
Outlook 2007 Security Certificate is Invalid

BenthamLtd asked
Hi,

I've just installed a new SBS2008 server into a new office.

When I was configuring the server using the SBS console, I set the Internet Address to mail.testingdomain.co.uk so I could test the routing of email.

Now that I have installed the server, I cannot seem to get rid of mail.testingdomain.co.uk.

I ran the SBS wizard on the Admin Console, entered the new name, but it errors before completing.
And all Outlook 2007 clients get this error when opening Outlook.

They still receive email, but they have to acknowledge this error twice before it will go away.

How can I change this to point to my new domain, remote.newoffice.com?

error.JPG

Top Expert 2013

Commented:
If you run the Configure my internet address wizard you can change the connecting addressing which would by default be remote.mydomain.co.uk.  However the users will receive the error unless you install the SBS self signed certificate on the connecting machines. This is done automatically when the machines join the domain, but you will have to do so manually if you made changes or if the machine is not part of the domain. The certificate is located under \\SBSname\Public\PublicDownloads

If you want to avoid having to install the certificate on all connecting machines, you need to install a 3rd party public certificate from a company like godaddy.com
http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
Save yourself a lot of trouble and time and get a Unified Communications Certificate (UCC) from GoDaddy.  These certs are specifically designed to work with Exchange and they will even help you over the phone to install it if necessary.  I used to fiddle around with all the self-signed, self-installing certificate crap from MS, but a UCC will get you up and running in 20 minutes.
Distinguished Expert 2018

Commented:
You posted the error Outlook is giving, but you state that you also get an error when attempting to run the wizard in the SBS console but did *not* post that error. The Internet Address Management Wizard (IAMW) is the correct way to fix this issue, but if it is throwing an error then you need to post that so we can troubleshoot.

I also wanted to make a quick note on some of the other advice you were given here. I also recommend purchasing a 3rd-party certificate such as one from GoDaddy, because as RobWill said, without one you will still see errors *or* have to deploy the locally signed cert to each client. Cumbersome. However, there is no need for it to be a UCC certificate. UCC certs are significantly more expensive, and for SBS are definitely overkill. A basic certificate is perfectly functional on SBS and doesn't require special client deployment steps.

Author

Commented:
Here is the error I receive, pretty nondescript.
error.jpg
Distinguished Expert 2018

Commented:
Alright, I think I know what is happening here, but I want to confirm.  Try re-running the wizard, but instead of remote.<whatever>, try remote2.<whatever> and see if it completes.

Post back your results.

Author

Commented:
Still errors with different subdomain.
I've just read somewhere that it might be Sharepoint related.

Could that be the problem?
Distinguished Expert 2018

Commented:
Very unlikely. The wizard creates a log file that can help pinpoint the crash. As I recall, it is the DPCW.log. Post the contents from the last run (since you've run multiple times, you can leave out previous runs...)

Commented:
Results of the log,
DPCW.log
Distinguished Expert 2018
Commented:
The key lines from the log are here:
---------------------------------------
An exception of type 'Type: System.NullReferenceException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' has occurred.
Timestamp: 06/13/2010 22:59:24
Message: Object reference not set to an instance of an object.
Stack:    at Microsoft.WindowsServerSolutions.ClientSetup.IEUtility._normalFavoritesEX()
 
As you can see, the "null" object is when it tries to get the list of favorite shortcuts that SBS provides by default. This is usually caused when someone edited the SBS group policies inappropriately. To fix this, you will need to do the following:
Open gpmc.msc and edit the "Windows SBS User Policy".
Navigate to User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> URLs.
View the properties of Favorites and Links.
Make a note of all the Favorites and Links (This has likely been customized from the default).
Here is where you will need to recreate any links that were removed. RWW, OWA, and sharepoint are the defaults.

Commented:
The properties of Favorites and Links have all the correct links plus some extras that were added.
I've removed the extras.

The default links were pointing to the mail.testingdomain.co.uk domain.
I have changed them to the domain I want to use.

I have rerun the wizard but it still fails.
DPCW.log
Distinguished Expert 2018

Commented:
Put all the links back as they were. Don't manually "update" the link from mail.* to remote.*  ....that also can break the wizard. Let the wizard do the updating.
Also, for future reference, don't change SBS group policies. You can create your own group policies all you like, and they are cumulative, but changing the default policies can, as you've discovered, cause problems with the wizards and does break migrations in the future.
Try to revert that group policy back to its original state the best you can. If the wizard still breaks then you may have to resort to a previous backup. If *that* still fails then you will have to look at performing a 2008 to 2008 migration to restore the system back to a healthy state.  ...hopefully you have a backup.
Distinguished Expert 2018

Commented:
...and, for the record, I'm a bit confused. Are stewea and BenthamLTD the same person or did this thread get hijacked?

Commented:
Hi,
Yes, two and the same.

Stewea is my new account.

I've changed the Links back, but still no joy.

I'm going down the GoDaddy route now and a Unified Communications Certificate.

Do I need the mail.testingdomain.co.uk domain in the Unified Communications Certificate, or can I drop it?
Distinguished Expert 2018

Commented:
Before you do that, try running the "Fix My Network Wizard"
It *may* help clean up your group policies (I've never tried it in this scenario) and then you can retry the IAMW.
Otherwise, you'll need to keep the mail.* in the UCC cert and you won't be able to run the IAMW, which in my opinion, will have long-term side-effects and I'd strongly discourage "leaving it be."
Top Expert 2013

Commented:
I agree with cgaliher, don't leave this un-repaired. With SBS it will come back to haunt you some day.

Do you get errors with the Fix My Network Wizard as well? Often if you get errors with one you will with the other due to some basic configuration errors.
Try running the SBS 2008 Best Practices Analyzer, it will often point out issues that need to be repaired.
http://www.microsoft.com/downloads/details.aspx?familyid=86a1aa32-9814-484e-bd43-3e42aec7f731&displaylang=en

As for using 2 names, BenthamLTD and stewea, that is a definite violation of the agreement you "signed" when you joined Experts-Exchange. You need to close the question, close the account, and then post a new question.
Run this command:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Replace the CAS server and the https:// URL with yours.

Commented:
Hi, I ran this command, it executed without error, I restarted the Exchange services, but the Outlook clients are still pointing to the mail.testingdomain.co.uk

Set-ClientAccessServer -Identity sbsserver -AutodiscoverServiceInternalUri https://remote.sbsprod.com/autodiscover/autodiscover.xml

Commented:
Hi, I have run the following command from the Exchange Management Shell:
[PS] C:\Windows\System32>GET-ClientAccessServer | fl

And it returned the following:


The AutoDiscoverServiceInternalUri is correct and everything listed fits with the domain the customer is using.

Do I need to recreate the UCC SSL certificate so it does not include the mail.testingdomain.co.uk?
Name                           : MYSERVER
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : MYSERVER
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://remote.MYprod.com/autodiscover/auto
                                 discover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : MYSERVER.MYprod.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=MYSERVER,CN=Servers,CN=Exchange Administ
                                 rative Group (FYDIBOHF23SPDLT),CN=Administrati
                                 ve Groups,CN=First Organization,CN=Microsoft E
                                 xchange,CN=Services,CN=Configuration,DC=MYp
                                 rod,DC=local
Identity                       : MYSERVER
Guid                           : 4fa242f0-c19d-xxxx-8278-xxxxxxxxxxxx
ObjectCategory                 : MYprod.local/Configuration/Schema/ms-Exch-E
                                 xchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 03/06/2010 20:30:13
WhenCreated                    : 02/06/2010 21:58:42


Commented:
I have also just run Get-WebServicesVirtualDirectory | fl > backupWeb.txt

backupWeb.txt contains the problem domain.

InternalNLBBypassUrl          : https://myserver.myprod.local/ews/exchang
                                e.asmx
Name                          : EWS (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://mySERVER.myprod.local/W3SVC/3/ROOT/
                                EWS
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\exchweb\EWS
Server                        : mySERVER
InternalUrl                   : https://mail.testingdomain.co.uk/EWS/Exchang
                                e.asmx
ExternalUrl                   : https://mail.testingdomain.co.uk/EWS/Exchang
                                e.asmx
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protoc
                                ols,CN=mySERVER,CN=Servers,CN=Exchange Admin
                                istrative Group (FYDIBOHF23SPDLT),CN=Administra
                                tive Groups,CN=First Organization,CN=Microsoft
                                Exchange,CN=Services,CN=Configuration,DC=myp
                                rod,DC=local
Identity                      : mySERVER\EWS (SBS Web Applications)
Guid                          : bbb623b9-1c9f-4455-9793-76f1a6624006
ObjectCategory                : myprod.local/Configuration/Schema/ms-Exch-We
                                b-Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServices
                                VirtualDirectory}
WhenChanged                   : 03/06/2010 20:22:47
WhenCreated                   : 02/06/2010 22:01:51
OriginatingServer             : mySERVER.myprod.local
IsValid                       : True

Should I look to run the following command to change testingdomain.co.uk  to the correct live  myprod.com domain?

set-WebServicesVirtualDirectory "myserver.quillprod.local\EWS (Default Web Site)" -InternalUrl https://remote.myprod.com/EWS/Exchange.asmx
Distinguished Expert 2018

Commented:
With all the time you've spent on this, you could have done a swing migration on SBS by now and been back up and running without the cloud of a misconfigured server over your head.

Commented:
Swing migration was no use due to the site of site and the fact the old server only ran file services.
Distinguished Expert 2018

Commented:
I'm not talking about the old server.  I'm talking about swinging your *current* install, which is broken (if a wizard crashes, it is broken) back onto the same hardware.  You can swing from SBS08 to SBS08 and get a stable install.

Commented:
I've run set-WebServicesVirtualDirectory "myserver.quillprod.local\EWS (Default Web Site)" -InternalUrl https://remote.myprod.com/EWS/Exchange.asmx

That appears to have resolved the certificate issue.
I have an image of the server, so will try some other fixes for the internet address wizard.
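
The comparison made by eye in the posts above, as an added example that is not code from the thread: it parses saved `Get-WebServicesVirtualDirectory | fl` or `Get-ClientAccessServer | fl` text, rejoins the console's wrapped lines, and lists every https URL whose host is not among the certificate's names. The sample text and the certificate name list are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like the `| fl` output quoted in the thread,
# including the console's mid-word line wrapping.
SAMPLE = """\
Name                          : EWS (SBS Web Applications)
InternalNLBBypassUrl          : https://myserver.myprod.local/ews/exchang
                                e.asmx
InternalUrl                   : https://mail.testingdomain.co.uk/EWS/Exchang
                                e.asmx
ExternalUrl                   : https://mail.testingdomain.co.uk/EWS/Exchang
                                e.asmx
AutoDiscoverServiceInternalUri : https://remote.myprod.com/autodiscover/auto
                                 discover.xml
"""
PROP = re.compile(r"^(\w+)\s*:\s?(.*)$")

def parse_fl(text):
    """Return (property, value) pairs, rejoining wrapped continuation lines.
    Rejoining is exact for URLs (no spaces); other values may lose a space."""
    rows = []
    for line in text.splitlines():
        m = PROP.match(line)
        if m:
            rows.append([m.group(1), m.group(2).strip()])
        elif line[:1] == " " and rows:
            rows[-1][1] += line.strip()
    return [tuple(r) for r in rows]

def host_covered(host, cert_names):
    """True if host equals a certificate name or matches a one-label wildcard."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def mismatched_urls(text, cert_names):
    """List (property, host) for each https URL whose host the cert lacks."""
    findings = []
    for prop, value in parse_fl(text):
        if value.lower().startswith("https://"):
            host = urlsplit(value).hostname
            if host and not host_covered(host, cert_names):
                findings.append((prop, host))
    return findings

if __name__ == "__main__":
    # Constructed certificate name list (assumption): public and internal name.
    for prop, host in mismatched_urls(SAMPLE, ["remote.myprod.com", "myserver.myprod.local"]):
        print(f"{prop}: {host} is not on the certificate")
```

Windows PowerShell's `>` redirection writes UTF-16, so a file such as backupWeb.txt should be opened with `encoding="utf-16"` before its text is passed to `mismatched_urls`.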

Author

Commented:
Finally fixed this by following the instruction from cgaliher, and also deleting all the links and favorites.

Open gpmc.msc and edit the "Windows SBS User Policy".
Navigate to User Configuration -> Policies -> Windows Settings -> Internet Explorer Maintenance -> URLs.
View the properties of Favorites and Links.
Make a note of all the Favorites and Links (This has likely been customized from the default).

When I ran the IAMW it ran through fine.
It also recreated all the deleted Favorites and Links.

Thanks to all