<RESOLVED> On Premises (intranet use only) Exchange Certificate Help (Please)!

I apologize in advance for what may end up being a very silly issue.
I have racked my brain and read and searched and I still can't seem to find the answer to my question.

I have an in-house Exchange server that is only accessible internally. We do not have external clients (laptops/tablets/etc.) and all computers stay on premises. Most of our clients use OWA to access email. Everything has been working fine up until about 2 weeks ago when everybody started getting a certificate error. I have tried everything I can find to fix this issue to no avail. It seems the thumbprint of the certificate is different each time I visit the Exchange server (https://exchange/owa). So I can install the certificate, which works for a few minutes, and then it prompts me again. When looking at the thumbprint of each instance, everything seems to be exactly the same with the exception of the thumbprint.

My first question is: do I still need to go through a CA even though this server is not accessible via external IP?
Where are my clients getting the certificate they are trying to install, because they do not match the certificate that is installed on the Exchange Server?

Thank you in advance for anybody that can steer me in the right direction to getting this resolved.

I support this site remotely so any additional info can be provided but there might be a small delay.


April 13th, 2015 3:16pm

I'm going to assume that you have some sort of PKI infrastructure within your environment. In that case, I would definitely create a cert request through an internal CA and apply/assign it to the proper services.

April 13th, 2015 3:38pm

First, thank you for taking the time to respond.

"I'm going to assume that you have some sort of PKI infrastructure within your environment."

I'm not sure I do. This project landed in my lap a few years ago. This particular client is my only client with Exchange. I have limped my way through to this point but I'm afraid I'm just not clear on what it is I actually need.
We are running Exchange 2013 on a Server 2008 box. Everything worked fine up until about 2 weeks ago. I have no idea what changed.
I think my biggest problem is my lack of understanding of where the client is pulling the certificate when I access the intranet site. I don't understand why the certificate (whether valid or not) isn't matching the certificate within IIS/Exchange admin.

April 13th, 2015 3:50pm

Do they have an internal Certificate Authority? Can you check? Also, if you can provide a screenshot of the cert error, that would help some as well.
April 13th, 2015 6:58pm

Hi,

I think you can check your certificate information and provide the information here for more help. Please run the following command in Exchange Management Shell:

Get-ExchangeCertificate | fl

Additionally, since the certificate issue occurs when accessing Exchange server from OWA, please check the OWA configuration in your Exchange:

Get-OwaVirtualDirectory | FL Identity,*Authentication*,*url*

Generally, the namespace used in the OWA URL should be included in the Exchange certificate that is assigned to the IIS service.

Regards,

April 14th, 2015 8:20am

April 14th, 2015 2:12pm

This is the certificate that is on the Exchange Admin

April 14th, 2015 2:24pm

On the computers that are no longer getting the certificate error, everything matches.

April 14th, 2015 2:25pm

But on the ones that continue to get the prompt, it changes every time.

April 14th, 2015 2:26pm

Just wondering if you need any other information on this. Any suggestions would be much appreciated.

Thanks.

April 15th, 2015 5:52pm

What happens if you manually export the certificate from Exchange and import it directly onto these 3 clients?
April 15th, 2015 7:08pm

April 16th, 2015 3:47am

And thank you again for all that offered solutions to my issue. This is a great community that I have relied on for years.
April 16th, 2015 2:25pm

<RESOLVED>
So it turns out the reason the certificate was changing on the client is because AVG Web Browsing Protection has an option to "Scan encrypted (TLS and SSL) network traffic".  Apparently something in that process was messing up the certificate. After disabling this option I was able to install the correct certificate on each workstation. Attached is an image of the setting within AVG CloudCare. I hope this helps somebody and keeps you from scratching your head as I have for the last 2 - 3 weeks.


April 16th, 2015 2:25pm
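
The diagnosis in this thread can be checked from an affected workstation. The following is an added example, not part of the original thread: it samples the certificate the client is actually handed for the OWA host and compares its thumbprint and issuer with the one installed on the server. The host name `exchange`, the placeholder thumbprint and the parameter and function names are assumptions, and it assumes the interception applies to all TLS leaving the workstation rather than to browser processes only.

```powershell
# Added example, not from the thread. Run on an affected workstation (PowerShell 3.0+).
# Placeholders: $OwaHost is the OWA host name; $ExpectedThumbprint is the Thumbprint
# that Get-ExchangeCertificate reports for the certificate bound to IIS.
param(
    [string]$OwaHost = 'exchange',
    [int]$Port = 443,
    [string]$ExpectedThumbprint = '<thumbprint from Get-ExchangeCertificate>',
    [int]$Samples = 3
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept whatever is presented: the handshake is only used to read the
        # certificate, and nothing is sent over the connection afterwards.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $cert, $chain, $policyErrors) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Thumbprints pasted from the certificate dialog often carry spaces or hidden characters.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$seen = foreach ($i in 1..$Samples) {
    $c = Get-PresentedCertificate -HostName $OwaHost -Port $Port
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Issuer        = $c.Issuer
        NotBefore     = $c.NotBefore
        MatchesServer = ($c.Thumbprint -eq $expected)
    }
    Start-Sleep -Seconds 2
}
$seen | Format-List

$distinct = @($seen | Select-Object -ExpandProperty Thumbprint -Unique)
$mismatch = @($seen | Where-Object { -not $_.MatchesServer })
if ($distinct.Count -gt 1 -or $mismatch.Count -gt 0) {
    Write-Warning "Presented certificate differs from the server's; check Issuer above for a local TLS-inspecting product or proxy."
} else {
    Write-Output 'Workstation sees the same certificate that is installed on the server.'
}
```

A thumbprint that changes between samples while the subject stays the same means the certificate is being re-issued somewhere between the client and the server, and the Issuer field names what is minting it.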

This topic is archived. No further replies will be accepted.
