Exch 2010 on SBS 2011 Certificate errors on outlook 2007

I set up a test server this weekend with SBS 2011 (Exch 2010).  I created a subnet on my network behind a 2nd firewall/router.  My LAN network is 192.168.0.0 and the 2nd router/firewall is 192.168.137.0.  I put a laptop on the same subnet as the server and put on Outlook 2007.  I told the server to use a domain name that I'm using on the internet for email, but did not expose the server to the internet.  We still use the POP3 connector to receive our mail so I configured that with a test POP account at our ISP.  It all worked just fine, could send and receive mail on the testuser.

When I start Outlook I get a certificate error.  When I inspected the certificate it appeared to be a cert from our internet-based website host.  My laptop is configured to use the SBS server for DNS so I was a little surprised to see it resolving our ISP's cert for our domain.  When I unplugged the router on the test network (taking away the internet), the client no longer complained about cert error.  I then thought I would put a hosts entry on the laptop pointing our domain name to the server.  That seemed to work a little better.  This time I got cert error but the cert information was from my test server.  It was just complaining about not being trusted.  I then tried to install the cert on the laptop (pointing at a specific store, not just automatically selecting) figuring that would solve the problem, but I continued to get a cert error.  Before I put in the hosts entry, at the top of the cert error I was getting autodiscover.domainname.com (pointing at my ISP's cert).  After I put in the hosts entry I was getting only domainname.com (pointing at the server's cert).  Sometimes I would get 2 cert errors, one for autodiscover.domainname.com (pointing at the ISP's cert) and one for just domainname.com (pointing at my server's cert).  Just before I gave up for the night I started getting a userid/password dialog asking to sign in.  Didn't seem to accept the password.  That was strange as well.

Any ideas on how to solve this problem?  When I migrate my users in a real world environment, I could see this situation happening as the same scenario would exist.  I'm a little surprised that it's not happening in my SBS 2003 environment.  I run Outlook 2007 on my desktop but can't remember if I had cert errors when I first started using it or not.  Everyone else runs Outlook 2003 (small environment, just four workstations).  I just looked at my workstation (Outlook 2007 running against Exchange 2003) certs (using certmgr) and don't see any cert for my domain at all.  Wondering why not.

Roveer

July 13th, 2015 10:28am

The certificate that's used for Autodiscover, EWS and OAB must be trusted by the client computer.  Most use a third-party certificate whose root is trusted by client machines, but if you don't need to use mobile devices or non-company computers, you can use a certificate from an internal enterprise CA or any other CA whose root is trusted by the end user machines.  If you want to use the self-signed certificate, you can import that certificate into all client machines as a trusted root certificate.
July 13th, 2015 2:16pm

Ed,

What you are explaining makes perfect sense.  After I got the laptop to stop looking outside the network and resolving my domain name certificate at my ISP and pointing at the private server generated one on the SBS box I thought I was almost home.  The only complaint the laptop client had is that it was not trusted.  

I've been down the installing certificates using the browse option and selected the trusted root certification authorities path and did that.  For whatever reason the client continues to produce the certificate error dialog complaining that it was not trusted.  A quick look into certmgr.msc shows the cert installed in that location.  This one has me stumped.  Also, and this might be my problem.  When I look at the installed certificate it says "Windows does not have enough information to verify this certificate".  What do I need to do to mint a cert on my server that will eliminate this problem?  This may be causing my lingering problem.

Hrmm.  I just had a thought.  When I set up SBS (since this is just a test server), I neglected to put any information in the dialog (forget where it was), about my name, company, address etc.  Is this possibly the "missing information" that is needed by the cert?  Wouldn't put it past something silly like that.

Roveer

July 13th, 2015 6:51pm

When it says that it doesn't have enough information to verify the certificate, it usually means that it can't get to the certificate revocation list (CRL) that's published in the certificate.  What you need depends on what you want to do.  I itemized the options in my earlier post.

  • If you're going to use mobile devices and don't want to try to manage certificates in them, then get a public UCC certificate.  Go Daddy is among the cheapest ones.  Ensure that webmail.company.com (or whatever you use) and autodiscover.company.com are in the certificate.
  • If you have an internal certificate authority like Windows Certificate Services, you can issue a UCC certificate from there but be aware that you'll have to hand out the root certificate and users will have to import it as a trusted root or else things won't work or they'll get warnings.  If your CA is an enterprise CA, the root will be trusted by domain member computers automatically.
  • The worst option is to import the self-signed certificate in Exchange in client devices as a trusted root.

You might want to post your question in the SBS forum because it's different from standard Exchange server, and may have mechanisms to help you with this stuff.

http://social.technet.microsoft.com/Forums/en/smallbusinessserver/threads

July 13th, 2015 7:21pm
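
The trust requirements discussed in the replies above come down to three separate checks on the client: do the certificate's names cover what Outlook connects to, does the chain end in a trusted root, and can revocation be checked. The following is an added example, not part of the thread or any poster's code; the function name `Test-ExchangeCertificate`, the file `server.cer` and the `example.com` host names are placeholders.

```powershell
# Added example (not from the thread). Path and names below are placeholders.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # .cer exported from the warning dialog
        [Parameter(Mandatory = $true)][string[]]$Names   # host names Outlook connects to
    )
    $file = (Resolve-Path $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # Names the certificate covers: subject CN plus any subjectAltName DNS entries.
    # The regex assumes the English "DNS Name=" rendering Windows uses for OID 2.5.29.17.
    $covered = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $covered += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # -like lets a wildcard entry such as *.example.com match; it is looser than
    # TLS wildcard rules, so treat a wildcard hit as a hint to check by hand.
    $missing = @($Names | Where-Object { $n = $_; -not ($covered | Where-Object { $n -like $_ }) })

    # Build the chain on this machine with online revocation checking enabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $trusted = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $hints = @()
    if ($missing) { $hints += "Names not covered by the certificate: $($missing -join ', ')" }
    if ($flags -contains 'UntrustedRoot') { $hints += 'Chain ends in a root that is not in Trusted Root Certification Authorities.' }
    if ($flags -contains 'PartialChain') { $hints += 'Issuer certificate not found; the chain cannot be completed.' }
    if ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
        $hints += 'Revocation could not be checked (CRL location unreachable or absent).'
    }
    New-Object PSObject -Property @{
        Subject = $cert.Subject; Issuer = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        CoveredNames = $covered; ChainTrusted = $trusted
        ChainFlags = $flags; Hints = $hints
    }
}

Test-ExchangeCertificate -Path .\server.cer -Names 'autodiscover.example.com', 'example.com'
```

Run it on the client that shows the warning, since the trusted root store and CRL reachability are evaluated per machine.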

Thanks Ed, I'll ask over in SBS.  I was going to do that originally, but was thinking they'd send me here.

1. Since I don't need anything outside, no need for a 3rd party cert.

2. Have no problem installing internal cert on my 4 machines.

3. Thought that was what I was doing when I tried to "install certificate" from the error dialog and installing it to the Trusted Root Certification Authorities.  Certificate Installed correctly, but yet the cert error dialog continues.

4.  Thinking that SBS was not creating a fully formed cert since I was getting that error message about "does not have enough information".  So, almost home, just need to resolve that issue and I think my laptop will accept what the server has.  This may be a SBS question.

Thanks,

Roveer

July 13th, 2015 7:38pm

Hi,

According to your description, I understand that the issue is related to SBS. This forum focuses on some general discussion about Exchange.

I suggest we can ask a question in SBS forum for more help:

http://social.technet.microsoft.com/Forums/en/smallbusinessserver/threads

Thank you for your understanding!

Regards,

David 

July 13th, 2015 9:47pm

This topic is archived. No further replies will be accepted.
