

Remove Assigned to Service from Exchange Certificate (WMSVC-SHA2)

Question

Tuesday, September 3, 2019 2:37 AM

Hi All,

Appreciate some help on the following.

1) How to remove the 'IIS' service from my Exchange 2016 CU13 certificate 'WMSVC-SHA2'? I have just done a fresh installation of Exchange 2016 CU13. From my understanding, this certificate should not be assigned to any services. I am unable to uncheck 'IIS' when attempting to do so via EAC -> Server -> Certificate -> [Edit] WMSVC-SHA2.

2) I am not sure whether this is related to the above. When I launch my Outlook client, the Exchange certificate prompt appears, asking whether to proceed. When I click on 'View Certificate', instead of the Exchange Server personal self-signed cert showing, it shows the WMSVC-SHA2-Myserver1 certificate.

Thanks in advance if anyone is able to shed some light on my issues above.

All replies (10)

Tuesday, September 3, 2019 10:18 AM

Hello,

Assuming that your other Exchange servers in production were installed with the third-party SAN certificate.

If the newly installed box is your production Exchange server, then I would recommend you install the third-party SAN certificate for your Exchange services.

You can export the third-party SAN certificate from one of your working Exchange servers and then import the certificate to this newly installed Exchange server. Finally, you can assign the third-party SAN certificate to the Exchange services as you wish.

Thanks & Regards S.Nithyanandham


Tuesday, September 3, 2019 11:18 AM

Hi, I appreciate your kind reply. This is a newly set up testing environment. May I know if there is any other way to remove the service?


Tuesday, September 3, 2019 11:30 AM

Hello,

You have to overwrite the existing certificate by using the thumbprint of the other certificate that you would like to assign for your IIS services in Exchange.

Use the below-mentioned command.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services IIS

Note: If it is a testing environment, rather than using the default self-signed certificates, you can install an internal CA to generate and create the certificate for your Exchange services.

Thanks & Regards S.Nithyanandham


Wednesday, September 4, 2019 1:34 AM

Hi,

I tried to assign a self-signed certificate and checked 'IIS', but no luck. It still shows as 'WMSVC-SHA2-Myserver1 certificate' when I launch my Outlook.


Wednesday, September 4, 2019 6:46 AM

Hi,

We cannot remove services from the old certificate; we should use a new certificate to replace it.

I would suggest you use the command below to double-check it from EMS:

Get-ExchangeCertificate | fl CertificateDomains,Subject,Services

As for the real certificate that is used for "IIS", we can check/rebind it from IIS directly:

After changing the certificate for IIS, remember to run the "IISReset" command in CMD with administrator privileges.

Regards,

Kyle Xu

Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, September 4, 2019 7:00 AM

Hi,

Yes, these are the steps I have performed, but still in vain.  =(

1) Go to EAC -> Server -> Certificate -> Add a new self-signed certificate.  Set Services 'IMAP, POP, IIS, SMTP'.

Result shown when I executed the command Get-Exchangecertificate -Server MyServer1 | fl CertificateDomains, Subject, Services:

CertificateDomains: {Myserver1, Mserver1.test.com}
Subject: CN=Myserver1.test.com
Services: IMAP, POP. IIS, SMTP

CertificateDomains: {WMSVC-SHA2-Myserver1}
Subject: CN=WMSVC-SHA2-Myserver1
Services: IIS

2) I have ensured IIS (https) is using the Myserver1 cert.  I rebooted the server (not just IIS), but whenever I launch Outlook, the certificate within the certificate prompt displays the "WMSVC-SHA2-Myserver1" cert.


Monday, September 9, 2019 8:56 AM

Hi,

Based on my testing, if you assigned the IIS service to WMSVC before, then although you assign it back to another certificate, it will show on both this certificate and WMSVC:

The real one which takes effect is the certificate that you bind in IIS.

Did you check both "Default Web Site" and "Exchange Back End"?

Did you check it on all your Exchange servers?

Try to run "IISreset" in cmd; it is different from restarting the computer.

Regards,

Kyle Xu
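
One way to carry out the check described in the reply above, as an added example that is not part of the original thread: it lists the certificate bound to every HTTPS binding of every IIS site (which covers "Default Web Site" and "Exchange Back End") next to the Services value Exchange reports for the same thumbprint. The report column names are assumptions chosen for this example; it assumes an elevated Exchange Management Shell on the Exchange server.

```powershell
# Added example (not from the thread): compare Exchange's "Services" view
# with the certificates actually bound to the IIS sites.
Import-Module WebAdministration

# Certificates Exchange knows about, indexed by thumbprint.
$exCerts = @{}
Get-ExchangeCertificate | ForEach-Object { $exCerts[$_.Thumbprint] = $_ }

# One row per HTTPS binding on every IIS site.
$report = foreach ($site in Get-Website) {
    foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
        $thumb = $b.certificateHash
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = $null
        $exSvc = $null
        if ($thumb) {
            # Resolve the bound thumbprint to the certificate in the machine store.
            $cert  = Get-Item "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
            $exSvc = $exCerts[$thumb].Services
        }
        [pscustomobject]@{
            Site             = $site.Name
            Binding          = $b.bindingInformation   # ip:port:hostheader
            Thumbprint       = $thumb
            Subject          = $cert.Subject
            NotAfter         = $cert.NotAfter
            ExchangeServices = $exSvc                   # empty if Exchange does not list this cert
        }
    }
}
$report | Format-Table -AutoSize

# Call out any site binding that still presents the WMSVC certificate.
$wmsvc = $report | Where-Object { $_.Subject -like 'CN=WMSVC*' }
if ($wmsvc) {
    Write-Warning "WMSVC certificate is bound on: $(($wmsvc | ForEach-Object { "$($_.Site) [$($_.Binding)]" }) -join '; ')"
}

# HTTP.SYS view of every ip:port certificate binding, including ones
# that do not belong to an IIS site.
netsh http show sslcert
```

A row whose Subject starts with CN=WMSVC is a binding where clients will be shown that certificate regardless of what the Services column in Get-ExchangeCertificate says.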



Thursday, September 12, 2019 7:55 AM

Hi,

I am writing here to confirm with you how things are going now.

If the above suggestion helps, please feel free to mark it as an answer to help more people.

Regards,

Kyle Xu



Friday, September 13, 2019 1:07 AM

Hi Kyle,

I am still not able to resolve my issue with the solution you have provided.  Thanks.  


Monday, September 16, 2019 1:24 AM

Hi Kyle,

I am still not able to resolve my issue with the solution you have provided.  Thanks.  

How many Exchange servers are in your organization?

Is there any intermediate device between your Exchange server and clients?

Regards,

Kyle Xu
