Robert Andrews
asked on
internal outlook client certificate error
Hi
I have migrated my Exchange from SBS2003 to Server 2012 with Exchange 2010.
My external clients (OWA) and mobiles work great with no issues, BUT my Outlook clients on my local LAN get a certificate error when they open up or go to set out of office.
It still looks like it's trying to connect to SVR2012.mycompany.local but using the mail.mycompany.co.uk certificate.
(Strange thing is, if I change the binding in IIS to use the SVR2012.mycompany.local certificate, then Outlook flips the error the other way round and uses the external address to connect and the internal SSL.)
So far I have done the following:
I have a GoDaddy SSL certificate with mail.mycompany.co.uk installed on the server and in Exchange.
I have bound mail.mycompany.co.uk in IIS.
I have set all the CAS URLs to mail.mycompany.co.uk for both internal and external.
I have created a DNS zone on the 2012 server of mycompany.co.uk and created an A record for mail.mycompany.co.uk pointing to 192.168.1.251 (server address).
Any suggestions would be great, as I cannot see why it's still using the internal URL.
Thanks
Rob
Please check this URL for a resolution: https://www.experts-exchange.com/questions/28692710/Outlook-certificate-mismatch-error.html
Get-ClientAccessServer | fl and check AutoDiscoverServiceInternalUri; it should be mail.mycompany.co.uk
Also check Get-WebServicesVirtualDirectory | fl; InternalUrl and ExternalUrl should be mail.mycompany.co.uk
Set-ClientAccessServer -Identity "servername" -AutoDiscoverServiceInternalUri https://mail.mycompany.co.uk/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl https://mail.mycompany.co.uk/EWS/Exchange.asmx -ExternalUrl https://mail.mycompany.co.uk/EWS/Exchange.asmx
Configure the OA URL to mail.mycompany.co.uk
ASKER
Thanks
I have checked these and they are OK. Can I ask what OA is? (Sorry, don't do acronyms.)
This morning the client has stopped saying there is a certificate error but out of office still says unavailable. When I do an autodiscovery test from the Outlook client it all looks OK except the RPC server, which still has the .local address. Is this correct?
The other thing I have noticed is if I go to
https://mail.mycompany.co.uk/ews/exchange.asmx I get a username and password box but it does not authenticate. The password box just keeps coming back, I presume this is incorrect.
OA stands for Outlook Anywhere.
ASKER
After about 5 mins of wracking my brain I realised it was that, thanks, and yes, it was set to the mail.domin.co.uk
Did the issue get resolved?
ASKER
No. Out of office still does not work on any Outlook clients.
Should the RPC bit in the Outlook connection test still point to the .local address?
Secondly, if I put the EWS URL in a browser it asks for user and password constantly but never gets past that point. Is this normal?
Please configure all the virtual directories' internal and external URLs as mail.mycompany.co.uk
Run this
Set-ClientAccessServer -Identity "servername" -AutoDiscoverServiceInternalUri https://mail.mycompany.co.uk/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -InternalUrl https://mail.mycompany.co.uk/EWS/Exchange.asmx -ExternalUrl https://mail.mycompany.co.uk/EWS/Exchange.asmx
Create an internal DNS zone with mycompany.co.uk and create host A record mail.mycompany.co.uk and point it to the Exchange IP.
Configure OA with mail.mycompany.co.uk
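A check for the steps above, added here as an example and not part of the original thread: it lists the Autodiscover URI and each virtual directory's internal and external URL, and flags any whose host name is not on the certificate enabled for IIS. It assumes the Exchange Management Shell on Exchange 2010; Test-HostCovered is a hypothetical helper name.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Reports which configured client-facing URLs use a host name the IIS certificate lacks.

# Hypothetical helper: exact match, or a wildcard entry covering one left-most label.
function Test-HostCovered($hostName, $certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $hostName.Contains('.') -and
            $hostName.Substring($hostName.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Names on the certificate(s) currently enabled for IIS.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

# Autodiscover URI published by each Client Access server.
$found = @(Get-ClientAccessServer | ForEach-Object {
    New-Object PSObject -Property @{ Source = 'AutoDiscoverServiceInternalUri'; Url = $_.AutoDiscoverServiceInternalUri }
})

# Internal and external URLs of each virtual directory type.
$cmds = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
        'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $cmds) {
    $found += @(& $cmd | ForEach-Object {
        New-Object PSObject -Property @{ Source = "$cmd InternalUrl"; Url = $_.InternalUrl }
        New-Object PSObject -Property @{ Source = "$cmd ExternalUrl"; Url = $_.ExternalUrl }
    })
}

# Skip unset URLs, then compare each host name with the certificate names.
$found | Where-Object { $_.Url } | ForEach-Object {
    $h = ([uri]$_.Url.ToString()).Host
    New-Object PSObject -Property @{
        Source        = $_.Source
        HostName      = $h
        CoveredByCert = Test-HostCovered $h $certNames
    }
} | Sort-Object CoveredByCert, Source | Format-Table Source, HostName, CoveredByCert -AutoSize
```

Rows with CoveredByCert set to False sort first; each one is a URL that will raise a name-mismatch warning in Outlook for as long as it is handed out.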
ASKER
Thanks, I had already done the above but I have checked it again and they all do point to mail.mycompany.co.uk already.
Doing the above did cure the certificate error but it still did not resolve the out of office error. I do think it may be a permissions thing with the EWS folder in IIS, as I cannot access it via Internet Explorer, which I would expect to be able to do.
Please check my article and let me know if this doesn't fix your issue.
https://www.experts-exchange.com/articles/13676/Out-Of-office-not-working.html
Thanks
MAS
ASKER
Thanks MAS, I have rechecked using your link and it has all been done as per the link, except our certificate was a single-domain certificate for mail.mycompany.co.uk. Should it also have autodiscovery for Outlook clients to work?
Today our clients still come up with a certificate mismatch; it still says security alert, has a certificate mismatch (it's using the mail.mycompany.co.uk one).
Out of office still says server unavailable.
Could this be because at present the old SBS2003 server is still on the domain and part of the Exchange, even though everything has been migrated over?
I cannot see why internal Outlook clients still use SVR2012.mycompany.local to connect.
Do I have to remove the account and re-add it in Outlook now we have changed the internal URLs?
Rob
ASKER
You need only 2 certificates with these services enabled
1. Your self-signed certificate. Services: SMTP
2. GoDaddy certificate. Services: IIS, SMTP (POP and IMAP you can add if you need)
It should look like this. Note: This is without POP and IMAP. If you want, you can add POP and IMAP on the GoDaddy certificate.
ASKER
Hi
Things have now got a bit worse for the Outlook clients.
It is now asking for a password constantly on a few of the Outlook users.
I have also noticed that the Outlook Anywhere users are only connecting if I change the security to Basic from NTLM.
It is supposed to be Basic for Exchange 2010.
For credential issues, there are many causes. Generally, it can be caused by a public folder that cannot be accessed or by web services authentication.
https://social.technet.microsoft.com/Forums/exchange/en-US/918d173d-a547-4b8e-ae27-8d601b601a07/outlook-2010-exchange-2010-keeps-asking-for-credentials-please-help?forum=exchangesvrgenerallegacy
ASKER
Thanks Mas
I think it's because I have removed the 2003 server after transferring all the mailboxes.
For some reason I lost the OAB in the mailbox settings of Ex2010.
I am still getting SSL errors even after re-running the CSR command and getting a multi-domain SSL from GoDaddy. I attached it by following GoDaddy's guide and added both the intermediate certificate via MMC and the SSL in the pending SSL request in EMC.
In Outlook 2007 clients I get the certificate is invalid and not to be trusted for both mail.mydomain.co.uk and autodiscover.mydomain.co.uk.
Still can't get out of office working or get rid of certificate errors.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for etechgrimsby's comment #a41026915
for the following reason:
I researched this more and found the correct solution from Microsoft support, which I have now put up here for others to use.
There is a mistake regarding the autodiscover internal URL.
Apart from this, my article has almost everything you typed in the last post except recycle.
ASKER
I have run the Test email config on the client machine
There are still a few local server urls
Protocol Exchange RPC
Server:SVR2012.mycompany.l
Availability ServiceURL: https://SVR2012.mycompany.local/EWS/Exchange.asmx
OOF URL: https://SVR2012.mycompany.local/EWS/Exchange.asmx
OAB URL Public Folder
Unified Message ServiceURL:https://SVR2012.mycompany.local/EWS/UM2007Legacy.asmx
Where do these settings come from, please?