with the remote host.
    Elapsed Time: 4847 ms.
    Attempting to contact the Autodiscover service using the HTTP redirect method.
    The attempt to contact Autodiscover using the HTTP Redirect method failed.
    Additional Details
    Elapsed Time: 995 ms.
    Test Steps
    Attempting to resolve the host name autodiscover.paidwarranty.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 157.56.234.137, 157.56.244.217, 157.56.236.89, 157.56.232.9
    Elapsed Time: 16 ms.
    Testing TCP port 80 on host autodiscover.paidwarranty.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 111 ms.
    The Microsoft Connectivity Analyzer is checking the host autodiscover.paidwarranty.com for an HTTP redirect to the Autodiscover service.
    The redirect (HTTP 301/302) response was received successfully.
    Additional Details
    Redirect URL: https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    HTTP Response Headers:
    Connection: close
    Pragma: no-cache
    Cache-Control: no-cache
    Location: https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    Elapsed Time: 137 ms.
    Attempting to test potential Autodiscover URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
    Additional Details
    Elapsed Time: 729 ms.
    Test Steps
    Attempting to resolve the host name autodiscover-s.outlook.com in DNS.
    The host name resolved successfully.
    Additional Details
    IP addresses returned: 132.245.64.242, 132.245.3.130, 132.245.92.226, 132.245.82.50, 132.245.81.194, 132.245.81.130, 132.245.88.194
    Elapsed Time: 17 ms.
    Testing TCP port 443 on host autodiscover-s.outlook.com to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Elapsed Time: 53 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 221 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover-s.outlook.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Remote Certificate Subject: CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US, Issuer: CN=Microsoft IT SSL SHA1, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US.
    Elapsed Time: 127 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Host name autodiscover-s.outlook.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=outlook.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US.
    One or more certificate chains were constructed successfully.
    Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE.
    Elapsed Time: 38 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 1/21/2015 10:45:26 PM, NotAfter = 1/21/2016 10:45:26 PM
    Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
    Additional Details
    Accept/Require Client Certificates isn't configured.
    Elapsed Time: 158 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    Additional Details
    Elapsed Time: 277 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user [email protected].
    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
    Additional Details
    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name
    (UPN).
    HTTP Response Headers:
    request-id: d823479c-c259-4474-8b3f-df60b4898533
    X-CasErrorCode: UnauthenticatedRequest
    X-FEServer: BY2PR12CA0033
    Content-Length: 0
    Cache-Control: private
    Date: Mon, 02 Mar 2015 14:58:53 GMT
    Set-Cookie: ClientId=GILRU7BQ40ROHZE90FEIA; expires=Tue, 01-Mar-2016 14:58:54 GMT; path=/; secure; HttpOnly
    Server: Microsoft-IIS/8.0
    WWW-Authenticate: Basic Realm=""
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Elapsed Time: 276 ms.
    end
    I've enabled basic authentication on the RPC virtual directory on the Exchange CAS in IIS and then restarted IIS, as suggested in another forum (https://social.technet.microsoft.com/Forums/exchange/en-US/69d83444-0528-4e39-a5e9-eb9040501be1/remote-connectivity-analyzer-problem?forum=exchangesvr3rdpartyappslegacy)
    and am still getting the same results from the Remote Connectivity analyzer.
    On a side note, we have reviewed multiple Exchange Deployment Assistance, including the one that you referred to, and are attempting a cutover migration.

  • Exchange 2007 Wildcard Certificate Supported in iPhone?

    Does the iPhone support the use of a wildcard certificate?
    Our Exchange infrastructure utilises a wildcard (*.companyname certificate) from GoDaddy. All the Windows Mobile 6.0 devices work fine; however, I know that Windows Mobile 5.0 did not support wildcard certificates. Any help would be good.
    Thanks.

    I've manually installed the client based certificate on the iPhone (a wildcard from Network Solutions), no dice.
    Going to try using the server's cert this time...

  • Legacy Namespace for Exchange 2007 to 2013 co-existence

    We are migrating from Exchange 2007 to 2013. During the co-existence phase, where is the legacy.{domain.com} namespace used? We are at the point now that we want to move all services over to the Exchange 2013 CAS servers; however, GPO settings are used to point Outlook clients to mail.{domain.com} for Outlook Anywhere. If DNS is updated to point mail.{domain.com} to the Exchange 2013 servers, will there be an issue with connectivity for people still on the Exchange 2007 servers? Do these people need to point to legacy.{domain.com}, or will mail.{domain.com} proxy the connection to the legacy namespace? I would like to know if the GPO settings will interfere with the settings that Autodiscover provides back.
    I have read a bunch of articles on the approach, but I am still fuzzy on where legacy.{domain.com} comes into play.
    Thanks in advance for your help.

    In coexistence between Exchange 2013 and a legacy version, requests are handled in 2 ways.
    For Exchange 2010 –
    Exchange 2013 proxies OWA and EWS requests for users in Exchange 2010.
    For Exchange 2007 –
    Exchange 2013 redirects OWA and EWS requests for users in Exchange 2007.
    Certificates:
    All the required SAN entries for UM, web services and ActiveSync should be created.
    Add the external OWA legacy URL to the public certificate and install it on both Exchange 2007 and Exchange 2013; only then will OWA redirection work.
    You need to include the internal Legacy.Domain.com name on the Exchange 2007 certificate for OWA coexistence.
    The following changes need to be made on the firewall:
    External OWA URL should be directed to the Exchange 2013 Internet-facing CAS.
    External EWS URL should be directed to the Exchange 2013 Internet-facing CAS.
    External Autodiscover URL should be directed to the Exchange 2013 CAS.
    External ActivesyncVirtualDirectory should be directed to the Exchange 2013 CAS.
    External UMvirtualDirectory should be directed to the Exchange 2013 CAS.
    Create a new NAT rule on the firewall for Legacy.domain.com to the Exchange 2007 CAS. You can do this as well. By doing this, users will be able to log on directly using the URL https://legacy.domain.com/owa with a mailbox on Exchange 2007.
    External and internal DNS settings:
    Public DNS - Map all of your external public DNS records (EWS, OWA, ActiveSync etc.) to your Exchange 2013 public IP, if you have a dedicated one for 2013, or to the FQDN of your Internet-facing CAS server.
    Example:
    Current external OWA URL (contoso.domain.com) – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.
    Current external Autodiscover – point it to the dedicated Exchange 2013 public IP or the Internet-facing Exchange 2013 CAS FQDN.
    Internal DNS – Configure Exchange 2007 to point the SCP AutoDiscoverURI to the Exchange 2013 Client Access FQDN by changing the DNS entry for Autodiscover.domain.com to the Exchange 2013 CAS server IP address.
    The internal DNS records should point to the internal host name and IP address of your Exchange 2013 Client Access server.
    Make sure that legacy.contoso.com resolves to CAS2007 in internal and external DNS.
    Authentication settings:
    This part is a little bit tricky. You need to plan according to your organization. If you have FBA configured in TMG or ISA server, then you need to configure accordingly.
    Set the OWA virtual directory authentication to Basic only in Exchange 2007.
    In Exchange 2013, set the OWA virtual directory to only (Windows Authentication) or only (form-based authentication) or only (Basic, No redirection, SSL Enabled), depending on your setup.
    Things to check:
    If you have redirection configured in IIS on the Exchange 2007 server, make sure that the above virtual directories don't have it configured.
    If you have FBA enabled on ISA or TMG, then disable FBA on the Exchange 2013 CAS, else users will be prompted twice for authentication.
    For further reference, you can refer to my article below:
    http://exchangequery.com/2014/09/24/owaews-configuration-in-exchange-20132007-coexistence/
    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com Thanks, Sathish (MVP)

  • Exchange 2007 Renew Certificate via IIS Manager

    I am currently in the process of renewing the Exchange 2007 certs and have searched through forums in regards to this topic and can't seem to come across a proper answer. Is it possible to renew the Exchange 2007 cert using the IIS Manager, or is PowerShell the only way of doing so? Under the "IIS Manager > expanding server name > expand websites > default website properties > Directory Security > Server Certificate" you are presented with the option to renew the existing cert. This to me seems a lot easier than using the shell to request a whole new cert. I am not a fan of how PowerShell can be a bit destructive when requesting a new cert and overwriting the existing one, leaving you little ways of backing out if something goes wrong. Can someone confirm if using IIS Manager is a viable way of renewing the Exchange 2007 cert? I prefer to keep the exact settings of the existing certificates.
    Thank you,
    Emmanuel
    Emmanuel Fumero Exchange Administrator

    Hi
    Yes, it's possible in Exchange 2010 through EMC. Not sure if this works in Exchange 2007, since I haven't tried renewing through the GUI in Exchange 2007 and currently do not have any customers running E2K7 to check this option. Probably you can give it a try in Exchange 2007 and see if these options are visible. Please check the following:
    When you right-click your Exchange Server, you can select New Exchange Certificate, which will launch the New Exchange Certificate Wizard.
    After defining a friendly name, you are ready to provide all needed information.
    After clicking Finish, you will have a certificate request that you can use to get a certificate from your own CA, or from an external CA. The Exchange Management Console will show the request as well.
    1. Start the Exchange Management Shell. Click Start > Programs > Microsoft Exchange Server 2007, and then click Exchange Management Console.
    2. Click the link to "Manage Databases", and then go to "Server configuration".
    3. Select your certificate from the menu in the center of the screen (the certificate will be listed by the Friendly Name you chose when creating the CSR), and then click the link in the Actions menu to "Complete Pending Request".
    4. Browse to the certificate file you just copied to your server, then click Open > Complete.
    URGENT!! You may receive the following error: "The source data is corrupted or not properly Base64 encoded." You can ignore this error.
    5. Press F5 to refresh the certificate list. Verify that it says "False" under "Self Signed" (if it's 3rd party or from a CA).
    6. To enable your certificate, return to the Exchange Management Console and click the link to "Assign Services to Certificate."
    Hope this helps
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Regards
    Sathish

  • How to renew Exchange 2007 certificate

    Hello,
    I am having a problem with a certificate that is expired. When I open an Outlook 2007 client that is connected to Exchange 2007 SP1, I get a message that the certificate is expired. I can choose yes to continue, but I get the message every time the client restarts Outlook.
    Can someone provide me with the steps to renew the certificate?
    Best regards,
    Mark

    Refer to the article below to renew the self-signed cert in Exchange 2007...
    Exchange Server 2007: Renewing the self-signed certificate
    http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

  • Renew certificate on two Exchange 2007 CAS servers

    Hi, there:
    Our environment: Exchange 2007 SP3 with two HUB/CAS servers. Let's assume the server names for these two CAS servers are CAS1 and CAS2.
    Please note these two CAS servers are NOT running with NLB.
    Now the certificates (not self-signed) on these two servers are about to expire and I am planning to install new certificates on them.
    The old certificate was issued by an internal CA server.
    My plan is as below:
    On CAS1:
    I am going to use "New-ExchangeCertificate" with -privatekeyexportable to generate the certificate request file, then submit the request file to the CA. After I get the .pfx file, run "Import-ExchangeCertificate" to import the new certificate. After the old certificate is expired, run "enable service" to let Exchange use the new certificate.
    On CAS2:
    Repeat the above procedure.
    I did a search on TechNet and found this:
    http://social.technet.microsoft.com/Forums/exchange/en-US/20adfb3d-2fa6-4ff9-b785-cb47a772ed58/3rd-part-certificate-renewal-for-exchange-2007-cas?forum=exchangesvrgenerallegacy
    The procedure mentioned in this thread is different. It exports the newly created certificate from CAS1 and imports it into CAS2.
    However, the CAS servers mentioned in that thread run with NLB.
    The two CAS servers in our environment are NOT NLB.
    Any suggestions?

    Both plans will work. You can generate a cert for each individual CAS with the correct subject names on each cert relative to the CAS that you will enable it on, or create one cert with the correct subject names that cover both CAS and export and import the cert from one CAS to the other. Up to you.
    Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

  • Revoked Certificate on Outlook 2010/Exchange 2007/SBS 2008

    Hi All, 
    I have an issue that has been frustrating me for quite some time now. 
    Our setup is SBS 2008 with Exchange 2007. 2 weeks ago we had to renew our certificate for remote.xxxxxxx.com. This was done through the SBS console > Network > Fix my Network, following the wizard, and this worked fine.
    I have however got one user who has a problem, and he informs me that this has been an issue since before the cert was renewed.
    He is a remote laptop user who visits the office maybe 5 times a month. When launching Outlook 2010 on his machine (Win 7 x64) it comes up with the error: Security Alert, Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the Site's security certificate. (Red X) The security certificate for this site has been revoked. This site should not be trusted. Then OK and View Certificate buttons.
    I have tried to use View Certificate to install the certificate to the correct store but no luck. Also tried exporting the cert from the server and installing manually into Trusted Root CA, via the MMC Certificates Snap-In, and no luck.
    I'd like to mention that if I log into a different user, on the same domain, on the same laptop, the issue is gone. So it's local to his profile on the laptop.
    Plus, he cannot access the OWA on his laptop either, but again a different user on the same laptop can. I have verified that the OWA is still working from another machine in the business that is using the same certificate. I cannot understand why the subject machine thinks the certificate has been revoked when I don't believe it has.
    Can anybody please shed some light on this situation for me - any avenues to explore would be hugely appreciated. 
    Many thanks
    Nicky

    I hope this helps
    http://www.msexchange.org/articles-tutorials/exchange-server-2007/management-administration/managing-exchange-certificates-part2.html
    Cheers,
    Gulab Prasad
    Technology Consultant
    Blog: http://www.exchangeranger.com
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Certificate errors on Exchange 2007

    We have an Exchange 2007 server that is recording certificate errors in the event log (server & domain names changed for post):
    Microsoft Exchange could not find a certificate that contains the domain name contoso.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector DNS with a FQDN parameter of contoso.com.
    Microsoft Exchange could not find a certificate that contains the domain name server.contoso.com in the personal store on the local computer.
    I have checked the configuration of the send and receive connectors:
    Get-SendConnector | FL name, fqdn, objectClass
    Name : DNS
    Fqdn : contoso.com
    ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}
    Name : Host IT SMTP
    Fqdn : contoso.com
    ObjectClass : {top, msExchConnector, mailGateway, msExchRoutingSMTPConnector}
    Get-ReceiveConnector | FL name, fqdn, objectClass
    Name : Default servername
    Fqdn : servername.contoso.com
    ObjectClass : {top, msExchSmtpReceiveConnector}
    Name : Client servername
    Fqdn : servername.contoso.com
    ObjectClass : {top, msExchSmtpReceiveConnector}
    There is an installed certificate:
    {mail2.contoso.com, www.mail2.contoso.com, autodiscover.contoso.com, legacy.contoso.com} - IMAP, POP, IIS, SMTP valid until 09/01/2016
    There was an expired certificate:
    {servername, servername.contoso.com} - SMTP valid until 08/12/2010
    The fact that the mail is still working despite the expired certificate makes me wonder if I could just change the receive connectors to use mail2.contoso.com instead of servername.contoso.com.
    In the same vein, could I change the send connector to mail2.contoso.com from contoso.com?

    Hi,
    Don’t modify the FQDN value on the default Receive connector Default <Server Name> that's automatically created on Mailbox servers. If you have multiple Mailbox servers in your Exchange organization and you change the FQDN value on the Default <Server Name> Receive connector, internal mail flow between Mailbox servers fails. For more information about it, please refer to the Fqdn parameter in the following article:
    http://technet.microsoft.com/en-us/library/bb125140(v=exchg.80).aspx  
    I suggest we can renew the expired certificate with names: contoso.com, servername.contoso.com instead of changing the FQDN of receive connector and send connector:
    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx  
    Thanks,
    Winnie Liang
    TechNet Community Support
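
The two event-log errors in this thread come down to a connector FQDN that no valid, SMTP-enabled certificate lists. The following is an added example, not code from the thread: the function name `Get-ConnectorCertCoverage` is hypothetical, the sample objects and dates are constructed to resemble the post, and names are compared by exact match only.

```powershell
# Added example: report which connector FQDNs have no usable SMTP certificate.
# It works on plain objects, so it can be tried without an Exchange server.
function Get-ConnectorCertCoverage {
    param(
        [object[]]$Connectors,     # objects with Name and Fqdn
        [object[]]$Certificates,   # objects with CertificateDomains, Services, NotAfter
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($c in $Connectors) {
        $fqdn = "$($c.Fqdn)"
        # Certificates that list this FQDN (exact match; -contains ignores case).
        $named = @($Certificates | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $fqdn
        })
        $current = @($named   | Where-Object { $_.NotAfter -gt $AsOf })
        $usable  = @($current | Where-Object { "$($_.Services)" -match '\bSMTP\b' })

        if     ($usable.Count  -gt 0) { $status = 'OK' }
        elseif ($current.Count -gt 0) { $status = 'NotEnabledForSMTP' }
        elseif ($named.Count   -gt 0) { $status = 'Expired' }
        else                          { $status = 'NoCertificateWithThisName' }

        New-Object PSObject -Property @{
            Connector = $c.Name; Fqdn = $fqdn; Status = $status
        } | Select-Object Connector, Fqdn, Status
    }
}

# Constructed sample data modelled on the thread; the dates are illustrative.
$connectors = @(
    (New-Object PSObject -Property @{ Name = 'DNS';                Fqdn = 'contoso.com' }),
    (New-Object PSObject -Property @{ Name = 'Default servername'; Fqdn = 'servername.contoso.com' })
)
$certs = @(
    (New-Object PSObject -Property @{
        CertificateDomains = 'mail2.contoso.com', 'www.mail2.contoso.com',
                             'autodiscover.contoso.com', 'legacy.contoso.com'
        Services = 'IMAP, POP, IIS, SMTP'; NotAfter = [datetime]'2016-09-01' }),
    (New-Object PSObject -Property @{
        CertificateDomains = 'servername', 'servername.contoso.com'
        Services = 'SMTP'; NotAfter = [datetime]'2010-08-12' })
)

Get-ConnectorCertCoverage -Connectors $connectors -Certificates $certs `
    -AsOf ([datetime]'2015-06-01') | Format-Table -AutoSize

# On a live server the same function can be fed from the cmdlets used in the thread:
#   Get-ConnectorCertCoverage -Connectors (@(Get-SendConnector) + @(Get-ReceiveConnector)) `
#                             -Certificates (Get-ExchangeCertificate)
```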

  • Exchange 2010: How to renew an SSL certificate?

    Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers
    from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out. 
    This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so. 
    I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions just that so far no single forum post nor MS TechNet article
    has addressed all my concerns, or in some cases information conflicts.  So my concerns for example are:  can you do a renewal for a certificate before the old one expires?  It is actually a renewal, or are you adding a 2nd certificate? 
    Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    Thank you. 

    -->Can you do a renewal for a certificate before the old one expires? 
    Yes. Normally 3rd party CA allows you to renew certificate before the current one expires.
    -->It is actually a renewal, or are you adding a 2nd certificate? 
    You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
    -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    You will have to do it from MMC or EMS. No need to do anything from IIS.
    Follow the steps below to make your work easy or follow the video in this site. http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
    1. Run this command from EMS to generate CSR. You can see the CSR named "newcsr.txt" in C:\CSR folder
    Set-Content -path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellavue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
    2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
    3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
    4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
    5. Delete the old certificate from MMC.
    From EMS use this command
    Remove-ExchangeCertificate -Thumbprint <old cert thumbprint>
    You can see the certificate thumbprints using Get-ExchangeCertificate command
    MAS. Please don't forget to mark as answer if it helped.
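
Before step 5 it is worth confirming that the renewed certificate really replaces the old one: same names, same services, a private key, and not expired. The following is an added example, not part of the answer above: `Test-CertificateReplacement` is a hypothetical name, and the two certificate objects, their thumbprints and dates are constructed placeholders.

```powershell
# Added example: decide whether the old certificate can be removed after a renewal.
# Names are compared literally; wildcard entries are not expanded.
function Test-CertificateReplacement {
    param($Old, $New, [datetime]$AsOf = (Get-Date))

    # Turn a Services value such as "IMAP, POP, IIS, SMTP" into a list, dropping 'None'.
    function Split-Services($value) {
        @("$value" -split '\s*,\s*' | Where-Object { $_ -and $_ -ne 'None' })
    }

    $oldNames = @($Old.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $newNames = @($New.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $newSvc   = @(Split-Services $New.Services)

    $problems = @()
    if ($New.Thumbprint -eq $Old.Thumbprint) { $problems += 'old and new thumbprint are identical' }
    if ($New.NotAfter -le $AsOf)             { $problems += 'new certificate has expired' }
    if (-not $New.HasPrivateKey)             { $problems += 'new certificate has no private key on this server' }
    foreach ($n in $oldNames) {
        if ($newNames -notcontains $n) { $problems += "name missing from new certificate: $n" }
    }
    foreach ($s in @(Split-Services $Old.Services)) {
        if ($newSvc -notcontains $s) { $problems += "service not assigned to new certificate: $s" }
    }

    New-Object PSObject -Property @{
        SafeToRemoveOld = ($problems.Count -eq 0)
        Problems        = $problems
    }
}

# Constructed sample: the state right after step 3, before services are assigned,
# with a new request that lists fewer names than the old certificate did.
$old = New-Object PSObject -Property @{
    Thumbprint = 'OLD-THUMBPRINT-PLACEHOLDER'; HasPrivateKey = $true
    CertificateDomains = 'commonname.domain.com', 'autodiscover.domain.com', 'mail.domain.com'
    Services = 'IMAP, POP, IIS, SMTP'; NotAfter = [datetime]'2015-07-01'
}
$new = New-Object PSObject -Property @{
    Thumbprint = 'NEW-THUMBPRINT-PLACEHOLDER'; HasPrivateKey = $true
    CertificateDomains = 'commonname.domain.com', 'autodiscover.domain.com'
    Services = 'None'; NotAfter = [datetime]'2016-07-01'
}

$result = Test-CertificateReplacement -Old $old -New $new -AsOf ([datetime]'2015-06-01')
"Safe to remove old certificate: $($result.SafeToRemoveOld)"
$result.Problems

# On a live server, pass the real objects instead:
#   Test-CertificateReplacement (Get-ExchangeCertificate -Thumbprint <old cert thumbprint>) `
#                               (Get-ExchangeCertificate -Thumbprint <new cert thumbprint>)
```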

  • DPM 2012 - Protect Exchange 2007 in untrusted domain (either via Creds or Certificates)

    Hi,
    I am trying to protect an Exchange 2007 Server which is in an untrusted domain.
    I have tried using both credentials (isNonDomainServer) and via Certificates and have no joy.  Both methods work in terms of getting the agent installed and communicating with DPM.  The agent shows OK in the console and I can browse
    fine when creating a new PG.
    The problem I have is that "All Exchange Storage Groups" is not available as a selection to backup, obviously neither are any of the information stores.
    First question, is backup of Exchange supported in an untrusted domain?  This says it is:  http://technet.microsoft.com/en-us/library/hh757801.aspx  but I read conflicting advice elsewhere.
    Second question, this is the biggie - any ideas on how to get Exchange visible as a selection?
    So far I have:
    Confirmed that LCR is not configured (I am not sure if it *was* at some point though, because there is a disk on the server labeled LCR)
    Checked in the DPM agent directory locally and I can see that ExchangeCmdletsWrapperCurr.errlog is created and/or updated when I expand the server name on the DPM server and the server and information stores are listed in the file.  This tells me communication
    is fine, and that the DPM agent on the exchange server can "see" exchange
    Checked the Exchange VSS writer and it is listed and in a healthy state
    Thanks!

    Upgraded to System Centre 2012 R2 and no difference.  I am assuming that it's a compatibility\support issue, i.e. it's not supported.  The documentation says otherwise, but it's confusing to say the least.
    d

  • Problem: Mixed Exchange 2007 / 2013 CAS Servers with wildcard certificates in Europe and non-wildcard Certficate in China

    Hi,
    We have the following problem. We have a mixed multi-domain, one-forest AD environment. We also still have a mixed Exchange 2007 / 2013 environment. We also have different CAS servers for 2007 SP3 (RU15) and 2013 (CU8) in Europe and one 2007 SP3 (RU15) CAS server in China, because of the bad connection to Europe. For the migration to 2013 in Europe we installed a wildcard certificate *.xyz.com and used Set-OutlookProvider EXPR -CertPrincipalName msstd:*.xyz.com, so the wildcard certificate is accepted. Everything in Europe works fine, inside and outside, also between Exchange 2007 and 2013 (both the 2013 and 2007 CAS servers use the same wildcard certificate). But since the change of the Set-OutlookProvider EXPR we are facing problems with our CAS server in China, because this server has a different non-wildcard certificate and a different domain name (cas-server.xyz-china.com instead of xyz.com). Now we have the problem that on this Chinese CAS server Outlook Anywhere does not work anymore and always prompts for the username. As I see it, this is because of the EXPR change. Is it possible to set the Outlook provider EXPR per CAS server? (They also have their own Autodiscover on this front-end server.) Because I see that the Outlook provider can only be stored forest-wide.
    If not, the other solution would be to register the Chinese CAS server in our xyz.com domain and use the same wildcard certificate on this system, right?
    Any help would be appreciated.

    Yes setting the EXPR value is most likely the cause of your issue.  When you set this value you are telling Outlook to only accept connections from connections that have the cert with the subject name you specify here.
    Unfortunately, based on my experience I believe this is an organization wide setting and cannot be configured on a CAS by CAS basis (If I'm wrong someone please keep me honest :)).  
    So the only option you would have is to change all the URLs to be on *.xyz.com domain.  There's no need to change the domain the server actually resides on.  The other option would be to purchase a UCC Cert with all the names you need and apply
    to all your CAS servers and reset the EXPR value. 

  • "Name on the Security Certificate is Invalid or Does not Match..." using Outlook 2007 w/ Exchange 2007

    Good afternoon!
    We just completed our Exchange 2007 implementation (migration from Exchange 2003... a fun romp of 24 straight hours for the final push) and noticed an error that only occurs on Outlook 2007 clients connecting to the Exchange 2007 server: "Name on the Security Certificate is Invalid or Does Not Match the Name on the Certificate".
    Now, I've done my reading into this and have determined that due to how Outlook 2007 clients managed their OAB, it is essentially through a web virtual directory now, no longer through Public Folders and this is essentially the base of our issue. See, our mail server has an internal FQDN of mail.ourdomain-domain.com whereas it has an external FQDN (which is what the SSL Cert is tied to) of owa.ourdomain.com.
    So, essentially what I'm seeing is our internal Outlook 2007 clients (limited to I.S. employees only right now, thankfully) are seeing this SSL error because Outlook 2007 is trying to pick up the OAB using the internal FQDN instead of the external FQDN (which would work as well, due to some internal DNS trickery we have configured).
    My question is (finally), is there a way to circumvent this internally so we never see this SSL error prompt or a way to force Outlook 2007 to use the external FQDN? I have made sure all the settings in Exchange Management Console for OAB and the like have both the internal and external FQDN set to owa.ourdomain.com (the valid SSL name), but it does not appear to have made a difference. Granted, I have not rebooted... but I do not think that is necessary in this instance.
    Any suggestions would be appreciated. Thanks!!

    Hi All,
    1) I am using Windows SBS Server 2008 with Exchange 2007 installed on it. With all the Certificate configured internally. We haven’t purchased the Certificate from any outside authority yet.
    2) Also, user were getting Error message "The name on the security certificate is invalid or does not match the name of the site" in outlook, to resolve this issue I followed the steps mention on "http://support.microsoft.com/kb/940726" &  “http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/697f79e2-ca8f-4a2e-bae5-55d3fa7f703f/?prof=required” however I was able run only first command as I was unable to find "EWS (Default Web Site)", "oab (Default Web Site)", "unifiedmessaging (Default Web Site)".
    3) After researching, I ran the following commands to get the status and location of WebServicesVirtualDirectory, OABVirtualDirectory & UMVirtualDirectory
    [PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl
    Name                          : EWS (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/EWS/Exchange.asmx
    ExternalUrl              :
    [PS] C:\Windows\System32>Get-OABVirtualDirectory | fl
    Name                          : OAB (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/OAB
    ExternalUrl              :
    [PS] C:\Windows\System32>Get-UMVirtualDirectory | fl
    Name                          : UnifiedMessaging (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://sites/UnifiedMessaging/Service.asmx
    ExternalUrl               :
    4) Then, after getting the correct locations of all the directories, I ran the following commands to change the internal URL on existing Certs
    Set-ClientAccessServer -Identity PASVR01 -AutodiscoverServiceInternalUri https://pasvr01/owa/autodiscover/autodiscover.xml
    Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -InternalUrl https://pasvr01/owa/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -InternalUrl https://pasvr01/owa/oab
    Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -InternalUrl https://pasvr01/owa/unifiedmessaging/service.asmx
    5) However, this didn't resolve our issue, so I ran the following commands to change the external URL on existing Certs
    Set-WebServicesVirtualDirectory -Identity "PASVR01\EWS (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/ews/exchange.asmx
    Set-OABVirtualDirectory -Identity "PASVR01\OAB (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/oab
    Set-UMVirtualDirectory -Identity "PASVR01\UnifiedMessaging (SBS Web Applications)" -ExternalUrl https://exchange.domain.com/owa/unifiedmessaging/service.asmx
    6) I also tried running New-ExchangeCertificate -PrivateKeyExportable $True -Services "IMAP, POP, IIS, SMTP" -SubjectName "cn=PASVR01" as I have deleted one of the certificates on this server in the past.
    7) Following was the status of internal and external URL.
    [PS] C:\Windows\System32>Get-WebServicesVirtualDirectory | fl
    Name                          : EWS (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://pasvr01/owa/ews/exchange.asmx
    ExternalUrl              : https://exchange. exchange.domain.com /owa/ews/exchange.asmx
    [PS] C:\Windows\System32>Get-OABVirtualDirectory | fl
    Name                          : OAB (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl               : https://pasvr01/owa/oab
    ExternalUrl              : https://exchange. exchange.domain.com/owa/oab
    [PS] C:\Windows\System32>Get-UMVirtualDirectory | fl
    Name                          : UnifiedMessaging (SBS Web Applications)
    Server                        : PASVR01
    InternalUrl                   : https://pasvr01/owa/unifiedmessaging/service.asmx
    ExternalUrl                   : https://exchange. exchange.domain.com/owa/unifiedmessaging/service.asmx
    10) Still we are facing this issue of "The name on the security certificate is invalid or does not match the name of the site" in outlook.
    PLEASE HELP ME TO RESOLVE THIS ISSUE.
    Thanks in Advance,
    Asif

  • Exchange 2007 Out of Office Certificate Error

    Hello,
    I have an Exchange 2007 Server and for some odd reason this week, we have been having issues enabling Out of Office in Outlook. It is some sort of issue with the Autodiscover service, but despite reading forum post after forum post, nothing has worked for
    me. At first when we would go into Outlook and click on Out of Office, it would freeze and then say the server is unavailable. I realized that it was trying to resolve a URL so I added a manual A record in the DNS server pointing to the local IP of the server
    and it fixed the issue, kind of. Now when we click on Out of Office Assistant, we get a security certificate error and it is driving my users crazy. I have updated the SRV record and many things, still unable to get it to work. 
    Any help would be super!! 
    Thanks!

    Hi,
    1. First of all, please check that the name you are using for the autodiscover service is available on the SAN certificate.
    2. Please check that name resolution is happening for the autodiscover namespace.
    I.e. if you try to resolve autodiscover.mydomain.com (or) mail.mydomain.com on your problematic PC, it should resolve to the CAS server IP address, or in some scenarios it will resolve to the LB.
    3. Then please check whether you have properly set the autodiscover internal URL on all the CAS servers.
    It might be like below
    https://autodiscover.mydomain.com/autodiscover/autodiscover.xml
    (or)
    https://mail.mydomain.com/autodiscover/autodiscover.xml
    4. Then please check the web services URL on all the CAS servers; that is the major thing that makes the availability services (i.e. OOF, free/busy lookup) work properly.
    5. In the problematic please uncheck the internet proxy exceptions.
    6. You can use test email configuration to check whether the Outlook client is fetching the proper URL for autodiscover and EWS.
    7. test-outlookwebservices (we can use this command to check the functionality of autodiscover for a problematic user account)
    8. Please check the root certificates on the problematic client to see whether they are expired or not. Root certificates are nothing but the ones that come by default with the OS.
    9. If all the above is set perfectly but you are still facing the issue, please follow the step below; this may not be required.
    Please export the SAN certificate from Exchange to a PFX file, which should include the certificate key, by using MMC. Then import the PFX file into the problematic client. Let us see what happens.
    On my side I have a few questions about your environment.
    1. Are you facing any certificate errors in OWA? The reason I am asking: please check that the installed SAN certificate in Exchange is valid and not expired.
    2. What is the problematic client's operating system version?
    Please reply if you have any issues.
    Regards
    S.Nithyanandham
