Solved

Outlook Anywhere using strange certificate

Posted on 2009-05-05
Last Modified: 2012-05-06
I just migrated to Small Business Server 2008. Most of my users are running Outlook 2003. I have a GoDaddy multiple domain certificate issued to ww3.mydomain.com that also covers mail.mydomain.com, remote.mydomain.com, and vpn.mydomain.com (in the Subject Alternative Name field). ww3.mydomain.com is actually a secondary server with a different public IP than my main server.  mail.mydomain.com, remote.mydomain.com, and vpn.mydomain.com all point to my main server. I installed the GoDaddy cert on the main server using the SBS wizard and it is listed as correctly installed. Outlook Anywhere is enabled and set to use Basic Authentication.

I can connect to Outlook Anywhere using Outlook 2007, but I do get a certificate warning. When I click View Certificate I get some weird certificate that seems to have something to do with att.com. I can't find that certificate anywhere on my server. ATT is hosting www.mydomain.com but I don't see how Outlook could be retrieving the certificate for that site. See Cert.png.

None of my users can connect to Outlook Anywhere. They get an endless series of requests for username and password. "username" doesn't work, "domain\username" doesn't work, "usename@domain.com" doesn't work, nothing works. I've tried all sorts of combinations of settings and even deleted and recreated the profile on one user's machine; nothing helps.

When I configure Outlook 2007 on my machine to access a user's mailbox, I get the endless series of login prompts but the error box is different. See Outlook-error.png.

It sure seems as if somebody's serving up a rotten certificate, but how do I fix this?
Cert.png
Outlook-error.png
Question by:JonFleming
24 Comments
 
LVL 9

Expert Comment

by:esmith69
ID: 24307143
It might be the autodiscover service. If you have your domain set up with a wildcard A record (that is, making it so that someone can just type your domain name and it will go to your web site) then this might be the problem. You should set up a public DNS record called "autodiscover" and point it to your SBS server. Do the same thing for internal DNS as well.

Did you get the SSL cert with "autodiscover" as one of the SANs?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24307182
Just to clarify: the wildcard A record that probably exists for your domain is making it so that someone can type ANYTHING before your domain name (including "autodiscover", which is what Outlook 2007 will always try and use) and it automatically sends the request to whatever IP is specified in the * A record. If the server hosting your web site supports SSL, this is the cert that Outlook 2007 autodiscover is probably trying to use.

You'll need to do a few things, mainly recreate the certificate with "autodiscover.domainname.com" as a SAN. Also make sure your internal DNS is set up to resolve this domain name, and configure an A record that points back to your SBS server's internal IP. On your public DNS you'll have to create an A record as well and have this also point to your SBS server's externally-accessible IP address.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 24307211
In the RPC/HTTPS settings in your outlook, set the:
 + Only connect to proxy servers that have this principal name in their certificate:
To:
 + *.sslcert35.com

The Principal Name mentioned in the error is the Issued to: on the certificate.

Your comms should work from there.

Philip
0
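Added example, not code from any participant in this thread: a small Python model of the two checks the comments above describe. It shows how a wildcard A record answers for autodiscover.<domain> and sends Outlook to a host that serves a certificate issued to someone else, how a certificate's "Issued to" name and Subject Alternative Names are matched against the hostnames Outlook contacts, and how the msstd: principal-name setting is compared with the certificate's "Issued to". The domain example.com, the IP addresses and the certificates are constructed; the Outlook 2007 HTTPS autodiscover order (the SMTP domain itself, then the autodiscover. prefix) is the standard probe sequence.

```python
"""Model of wildcard DNS + certificate name checks for Outlook Anywhere.
Added example; every zone record, IP and certificate below is constructed."""
from dataclasses import dataclass


@dataclass
class Cert:
    issued_to: str          # Subject CN, shown by Windows as "Issued to:"
    sans: tuple = ()        # Subject Alternative Name dNSName entries


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname. A wildcard is honoured
    only as the whole left-most label: *.example.com matches mail.example.com
    but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if the hostname appears as the CN or as any SAN entry."""
    return any(name_matches(n, hostname) for n in (cert.issued_to, *cert.sans))


def principal_ok(cert: Cert, msstd: str) -> bool:
    """Outlook's 'Only connect to proxy servers that have this principal name'
    setting: the name after msstd: is compared with the certificate's Issued to."""
    name = msstd[len("msstd:"):] if msstd.lower().startswith("msstd:") else msstd
    return name_matches(name, cert.issued_to)


def resolve(zone: dict, fqdn: str):
    """Minimal zone lookup: an exact record wins, otherwise the '*' wildcard
    of the parent answers for any label that has no record of its own."""
    if fqdn in zone:
        return zone[fqdn]
    if "." not in fqdn:
        return None
    return zone.get("*." + fqdn.split(".", 1)[1])


def autodiscover_candidates(smtp_domain: str):
    """HTTPS hosts Outlook 2007 tries, in order, for <user>@<smtp_domain>."""
    return [smtp_domain, "autodiscover." + smtp_domain]


def audit(zone, served_certs, smtp_domain, mail_host, msstd):
    """For each hostname Outlook will contact, report which IP answers and
    whether the certificate served there actually carries that name."""
    report = {}
    for host in autodiscover_candidates(smtp_domain) + [mail_host]:
        ip = resolve(zone, host)
        cert = served_certs.get(ip)
        report[host] = {
            "ip": ip,
            "issued_to": cert.issued_to if cert else None,
            "name_ok": bool(cert and cert_covers(cert, host)),
        }
    report["msstd_ok"] = principal_ok(served_certs[resolve(zone, mail_host)], msstd)
    return report


# Constructed zone: SBS server at 192.0.2.10, a secondary server at 192.0.2.11,
# third-party web host at 198.51.100.20 with a wildcard record pointing at it.
ZONE_BEFORE = {
    "example.com": "198.51.100.20",
    "mail.example.com": "192.0.2.10",
    "remote.example.com": "192.0.2.10",
    "ww3.example.com": "192.0.2.11",
    "*.example.com": "198.51.100.20",   # anything unlisted goes to the web host
}
SBS_CERT = Cert("ww3.example.com", ("mail.example.com", "remote.example.com", "vpn.example.com"))
WEBHOST_CERT = Cert("www.hostingprovider.example")      # the "strange" certificate
SERVED = {"192.0.2.10": SBS_CERT, "198.51.100.20": WEBHOST_CERT}

# After the fix: explicit autodiscover record plus a reissued cert that lists it.
ZONE_AFTER = dict(ZONE_BEFORE, **{"autodiscover.example.com": "192.0.2.10"})
SBS_CERT_AFTER = Cert("ww3.example.com", SBS_CERT.sans + ("autodiscover.example.com",))
SERVED_AFTER = {"192.0.2.10": SBS_CERT_AFTER, "198.51.100.20": WEBHOST_CERT}

if __name__ == "__main__":
    for label, zone, served in (("before", ZONE_BEFORE, SERVED), ("after", ZONE_AFTER, SERVED_AFTER)):
        print(label, audit(zone, served, "example.com", "mail.example.com", "msstd:ww3.example.com"))
```

Run as a script it prints the "before" report, where autodiscover.example.com resolves to the web host and fails the name check, and the "after" report, where the explicit A record and the reissued certificate make it pass; mail.example.com and the msstd principal check pass in both cases, which is why a bad autodiscover answer shows up as a certificate warning rather than a total failure.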

 
LVL 38

Expert Comment

by:Philip Elder
ID: 24307225
Further reading:
 + http://blog.mpecsinc.ca/2008/08/sbs-2k3-premium-configuring-ssl.html

About half way down was our first encounter with wildcards.

Philip
0
 

Author Comment

by:JonFleming
ID: 24307293
Ah, there is a wildcard that points to the IP of www.mydomain.com. That explains the weird certificate I'm getting with Outlook 2007. Now I'll have to redo the cert ...

I presume a CNAME record is what's really desired here.

But that shouldn't affect Outlook 2003, which doesn't do autodiscover. And all but one of my users are on Outlook 2003 and failing to connect.

Maybe more to come after the DNS changes propagate ...
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24307346
It doesn't really matter if you do a CNAME record or a regular A record.  The CNAME makes it slightly easier if the public IP of your SBS server ever changes (i.e. you'd only need to update the record that the CNAME points to, not the CNAME record itself).  If you used just a regular A record you'd need to update that as well.
0
 

Author Comment

by:JonFleming
ID: 24308103
Arrgh!!

Ok, the DNS changes have propagated so autodiscover.mydomain.com now points to my main server.

But the certificate import wizard in the SBS console is now crashing the instant I try to open it. I tried importing the new cert through MMC\Certificates, but that's not good enough. Somehow the server is serving up the old cert so when I open Outlook using my profile it lets me in but it complains about the autodiscover cert; it is getting the old GoDaddy cert that doesn't mention autodiscover. I'm going to try a reboot but that will have to wait until the evening, since it's not an emergency.

I looked at the link MPECSInc posted. When I used msstd:*.mydomain.com Outlook still presented the error that's the second image in my OP. When I set msstd:ww3.mydomain.com (the principal name on the cert) Outlook still presented an infinite series of login requests when I tried with my test user profile. I wonder if the cert problem is a red herring as far as the ability to log in is concerned?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24308496
I don't think that msstd setting is the cause of your issues. I believe it is that Outlook is trying to connect to what it believes is the autodiscover service, but that ends up pointing to your web host. At least that was the initial problem. The repeated prompts to authenticate can be caused by many different things, so we should make sure DNS is all set internally and externally. It might require you to recreate the Outlook profile, once the certificate on the SBS server is all fixed.

Do you have a record internally for "autodiscover.mydomain.com" that points to your SBS server as well?
0
 

Author Comment

by:JonFleming
ID: 24315020
OK, the cert is in place, SBS Console is happy, and I can try either profile without any cert prompts. I added an autodiscover.mydomain.com CNAME to my internal DNS (don't see how that's going to help, but I suppose it won't hurt. I already have an autodiscover.mydomain.local record. I seem to recall reading somewhere that SBS 2008 DNS was smart enough to automatically figure out when autodiscover.mydomain.com points to the main server's external IP that it should use the external server's internal IP when appropriate).

Still getting infinite login loops. Any next steps?
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24315382
Now would probably be a good time to run some of the tests at https://testexchangeconnectivity.com
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24315457
Also have you tried changing Outlook Anywhere to use NTLM authentication?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 24317396
OA on SBS needs Basic Authentication only.

Philip
0
 

Author Comment

by:JonFleming
ID: 24336886
When I try https://testexchangeconnectivity.com from a system with Outlook 2007 installed and try the Autodiscover test, it fails with no further information. If I try it from a system with Outlook 2003 installed and try the rpc test, the test itself fails to test. See Fail.png.

I once found a manual method of testing RPC over HTTP connectivity, but I can't seem to dig it up now ...
0
 

Author Comment

by:JonFleming
ID: 24337129
Whoops, here's fail.png
Fail.PNG
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24337165
outlook.exe /rpcdiag
0
 

Author Comment

by:JonFleming
ID: 24337387
Oh, yeah, outlook.exe /rpcdiag.

And with that my test setup, which was failing, is now working. I'll have to see if it works for the real users ...
0
 

Author Comment

by:JonFleming
ID: 24341065
Rats. Not working for the real users.
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24346227
What are the differences between the test account and the real user accounts?  Does the test account have any kind of elevated permissions?  Was the test account created AFTER the migration to the new server?
0
 

Author Comment

by:JonFleming
ID: 24348028
The test account _is_ a real user account that's existed for years. The real user whose account it is, is using Outlook 2003 on Windows XP, I'm testing with Outlook 2007 on Vista Ultimate. Wasn't working for me or him, then started working for me.

Also: using my account on Outlook 2007 / Vista works. Using my account in Outlook 2003 / XP in a VM on my home computer does not. I'd almost believe it was something to do with XP, except for the fact that testing with the user's account in Outlook 2007 / Vista failed so many times and so repeatedly.
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24349209
The error message you got from the testexchangeconnectivity.com site is a little odd.  Doesn't look like the error messages I've seen from that site before.

Also, it shouldn't matter what computer you're running the test from, as the info gets sent through the MS site to their servers.  As long as the computer has internet connectivity, you should get the same results regardless.
0
 

Author Comment

by:JonFleming
ID: 24353399
That error message seems to indicate that testexchangeconnectivity.com is broken.
0
 

Author Comment

by:JonFleming
ID: 24357246
Humph, now https://testexchangeconnectivity.com/ is up. The Outlook 2003 RPC over HTTP fails:

Attempting to Resolve the host name mail.bioprocessconsultants.com in DNS.
  Host successfully Resolved
  Additional Details
    IP(s) returned: 71.248.178.178

Testing TCP Port 443 on host mail.bioprocessconsultants.com to ensure it is listening/open.
  The port was opened successfully.

Testing SSL Certificate for validity.
  The SSL Certificate failed one or more certificate validation checks.
  Test Steps
    Validating certificate name
      Successfully validated the certificate name
      Additional Details
        Found hostname mail.bioprocessconsultants.com in Certificate Subject Alternative Name entry

    Validating certificate trust
      Certificate trust validation failed
      Additional Details
        The certificate chain has errors, Chain status = PartialChain
0
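Added example, not part of the thread: "Chain status = PartialChain" is the Windows CryptoAPI way of saying the chain could not be built back to a trusted root, and the usual cause is a server that sends only its own certificate and not the intermediate CA certificate that signed it (GoDaddy certificates in particular chain through an intermediate). The POSIX shell script below reproduces that condition offline with the openssl command-line tool: it builds a constructed root, intermediate and leaf, then verifies the leaf once without the intermediate (OpenSSL's equivalent failure, "unable to get local issuer certificate") and once with it. All names are made up; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: reproduce a "partial chain" with a constructed root -> intermediate -> leaf.
# All CA names and the hostname are made up; requires the openssl command-line tool.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: a CSR signed with its own key, extensions taken only from root.ext.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile root.ext \
  -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root (this is the certificate a server must send).
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile int.ext -out int.pem >/dev/null 2>&1

# Server (leaf) certificate for the mail host, signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=mail.example.com" >/dev/null 2>&1
printf 'subjectAltName=DNS:mail.example.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# A client that trusts only the root and is handed only the leaf: the
# OpenSSL counterpart of CryptoAPI's "Chain status = PartialChain".
verify_leaf_only() {
  openssl verify -CAfile root.pem leaf.pem
}

# Same client, but the server also supplies the intermediate.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem
}

echo "--- leaf only (expected: unable to get local issuer certificate)"
verify_leaf_only || true
echo "--- leaf plus intermediate (expected: leaf.pem: OK)"
verify_with_intermediate
```

Against a live server the same two-step check is `openssl s_client -connect host:443 -servername host -showcerts`, which prints every certificate the server sends; if only one appears, the intermediate is missing from the server's certificate store or binding, and that is the condition to fix rather than replacing the certificate itself.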
 

Accepted Solution

by:JonFleming (earned 0 total points)
ID: 24366442
Since the testexchangeconnectivity failed, I went and bought a single-domain GoDaddy certificate, on which my server is the only name. And now Outlook 2003 Outlook Anywhere works!

I guess Outlook 2003 wants the server's name to be the primary name.

Of course, now Outlook 2007 complains that autodiscover.{domain}.com doesn't match the name on the certificate, but I think I can live with that.
0
 
LVL 9

Expert Comment

by:esmith69
ID: 24366507
I guess I misread your original post and when I saw you mention you already had a godaddy certificate, I thought you meant that's what was on the Exchange server, so I didn't even think to suggest that.  Glad to hear you got it working though!
0