Configuring certificates and trust in SharePoint 2010 for accessing Exchange Web Services

Wed, Nov 9, 2011

Exchange is built on web services and, as I posted a while back, accessing EWS from SharePoint can be pretty neat. There is a managed API to make your life even easier. However, one issue you may come across is actually getting SharePoint and Exchange to talk nicely to each other over HTTPS: SharePoint validates the certificate the Exchange server presents, and if that certificate is not trusted the calls fail. This will walk you through the steps required to get things going.

Typically, an Exchange infrastructure will be using self-signed certificates (or certificates from an internal CA that your other servers know nothing about) to secure its HTTPS traffic. If this is the case, when you log in to Outlook Web Access you might see a certificate error:

You can usually click through it and log in OK, but the browser will keep showing the certificate error on every visit. That works for a person sitting at a browser; a server-side client such as SharePoint has no "continue anyway" button and has to fail closed.

So if the Exchange server's certificate is untrusted, when you use Exchange Web Services from within SharePoint you will likely see the following error in your event logs:


An operation failed because the following certificate has validation errors:
Subject Name: CN=…
The root of the certificate chain is not a trusted root authority.

This gets annoying, but it is SharePoint's certificate validation doing its job: the chain presented by the EWS endpoint does not end in a root authority that the farm trusts. The fix is not to suppress the message but to add that root to the farm's own trust store, which is separate from the Windows certificate store on each server. In other words, you need to set up a trust relationship between your SharePoint farm and your Exchange server.

To do this, navigate to your Exchange Web Services endpoint. This is the file called Exchange.asmx. In my case it was:

http://server.domain.com/EWS/Exchange.asmx. The certificate is only presented over HTTPS, so browse to the https:// form of that address; you should see the certificate error. Click Certificate Error, view the certificate, and then Install Certificate, using the default options. Before you install it, compare its thumbprint with the certificate on the Exchange server itself (Get-ExchangeCertificate in the Exchange Management Shell lists it): this click is the moment you decide what your farm will trust, so make sure it is the real Exchange certificate and not something sitting on the path in between.

Once you've done this, you need to get a copy of the certificate as a file. At a Run prompt, type mmc. In the Management Console, go to File > Add/Remove Snap-in. In the list of available snap-ins, select Certificates and choose "My user account". Expand Certificates - Current User, then expand Intermediate Certification Authorities > Certificates. You should see the certificate for your server listed.

Right-click the certificate > All Tasks > Export… Use the default options (a DER-encoded .cer file; you only installed the public certificate, so there is no private key to export) and save the file somewhere, e.g. the Desktop.

Now to create the trust relationship. Log in to Central Administration and choose Security > Manage Trust. You will likely see an entry for "local", which is the farm's own certificate.

Click New, give it a name, and then browse to the certificate file you just exported as the Root Authority Certificate. Save the item. If your Exchange certificates are issued by an internal CA rather than self-signed, add that CA's root certificate here instead of the server's own certificate; a renewed or replaced Exchange certificate will then still be trusted without repeating these steps.

Now restart your SharePoint services and perform an iisreset on each web front-end. With all being well, you'll no longer see the certificate error in your event logs. Issues? Leave a note in the comments.
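The same procedure, scripted. This is an added example and not code from the original post: it fetches the certificate the EWS endpoint actually presents, refuses to go any further unless the thumbprint matches one you have confirmed out of band on the Exchange server, writes a .cer copy equivalent to the MMC export, and registers the certificate with the farm using the New-SPTrustedRootAuthority cmdlet, which is what Manage Trust does under the covers. The host name, the expected thumbprint, the trust name and the export path are assumptions; replace them with your own values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# SharePoint 2010 server as a farm administrator. Values below are placeholders.

$EwsHost            = "server.domain.com"                          # assumption: the CAS / EWS host name
$ExpectedThumbprint = "0000000000000000000000000000000000000000"   # assumption: read from Get-ExchangeCertificate on the Exchange server
$TrustName          = "Exchange EWS"                               # assumption: name shown under Manage Trust
$ExportPath         = Join-Path $env:USERPROFILE "Desktop\ews.cer" # assumption: where to keep a copy of the .cer

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Open a TLS connection and take the leaf certificate the server presents.
    # The validation callback returns $true only so the handshake completes even
    # though the chain is untrusted; nothing is trusted by this step, we just look.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $leaf
    }
    finally {
        $client.Close()
    }
}

$cert = Get-RemoteCertificate -HostName $EwsHost
"Subject:    " + $cert.Subject
"Issuer:     " + $cert.Issuer
"Thumbprint: " + $cert.Thumbprint
"NotAfter:   " + $cert.NotAfter

# Does this machine already chain it to a trusted root? This checks the Windows
# store on this box, not the farm's trust store, so it can be $true while SharePoint
# still logs the validation error.
"Chains to a trusted root on this machine: " + $cert.Verify()

# The important check: only trust a certificate whose thumbprint you confirmed on the
# Exchange server itself, not whatever happened to answer on port 443.
$expected = ($ExpectedThumbprint -replace "\s", "").ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match expected $expected. Not trusting it."
}

# Keep a DER .cer copy: public certificate only, the same as the MMC export with default options.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $der)

# Register it with the farm. This is the scripted equivalent of Central Administration >
# Security > Manage Trust > New. If Exchange uses an internal CA, pass that CA's root
# certificate here instead of the server's leaf certificate.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$already = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $already) {
    New-SPTrustedRootAuthority -Name $TrustName -Certificate $cert | Out-Null
}
Get-SPTrustedRootAuthority | Select-Object Name, @{ n = "Thumbprint"; e = { $_.Certificate.Thumbprint } }

# Then run iisreset on each web front-end and watch the event log for the validation error.
```

Get-SPTrustedRootAuthority at the end lists the farm trust store, so you can confirm the new entry sits next to "local" before restarting anything; the thumbprint comparison is the step the click-through wizard silently skips.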