Solved

Outlook Anywhere using strange certificate

Posted on 2009-05-05
1,330 Views
Last Modified: 2012-05-06
I just migrated to Small Business Server 2008. Most of my users are running Outlook 2003. I have a GoDaddy multiple domain certificate issued to ww3.mydomain.com that also covers mail.mydomain.com, remote.mydomain.com, and vpn.mydomain.com (in the Subject Alternative Name field). ww3.mydomain.com is actually a secondary server with a different public IP than my main server.  mail.mydomain.com, remote.mydomain.com, and vpn.mydomain.com all point to my main server. I installed the GoDaddy cert on the main server using the SBS wizard and it is listed as correctly installed. Outlook Anywhere is enabled and set to use Basic Authentication.

I can connect to Outlook Anywhere using Outlook 2007, but I do get a certificate warning. When I click View Certificate I get some weird certificate that seems to have something to do with att.com. I can't find that certificate anywhere on my server. ATT is hosting www.mydomain.com but I don't see how Outlook could be retrieving the certificate for that site. See Cert.png.

None of my users can connect to Outlook Anywhere. They get an endless series of requests for username and password. "username" doesn't work, "domain\username" doesn't work, "usename@domain.com" doesn't work, nothing works. I've tried all sorts of combinations of settings and even deleted and recreated the profile on one user's machine; nothing helps.

When I configure Outlook 2007 on my machine to access a user's mailbox, I get the endless series of login prompts but the error box is different. See Outlook-error.png.

It sure seems as if somebody's serving up a rotten certificate, but how do I fix this?
Cert.png
Outlook-error.png
Question by:JonFleming
24 Comments
 
LVL 9

Expert Comment

by:esmith69
It might be the autodiscover service.  If you have your domain set up with a wildcard A record (that is, making it so that someone can just type your domain name and it will go to your web site) then this might be the problem.  You should set up a public DNS record called "autodiscover" and point it to your SBS server.  Do the same thing for internal DNS as well.

Did you get the SSL cert with "autodiscover" as one of the SANs?
 
LVL 9

Expert Comment

by:esmith69
Just to clarify---the wildcard A record that probably exists for your domain is making it so that someone can type ANYTHING before your domain name (including "autodiscover", which is what Outlook 2007 will always try and use) and it automatically sends the request to whatever IP is specified in the * A record.  If the server hosting your web site supports SSL, this is the cert that Outlook 2007 autodiscover is probably trying to use.

You'll need to do a few things, mainly recreate the certificate with "autodiscover.domainname.com" as a SAN.  Also make sure your internal DNS is set up to resolve this domain name, and configure an A record that points back to your SBS server's internal IP.  On your public DNS you'll have to create an A record as well and have this also point to your SBS server's externally-accessible IP address.
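A quick way to confirm the wildcard situation described in the two comments above, as an added example that is not part of the thread: resolve autodiscover.<domain> and a random label under the same domain. If a name that certainly does not exist still resolves, a * A record is answering, and if autodiscover comes back with the same address, Outlook's autodiscover lookup is landing on whatever host the wildcard points at (here the web host). The domain and IP addresses in the test are constructed placeholders; the resolver is injectable so the logic can be checked without network access.

```python
"""Detect a wildcard A record swallowing the autodiscover name.

Added example, not code from the thread. mydomain.com and the IP addresses
used for testing are constructed placeholders.
"""
import secrets
import socket


def resolve_live(name):
    """Default resolver: all IPv4 addresses for name, [] if it does not exist."""
    try:
        return sorted(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return []


def wildcard_report(domain, expected_ip, resolve=resolve_live):
    """Describe how autodiscover.<domain> resolves relative to a wildcard.

    domain      - public zone, e.g. "mydomain.com"
    expected_ip - public address the Exchange/SBS server answers on
    resolve     - name -> list of IPs (injectable for offline testing)

    Caveat: if an explicit autodiscover record happens to point at the same
    address as the wildcard, the two cannot be told apart by resolution alone.
    """
    auto_name = "autodiscover.%s" % domain
    # A random label should never resolve; if it does, a wildcard exists.
    probe_name = "wildcardprobe-%s.%s" % (secrets.token_hex(4), domain)
    auto_ips = resolve(auto_name)
    probe_ips = resolve(probe_name)
    wildcard = bool(probe_ips)
    return {
        "autodiscover_ips": auto_ips,
        "wildcard_present": wildcard,
        "autodiscover_caught_by_wildcard": wildcard and auto_ips == probe_ips,
        "autodiscover_points_to_server": expected_ip in auto_ips,
    }


if __name__ == "__main__":
    # Live usage against a real zone (replace the placeholders):
    print(wildcard_report("mydomain.com", "198.51.100.5"))
```

An explicit `autodiscover` A record (or a CNAME to the mail host) makes `autodiscover_points_to_server` true; until then the report shows the wildcard address instead.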
 
LVL 38

Expert Comment

by:Philip Elder
In the RPC/HTTPS settings in your outlook, set the:
 + Only connect to proxy servers that have this principal name in their certificate:
To:
 + *.sslcert35.com

The Principal Name mentioned in the error is the Issued to: on the certificate.

Your coms should work from there.

Philip
 
LVL 38

Expert Comment

by:Philip Elder
Further reading:
 + http://blog.mpecsinc.ca/2008/08/sbs-2k3-premium-configuring-ssl.html

About half way down was our first encounter with wildcards.

Philip
 

Author Comment

by:JonFleming
Ah, there is a wildcard that points to the IP of www.mydomain.com. That explains the weird certificate I'm getting with Outlook 2007. Now I'll have to redo the cert ...

I presume a CNAME record is what's really desired here.

But that shouldn't affect Outlook 2003, which doesn't do autodiscover. And all but one of my users are on Outlook 2003 and failing to connect.

Maybe more to come after the DNS changes propagate ...
 
LVL 9

Expert Comment

by:esmith69
It doesn't really matter if you do a CNAME record or a regular A record.  The CNAME makes it slightly easier if the public IP of your SBS server ever changes (i.e. you'd only need to update the record that the CNAME points to, not the CNAME record itself).  If you used just a regular A record you'd need to update that as well.
 

Author Comment

by:JonFleming
Arrgh!!

Ok, the DNS changes have propagated so autodiscover.mydomain.com now points to my main server.

But the certificate import wizard in the SBS console is now crashing the instant I try to open it. I tried importing the new cert through MMC\Certificates, but that's not good enough. Somehow the server is serving up the old cert, so when I open Outlook using my profile it lets me in but it complains about the autodiscover cert; it is getting the old GoDaddy cert that doesn't mention autodiscover. I'm going to try a reboot but that will have to wait until the evening, since it's not an emergency.

I looked at the link MPECSInc posted. When I used msstd:*.mydomain.com Outlook still presented the error that's the second image in my OP. When I set msstd:ww3.mydomain.com (the principal name on the cert) Outlook still presented an infinite series of login requests when I tried with my test user profile. I wonder if the cert problem is a red herring as far as the ability to log in is concerned?
 
LVL 9

Expert Comment

by:esmith69
I don't think that msstd setting is the cause of your issues.  I believe it is that Outlook is trying to connect to what it believes is the autodiscover service, but that ends up pointing to your web host.  At least that was the initial problem.  The repeated prompts to authenticate can be caused by many different things, so we should make sure DNS is all set internally and externally.  It might require you to recreate the Outlook profile, once the certificate on the SBS server is all fixed.

Do you have a record internally for "autodiscover.mydomain.com" that points to your SBS server as well?
 

Author Comment

by:JonFleming
OK, the cert is in place, SBS Console is happy, and I can try either profile without any cert prompts. I added an autodiscover.mydomain.com CNAME to my internal DNS (don't see how that's going to help, but I suppose it won't hurt. I already have an autodiscover.mydomain.local record. I seem to recall reading somewhere that SBS 2008 DNS was smart enough to automatically figure out when autodiscover.mydomain.com points to the main server's external IP that it should use the external server's internal IP when appropriate).

Still getting infinite login loops. Any next steps?
 
LVL 9

Expert Comment

by:esmith69
Now would probably be a good time to run some of the tests at https://testexchangeconnectivity.com
 
LVL 9

Expert Comment

by:esmith69
Also have you tried changing Outlook Anywhere to use NTLM authentication?
 
LVL 38

Expert Comment

by:Philip Elder
OA on SBS needs Basic Authentication only.

Philip
 

Author Comment

by:JonFleming
When I try https://testexchangeconnectivity.com from a system with Outlook 2007 installed and try the Autodiscover test, it fails with no further information. If I try it from a system with Outlook 2003 installed and try the rpc test, the test itself fails to test. See Fail.png.

I once found a manual method of testing RPC over HTTP connectivity, but I can't seem to dig it up now ...
 

Author Comment

by:JonFleming
Whoops, here's fail.png
Fail.PNG
 
LVL 9

Expert Comment

by:esmith69
outlook.exe /rpcdiag
 

Author Comment

by:JonFleming
Oh, yeah, outlook.exe /rpcdiag.

And with that my test setup, which was failing, is now working. I'll have to see if it works for the real users ...
 

Author Comment

by:JonFleming
Rats. Not working for the real users.
 
LVL 9

Expert Comment

by:esmith69
What are the differences between the test account and the real user accounts?  Does the test account have any kind of elevated permissions?  Was the test account created AFTER the migration to the new server?
 

Author Comment

by:JonFleming
The test account _is_ a real user account that's existed for years. The real user whose account it is, is using Outlook 2003 on Windows XP, I'm testing with Outlook 2007 on Vista Ultimate. Wasn't working for me or him, then started working for me.

Also: using my account on Outlook 2007 / Vista works. Using my account in Outlook 2003 / XP in a VM on my home computer does not. I'd almost believe it was something to do with XP, except for the fact that testing with the user's account in Outlook 2007 / Vista failed so many times and so repeatedly.
 
LVL 9

Expert Comment

by:esmith69
The error message you got from the testexchangeconnectivity.com site is a little odd.  Doesn't look like the error messages I've seen from that site before.

Also, it shouldn't matter what computer you're running the test from, as the info gets sent through the MS site to their servers.  As long as the computer has internet connectivity, you should get the same results regardless.
 

Author Comment

by:JonFleming
That error message seems to indicate that testexchangeconnectivity.com is broken.
 

Author Comment

by:JonFleming
Humph, now https://testexchangeconnectivity.com/ is up. The Outlook 2003 RPC over HTTP fails:

Attempting to Resolve the host name mail.bioprocessconsultants.com in DNS.
  Host successfully Resolved
 Additional Details
  IP(s) returned: 71.248.178.178  
 
 Testing TCP Port 443 on host mail.bioprocessconsultants.com to ensure it is listening/open.
  The port was opened successfully.
 
 Testing SSL Certificate for validity.
  The SSL Certificate failed one or more certificate validation checks.
 Test Steps
   Validating certificate name
  Successfully validated the certificate name
 Additional Details
  Found hostname mail.bioprocessconsultants.com in Certificate Subject Alternative Name entry  
 
 Validating certificate trust
  Certificate trust validation failed
 Additional Details
  The certificate chain has errors, Chain status = PartialChain  
 
 

Accepted Solution

by:JonFleming (earned 0 total points)
Since the testexchangeconnectivity failed, I went and bought a single-domain GoDaddy certificate, on which my server is the only name. And now Outlook 2003 Outlook Anywhere works!

I guess Outlook 2003 wants the server's name to be the primary name.

Of course, now Outlook 2007 complains that autodiscover.{domain}.com doesn't match the name on the certificate, but I think I can live with that.
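The outcome above (a multi-name certificate whose Common Name is ww3.mydomain.com fails for Outlook 2003 but works for Outlook 2007, while a single-name certificate fixes Outlook 2003 and breaks autodiscover for Outlook 2007) is what you would expect if one client matches the host against Subject Alternative Names and the other only against the Common Name. The following is an added example, not code from the thread, that models both behaviours against the certificates discussed here; the CN-only rule for Outlook 2003 is taken as an assumption from the thread's result, and the hostnames and certificate contents are constructed placeholders. The live helper at the end reads the real CN and SAN list from a server so the same check can be run against your own host.

```python
"""Which certificate names does a client accept for a host?

Added example, not code from the thread. Models:
  - a SAN-aware client (Outlook 2007 style) that accepts any DNS entry in
    the Subject Alternative Name list, and
  - a CN-only client (assumed here to describe Outlook 2003, based on the
    thread's outcome) that looks only at the subject Common Name.
Certificates and hostnames in the tests are constructed placeholders.
"""
import socket
import ssl


def _label_match(pattern, hostname):
    """RFC 6125-style comparison: a single '*' may replace only the leftmost
    label, and the wildcard name must have at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_accepted(cert, hostname, san_aware=True):
    """Return the certificate names that match hostname for this client.

    cert is {"cn": "...", "san": ["...", ...]}. An empty list means the
    client would reject the certificate for that hostname.
    """
    candidates = [cert["cn"]]
    if san_aware:
        candidates += cert.get("san", [])
    return [name for name in candidates if _label_match(name, hostname)]


def fetch_names(host, port=443):
    """Live helper: read CN and DNS SANs from the certificate a server presents.

    Chain verification stays on, so a server whose intermediate is missing
    (the "PartialChain" result seen in the connectivity test) raises an
    ssl.SSLCertVerificationError here rather than returning names.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we are inspecting names, not enforcing them
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            peer = tls.getpeercert()
    cn = next(v for rdn in peer["subject"] for k, v in rdn if k == "commonName")
    san = [v for k, v in peer.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": cn, "san": san}


if __name__ == "__main__":
    # Live usage (placeholder host): show what each kind of client would accept.
    cert = fetch_names("mail.mydomain.com")
    for aware in (True, False):
        print("SAN-aware" if aware else "CN-only",
              names_accepted(cert, "mail.mydomain.com", san_aware=aware))
```

Run against the original multi-domain certificate, the CN-only model rejects mail.mydomain.com because only ww3.mydomain.com is in the Common Name; run against the single-name replacement, the SAN-aware model rejects autodiscover.mydomain.com, which is exactly the remaining Outlook 2007 warning described above.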
 
LVL 9

Expert Comment

by:esmith69
I guess I misread your original post and when I saw you mention you already had a godaddy certificate, I thought you meant that's what was on the Exchange server, so I didn't even think to suggest that.  Glad to hear you got it working though!