Exchange 2010: password prompt and/or certificate prompt

Since this is one of the most common complaints I see, I thought I would take some time to explain how I troubleshoot it. I will attempt to explain the troubleshooting methodology that I use and why it is effective as well.

First, in order to troubleshoot, we must understand where and when these errors or prompts can occur. This is not as complex as one might think, but there are many variables that can come into play. Let's begin by explaining where certificates are used within Exchange 2010.

We will start by discussing certificate errors.

If you pay attention when you assign certificates to Exchange 2010 CAS servers, you will find there are only a couple of places where they are involved:

  • IIS
  • SMTP
  • POP3
  • IMAP
  • Unified Messaging services

One thing to note: certificates do not play a role in RPC encryption, which means the CAS Array name is not required on the certificate. RPC uses its own encryption methodology. Now, there is an RPC directory in IIS, but that is for Outlook Anywhere (RPC over HTTPS). Once you know the above, it is easy to start a process of elimination. First of all, SMTP, POP3, UM and IMAP will not give you a certificate pop-up on the screen; they will simply fail and an error will be indicated. So we can eliminate these as the culprit rather quickly. That really leaves IIS as the culprit for certificate pop-ups. So then you might ask which services would cause this. I will list them in the order in which they are actually queried. Note that not all of them will be queried on startup of the client.

NOTE: this applies to both Outlook 2007 and Outlook 2010. The Autodiscover query will happen even if the mailbox is on Exchange 2003, so the minute you put a 2007 or 2010 CAS in your environment, the clients will start this process (actually they do it even without the CAS server in place; they just never receive an answer and go back to the configuration you have defined). All other queries may happen at different times.

  1. Autodiscover (queried on startup and every 4 hours)
    1. Starts by trying to find a Service Connection Point (SCP) in Active Directory
    2. then tries https://domain.com/autodiscover/autodiscover.xml
    3. then tries https://autodiscover.domain.com/autodiscover/autodiscover.xml
  2. Exchange Web Services, sometimes referred to as the WebServicesVirtualDirectory
    1. OAB directory
    2. Out of Office (OOF)
    3. Availability service

Those are the directories that can, and most often do, cause the certificate pop-up. Most often this is caused by the certificate not matching the name that is being queried. What I see happen the most is that people simply add the name to the certificate so the problem is fixed; however, this is really not the best idea. It can mean more expense, and it can also make managing certificates and troubleshooting much harder.
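A way to run that process of elimination from the Exchange Management Shell, added here as an example and not code from the original post: it collects every HTTPS host name the client may query for the directories listed above and compares each against the names on the certificates assigned to the IIS service. The result object layout and the helper function name are my own assumptions.

```powershell
# Added example (not the original post's code). Run in the Exchange 2010 Management
# Shell: it lists the HTTPS host names Outlook may query (Autodiscover SCP, the two
# DNS-based Autodiscover names per accepted domain, EWS and OAB URLs) and reports
# whether each is covered by a certificate assigned to IIS. Output shape is my own.

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one label: *.domain.com matches
        # mail.domain.com but not domain.com or a.b.domain.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $head = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if (-not $head.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# 1. Names the clients will query, in the order the post describes.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -notmatch '\*' } | ForEach-Object {
    "https://$($_.DomainName)/autodiscover/autodiscover.xml"
    "https://autodiscover.$($_.DomainName)/autodiscover/autodiscover.xml"
}
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OABVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$hostNames = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host } | Sort-Object -Unique

# 2. Names on the certificates bound to the IIS service on each CAS.
$certNames = @()
foreach ($cas in Get-ClientAccessServer) {
    $certNames += Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" }
}

# 3. A host name reported with OnIISCertificate = False is a candidate for the
#    certificate prompt; fix the URL (or SCP) rather than adding the name to the cert.
foreach ($h in $hostNames) {
    New-Object PSObject -Property @{
        HostName         = $h
        OnIISCertificate = (Test-CertNameMatch -HostName $h -CertNames $certNames)
    }
}
```

Any host name that comes back with OnIISCertificate set to False is one the client will query and get a name mismatch on, which is exactly the pop-up this post is about.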


About Mitch Roberson

Having worked as a consultant at multiple VARs as well as Microsoft, Mitch has had the experience of seeing a multitude of environments and of working with Network, Systems and Security teams alike. This has allowed him to broaden his knowledge in many areas of IT. This broad experience has driven him to an almost fanatical desire for visibility in his environments, so he can understand what is happening within an environment. He is still responsible for day-to-day operations of Active Directory, Exchange, and much more, but his passion is to learn how applications communicate so he can decrease mean time to resolution.