I received several certificate errors when attempting to connect Outlook to Exchange 2007. This is because Outlook 2007 and Exchange 2007 encrypt all communications between themselves. The solution was to create a new certificate (using Exchange PowerShell) for the intranet. The relevant Microsoft article can be found here:
http://technet.microsoft.com/en-us/library/aa995942.aspx
This article says to use the same certificate for IIS; however, if you are using a third-party certificate (e.g. from Thawte), don't include IIS when assigning the certificate to services. If you do (as I originally did), use the following command:
Get-ExchangeCertificate -DomainName "<Exchange-Server-Name>"
to get the thumbprint of the third party certificate and then use the command:
Enable-ExchangeCertificate -Thumbprint <certificate-thumbprint> -Services "IIS,SMTP"
to assign it to IIS and SMTP (see below).
I was then noticing some issues with Outlook Anywhere and found the following in the event log:
Product: Exchange
ID: 12014
Source: MSExchangeTransport
Version: 8.0
Symbolic Name: CannotLoadSTARTTLSCertificateFromStore
Message:
Microsoft Exchange couldn’t find a certificate that contains the domain name %1 in the personal store on the local computer. Therefore, it is unable support the STARTTLS SMTP verb for the connector %2 with a FQDN parameter of %1 (if connector’s FQDN is not specified, the machine’s FQDN is used). Verify that connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that connector FQDN. If this certificate exists, run Enable-ExchangeCertificate –services SMTP to ensure transport service has access to its key.
Explanation
This Warning event indicates that there is a problem loading a certificate to be used for STARTTLS purposes. Generally, this problem occurs if one or both of the following conditions is true:
- The fully qualified domain name (FQDN) that is specified in the Warning event has been defined on a Receive connector or Send connector on a Microsoft Exchange Server 2007 transport server, and no certificate is installed on the same computer that contains the FQDN in the Subject or Subject Alternative Name fields.
- A third-party or custom certificate has been installed on the server and it contains a matching FQDN. However, the certificate is not enabled for the SMTP service.
To fix this, I simply ran the command referenced above (Enable-ExchangeCertificate…) to assign the Thawte cert to the SMTP service.
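As an added example (not part of the original post or of Microsoft's article), the following Exchange Management Shell script checks for the two conditions behind event 12014 before they surface in the event log: for every FQDN a local connector will present, it looks for an installed certificate whose Subject or SAN covers that name and reports whether it is enabled for SMTP. It assumes the Exchange 2007 cmdlets Get-ReceiveConnector, Get-SendConnector and Get-ExchangeCertificate (with its CertificateDomains and Services properties) are available, and it only reports; it does not change anything.

```powershell
# Added example: report connector FQDNs that lack an SMTP-enabled certificate.
# Run in the Exchange Management Shell on the Exchange 2007 transport server.

# Transport falls back to the machine FQDN when a connector has no Fqdn set.
$machineFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Collect the FQDN each connector advertises (Send connectors are org-wide, so
# this lists every Send connector, not just those sourced on this server).
$connectorFqdns = @()
foreach ($conn in @(Get-ReceiveConnector -Server $env:COMPUTERNAME) + @(Get-SendConnector)) {
    if ($conn.Fqdn) { $connectorFqdns += [string]$conn.Fqdn }
    else            { $connectorFqdns += $machineFqdn }
}

$certs = @(Get-ExchangeCertificate)

foreach ($fqdn in ($connectorFqdns | Sort-Object -Unique)) {
    # A certificate covers the FQDN if any of its domains (Subject or SAN) matches;
    # -like also honours wildcard entries such as *.example.com.
    $matching = @($certs | Where-Object {
        $c = $_
        @($c.CertificateDomains | Where-Object { $fqdn -like [string]$_ }).Count -gt 0
    })
    # Services prints as e.g. "IIS, SMTP"; require SMTP to be among them.
    $smtpEnabled = @($matching | Where-Object { ([string]$_.Services) -match '\bSMTP\b' })

    if ($smtpEnabled.Count -gt 0) {
        "OK      $fqdn -> thumbprint $($smtpEnabled[0].Thumbprint)"
    } elseif ($matching.Count -gt 0) {
        # Second condition from the event explanation: installed, but not enabled for SMTP.
        "FIX     $fqdn -> Enable-ExchangeCertificate -Thumbprint $($matching[0].Thumbprint) -Services SMTP"
    } else {
        # First condition: no installed certificate contains this FQDN at all.
        "MISSING $fqdn -> no certificate contains this name; request or import one first"
    }
}
```

A FIX line gives the exact Enable-ExchangeCertificate command to run for that connector; a MISSING line means a new or reissued certificate is needed, not just a service assignment.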