Exchange Certificate - Outlook clients prompted for login/cert install

Hi, I'm by no means an Exchange 2010 expert so please bear with me. I am experiencing some frustration with the client certificate requirements for Exchange 2010 SP1 (no rollups installed). All my clients use Outlook 2010. I've recently completed a transition from Exchange 2003, all mailboxes are now located on the Exc2010 server. Exc2003 still exists in the organisation, not sure how relevant this is - but there you go.

During UAT I never saw this happen but now many of my clients are seeing certificate prompts. Some are also being prompted for login credentials. Initially I worked around the login prompt issue by deleting or renaming the c:\users\USERNAME\AppData\Roaming\Microsoft\Protect\<GUID> folder and changing the logon network security setting in Outlook from "Negotiate Authentication" to "Password Authentication NTLM". This seemed to work but users are reporting a week or 10 days later that this is happening again.

As mentioned, I'm also seeing various certificate security alerts, 3 in fact, although all three certificate alerts seem to be for the same certificate:

IIS configuration is all default.

Get-WebServicesVirtualDirectory returns the following:

CertificateAuthentication     :
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : True
LiveIdBasicAuthentication     : False
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True

Get-RpcClientAccess returns the following:

RunspaceId            : f130bbc8-e421-473a-bcca-569fe5ea770d
Server                : VMEXC01
MaximumConnections    : 65536
EncryptionRequired    : False
BlockedClientVersions :
Responsibility        : Mailboxes, PublicFolders
AdminDisplayName      :
ExchangeVersion       : 0.1 (8.0.535.0)
Name                  : RpcClientAccess
DistinguishedName     : CN=RpcClientAccess,CN=Protocols,CN=VMEXC01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=contoso plc,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
Identity              : RpcClientAccess
Guid                  : 26399e86-7352-412b-b194-2a175451b1ad
ObjectCategory        : contoso.com/Configuration/Schema/ms-Exch-Protocol-Cfg-Exchange-RPC-Service
ObjectClass           : {top, msExchProtocolCfgExchangeRPCService}
WhenChanged           : 18/03/2012 10:42:17
WhenCreated           : 18/03/2012 10:42:17
WhenChangedUTC        : 18/03/2012 10:42:17
WhenCreatedUTC        : 18/03/2012 10:42:17
OrganizationId        :
OriginatingServer     : VMDC1.contoso.com
IsValid               : True

I'm guessing that there is a DNS issue somewhere and I'm slowly starting to accept that I would have to deploy a Trusted Publisher policy via GPO to get rid of the prompts. Can someone point me in the right direction to get this rolled out? Also, I'm out of ideas as to what is causing the password prompts, but I'm guessing it's got something to do with the untrusted certificate publisher?

Thanks for your time!
Chris
June 14th, 2012 10:48am

It looks like the certificate that you are using for the web server (CAS) does not contain the vmexc01 name nor the autodiscover name. You really need a certificate that has all of the names for Exchange referenced in it and apply it to all services required with those names. You can use Get-ExchangeCertificate to see what certs are installed and what services they apply to, then review the certs installed to make sure they have the appropriate names in them.
June 14th, 2012 10:55am

Thanks Russ, the certificate contains both FQDN and NETBIOS names for the CAS (VMEXC01):

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {VMEXC01, VMEXC01.contoso.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=VMEXC01
NotAfter           : 18/03/2017 10:39:41
NotBefore          : 18/03/2012 10:39:41
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 1E7F4C803442B6AE4C83DEC80FA3406A
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=VMEXC01
Thumbprint         : 379CB084ED6620960CF49F5E91B574D25CC79CFB
June 14th, 2012 11:17am

This is a self-signed certificate, so it will need to be imported to the client machine(s). Here is a blog article about this: http://blogs.technet.com/b/asiasupp/archive/2007/05/29/self-signed-certificate-issue-when-connecting-to-the-exchange-server.aspx

But you also need to include autodiscover, so I would generate a new self-signed certificate and include autodiscover and assign it to the server:

New-ExchangeCertificate -IncludeAutoDiscover
June 14th, 2012 11:32am
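
The name check described in the replies above, as an added example that is not part of the original thread: it compares a certificate's CertificateDomains list with the host names clients connect to and reports the names that are not covered. The function name Test-CertNameCoverage is hypothetical, and autodiscover.contoso.com is an assumed Autodiscover FQDN, since the thread never gives one.

```powershell
# Added example, not code from the thread. Test-CertNameCoverage is a
# hypothetical helper name.
function Test-CertNameCoverage {
    param(
        [string[]]$CertificateDomains,  # names listed on the certificate
        [string[]]$RequiredNames        # names clients actually connect to
    )
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($domain in $CertificateDomains) {
            # Exact match, case-insensitive.
            if ($domain -ieq $name) { $covered = $true; break }
            # A wildcard entry covers exactly one left-most label.
            if ($domain.StartsWith('*.')) {
                $suffix = $domain.Substring(1)   # e.g. ".contoso.com"
                if ($name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $label = $name.Substring(0, $name.Length - $suffix.Length)
                    if ($label -and -not $label.Contains('.')) { $covered = $true; break }
                }
            }
        }
        # New-Object PSObject keeps this usable on PowerShell 2.0.
        New-Object PSObject -Property @{ Name = $name; Covered = $covered }
    }
}

# Constructed sample: the CertificateDomains value posted above, checked
# against the server names plus an assumed Autodiscover FQDN.
$certDomains = 'VMEXC01', 'VMEXC01.contoso.com'
$required    = 'VMEXC01', 'VMEXC01.contoso.com', 'autodiscover.contoso.com'

Test-CertNameCoverage -CertificateDomains $certDomains -RequiredNames $required |
    Where-Object { -not $_.Covered } |
    Select-Object Name

# On the Exchange server, the domain list would come from the
# CertificateDomains property that Get-ExchangeCertificate returns.
```

Any name this lists is one for which clients will get a name-mismatch alert, separately from the trust alert caused by the certificate being self-signed.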
