
Fixing Internal Vs. External Hostname Certificate Errors in Outlook for Exchange 2010

You’ve deployed Exchange 2010 and installed a CA-signed certificate so that your ActiveSync users won’t get errors when they connect.  That got fixed but now your internal Outlook users are getting certificate errors! Thankfully, it’s pretty easy to fix.

Let’s assume your Exchange server is known as “exch-1.domain.local” internally but as “mail.domain.com” externally.


  1. If you haven’t already, you need to add your public zone (“domain.com” in this example) to your internal DNS and set up a record to point “mail.domain.com” to the same IP as “exch-1.domain.local”. I like using CNAMEs for this so you don’t have to update 2 records should it ever become necessary.
  2. Like a lot of Exchange 2010 howtos, this one uses the Exchange Management Shell on your Exchange 2010 server.
  3. I’m a big fan of backing up settings before changing them so run a few “get” commands first:
    > Get-WebServicesVirtualDirectory | Select InternalUrl,BasicAuthentication,ExternalUrl,Identity | Format-List
    InternalUrl                     : https://exch-1.domain.local/EWS/Exchange.asmx
    BasicAuthentication             : False
    ExternalUrl                     : https://mail.domain.com/ews/exchange.asmx
    Identity                        : EXCH-1\EWS (Default Web Site)
    > Get-OabVirtualDirectory | Select InternalURL,ExternalURL,Identity | FL
    InternalUrl                     : http://exch-1.domain.local/OAB
    ExternalUrl                     : https://mail.domain.com/OAB
    Identity                        : EXCH-1\OAB (Default Web Site)
    > Get-ActiveSyncVirtualDirectory | Select InternalUrl,ExternalUrl,Identity | fl
    InternalUrl                                : https://exch-1.domain.local/Microsoft-Server-ActiveSync
    ExternalUrl                                : https://mail.domain.com/Microsoft-Server-ActiveSync
    Identity                                   : EXCH-1\Microsoft-Server-ActiveSync (Default Web Site)
  4. Once you have all that info backed up somewhere safe (just copy it to Notepad and save the file), you can start fixing things:
    > Set-WebServicesVirtualDirectory -Identity "EXCH-1\EWS (Default Web Site)" -InternalUrl https://mail.domain.com/EWS/Exchange.asmx -BasicAuthentication:$true
    > Set-OabVirtualDirectory -Identity "EXCH-1\OAB (Default Web Site)" -InternalUrl https://mail.domain.com/OAB
    > Set-ActiveSyncVirtualDirectory -Identity "EXCH-1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

    The main thing to notice here is that you’re setting the internal URLs to be the same as the external URLs, so internal clients connect using a hostname that appears on the CA-signed certificate.

  5. You’ll also want to make sure that Outlook Anywhere is configured correctly:
    > Enable-OutlookAnywhere -Server EXCH-1 -ExternalHostname mail.domain.com -ClientAuthenticationMethod Basic -SSLOffloading:$false
    WARNING: Outlook Anywhere will be enabled on your Client Access server after a configuration period of approximately fifteen minutes. To verify that Outlook Anywhere has been enabled, check the application event log on server EXCH-1.
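
To confirm the change took effect, the following check (an added example, not part of the original post) lists the internal and external URLs of the three virtual directories above and flags any whose hostname is not on a certificate enabled for IIS. `Test-NameOnCert` is a helper defined here, and the script assumes `Get-ExchangeCertificate` reports its domains as plain names or `*.` wildcards.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.

# Helper defined for this example: true when $hostName equals a certificate
# name or matches a single-label wildcard such as *.domain.com.
function Test-NameOnCert([string]$hostName, [string[]]$names) {
    $hostName = $hostName.ToLower()
    foreach ($n in $names) {
        if (-not $n) { continue }
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.')) {
            # "*.domain.com" covers "mail.domain.com" but not "a.b.domain.com"
            $pattern = '^[^.]+' + [regex]::Escape($n.Substring(1)) + '$'
            if ($hostName -match $pattern) { return $true }
        }
    }
    return $false
}

# Every name on the certificate(s) currently enabled for IIS
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# The three virtual directories changed in step 4
$vdirs = @()
$vdirs += Get-WebServicesVirtualDirectory
$vdirs += Get-OabVirtualDirectory
$vdirs += Get-ActiveSyncVirtualDirectory

$vdirs | ForEach-Object {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        $url = "$($_.$prop)"
        if ($url) {                      # skip URLs that are not set
            $u = [uri]$url
            New-Object PSObject -Property @{
                Identity   = "$($_.Identity)"
                Setting    = $prop
                Url        = $url
                Https      = ($u.Scheme -eq 'https')
                NameOnCert = (Test-NameOnCert $u.Host $certNames)
            }
        }
    }
} | Sort-Object NameOnCert |
    Format-Table Identity, Setting, Url, Https, NameOnCert -AutoSize
```

Rows with `NameOnCert` set to False are the URLs that will still produce a certificate warning; rows with `Https` set to False are not served over TLS at all.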

Thanks to Jonathan at BinaryRoyale for the info: Certificate Errors when opening Outlook 2010 – Exchange 2010
