Remove Service From a Certificate in Exchange 2007
I messed up when installing a new certificate for Outlook Web Access. I enabled the certificate for both IIS and SMTP when I should just have enabled IIS. i.e. enable-exchangecertificate -thumbprint *** -services "IIS, SMTP"
Now Outlook users are being prompted with a certificate error as the external domain name differs from the internal domain name.
I have tried removing the certificate from the server and rebooting in the first instance. Outlook then worked perfectly.
I then imported the certificate back in using the Exchange Shell. As soon as I imported the certificate it immediately had IIS and SMTP enabled without running the enable-exchangecertificate command.
Does anyone know how to remove a service from a certificate? The enable-exchangecertificate command has a -services "none" option but this does nothing. The remove-exchangecertificate command removes the certificate but seems to leave the service settings in the system.
October 12th, 2010 5:43am
Hi
Try to use
enable-exchangecertificate -thumbprint *** -services "none"
when completed then assign the appropriate service(s)
enable-exchangecertificate -thumbprint *** -services "IIS"
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
October 12th, 2010 8:22am
Tried the commands as suggested.
The Services for the certificate still show "...WS"
October 12th, 2010 8:30am
Run
Get-Exchangecertificate | fl
and post the result in here
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
October 12th, 2010 8:45am
The first certificate is the new certificate for outlook web access.
I've no idea what the second certificate is.
The third certificate is the self signed certificate for internal use.
The fourth certificate is the expired certificate for OWA which I haven't removed yet.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.drondickson.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotAfter : 11/10/2012 03:32:50
NotBefore : 08/10/2010 22:35:37
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 14CDA7
Services : IIS, SMTP
Status : Valid
Subject : CN=mail.drondickson.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)10, OU=GT74988662, O=mail.drondickson.com, C=GB, SERIALNUMBER=ZYJmImq-B4-IHylDn5xjJzfHvGss6l4q
Thumbprint : 20C4FB8F9F297B3E6C0F07A29AD119159543A19C

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.drondickson.com, STGEXCH, STGEXCH.drondickson.local, autodiscover.drondickson.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : C=GB, S=Stirlingshire, L=Stirling, O=Dron & Dickson Limited, OU=Information Technology, CN=mail.drondickson.com
NotAfter : 30/08/2011 17:08:33
NotBefore : 30/08/2010 16:48:33
PublicKeySize : 1024
RootCAType : None
SerialNumber : 48960E89D615E8A942D2B162E047F817
Services : None
Status : Valid
Subject : C=GB, S=Stirlingshire, L=Stirling, O=Dron & Dickson Limited, OU=Information Technology, CN=mail.drondickson.com
Thumbprint : 16BBB82869CC0E83FDEDA7DD0F475EE8057DE2A0

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {STGEXCH, STGEXCH.drondickson.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=STGEXCH
NotAfter : 06/07/2011 16:23:25
NotBefore : 06/07/2010 16:23:25
PublicKeySize : 2048
RootCAType : Registry
SerialNumber : 86661D625442ADAE42E155122F202D6D
Services : IMAP, POP, SMTP
Status : Valid
Subject : CN=STGEXCH
Thumbprint : 53D2840F94491DBD6B025DACD4471FF1C4AA2115

AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.drondickson.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
NotAfter : 23/08/2010 08:59:52
NotBefore : 23/07/2008 08:59:52
PublicKeySize : 1024
RootCAType : ThirdParty
SerialNumber : 08FE1F
Services : None
Status : DateInvalid
Subject : CN=mail.drondickson.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)08, OU=GT74988662, O=mail.drondickson.com, C=GB
Thumbprint : 33148980FFACD5419632027930AE01D068219D94
Charles Noble
October 12th, 2010 8:50am
mask your public dns names for private reasons in your text
what you can do is to create a new DNS zone internally that's called the external name, ex. domain.com
then you can create the appropriate records in it like
mail.domain.com -> pointing direct to the exchange server
autodiscover.domain.com -> pointing direct to the exchange server
but don't forget the maybe more important records in your external dns like www or ftp etc.
Or else the users will complain that they can't reach it anymore :)
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
October 12th, 2010 8:56am
Just to get this clear in my head.
If I set up the internal DNS Zone, would I have to change the internal name of the server to mail.domain.com? If not, surely Outlook would still look for the internal server name and still get a certificate error.
Charles Noble
October 12th, 2010 9:04am
no you don't need to change the servername
you have these names included in your certificate, they need to match, that's the way it works
mail.externaldomain.com, STGEXCH, STGEXCH.internaldomain.local, autodiscover.externaldomain.com
create a new dns zone internally called externaldomain.com and then records for it
because i suppose your servername is stgexch?
In that case you will be done :)
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
October 12th, 2010 9:09am
Also, check these values... by doing the following commands
Get-ClientAccessServer | fl AutoDiscoverServiceInternalUri, AutodiscoverServiceExternalUri
Get-WebServicesVirtualDirectory | fl InternalUrl, ExternalUrl
Get-OABVirtualDirectory | fl InternalUrl, ExternalUrl
You need to have these values matched with your names on the certificate
Jonas Andersson MCTS: Microsoft Exchange Server 2007/2010 | MCITP: EMA 2007/2010 | MCSE/MCSA Blog:
http://www.testlabs.se/blog
October 12th, 2010 9:13am
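Added example, not code from the thread or from any of its posters: one way to run the comparison described in the two replies above, checking each configured URL's host name against the names on the certificate and against what internal DNS returns. The function name Test-ExchangeUrlName and all sample names, URLs and the IP address are constructed placeholders; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 or later.
function Test-ExchangeUrlName {
    param(
        [string[]]$CertNames,  # names on the certificate (CertificateDomains)
        [string[]]$Urls,       # configured internal and external URLs
        [string]$ServerIp      # address the names should resolve to internally
    )
    foreach ($url in $Urls) {
        if (-not $url) { continue }          # unset URLs arrive as empty strings
        $name = ([System.Uri]$url).Host

        # 1. Exact, case-insensitive match against the certificate names
        #    (wildcard names are not handled here).
        $onCert = $CertNames -contains $name

        # 2. Ask the resolver this machine uses, i.e. the internal DNS.
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($name) |
                           ForEach-Object { $_.ToString() })
        } catch {
            # No record for this name, or no resolver reachable.
        }

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Url $url
        $row | Add-Member NoteProperty OnCertificate $onCert
        $row | Add-Member NoteProperty ResolvesToServer ($addresses -contains $ServerIp)
        $row
    }
}

# Constructed placeholder values. On the server, collect the real ones with the
# cmdlets from the thread, for example:
#   $certNames = (Get-ExchangeCertificate -Thumbprint <thumbprint>).CertificateDomains |
#                ForEach-Object { "$_" }
#   $urls = @(Get-WebServicesVirtualDirectory) + @(Get-OABVirtualDirectory) |
#           ForEach-Object { "$($_.InternalUrl)"; "$($_.ExternalUrl)" }
$certNames = 'mail.example.com', 'autodiscover.example.com'
$urls = 'https://exch01.example.local/EWS/Exchange.asmx',
        'https://mail.example.com/EWS/Exchange.asmx',
        'https://mail.example.com/OAB'

Test-ExchangeUrlName -CertNames $certNames -Urls $urls -ServerIp '192.0.2.10' |
    Format-Table -AutoSize
```

A row with OnCertificate False marks a URL that clients are directed to but whose host name the certificate does not cover; a row with ResolvesToServer False marks a name that still needs a record in the internal zone.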
Does anyone know how to remove a service from a certificate
Hi noblec,
For 3rd party certificates, it's not possible to disable the Services.
Maybe you need to contact Equifax to renew the certificate.
Frank Wang
October 13th, 2010 10:27pm