none
Personal certificate error using Outlook 2010 and Microsoft Exchange

    Question

  • Up until recently I had all my company email accounts synced to my Windows Phone 8.1 device and PC's. We are using Outlook 2010 and Microsoft Exchange. A few days ago (last Monday to be exact) when I tried to sync my accounts I got the error message attached (error message is the same on both PC and phone).

    Does anyone know what it means? Is it something our IT team has to look at? is there a problem with the SSL certificate file being used on Exchange? I tried adding and removing the accounts and it still gives the same error and I spoke to an IT staff member but they didn't know how to solve it.

    I also tried manually adding the certificate file to my Windows Phone 8.1 device as .der, .crt and .p7c but each time my phone says this file cannot be opened.  I have not tried fixing it on my PC's.

    My work PC, which connects directly to the same Exchange server via Outlook 2013, works fine.

    How can I solve this?  Is it a certificate issue?  Is it a network issue (trying to access the Exchange server from outside the office)?. 

    The OWA site works fine from the same PC's and phone with this error, except for displaying a message saying the certificate is not trusted, but I just bypass it and get to the login screen.

    Many thanks.

    Monday, September 14, 2015 7:52 AM

Answers

  • I'm assuming when you enter the ActiveSync information you're in the "advanced" settings?  Can you access the OWA website from your phone's web browser and successfully logon? You can also go to this MS site: https://testconnectivity.microsoft.com/  Once the page loads, it should automatically default to "Exchange ActiveSync".  From that page click "next".  On the next page, choose "Manually specify server settings" and enter the web URL to your exchange server (ex. mail.xyz.com).  Enter your domain\username or UPN and your password (twice). The next two options are up to you, but you have to select the "I understand...." checkbox.  fill in the verification characters and click on "Verify".  The test will run and then show you the output of the test results.  You will see successes and possibly failures.  If you see failures, post them back to this thread so we can further assist you.

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.

    • Marked as answer by ianwuk Saturday, September 19, 2015 2:05 PM
    Friday, September 18, 2015 7:09 PM
  • Hello.

    Thanks so much for replying.

    The issue has now been solved.  Basically, due to changes in Outlook or the Exchange server configuration, it meant that the server URL had changed.  Instead of typing https://EXHANGESERVERURL.com when setting up the account we had to type EXHANGESERVERURL.com instead and it worked fine.

    Thank you so much for replying and for all your help.

    Regards.

    Ian

    Saturday, September 19, 2015 2:07 PM

All replies

  • Hi Ianwuk,

    If the certificate is not trusted then you would see issues as this. As your IT to update the Exchange server with a valid trusted SSL certificate.

    Otherwise you can import that certificate to your Trusted Store on the device to avoid such errors.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Monday, September 14, 2015 10:44 AM
  • Hi Ianwuk,

    If the certificate is not trusted then you would see issues as this. As your IT to update the Exchange server with a valid trusted SSL certificate.

    Otherwise you can import that certificate to your Trusted Store on the device to avoid such errors.


    Regards,

    Satyajit

    Please“Vote As Helpful” if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thanks very much for replying Satyajit.

    How would I import the certificate from the Trusted Store onto my device as you mentioned? I would like to try that first.

    Many thanks.

    Ian

    Monday, September 14, 2015 2:26 PM
  • I'm not so sure you're issue is related to IIS and SSL certs for ActiveSync.  The error clearly states "You'll need a personal certificate to connect to".  Has your IT department made changes recently to authenticating into the domain?  If your company has it's own internal CA server, you may need to request a personal certificate for the phone and import that. 

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.

    Monday, September 14, 2015 2:51 PM
  • Thanks for replying.

    My company did make some changes (or rather they said that updates were applied) but I don't know what they were.

    What is the easiest way to solve this and get my emails back on to my phone?

    Many thanks.

    Ian

    Tuesday, September 15, 2015 4:22 AM
  • Hi lan,

    For your question, we need confirm some points:
    1. How about Outlook client works from internal and external?
    2. How about OWA works from internal and external?

    For client side, please ensure you have update the latest certificate from your CA. You can try below steps for check:
    1. Run "MMC" to open Console Root.
    2. Click "File" to "Add/Remove Snap-in...", then add Certificates.
    3. Switch to "Console Root\Certificates\Trusted Root Certification Authorities\Certificates", then check the certificate which is assigned by your CA.
    Note: we can export root certificate to phone client, then install it to troubleshoot your issue.

    If not, you can ask your IT administrator to update this certificate or login domain to achieve.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, September 15, 2015 6:45 AM
    Moderator
  • Hello Allen.

    Outlook client:

    Works fine internally (office)

    Doesn't work externally (home).

    OWA:
    Works fine internally (office)

    Works externally but with certificate error you can ignore (home)

    Inside that location ("Console Root\Certificates\Trusted Root Certification Authorities\Certificates") I have tons of certificates. The only ones though that may be related to my company are missing a friendly name and some are classed as root certificates and some don't say anything at all.

    See the image below (mail server name crossed out).

    What can I do now?

    Many thanks.



    • Edited by ianwuk Tuesday, September 15, 2015 7:07 AM
    Tuesday, September 15, 2015 7:06 AM
  • Hi,

    Thank you for your cooperation, it seems that something wrong with your public certificate for Exchange server. I recommend contact Exchange administrator to check the health of public certificate.

    For client side, we can export internal root certificate from PC which has add to domain, then copy it to your home pc or phone, and import it for testing.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, September 15, 2015 7:47 AM
    Moderator
  • Hello Allen.

    Which certificate(s) are at fault in the picture and what should they look like to mean that they are correct?  I just want to know what to tell the IT administrator.

    The PC I am using to type this reply right has been added to our work domain and Outlook runs the Exchange account without any problems.  How can I export the internal root certificate from this?

    When I open MMC and add the Certificates snap-in do I chose 'My user account', 'Service Account' or 'Computer Account'.  For the screenshot I provided in my last reply (from the same PC) I chose 'My user account'.

    Many thanks.

    Ian

    Tuesday, September 15, 2015 7:56 AM
  • Hi,

    First question, please refer to below link to get more details about Public certificate:
    https://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx#WhenCAWhenSelf

    Second question, Yes, you can export root certificate from PC which has been add to domain.

    Third question, select Computer Account when add certificates to MMC.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Tuesday, September 15, 2015 8:24 AM
    Moderator
  • Hello.

    Choosing 'Computer Account' the trusted certificates look like this.  Again, mail server name blacked out.  Which one, if any do I export (and which format should it be?) to import to my phone or PC's at home to see if it solves the issue?

    Thanks once again.

    Tuesday, September 15, 2015 8:45 AM
  • Does anyone know the next step?  How can I proceed with exporting the correct certificate to try on my phone and computers outside of the office?

    Thanks.

    Ian

    Thursday, September 17, 2015 1:44 PM
  • You can use this to export the certificate out: http://social.technet.microsoft.com/wiki/contents/articles/2167.how-to-use-the-certificates-console.aspx

    And then this one to import the cert onto the phone: http://download.microsoft.com/download/D/B/2/DB2D539D-7F4D-46BC-944B-A69EDA43D975/Windows%20Phone%208%20Certificates.pdf

    According to the PDF for mobile 8.1, it states the following - "

    The certificate installer supports .cer, .p7b, .pem, and .pfx files."  So when you export the certificate from the cert store, choose any of those cert types and you should be ok.


    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.

    Thursday, September 17, 2015 2:43 PM
  • Forgot to mention, if you're not sure what certificate to export, open OWA and left click on the lock in the address bar.  A window will open, click on "View Certificates".  When the cert window opens, look at the "Issue to:" field; that's the cert you want to export and then import into your phone.

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.

    Thursday, September 17, 2015 2:51 PM
  • Hello.

    I followed all the steps, downloaded the certificate from OWA, installed it onto my phone and then re-added my Exchange account but I get the same issue. 

    If it helps, when I add my Exchange account details to my phone and click Sync for the first time I get a message saying that the certificate is untrusted.  I can choose to ignore it and continue.  When I tap Sync again I get the same Personal Certificate error.

    What can it mean?

    Thanks so much for replying.

    Ian

    Friday, September 18, 2015 1:42 AM
  • I'm assuming when you enter the ActiveSync information you're in the "advanced" settings?  Can you access the OWA website from your phone's web browser and successfully logon? You can also go to this MS site: https://testconnectivity.microsoft.com/  Once the page loads, it should automatically default to "Exchange ActiveSync".  From that page click "next".  On the next page, choose "Manually specify server settings" and enter the web URL to your exchange server (ex. mail.xyz.com).  Enter your domain\username or UPN and your password (twice). The next two options are up to you, but you have to select the "I understand...." checkbox.  fill in the verification characters and click on "Verify".  The test will run and then show you the output of the test results.  You will see successes and possibly failures.  If you see failures, post them back to this thread so we can further assist you.

    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.

    • Marked as answer by ianwuk Saturday, September 19, 2015 2:05 PM
    Friday, September 18, 2015 7:09 PM
  • Hello.

    Thanks so much for replying.

    The issue has now been solved.  Basically, due to changes in Outlook or the Exchange server configuration, it meant that the server URL had changed.  Instead of typing https://EXHANGESERVERURL.com when setting up the account we had to type EXHANGESERVERURL.com instead and it worked fine.

    Thank you so much for replying and for all your help.

    Regards.

    Ian

    Saturday, September 19, 2015 2:07 PM