Exchange 2019 Question about certificate on mobile phones

Brass Contributor

Hello Everyone, 

I have a question that has plagued me for quite some time and I cannot figure out the answer.

I have my on-prem Exchange server working fine, but I've always had an issue where connecting the account to the phones doesn't work because in the Exchange server settings it always detects and not

I have a valid certificate; everything is working fine.

The only way I can make this work is if I cancel the connection and change the username to domain\username and then manually put in it works right away.


Normally I live with this, but I recently changed server and I rekeyed my certificate. Now all my phones are prompting for a password, and no matter what, the password is always incorrect.


I don't want to have to redo all the phones. Is there any way for this to work? Does anyone know?


My IIS bindings all have my certificate as the working certificate (front end and back end) 

Is there anything I need to do there?



5 Replies

I should also add that my public DNS both have A records pointing to the correct IPs

Just another quick note:
When I run the testconnectivity from Microsoft, everything completes successfully, but when it scans for it returns the address I have in my public DNS that is incorrect (it is returning the root public IP <--This is the original address the phone receives), but then it continues and searches for autodiscover and mail @ and it resolves to the correct IPs, but the phones never get the prefix; they only get the and not

A little more info (I should have mentioned this earlier):
I have 2 Exchange servers (was migrating an older 2013 to a new 2019).
The old Exchange server didn't / doesn't have any issues. In my firewall, if I point my mail to go to the old server, the phones work properly, the autodiscover populates and everything completes correctly. If I point my firewall to the new server (2019), the mail is still able to flow BUT it never populates the on the phones. Additionally, since this server has been in place, the local Outlook clients keep getting a popup when they open Outlook saying the certificate doesn't match the GoDaddy certificate because it is looking for

I am asking myself what the actual issue is. Why does the old server work correctly and when I point the mail to route to the new server I have all these certificate errors?

Both servers have the new re-keyed GoDaddy certificate in the IIS bindings in all the same places. The new server only has the new GoDaddy certificate in it but not the old certificate from the old server. The old server, however, still has the old certificate present under certificates, which still has SMTP / POP / IMAP as services installed but not IIS.


I also tried to export the Exchange certificate from the old server and import it to the new server with the same roles installed, and still no success.

best response confirmed by audi911 (Brass Contributor)

@audi911 Have you tried the ActiveSync default domain setting under IIS?

Compare this with the existing Ex2013 and check if that has it:

IIS - Default Site - Microsoft-Server-ActiveSync
Basic auth - Edit
Default domain

If these are blank, copy from Ex2013 and reset IIS.

You were right, this is what I had to do, although not configured in my old EX server, but I had to go to IIS and expand default website and then select Microsoft Exchange Active Sync and select Authentication.

Under Basic Authentication I had to select EDIT and then put a \ under default domain and mydomain.local under realm.

I've never seen this. I don't understand why it has done this. I have done so many migrations of Exchange to newer versions; this is the first time I've ever seen this.

If someone can chime in as to why, it would help me understand more.
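
The comparison and fix from the accepted answer, written as a script. This is an added example, not code posted by anyone in the thread. It assumes the stock site name `Default Web Site` and virtual directory `Microsoft-Server-ActiveSync`; `mydomain.local` is the placeholder from the post above, and `Get-BasicAuthSetting` and `Show-EasBasicAuth` are helper names made up for this example.

```powershell
# Added example; run in an elevated PowerShell session on each Exchange server.
Import-Module WebAdministration

# Assumed names: the stock IIS site and the ActiveSync virtual directory.
$Location = 'Default Web Site/Microsoft-Server-ActiveSync'
$Filter   = 'system.webServer/security/authentication/basicAuthentication'

function Get-BasicAuthSetting {
    param([string]$Name)
    $p = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter $Filter -Name $Name
    # The cmdlet returns either a raw value or a wrapper object with .Value.
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { $p.Value } else { $p }
}

function Show-EasBasicAuth {
    [pscustomobject]@{
        Server             = $env:COMPUTERNAME
        Enabled            = Get-BasicAuthSetting 'enabled'
        DefaultLogonDomain = Get-BasicAuthSetting 'defaultLogonDomain'
        Realm              = Get-BasicAuthSetting 'realm'
    }
}

# 1. Record the current state. Run this part on the 2013 and the 2019 server
#    and compare the output before changing anything.
Show-EasBasicAuth | Format-List

# 2. Write the values reported in the thread only when explicitly enabled.
$Apply         = $false            # set to $true to make the change
$DefaultDomain = '\'               # value the original poster entered
$Realm         = 'mydomain.local'  # placeholder; use your own AD domain

if ($Apply) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name defaultLogonDomain -Value $DefaultDomain
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter $Filter -Name realm -Value $Realm
    iisreset /noforce              # the "reset IIS" step from the answer
    Show-EasBasicAuth | Format-List
}
```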