Big problem after renewing self-signed certificate...
Two Exchange Server 2007 SP1 servers:
- master server has Hub Transport, Client Access, Mailbox roles
- clientaccess server has Client Access role

I noticed in the event viewer of the master server that the self-signed certificate was to expire on 07/25/2009. The process of renewal is quite simple, I did it last year without problems..... BUT this year it gave me some problems. I renewed it by

Get-ExchangeCertificate -thumbprint <thumbprint> | New-ExchangeCertificate

and removed the old one by

Remove-ExchangeCertificate -thumbprint <thumbprint>

All seems fine until I open Outlook 2007 and I get the infamous security alert (http://img99.imageshack.us/img99/5333/22085525.gif). The alert seems to come from the client access server, placed in a DMZ network. If I respond "Yes" to the alert, it comes again identical, and if I press "Yes" again all works fine. I tried to:
1) restart the client machine
2) restart the main Exchange server
3) restart the client access Exchange server
No luck. The security warning is still there. I enabled Outlook 2007 logging and I can see the following:

Thread  Tick Count  Date/Time          Description
3044    5619998     07/23/09 16:42:45  Attempting URL https://master.local/Autodiscover/Autodiscover.xml found through SCP
3044    5619998     07/23/09 16:42:45  Autodiscover to https://master.local/Autodiscover/Autodiscover.xml starting
3044    5620014     07/23/09 16:42:45  Autodiscover to https://master.local/Autodiscover/Autodiscover.xml FAILED (0x800C8203)
3044    5620014     07/23/09 16:42:45  Attempting URL https://clientaccess.local/Autodiscover/Autodiscover.xml found through SCP
3044    5620014     07/23/09 16:42:45  Autodiscover to https://clientaccess.local/Autodiscover/Autodiscover.xml starting
3044    5624974     07/23/09 16:42:50  Autodiscover XML Received

I have NO idea why, after a simple renewal of a certificate, the Autodiscover service is broken!!! Please help. I don't remember this kind of problem last year... probably an update or something like that can cause the issue? Thanks.
July 23rd, 2009 6:26pm

"The alert seems to come from client access server, placed in a dmz network."

Client Access server in DMZ is not a recommended and supported scenario...!!! BTW, what does Get-ExchangeServer | FL show on the DMZ CAS server? Does it have the correct server name?

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
July 23rd, 2009 6:47pm

Hi and thanks for the help. I didn't mention that the CAS server is in the same domain, so a separate network but with all the correct ports open, and it has been up and running for more than 1 year. Using get-exchangeserver | fl shows the correct server name (and lots of other info of course), if with "correct server name" you mean the one with all roles installed. I don't know if it can help, but when I try to view the certificate by doing:
1) open IIS on the master server
2) Directory Security tab of the Autodiscover virtual directory
3) click on "View certificate"
nothing happens. Same behavior under "Default Web Site". It seems that "View certificate" is somewhat broken. Doing the same under the client access server correctly shows the certificate. Can it be that the certificate renewal process went wrong and the certificate is not correctly installed on IIS? So Autodiscover relies on the clientaccess machine, which uses another certificate? Please help.
July 23rd, 2009 6:57pm

Sorry, I was supposed to ask about Get-ExchangeCertificate | FL on the CAS DMZ server...

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
July 23rd, 2009 6:59pm

No problem Amit, I obtain these lines:

[PS] C:\>get-exchangecertificate | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.external.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Internal CA, DC=our ca, DC=net
NotAfter           : 5/10/2012 1:18:42 PM
NotBefore          : 3/27/2008 11:41:39 PM
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : 68FD46C3000200000015
Services           : IIS
Status             : Invalid
Subject            : CN=owa.external.ch, OU=one ou, O=company, L=city, S=state, C=country
Thumbprint         : 461A868067CB152AABF873E9A30BD87A18DBxxxx

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {clientaccess, clientaccess.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=clientaccess
NotAfter           : 3/20/2009 12:49:22 PM
NotBefore          : 3/20/2008 12:49:22 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : C274BBF2F38FCDB74CC8F59EC482xxxx
Services           : IMAP, POP
Status             : Invalid
Subject            : CN=clientaccess
Thumbprint         : 8C6528EE9053950DD97C716E2394382FC630xxxx

It seems like the certificate on the CAS server is expired... but there are many colleagues that are using it through Windows Mobile devices without problems...
July 23rd, 2009 7:07pm

Yes, the self-signed one is expired but the other one looks fine until 2012. But why does the status show Invalid? Something is wrong with that cert....

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
July 23rd, 2009 7:21pm

Please can you tell me why we are investigating the CAS server? I think the problem can be that Autodiscover on the master server is broken and, because of this, Outlook tries to configure itself to the CAS, showing certificate issues. Am I wrong? How can I debug the situation deeper? I put here the output of get-exchangecertificate | fl executed on the master server:

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {master, master.domain.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=master
NotAfter           : 7/23/2010 2:51:45 PM
NotBefore          : 7/23/2009 2:51:45 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 43C01F77A2D39996497E77F753B6xxxx
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=master
Thumbprint         : B2E4B94F6C68B6144F736AD03DCF6B32B2C6xxxx

This is the one I renewed today.
July 23rd, 2009 7:26pm

That's because I think something is wrong with the certificates also at the client-access.domain.local server, as per the screenshot... OK, about Autodiscover, we can test it with the methods explained in the article below to get more clues...

How to Diagnose Availability Service Issues
http://technet.microsoft.com/en-us/library/bb124805.aspx

Amit Tank | MVP Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com
July 23rd, 2009 7:45pm

Hi, did you follow the procedure mentioned in the URL below?
http://blog.flaphead.dns2go.com/archive/2009/01/17/exchange-2007-self-signed-certificate.aspx

Cheers
Abu
July 23rd, 2009 9:46pm

Hi, if you need to create a new SSL certificate, use this URL to create a new CSR file:
https://www.digicert.com/easy-csr/exchange2007.htm
and then generate an SSL certificate using your CA server... Then reimport it to your IIS.... Then enable the Exchange services on the certificate....

Cheers
Abu
July 23rd, 2009 9:56pm

Abuthaheer, genius, I solved the problem. In short, renewing the certificate requires enabling it in IIS too. According to me, this behavior has changed since last year and this caused the problem. Just executing the cmdlet "Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS" found in Abuthaheer's link solved the problem. The security warning popped up because the master server Autodiscover URL was not working (caused by the certificate not being enabled in IIS), so Outlook tried to autodiscover from the clientaccess URL, but this server had another certificate with a different common name (because it is accessible from the outside) and this caused the security warning (this really helped me to diagnose the problem). Thanks everyone for the help.
July 24th, 2009 11:12am
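Added example, not from any post in this thread: an Exchange Management Shell script for the renewal described above that records which services (including IIS) the expiring self-signed certificate is bound to, clones it, re-enables the clone for the same services, and only then removes the old one, so Autodiscover on the master server does not silently fall back to a CAS with a different certificate name. $OldThumbprint is a placeholder; the cmdlets and properties used are the ones shown in the thread.

```powershell
# Added example (not from the thread). Renew a self-signed Exchange 2007 certificate
# without losing the IIS binding that Autodiscover/EWS/OWA depend on.
# Placeholder: take the real value from Get-ExchangeCertificate on the server.
$OldThumbprint = "<thumbprint-of-expiring-self-signed-certificate>"

$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old.IsSelfSigned) {
    throw "Refusing to clone a CA-issued certificate; renew that one via a CSR instead."
}

# Record the services BEFORE touching anything, e.g. "IMAP, POP, SMTP, IIS".
# Assumption: the Services property value is accepted directly by -Services.
$services = $old.Services
Write-Host "Old cert $($old.Thumbprint) expires $($old.NotAfter); services: $services"

# Clone the certificate (same subject and SAN list). As the thread shows, the clone
# is NOT automatically enabled for IIS, only for SMTP/POP/IMAP at most.
$old | New-ExchangeCertificate | Out-Null

# Locate the clone: same subject, different thumbprint, latest expiry.
$new = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Subject -eq $old.Subject -and
                   $_.Thumbprint -ne $old.Thumbprint } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "Cloned certificate not found; old certificate left in place." }

# The step the original poster missed: bind the clone to the same services.
# (Enable-ExchangeCertificate may prompt when replacing the default SMTP certificate.)
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services

# Verify before removing anything: the clone must be Valid and must carry IIS.
$check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
if ($check.Status -ne "Valid" -or ("$($check.Services)" -notmatch "IIS")) {
    throw "New certificate is not Valid or not enabled for IIS; old certificate left in place."
}

Remove-ExchangeCertificate -Thumbprint $OldThumbprint
Write-Host "Renewed: $($new.Thumbprint); services: $($check.Services); valid until $($check.NotAfter)"
```

After the swap, Test-OutlookWebServices (Exchange 2007 SP1) exercises Autodiscover and the web services from the server side, which catches the fallback-to-another-server symptom before users see the Outlook prompt.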
