Autodiscovery SSL error because of a wrong redirect
Hi, I have Exchange 2007 running under Server 2008 Enterprise configured as a domain controller. My server uses Yahoo bizmail to route email to the outside (send connector). When I try to add an Outlook client to Exchange, in the first phase I get an SSL certificate error for autodiscover.yahoo.com. The problem is that I have changed all the domain.local to domain.tld inside my Exchange configuration (so users will be able to send mails without causing the SMTP relay to reject them), then Outlook tries to seek autodiscover.domain.tld instead of autodiscover.domain.local ... Any help will be appreciated. Thank you!
July 18th, 2008 7:21pm

Hi Tal, I had the same issue until I found this blog. Here is a fix: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/
July 19th, 2008 3:07am

Hi Eagle, thanks for the fast reply. I followed the instructions in the blog but... my internal URI is okay. I still have no clue why the Outlook 2007 clients try https://correlsense.com while they are supposed to try to connect to https://earth.correlsense.local. Is there a chance that something fails with https://earth.correlsense.com and the Autodiscover service jumps to different methods like autodiscover.correlsense.com? Here is my output:

Name : EARTH
OutlookAnywhereEnabled : False
AutoDiscoverServiceCN : EARTH
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://earth.correlsense.local/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
IsValid : True
OriginatingServer : EARTH.correlsense.local
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=EARTH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=correlsense,DC=local
Identity : EARTH
Guid : a52efaed-7d6a-46ff-979f-83cd0a857416
ObjectCategory : correlsense.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 17/07/2008 02:20:54
WhenCreated : 17/07/2008 02:11:38
July 19th, 2008 12:37pm

Hi Tal, can you create a new DNS record?
1) New host "autodiscover" pointing to the IP address of EARTH.correlsense.local
2) Open Exchange Management Shell and type: "set-outlookprovider -id exch -server:CAS_Server" (replace it with your client access server FQDN).
3) Turn off the SSL service if you are not using it: "set-outlookprovider -id exch -ssl:$false"
July 21st, 2008 11:21pm

Hi Eagle, thanks for the reply. One thing I forgot to mention is that I'm using Exchange Enterprise and the -ssl command is disabled... This is driving me crazy; since I have no valid certificate it's all messed up... I heard that IIS7 can host SSL certificates for multiple FQDNs, any idea about that?
July 22nd, 2008 12:08am

Hi, please describe the error exactly so that we can provide an effective solution. Additionally, please run the get-exchangecertificate |fl command in EMS, and post the information on the forum. This issue may occur if the name on the security certificates does not match the name of the URL in the SCP object. Thanks, Allen
July 22nd, 2008 5:38am

Hi Allen, thanks for the reply. I will post here all the info I can:
1. Server 2008 Enterprise with Exchange 2007 Enterprise.
2. Internal domain: correlsense.local, external domain: correlsense.com
3. Using smtproute to send mails (to Yahoo with smarthost) - the Exchange server does not have an MX record in the DNS.
4. I have added correlsense.com to accepted domains and transport policy (correlsense.com is the reply address).
5. When a user joins the domain and creates an Outlook profile he sees USERNAME@correlsense.com
6. For some reason Outlook clients try to connect to autodiscover.correlsense.com although I changed set-autodiscovervirtualdirectory to the internal URL.
7. I am trying to configure this server to allow external access to the mails using Outlook without the need to dial in (VPN).

Some Exchange shell output:

[PS] C:\Windows\System32>get-autodiscovervirtualdirectory | FL

Name : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://EARTH.correlsense.local/W3SVC/1/ROOT/Autodiscover
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server : EARTH
InternalUrl : http://earth.correlsense.local/
ExternalUrl : http://earth.correlsense.local/
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=EARTH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=correlsense,DC=local
Identity : EARTH\Autodiscover (Default Web Site)
Guid : 915c38c9-28f6-4ab8-8b72-bb68a72a398c
ObjectCategory : correlsense.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged : 23/07/2008 01:15:31
WhenCreated : 17/07/2008 02:17:19
OriginatingServer : EARTH.correlsense.local
IsValid : True

[PS] C:\Windows\System32>get-webservicesvirtualdirectory | FL

InternalNLBBypassUrl : https://earth.correlsense.local/ews/exchange.asmx
Name : EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://EARTH.correlsense.local/W3SVC/1/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server : EARTH
InternalUrl : http://earth.correlsense.local/EWS/Exchange.asmx
ExternalUrl : http://earth.correlsense.local/EWS/Exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=EARTH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=correlsense,DC=local
Identity : EARTH\EWS (Default Web Site)
Guid : 5497e382-dc81-402c-80df-dbf0b16991bb
ObjectCategory : correlsense.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 23/07/2008 00:03:49
WhenCreated : 17/07/2008 02:17:34
OriginatingServer : EARTH.correlsense.local
IsValid : True

[PS] C:\Windows\System32>get-oabvirtualdirectory | FL

Name : OAB (Default Web Site)
PollInterval : 480
OfflineAddressBooks : {Default Offline Address Book}
RequireSSL : False
MetabasePath : IIS://EARTH.correlsense.local/W3SVC/1/ROOT/OAB
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB
Server : EARTH
InternalUrl : http://earth.correlsense.local/OAB
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalUrl : http://earth.correlsense.local/OAB
ExternalAuthenticationMethods : {WindowsIntegrated}
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=EARTH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=correlsense,DC=local
Identity : EARTH\OAB (Default Web Site)
Guid : 6c043d16-4bce-4f0e-af3b-0df8fe216f61
ObjectCategory : correlsense.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchOABVirtualDirectory}
WhenChanged : 23/07/2008 00:02:10
WhenCreated : 17/07/2008 02:17:16
OriginatingServer : EARTH.correlsense.local
IsValid : True

[PS] C:\Windows\System32>test-outlookwebservices -id talh | FL

Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address talh@correlsense.com.

Id : 1006
Type : Information
Message : The Autodiscover service was contacted at https://earth.correlsense.local/Autodiscover/Autodiscover.xml.

Id : 1016
Type : Success
Message : [EXCH]-Successfully contacted the AS service at http://earth.correlsense.local/EWS/Exchange.asmx. The elapsed time was 299 milliseconds.

Id : 1015
Type : Success
Message : [EXCH]-Successfully contacted the OAB service at http://earth.correlsense.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

Id : 1014
Type : Success
Message : [EXCH]-Successfully contacted the UM service at https://earth.correlsense.local/UnifiedMessaging/Service.asmx. The elapsed time was 658 milliseconds.

Id : 1016
Type : Success
Message : [EXPR]-Successfully contacted the AS service at http://earth.correlsense.local/EWS/Exchange.asmx. The elapsed time was 79 milliseconds.

Id : 1015
Type : Success
Message : [EXPR]-Successfully contacted the OAB service at http://earth.correlsense.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

Id : 1014
Type : Information
Message : [EXPR]-The UM is not configured for this user.

Id : 1017
Type : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://earth.correlsense.local/Rpc. The elapsed time was 105 milliseconds.

Id : 1006
Type : Success
Message : The Autodiscover service was tested successfully.

And finally what you requested:

[PS] C:\Windows\System32>get-exchangecertificate |fl

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {autodiscover.correlsense.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=autodiscover.correlsense.com
NotAfter : 29/07/2008 01:51:38
NotBefore : 22/07/2008 01:51:38
PublicKeySize : 1024
RootCAType : None
SerialNumber : 09AD9ACE2FEBB6A840A69A2328A71EB5
Services : None
Status : Valid
Subject : CN=autodiscover.correlsense.com
Thumbprint : DB3CCD745D7BADB59A9AFE4A1C7F6B7B3F0BC007

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {earth.correlsense.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=earth.correlsense.com
NotAfter : 28/07/2008 23:35:11
NotBefore : 21/07/2008 23:35:11
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : A81373F201DC78B24C82D5293F03E82F
Services : None
Status : Valid
Subject : CN=earth.correlsense.com
Thumbprint : 5FA4AE57BCAB8E61020DFB7C107817BB7BE7D552

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {correlsense.hopto.org}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=correlsense-EARTH-CA, DC=correlsense, DC=local
NotAfter : 18/07/2010 19:41:44
NotBefore : 18/07/2008 19:41:44
PublicKeySize : 1024
RootCAType : Registry
SerialNumber : 1773E591000000000003
Services : None
Status : Valid
Subject : CN=correlsense.hopto.org, OU=correlsense, O=correlsense, L=herzliya, S=none, C=IL
Thumbprint : C0A5D2667632D3279E883986BFFF41B657A86AE3

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EARTH}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=EARTH, L=951338967, OU=SharePoint, O=Microsoft
NotAfter : 01/01/9999 02:00:00
NotBefore : 17/07/2008 14:36:32
PublicKeySize : 1024
RootCAType : None
SerialNumber : 9704A4E98682519E4B5A7DD6AA7DE0AF
Services : IIS
Status : Valid
Subject : CN=EARTH, L=951338967, OU=SharePoint, O=Microsoft
Thumbprint : 7B5B3993ED07B6FF00E4F2BD337AED3CC6625033

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EARTH, EARTH.correlsense.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=EARTH
NotAfter : 17/07/2009 02:13:19
NotBefore : 17/07/2008 02:13:19
PublicKeySize : 2048
RootCAType : None
SerialNumber : 43E03A0A9E6FE3AC42303E48C994FC7B
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=EARTH
Thumbprint : F354A5E62A2C3482EF106C884E3E0AC1F46302AA

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EARTH, EARTH.correlsense.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=EARTH
NotAfter : 17/07/2009 00:26:08
NotBefore : 17/07/2008 00:26:08
PublicKeySize : 2048
RootCAType : None
SerialNumber : 401DF4B0B5E8FE9A4A5E4D9E08213E7B
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=EARTH
Thumbprint : C602045A2C1D5B14E9DB8557A5F63E4D76D30C16

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-EARTH}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=WMSvc-EARTH
NotAfter : 14/07/2018 14:02:11
NotBefore : 16/07/2008 14:02:11
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 167DDCBA097E539042B8813448161D63
Services : None
Status : Valid
Subject : CN=WMSvc-EARTH
Thumbprint : 852C5E8870219F2536D63AED37A5576A0BC28AC6

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {EARTH.correlsense.local}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=correlsense-EARTH-CA, DC=correlsense, DC=local
NotAfter : 16/07/2009 13:56:10
NotBefore : 16/07/2008 13:56:10
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 6117A9DC000000000002
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=EARTH.correlsense.local
Thumbprint : 4B7FF65FA0152204D1D75B0FE94B83D7FB8FFB83

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {correlsense-EARTH-CA}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=correlsense-EARTH-CA, DC=correlsense, DC=local
NotAfter : 16/07/2013 14:02:43
NotBefore : 16/07/2008 13:52:45
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 60415E4D478075804F55D473AC7CA053
Services : None
Status : Valid
Subject : CN=correlsense-EARTH-CA, DC=correlsense, DC=local
Thumbprint : 818E6741AAFE7AAA49592645C469418044BCA33E
July 23rd, 2008 1:28pm

not transport policy but email address policy
July 23rd, 2008 1:34pm

Hi Tal, here is my thought.
1) Looking at your previous post, Outlook Anywhere was disabled. Type this at EMS to enable Outlook Anywhere: Enable-OutlookAnywhere -Server:CAS_ServerName -ExternalHostname:webmail.xxx.com -ClientAuthenticationMethod:Basic -SSLOffloading:$false
Notes: external-hostname must match your Exchange SSL certificate. Outlook Anywhere won't work if you set it to local.
2) You don't need multiple cert names at all. One is good enough.
3) Check your firewall and external DNS for webmail (e.g. webmail.xxx.com pointing to the IP address of your CAS_Server).
4) Set the Outlook client to match your certificate name.
5) On CAS_Server, in IIS Default website properties --> Directory Security --> check SSL / required 128-bit (you must do this if you want to use Outlook Anywhere).
July 23rd, 2008 9:11pm

Hi Eagle, thanks for the information. I succeeded in connecting to the Exchange server without VPN, but I have to type my password for that (is there a way to authenticate without typing?). I still get the autodiscover error, even though I typed in set-autodiscovervirtualdirectory externalURL as: https://earth.correlsense.com/autodiscover/autodiscover.xml Any idea about that?
July 24th, 2008 12:46am

Hi Tal, I don't think you can remember the password for Outlook Anywhere. Perhaps it's by design in Exchange 2007. What's your webmail URL? https://earth.correlsense.com/autodiscover/autodiscover.xml? This URL does not exist. Here is a sample of my configuration: https://webmail.xyz.com/owa and https://webmail.xyz.com/Autodiscover/Autodiscover.xml and both are accessible. The SSL cert name is webmail.xyz.com. Check your settings again.
July 24th, 2008 3:00am

Hi, for the external user who connects Outlook by using Outlook Anywhere, it first contacts the Autodiscover server by looking up the two predefined URLs, either https://domain.com/autodiscover/autodiscover.xml or https://autodiscover.domain.com/autodiscover/autodiscover.xml, in DNS, because the client is unable to contact Active Directory. Thus, we need to ensure that a certificate which includes autodiscover.domain.com is applied to the Autodiscover service, in order to keep the name of the certificate in accord with the URL that the client is trying to connect to.
From your post, I found that the names on the certificate for the Autodiscover service are EARTH.correlsense.local and EARTH, but it does not have Autodiscover.correlsense.com.
One method is to include multiple names in one certificate, then apply it to IIS. The other method is to create another default website, then apply to it the certificate named autodiscover.correlsense.com.
For more information, please view the whitepaper about Autodiscover: http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx
Exchange 2007 Autodiscover and certificates: http://msexchangeteam.com/archive/2007/04/30/438249.aspx
Thanks, Allen
July 24th, 2008 10:08am
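
Added example, not part of the original thread or of any poster's configuration: a PowerShell check of the name-matching rule Allen describes, comparing the two Autodiscover hosts an external Outlook client derives from the e-mail domain with the names on the certificates enabled for IIS. The function names Test-CertNameMatch and Test-AutodiscoverCertNames are hypothetical, the sample objects are constructed from three entries of the Get-ExchangeCertificate output posted above, and Windows PowerShell 3.0 or later is assumed for [pscustomobject].

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Assumes Windows PowerShell 3.0 or later ([pscustomobject]).

function Test-CertNameMatch([string]$CertName, [string]$HostName) {
    if ($CertName.StartsWith('*.')) {
        # A wildcard name covers exactly one left-most label.
        $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
        return ($HostName.Contains('.') -and $parent -ieq $CertName.Substring(2))
    }
    return ($CertName -ieq $HostName)
}

function Test-AutodiscoverCertNames {
    param([string]$EmailDomain, [object[]]$Certificate)

    # The two hosts an external Outlook client derives from the SMTP domain.
    $hosts = @($EmailDomain, "autodiscover.$EmailDomain")
    # Only certificates enabled for IIS are presented by the HTTPS site.
    $iisCerts = @($Certificate | Where-Object { "$($_.Services)" -match '\bIIS\b' })

    foreach ($h in $hosts) {
        $hit = $null
        foreach ($cert in $iisCerts) {
            foreach ($name in $cert.CertificateDomains) {
                if (Test-CertNameMatch "$name" $h) { $hit = $cert; break }
            }
            if ($hit) { break }
        }
        [pscustomobject]@{
            Url        = "https://$h/autodiscover/autodiscover.xml"
            Covered    = [bool]$hit
            Thumbprint = if ($hit) { $hit.Thumbprint } else { $null }
            SelfSigned = if ($hit) { $hit.IsSelfSigned } else { $null }
        }
    }
}

# Constructed sample: three certificates copied from the output posted in the thread.
# On the Client Access server, pass (Get-ExchangeCertificate) instead of $sample.
$sample = @(
    [pscustomobject]@{ CertificateDomains = @('autodiscover.correlsense.com'); Services = 'None'
                       IsSelfSigned = $true;  Thumbprint = 'DB3CCD745D7BADB59A9AFE4A1C7F6B7B3F0BC007' }
    [pscustomobject]@{ CertificateDomains = @('EARTH'); Services = 'IIS'
                       IsSelfSigned = $true;  Thumbprint = '7B5B3993ED07B6FF00E4F2BD337AED3CC6625033' }
    [pscustomobject]@{ CertificateDomains = @('EARTH.correlsense.local'); Services = 'IMAP, POP, IIS, SMTP'
                       IsSelfSigned = $false; Thumbprint = '4B7FF65FA0152204D1D75B0FE94B83D7FB8FFB83' }
)

Test-AutodiscoverCertNames -EmailDomain 'correlsense.com' -Certificate $sample |
    Format-Table -AutoSize
```

A row with Covered set to False means no IIS-enabled certificate carries that host name, which is the mismatch that produces the Outlook certificate warning discussed in this thread.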

This topic is archived. No further replies will be accepted.
