Where to start... I'm trying to wrap my head around certificates for Exchange 2007 (or in general). I have a single Exchange 2007 Server sitting behind TMG. I've purchased an SSL cert called mail.domain.com and installed it on TMG and Exchange as a 443 binding to the default website. IMAP, POP, IIS, and SMTP are assigned services. This cert DOES NOT match the name of our exchange server. OWA works fine. Since installing this, there was been a constant error of 12014 in the Application log. Lastly, I'm wanting now to create and assign a self-signed certificate for use with ActiveSync and I'm not quite sure how to go about installing it. Any assistance is greatly appreciated. jjev

Hi Jev, Follow this article http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

Thank you for the link m.salah. Is it correct to assume that the 12014 error that I have will not disappear then as the certificate I have purchased doesn't match the name of the exchange server? Purchasing a SAN cert with the OWA and server FQDN is the only way?jev

what all thing you shoudl consider for certificate basis please read the following:- I am listing the services in Exchange Server 2007 which will require certificate 1. POP3 and IMAP4 client access to Exchange 2. Outlook Web Access 3. Outlook Anywhere 4. Exchange ActiveSync 5. Autodiscover 6. Edge Synchronization. I will take example of Contoso.com and list down the domains we need to add in the SAN of certificate: 1)Internal & external URLs used for OWA, Outlook Anywhere, POP3/IMAP4, Exchange ActiveSync. Usually, a single URL will be used for these services, but if you are using different URLs for each service, make sure you include it in the SAN. Example: Contoso.com uses mail.contoso.com for accessing OWA, Outlook Anywhere, ActiveSync, POP3 & IMAP services internally as well externally. 2)URL of Autodiscover. Considering @Contoso.com will be the email address for Contoso users; the Autodiscover URL they will need to include in the certificate SAN is: Autodiscover.contoso.com, this is beccause outlook is designed to search for autodiscover URL in predefined manner. 3)FQDN & NetBIOS names of the CAS/HT servers. 4)FQDN & NetBIOS name of the Edge server in case it will be used for TLS communication on Internet. If the edge is not used for TLS communication on Internet and self signed certificate should sufficient for edge supporting subscription process. In our example, Contoso receives secure emails on the Internet through edge server edge.contoso.com hence we need edge.contoso.com added in the certificate SAN. In short, you need following domains added to certificate SAN in above scenario: Mail.contoso.com Autodiscover.contoso.com FQDN & NetBIOS names of the HT & CAS servers (Optional) FQDN & NetBIOS names of the Edge servers (Optional). Related articles: Exchange 2007 lessons learned - generating a certificate with a 3rd party CA http://msexchangeteam.com/archive/2007/02/19/435472.aspx Exchange 2007 Autodiscover and certificates http://msexchangeteam.com/archive/2007/04/30/438249.aspx Best Rgds, Ashish | Unified Comunication | MCTS | MCITP | Please remember to select option "Propose As Answer" if solution work for you | My posts hold no assurances, no promises, and they measured no rights.

Hi Jev, A bout the error please try the following steps: PS] C:\>Get-ExchangeCertificate Thumbprint Services Subject ---------- -------- ------- C825AF1799092691FBBDE5D74CED00A7CE0C2DD8 IPUWS. CN=mail.domain.com, OU=MS, O=Organization, L=location, S=State... 0E0D0054620D996193621BA7BDDB32E82FCB60D9 IP..S. CN=Servername Now if you were to look at your Receive Connectors, you will see a Default Receive Connector. This connector should only have an FQDN of blank, server FQDN, or server shortname. So for example, taking a look at the Default Receive Connector, we can take a look at the FQDN: [PS] C:\>get-receiveconnector -Server servername | Where-Object {$_.Identity -like "*Default*"} | FL Identity,FQDN Identity : servername\Default servername Fqdn : servername The TLS selection process for Opportunistic TLS means that it try TLS using a certificate that is enabled for the service SMTP and matches the FQDN of the Default Receive Connector. So you'll need a certificate enabled for SMTP that matches the FQDN on that default Receive Connector. The self-signed certificate is a SAN cert that has both the servername and servername FQDN. If you created a new self-signed certificate, you'll want to make sure you enable it for SMTP. Get-ExchangeCertificate -thumbprint Thumbprint | Enable-ExchangeCertificate -services SMTP. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thank you both - I believe the issue I'm having is caused by using a single SSL certificate which matches my DNS entry (mail.domain.com) for OWA. The default receive connector is the FQDN of the box which this certificate does not match, hence the error. I'm purchasing a SAN certificate this afternoon that will include: autodiscover.domain.com mail.domain.com activesync.domain.com ExchangeNETbios ExchangeFQDN This should be sufficient for my use. There should be no reason I cannot use the same Web Listener for OWA/ActiveSync, right?jev

Thanks to you both for your assistance - I've now managed, using a SAN certificate from the great folks over at DigiCert, to clear the TLS error and secure OWA / ActiveSync. Just have one issue remaining which deals with ActiveSync. I have it working internally; there are mobile devices now able to retrieve messaging data from Exchange, but when I try to configure the same mobile device to use ActiveSync outside of our network, it fails. Using https://testexchangeconnectivity.com, everything now passes except for the below. I'm certain it is likely something very simple I'm overlooking. Testing HTTP Authentication Methods for URL https://mail.domain.com/Microsoft-Server-Activesync/. The HTTP authentication test failed. Additional Details An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>403 - Forbidden: Access is denied.</title> <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>403 - Forbidden: Access is denied.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div> </div> </body> </html> jev

Try Disable the forms-based authentication for the Exchange virtual directory and authentication to “Basic” and “Integrated”. Best Rgds, Ashish | Unified Comunication | MCTS | MCITP | Please remember to select option "Propose As Answer" if solution work for you | My posts hold no assurances, no promises, and they measured no rights.