Below is the error message while configuring the outlook POP for the Exchange 2013 user. Exchange 2013 with CAS and MBX installed separately.


  • POP services are enabled on the servers and for the user
  • Ran the below command to check the server component state and POP was Active

    Get-Servercomponentstate –server “servername”

  • Checked the Server health report for POP.protocol health set and the below probes were unhealthy



  • Ran the command,

    Invoke-MonitoringProbe POP.Protocol\PopSelfTestProbe -Server “Servername” | Format-List

  • Got the error “Unable to initialize TCP Network connection”
  • Enabled the protocol logging on the CAS server and got the below error in the protocol logs

22T07:30:46.994Z,0000000000000003,2,,,username,1196,78,97,login,username@DOMAIN.COM *****,”R=””z NO [Error=ProxyNotAuthenticated Proxy=EXCHANGESERVER.DOMAIN.COM:1995:SSL] LOGIN failed.””;Msg=Proxy:EXCHANGESERVER.DOMAIN.COM:1993:SSL;ErrMsg=ProxyNotAuthenticated

  • Checked the certificate on the “Exchange Backend website” on the Mailbox servers and the self-signed certificate was assigned properly


  • Found that X509CertificateName was set to the third party certificate pointing to on the mailbox servers as well

    Get-popsettings –server “mailboxservername” | fl

  • Changed it to the self-signed certificate of the mailbox server,

    Set-popsettings –server “mailboxservername” –X509CertificateName “mailboxservername”

  • Restarted the POP services on the CAS & mailbox servers
  • Get-service “*POP*” –computername “servername” | Restart-Service
  • Tried configuring the outlook POP profile and it was successful


In Exchange 2013, both the Mailbox and CAS roles come with a default SAN certificate configured during the install. The self-signed certificate on the CAS server should be replaced by a third party or an internal PKI certificate as part of the configuration. The default certificate on the mailbox role is used to encrypt the communication between the CAS and the Mailbox server. Since the certificate is created and signed by Exchange, all Exchange servers in your organization including the CAS will trust it automatically. This is the reason why clients won’t receive a pop up saying the certificate is not trusted, even though the mailbox role is responsible for everything to do with the user’s mailbox. Hence, you don’t need a third party or internal PKI certificate. You shouldn’t delete it, as it will break your secure client communication through the CAS. No additional configuration is required on this certificate either.


Happy learning!! 🙂

By Ashok M

Microsoft Certified Professional, Blogger, Author at, Real world technical contribution via Microsoft Communities (Social Technet/QnA). Extensive knowledge and experience in Messaging (Microsoft Exchange 2003 - 2019) and services including Infrastructure (Windows Server, Active Directory, ADFS, ADCS, File Servers, SCCM), Cloud (Microsoft Azure, Microsoft 365, EMS), Unified Communication (Skype for Business, Video conferencing room systems, Surface Hub), Virtualization (Hyper V), Database (SQL). Have experience in design, implementation, migration & support for various Microsoft infrastructure products across various industry verticals. Currently working as "Implementation Engineer" with the UAE's first tier IV Data Center design certification in the region.

Leave a Reply

Your email address will not be published. Required fields are marked *