Certificate error when Sending/Receiving

This is SBS2008/Exchange 2007 with XP Pro clients.

All but one client has no problems. Just one client is getting a certificate error in Outlook. The error is:

"The name on the certificate is invalid or does not match the name of the site."

It asks if I want to continue. If I click 'Yes', the process seems to complete, but there is a Send/Receive error at the bottom right. When I click this it says:

"0x8004010F The operation failed. An object could not be found."

It gave me the option to install the certificate. Doing so made no difference to the error.

If I log onto that same workstation as a different user, there is no problem. I logged in again as the original user and deleted/recreated the Outlook profile. The original problem still persists.

Help please.

Ian

ipendleburyAsked:
 
MegaNuk3Commented:
You could always add autodiscover.ourexternaldomain.com into your DNS, but the certificate name will still not match...

Otherwise I think you can see which certificate is assigned to your default web site on Windows 2008 by doing the following:
Open IIS Manager-->Your Server-->Default web site-->Bindings (in far right pane)-->click on https (443)-->Edit-->View

http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm
0
 
Sector5Commented:
Hi ipendlebury,

Do this. Download the rootsupd.exe from http://www.microsoft.com/downloads/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en
run the install and try again.
0
 
MegaNuk3Commented:
What version of Outlook?
Can you post the sync issues log?
Is that error received (0x8004010F) when Outlook is trying to download the OAB?
0
 
ipendleburyAuthor Commented:
Sector5: I tried that update. It made no difference.

MegaNuk3: This is Outlook 2007. I don't know how to access the Sync issues log. Perhaps you can tell me? The error occurs when I click the Send/Receive button. I don't know which particular stage of the process is generating the error.

Because the error message said the error might have occurred because the name on the certificate does not match the site, I took a look at the certificate and yes, there is a difference. The name on the certificate is www.ourwebsite.com but this domain name is not part of our internal business. www.ourwebsite.com is hosted elsewhere by a web hosting company.

I'm not sure what to make of this. This server was installed 8 months ago and none of the other clients has any problems.
0
 
MegaNuk3Commented:
To see the Sync issues log, in Outlook do -->Go-->Folder List OR press Ctrl+6
and then you will see a "Sync Issues" folder, expand it and you should see a log in the right hand pane.
In the log it should tell you what it is trying to synch when you get the error.
0
 
MegaNuk3Commented:
Do you only have one user with this issue? You said "one client" so I am assuming this means one user not one customer (group of users)
0
 
ipendleburyAuthor Commented:
It's just one user when she logs onto her usual pc. If I log onto that pc on my own account, there is no problem. If she logs onto another pc, there is no problem.

I found the Sync Issues log. It contains multiple entries like this:


15:21:32 Synchronizer Version 12.0.6509
15:21:32 Synchronizing Mailbox 'vivien Ainsworth'
15:21:32 Done
15:21:54 Microsoft Exchange offline address book
15:21:54  Not downloading Offline address book files.  A server (URL) could not be located.
15:21:54 0X8004010F

0
 
MegaNuk3Commented:
Sounds like you have OWA configured with AutoDiscover? Are all the other users set up like that?
Try an Outlook autoconfig test:
With Outlook open, do: hold down the CTRL key and then right-click on the Outlook icon in the system tray (near the time on the bottom right-hand side of the screen)-->Test e-mail autoconfiguration-->enter a valid e-mail address and password-->make sure "Use AutoDiscover" is the only one ticked-->press Test and then look in the Log for the OAB URL
0
 
ipendleburyAuthor Commented:
Whilst a couple of users do use OWA, this user does not. This is just a default installation. I have not deliberately made any setting about autodiscover. I tried the autoconfig test. All three boxes at the top of the screen were initially checked. I unchecked the other 2 like you said. It came back and said:

Autoconfiguration was unable to determine your settings.

We are closing for the Easter holiday now, so I will not be able to pursue this any further until Tuesday, but thanks for your help so far.

Ian

0
 
MegaNuk3Commented:
Sorry I didn't mean OWA I meant Outlook.

When you install the cert, make sure it is in the trusted root certificate store, not personal store.

Does the problem follow the user? i.e. if you get the user to log on to another machine do they get the same issue?
0
 
ipendleburyAuthor Commented:
Yes I have been installing the certificate in the trusted root certificate store.

No, the problem does not follow the user; the problem only occurs when this user logs into that particular machine. Like I said earlier in this thread, I deleted/recreated the mailbox profile from the Windows control panel. It made no difference.

Ian
0
 
MegaNuk3Commented:
Log on as the user-->Export this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles

Then delete the key and then create a new outlook profile for the user
0
 
ipendleburyAuthor Commented:
OK, I'm at home now. When I get into the office tomorrow, I'll give it a try. Thanks for your help.

Ian
0
 
MegaNuk3Commented:
Any joy?
0
 
ipendleburyAuthor Commented:
Thanks for reminding me. I was engrossed in something else.

No, it didn't change anything. I noticed also that when I deleted the profile, that key became empty anyway.

Ian
0
 
MegaNuk3Commented:
Well, it is definitely something in the user profile as you have found out.

See if you can find the www.ourwebsite.com certificate and then export & delete it from IE-->Tools-->Internet Options-->Content-->Certificates

See if the client can get to
http://pfserver/public/non_ipm_subtree/offline%20address%20book/

Another thing you can try is to:
1.) Do Start-->Run, paste in C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\Outlook and hit Enter
2.) Close Outlook
3.) Create a subfolder called OLD_OAB in the location of step 1
4.) Move the 6 .OAB files into the OLD_OAB subfolder
5.) Restart Outlook
0
 
ipendleburyAuthor Commented:
I'm sorry, I didn't get an email to say that you'd replied again. I should have checked earlier....

Something has come up now which throws another perspective on this.... 2 more users are now getting a certificate error. I mentioned this error at the top of this thread. I can't imagine why it would start affecting these users only now.

The message which pops up is giving the address: autodiscover@ourinternaldomain.com. Presumably it is expecting to see a certificate with that same address. The certificate it shows me is for: www.ourexternaldomain.com issued by Thawte Server. I've no idea where that came from.

I'm really not up to speed with creating and deploying certificates, but it now sounds to me like the server is using the wrong certificate. I think most other clients are using Outlook 2003. Perhaps this explains why they are not seeing the error. If so, it would explain why I didn't get that error when I logged onto another machine as the original user.

Ian

0
 
MegaNuk3Commented:
Interesting:
http://technet.microsoft.com/en-us/sbs/cc817589.aspx
"What are the advantages of purchasing a certificate from a well-known certification authority?
Purchasing a trusted certificate is an inexpensive and convenient way to help secure business credentials and data. When you install a trusted certificate on Windows Small Business Server 2008, the certificate is distributed automatically to domain-joined clients, which means that administrators do not need to manually install the certificate package on computers or devices."

Hmmm, so that certificate is being pushed out to your domain joined clients automatically.
0
 
ipendleburyAuthor Commented:
I've just made another discovery...

Several months ago I installed a Proxy Server package on the SBS Server. This is called Wingate. We only connected a few users to it. I should have realised earlier that the users getting the error are the only Outlook 2007 users who are using the Proxy Server. I just went to a 'Healthy' Outlook 2007 machine and configured it to use the proxy server. It immediately came up with the certificate error.

So it seems that something is getting modified as it passes through the proxy server.
0
 
MegaNuk3Commented:
So if you change it back to not use the proxy server does Outlook work fine again? Is this the proxy IE setting? Have you tried ticking the "do not use proxy for internal addresses" option?
0
 
ipendleburyAuthor Commented:
Hmmm... interesting thought. But I can't try this until tomorrow now though.

I would be surprised if it succeeded because when the certificate error is reported on the screen, it shows the name of the site as autodiscover.ourexternaldomain.com

I don't know where that domain name is coming from in this case. Our external website/domain is hosted by a third party. We don't have any contact with it, except that mail.ourexternaldomain.com is sent to our Exchange server.
0
 
MegaNuk3Commented:
If you are setting manual server settings and not using AutoDiscover then it shouldn't be looking for autodiscover.ourexternaldomain.com...
0
 
ipendleburyAuthor Commented:
I would love to turn off Autodiscover, but I have read in several places that it is not possible to do this in Outlook 2007.

The proxy server logs are packed with autodiscover entries. Perhaps because the request is failing, Outlook tries every few minutes.
0
 
ipendleburyAuthor Commented:
Sorry for the delay again....

When I looked in IIS, the default website was not running. When I tried to start it, I got an error saying that it could not be started due to the port already being in use.

I had to ask a question in the SBS forum, but what I was told was that I should not have a https binding on the default website. So I removed this binding and now the default website is running. I still got the same problem in Outlook 2007 though. I've asked the Proxy Server supplier if he can help. Not got an answer yet.
0
 
MegaNuk3Commented:
Hmmm, see if OWA still works now that you have done that.
0
 
ipendleburyAuthor Commented:
Yes it's fine. The conversation was a little more complicated than I indicated. I was told that if I just remove the binding it would cause other damage. So I did it by editing a .config file.
0
 
MegaNuk3Commented:
Have you viewed the cert to see what it is and what names it has listed in the cert?
0
 
MegaNuk3Commented:
So if you take out the proxy setting from the previously "healthy" Outlook 2007 client it doesn't work anymore? Are your other "healthy" Outlook 2007 clients still working?
0
 
ipendleburyAuthor Commented:
The name on the certificate is www.ourexternaldomain.com issued by Thawte Server. I mentioned earlier, this is really strange because www.ourexternaldomain.com does not exist at this location. It is hosted elsewhere by a third party. I assume that the Proxy Server has a part in all this because Outlook 2007 works fine on machines which are not on the proxy server.
0
 
ipendleburyAuthor Commented:
I put one client on the proxy server yesterday and immediately got the certificate error in Outlook 2007. This morning I took that client off the proxy server and Outlook 2007 started working normally again.
0
 
MegaNuk3Commented:
Hmmmm, well it definitely sounds like it is not an Exchange/Outlook issue. So I don't think we should mess around with those anymore.

Is the proxy setting an Internet Explorer setting? Is the "bypass proxy for local addresses" box ticked?
0
 
MegaNuk3Commented:
On a well Outlook 2007 machine open Outlook with /rpcdiag and see if the connection is TCP/IP or HTTP

Do the same on the proxy Outlook. Is it HTTP?
0
 
ipendleburyAuthor Commented:
The 'well' machine is connecting with http. The proxy machines are connecting with tcpip.
0
 
MegaNuk3Commented:
Errr. Are you sure it isn't the other way round?
0
 
ipendleburyAuthor Commented:
It would make sense to me. The proxy machines are having a problem connecting with http through the proxy server, so they use TCPIP instead. I just checked again. It's how I said in the previous message.
0
 
MegaNuk3Commented:
So are all these clients inside the LAN? Are they set up to use Outlook Anywhere/RPC over HTTPS? So the cert is fine.

It's the proxy setting that's the problem here. The proxy needs to be bypassed for internal addresses.
0
 
ipendleburyAuthor Commented:
Yes, the clients are all inside the LAN, and no, they are not set up to use Outlook Anywhere. These are desktop PCs which never move. So they only need the standard Exchange client.

Bypassing the proxy for internal addresses has no effect because autodiscover.myexternaldomain.com is perceived to be an external address. Although you mentioned that I could add that address to the DNS server.

I'm not in the office today. I'll give that a try on Monday.

Ian
0
 
MegaNuk3Commented:
I take it that your internal domain has a different FQDN to your external domain? e.g. mydomain.local (internal) vs. mydomain.com (external)?

Have a look at this article for what URLs Outlook tries to use for AutoDiscover:
http://support.microsoft.com/kb/940881
0
 
ipendleburyAuthor Commented:
Our internal domain is completely different from the external one, which is ourbrandname.co.uk. The internal domain is ourcompanyname.local

So I was completely surprised that Outlook is using autodiscover.ourbrandname.co.uk. This domain is not used internally and I can't imagine how the server knows about it, except for the fact that the MX record for that domain comes into our server and everyone has an email address for that domain.

Anyway, I added the autodiscover address to DNS and configured everyone's PC to bypass the proxy server for local addresses and it fixed the problem.

Thank you very much for your patience in getting this fixed. It's much appreciated.

Ian
0
 
MegaNuk3Commented:
Thanks for the update and the points.

So I take it that you added autodiscover.ourbrandname.co.uk to DNS?
0
 
ipendleburyAuthor Commented:
Yes, that's correct. Thanks again.
0
 
MegaNuk3Commented:
No problem, glad we got there in the end...
0
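Added example (not part of the original thread, and not code from any participant): a small Python check that reproduces the name mismatch discussed above. It derives the two HTTPS host names Outlook 2007 builds from the mailbox's SMTP domain and compares them with the names on the certificate each host presented. The address, the certificate name lists and the function names are constructed for illustration, and the SCP, HTTP-redirect and SRV lookups are not modelled.

```python
# Added illustration; every address and certificate name list here is constructed sample data.

def autodiscover_hosts(email):
    """HTTPS hosts derived from the SMTP domain of the address (SCP lookup not modelled)."""
    domain = email.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]


def name_matches(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse a bare "*.tld"
    return p == h


def check(email, presented):
    """presented maps host -> names on the certificate that host returned
    (a missing host means nothing answered on 443). Returns {host: verdict}."""
    report = {}
    for host in autodiscover_hosts(email):
        names = presented.get(host)
        if names is None:
            report[host] = "no HTTPS endpoint"
        elif any(name_matches(n, host) for n in names):
            report[host] = "ok"
        else:
            report[host] = "NAME MISMATCH: certificate is for " + ", ".join(names)
    return report


# Constructed: the lookup leaves the LAN and reaches the third-party web host,
# which answers with the public web site's certificate.
VIA_PROXY = {"autodiscover.ourexternaldomain.com": ["www.ourexternaldomain.com"]}

# Constructed: a hypothetical certificate that lists the Autodiscover name.
WITH_SAN = {"autodiscover.ourexternaldomain.com":
            ["remote.ourexternaldomain.com", "autodiscover.ourexternaldomain.com"]}

if __name__ == "__main__":
    for label, seen in (("via proxy", VIA_PROXY), ("autodiscover name on cert", WITH_SAN)):
        for host, verdict in check("user@ourexternaldomain.com", seen).items():
            print(f"{label:26} {host:38} {verdict}")
```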