Channel: Exchange Server 2013 - General Discussion forum

Exchange 2013 server reporting internal certificate error(s) + end users being prompted for username and password with Outlook.


Hi all -- 

Exchange 2013 running on 2008 R2 with Win7 SP1 clients running Office 2010 SP1. Single Exchange server running all roles.

Exchange is reporting these errors in the event log:

Log Name:      Application
Source:        MSExchangeTransportDelivery
Date:          12/07/2013 9:20:42 AM
Event ID:      12023
Task Category: TransportService
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      exchange.domain.local
Description:
Microsoft Exchange could not load the certificate with thumbprint of AC5F2ED465745B0FC73910BDC29C83352FFF557B from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate AC5F2ED465745B0FC73910BDC29C83352FFF557B -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint DB9703DAC5519D008A4B49989CFAA2BDA6DA34CD is being used.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransportDelivery" />
    <EventID Qualifiers="32772">12023</EventID>
    <Level>3</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-11T23:20:42.000000000Z" />
    <EventRecordID>371072</EventRecordID>
    <Channel>Application</Channel>
    <Computer>exchange.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>AC5F2ED465745B0FC73910BDC29C83352FFF557B</Data>
    <Data>DB9703DAC5519D008A4B49989CFAA2BDA6DA34CD</Data>
  </EventData>
</Event>



And

Log Name:      Application
Source:        MSExchangeFrontEndTransport
Date:          12/07/2013 9:18:53 AM
Event ID:      1035
Task Category: SmtpReceive
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      exchange.domain.local
Description:
Inbound authentication failed with error LogonDenied for Receive connector Client Frontend EXCHANGE. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [127.0.0.1].
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeFrontEndTransport" />
    <EventID Qualifiers="32772">1035</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-11T23:18:53.000000000Z" />
    <EventRecordID>371068</EventRecordID>
    <Channel>Application</Channel>
    <Computer>exchange.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>LogonDenied</Data>
    <Data>Client Frontend EXCHANGE</Data>
    <Data>Login</Data>
    <Data>127.0.0.1</Data>
  </EventData>
</Event>

AND

Log Name:      Application
Source:        MSExchangeTransport
Date:          12/07/2013 9:10:25 AM
Event ID:      12014
Task Category: TransportService
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      exchange.domain.local
Description:
Microsoft Exchange could not find a certificate that contains the domain name exchange.externaldomain.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector THAC Send Connector with a FQDN parameter of exchange.externaldomain.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="49156">12014</EventID>
    <Level>2</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-07-11T23:10:25.000000000Z" />
    <EventRecordID>371042</EventRecordID>
    <Channel>Application</Channel>
    <Computer>exchange.domain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data>exchange.thac.nsw.edu.au</Data>
    <Data>THAC Send Connector</Data>
  </EventData>
</Event>

These all started appearing fairly recently, and I'm not sure if it's related, but at the same time my end users will spontaneously ask for authentication when accessing Outlook. Even though they are on domain-bound machines and retype the password correctly, they will not get access. If they say Cancel, Outlook fails. IT must then assist them by deleting their Outlook profile and reconfiguring the Exchange account, which will work.


Many thanks for any/all assistance.
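
The checks that the event descriptions above point to, as an added PowerShell example that is not part of the original post: it looks up the two thumbprints from event 12023 and tests whether an SMTP-enabled certificate covers each Send connector's FQDN (event 12014). It assumes the Exchange Management Shell on the affected server and only reads configuration.

```powershell
# Added example: run in the Exchange Management Shell on the affected server.
# The thumbprints are the two values reported in event 12023 above.
$configured = 'AC5F2ED465745B0FC73910BDC29C83352FFF557B'  # could not be loaded
$inUse      = 'DB9703DAC5519D008A4B49989CFAA2BDA6DA34CD'  # used in the meantime

$certs = @(Get-ExchangeCertificate)

# 1. Event 12023: is each certificate present, valid, keyed and enabled for SMTP?
foreach ($tp in $configured, $inUse) {
    $c = $certs | Where-Object { $_.Thumbprint -eq $tp }
    if ($c) {
        $c | Format-List Thumbprint, Subject, CertificateDomains, Services,
                         Status, HasPrivateKey, NotAfter
    } else {
        Write-Warning "$tp is not in the local computer personal store"
    }
}

# 2. Event 12014: does an SMTP-enabled certificate carry each Send connector's FQDN?
$smtpCerts = $certs | Where-Object {
    "$($_.Services)" -match 'SMTP' -and $_.HasPrivateKey
}
$report = foreach ($conn in Get-SendConnector) {
    $fqdn = "$($conn.Fqdn)"
    if (-not $fqdn) { continue }   # no FQDN set: the computer's FQDN is used instead
    $covering = $smtpCerts | Where-Object {
        # -like also lets a wildcard entry such as *.example.com match the FQDN
        $_.CertificateDomains | Where-Object { $fqdn -like "$_" }
    }
    New-Object psobject -Property @{
        Connector = $conn.Name
        Fqdn      = $fqdn
        CoveredBy = ($covering | ForEach-Object { $_.Thumbprint }) -join ', '
    }
}
$report | Format-Table Connector, Fqdn, CoveredBy -AutoSize
```

An empty `CoveredBy` value for a connector corresponds to the condition event 12014 reports: no certificate in the personal store contains that connector's FQDN.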

