I have an Exchange 2007 setup on Windows server 2003 servers. two Windows NLB Client Access Servers that listen on load balanced address mail.company.com. I used to have two Windows NLB Exchange 2003 Front End Servers that listened on load balanced address oldmail.company.com Activesync and web services are working properly, but test-ActivesyncConnectivity and test-webservicesConnectivity fail with the error: [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according to the validation procedure. I am certain the SSL certificate is correct, because, as I said, my users are able to use these services, (except for the occasional Windows Mobile Activesync user will not be able to connect, getting an invalid certificate warning on the device). troubleshooting further, If I run "Test-ActivesyncConnectivity -URL https://mail.company.com/Microsoft-Server-ActiveSync" all tests succeed If I run "Test-ActiveSyncConnectivity -UseAutodiscoverForClientAccessServer" I get the following output (I left out a few columns so it would fit here) CAS SERVER Error ------------- --------- Autodiscover [System.Net.WebException ]: The remote name could not be resolved: 'autodiscover.oldmail.company.com' Autodiscover [System.Net.WebException]: The remote server returned an error: (401) Unauthorized oldmail [System.Net.WebException]: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. Inner error [System.Security.Authentication.AuthenticationException]: The remote certificate is invalid according tothe validation procedure. I get the same result for test-webservicesConnectivity. Here's the issue I see right away. oldmail.company.com no longer points to any front end servers. it was decommissioned when we decommissioned the old front end servers. Also, Nowhere is this output do I see an entry for mail.company.com, which is the correct address. I'm wondering if the autodiscover service has some bad information somewhere and needs to be changed or updated. if so, how do I go about doing that? Any thoughts or advice? Thanks Christiaan Christiaan Zaluzec

Autodiscover uses Service Connection Points to find the servers to use. Open up ADSIEdit and go to the following location: Configuration\CN=SErvices\CN=your ORG name\CN=Microsoft Exchange\CN=Exchange Administrative Group\CN=Server Name\CN=Protocols\CN=Autodiscover\CN=Server Name look for the ObjectCategory value, it should look something like: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=company,DC=comTBrennan

I did as you instructed, and I found the Service Connection Point object in ADSIEDIT, but nowhere in that object do I see any attributes that reference mail.company.com, oldmail.company.com, or anything related to autodiscover. Is there an attribute I should be looking for?Christiaan Zaluzec

Hello, Firstly, the ability to use the Autodiscover service depends on the mobile phone operating system that you're using. Not all mobile phone operating systems that support synchronization with Exchange support Autodiscover. Regarding the issue you report, it seems there are issues with the activesnc Autodiscover. Generally, Mobiles will use the suffix of the user’s address to resolve the autodiscover service. For example, if you have user with email address user@contoso.com, it will resolve the autodiscover with “autodiscover.contoso.com”. This feature is hard coded. If you do not have a DNS record for “autodiscover.contoso.com”, then it cannot be resolved. Furthermore, you need to add the domain name “autodiscover.contoso.com” to the certificate because the autodiscover requires SSL. However, please be assured that the autodiscover is an advanced feature for activesync. We can manually confugre the profiles for the mobiles without autodiscover service and the autodiscover issue will not affect the email syncing between the mobile and Exchange. If you have further questions, please let us know Thanks, Simon

The servicebindinginformation attribute should have the URL for the autodiscovery service: ie https://servername.company.com/Autodiscover/Autodiscover.xml. The serviceclassname should be ms-Exchange-AutoDiscover-Service.TBrennan