Solved

Minor problem with UCC certificate

Posted on 2010-08-28
Last Modified: 2013-12-04
I'm having a small problem with Outlook reporting when it tries to connect to Exchange that "mail.domain.com" is missing on the certificate.

I have purchased a UCC certificate from Godaddy with the following SANs: remote.externaldomain.com, autodiscover.domain.local, autodiscover.externaldomain.com, DNSservername, and DNSservername.domain.local.

My understanding is that those SANs were enough for normal operation.

But Outlook (but only on some computers) is reporting about the one domain that's not included.  We are not using "mail.domain.com".  I need to find out where it's configured (probably in autodiscover) and change it to what the certificate says.  (Hopefully).

Anybody have any ideas where to start?
Question by:PC-Gear

Expert Comment

by:Andre Thibodeau
ID: 33551058
Did you update the autodiscover cert?

More than likely, your autodiscover server is hosted on the same server as the Exchange 2007 OWA CAS server, and its cert contains the SAN name of your autodiscover. There is no need to create or import a new cert for autodiscover since you added it via the Exchange shell; however, you do need to tell IIS about it.

Open the IIS Manager, and open the properties of the Autodiscover website.  Click Server Certificate on the Directory Security tab, then replace the cert with the new one previously stored in the certificate store by Exchange. It should be listed; double-click to open the cert, and verify it is the correct cert by looking at the SAN names assigned to it.  If all is good, apply the cert, recycle the autodiscover app pool and restart the autodiscover web site.
Test at https://www.testexchangeconnectivity.com/Default.aspx


Cheers

Andre

Author Comment

by:PC-Gear
ID: 33551100
Yes, the CAS server is on the same box.  How do I get to the "Properties" of the Autodiscover website, exactly?

Author Comment

by:PC-Gear
ID: 33551180
I have the proper certificate added under the bindings of "SBS Web Applications".

There is no "Properties" when you right-click on the website, and I don't see "Directory Security" under the IIS grouping.  Could you please be more specific?

Expert Comment

by:Andre Thibodeau
ID: 33551201
Hi,

You will need to assign your certificate to the autodiscover website using IIS.

Open IIS Manager.

Select the autodiscover site.

From the "Actions" menu (on the right), click on "Bindings." This will open the "Site Bindings" window.

In the "Site Bindings" window, click "Edit"

Choose your new cert from the pull-down menu, then view the cert to ensure the SAN names are correct, and also look at the expiry date. Then click the OKs and restart the autodiscover app pool and site.

:)

Test at https://www.testexchangeconnectivity.com/Default.aspx

Andre

Author Comment

by:PC-Gear
ID: 33551220
There ISN'T a "Bindings" link on the action pane, with "Autodiscover" selected.  There is only a "Bindings" option on the action pane when the SBS Web Applications site is selected.  And again, the proper certificate is listed on the website.

Expert Comment

by:Andre Thibodeau
ID: 33551239
You need to set the bindings on the site.

Server - Sites - `your site name` (globe icon), then click Bindings.

Then edit the 443 binding and select your cert.  Even if it is already selected, choose it again, select the cert and press the OKs.  If 443 is not there, add it with your cert.  Then run "iisreset /restart" from an admin cmd prompt.

Author Comment

by:PC-Gear
ID: 33551285
I created another Outlook profile on this computer and it doesn't happen anymore.

The only thing happening now is on this particular computer is it's unable to download the OAB.  I get an object not found error message on it when I try to test by downloading it.

This particular computer is connecting via RPC/HTTPS.

Expert Comment

by:Andre Thibodeau
ID: 33551304
In Outlook 2007/2010, autodiscover is required for the OAB and the Out of Office assistant to function correctly.

Is your autodiscover set up correctly? Add a test account and run the tests at the site I mentioned.


Author Comment

by:PC-Gear
ID: 33551531
No, it's not.  In Outlook, it's prompting me to allow for Autodiscover to reconfigure Outlook, but it's coming from the wrong domain (mail.externaldomain.com).  I have added autodiscover.externaldomain.com to the cert for it, not mail.externaldomain.com.  

Here is the obfuscated get-autodiscovervirtualdirectory:


Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://ACCO-SS.acco.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ACCO-SS
InternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=ACCO-SS,CN=Servers,CN=Exchange Administrative Group (AEFIBOJS32SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acco,DC=local
Identity                      : ACCO-SS\Autodiscover (SBS Web Applications)
Guid                          : C84C5498-23c0-612b-1a8d-6dc8d2a1165d (obfuscated)
ObjectCategory                : acco.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 7/24/2010 4:38:51 PM
WhenCreated                   : 7/13/2010 6:50:32 PM
OriginatingServer             : ACCO-SS.acco.local
IsValid                       : True

-------

Again, the URLs for Autodiscover are supposed to be: autodiscover.externaldomain.com and autodiscover.internaldomain.local (according to the cert).

I guess I need to change both the internal URL and External URL to: autodiscover.externaldomain.com to match the cert.

Is that right?

Author Comment

by:PC-Gear
ID: 33551544
Where exactly do you think Outlook is getting the "mail.externaldomain.com" from?

Accepted Solution

by:Andre Thibodeau (earned 500 total points)
ID: 33551638
You can set the OAB and autodiscover values following this doc:

http://technet.microsoft.com/en-us/library/bb201695%28EXCHG.80%29.aspx

Now, looking at the output above, your autodiscover is a virtual directory on the site remote.externaldomain.com. You have a cert for this, right?

Did you add the autodiscover DNS record?

I see other posts from you with related issues, RPC, etc. Are these issues fixed?

Have a good read through this blog: http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Andre

Author Comment

by:PC-Gear
ID: 33551676
Yes, we have a UCC cert for:
remote.externaldomain.com (Primary)
autodiscover.externaldomain.com
autodiscover.domain.local
acco-ss.domain.local
acco-ss

When I try to test the Autodiscover using testexchangeconnectivity.com, it fails (all attempted methods fail.)

Here is some partial output from that:

Attempting to test potential AutoDiscover URL https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.externaldomain.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 256.256.256.256 (obfuscated)
 
 Testing TCP Port 443 on host autodiscover.externaldomain.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   The certificate name is being validated.
  Successfully validated the certificate name
   Additional Details
  Found hostname autodiscover.externaldomain.com in Certificate Subject Alternative Name entry
 
 The certificate date is being confirmed to ensure the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  Certificate is valid: NotBefore = 8/24/2010 9:29:56 PM, NotAfter = 8/24/2013 9:29:56 PM
 
 
 The IIS configuration is being checked for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates not configured.
 
 ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml for user jerry.smith@externaldomain.com
  Failed to obtain AutoDiscover XML response.
   Additional Details
  A Web Exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown

Expert Comment

by:Andre Thibodeau
ID: 33551720
Check your authentication methods for the autodiscover virtual site in IIS.

Do you have anonymous, basic and Windows auth enabled?

Can you browse https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml ?  You should get a logon prompt.

Expert Comment

by:sunnyc7
ID: 33553181
Hi there

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl:"https://ACCO-SS.acco.local/Autodiscover/Autodiscover.xml"

If your external OWA url is this
https://remote.externaldomain.com/owa
then the following setting below is fine

ExternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
---

Author Comment

by:PC-Gear
ID: 33554057
athibodeau: No, anonymous was not enabled.  I enabled it.

Author Comment

by:PC-Gear
ID: 33554105
When I test going to Autodiscover.xml from the external domain name:  https://remote.externaldomain.com/autodiscover/autodiscover.xml, I get the following error message:

Service Unavailable
--------------------------------------------------------------------------------
HTTP Error 503. The service is unavailable.

Sunnyc7: Hello again!

I have changed the internal virtual directory to: https://acco-ss.acco.local/autodiscover/autodiscover.xml I still get the above error message.

Service unavailable doesn't sound like it should :~)

Expert Comment

by:sunnyc7
ID: 33554240
Check if all Exchange services and IIS are running.
If you can restart the server, now would be a good time.

Author Comment

by:PC-Gear
ID: 33555519
Hello all:

I have restarted the server.

I don't get the error message anymore (from above).

I get an HTTP 403: Forbidden error message now when I try to go to https://remote.externaldomain.com/Autodiscover/autodiscover.xml. At least that's something different.
I do NOT get a login prompt when I try to access autodiscover.xml.  This seems important at this time.  Please elaborate on this and some possible reasons why I'm not getting a login prompt when trying to access autodiscover.xml.

Also, no, I don't have autodiscover added in DNS.  Should I add it?

I have found another issue, however.  Everyone has lost connectivity to their computer through logging into remote.externaldomain.com and choosing to connect to their computer.  I'm not sure, but I think that this probably stopped working the same time I added the Godaddy UCC cert.  I had disabled all of the other certs that were self-signed with ACCO-SS.  Do I need to use any of these self-signed certs for clients' connectivity to their computers?

Oh great, I restarted W3SVC, and now it's reporting "HTTP Error 503. The service is unavailable." when trying to connect to autodiscover.xml again.

Well, IIS was reporting that it (w3svc) was started again, but all of the sites were not running, and when I tried to start each (any) of the sites, it reported that they couldn't start because W3SVC wasn't running!  Anyway, the problem fixed itself after a few minutes, it's all back up again, but I still get the error message: HTTP 403: Forbidden again.


Author Comment

by:PC-Gear
ID: 33559064
I have an autodiscover SRV record added to the domain: SRV: _autodiscover._tcp IN SRV 10 10 443 remote.externaldomain.com.

Should I still need an autodiscover DNS entry added?

Let's try to address the HTTP 403: Forbidden error first.

Thanks.

HELP!

Expert Comment

by:Andre Thibodeau
ID: 33559526
Entering a service record for autodiscover is all that is required.  If in doubt, add the DNS host record too. I believe Outlook will check for the service record first, and if it does not exist, then checks for a host record.

When you browse to https://remote.externaldomain.com/Autodiscover/autodiscover.xml the expected response is a logon prompt.

Once you log on, you should get something like the following (use IE):

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="12:00:34.4148490" Id="2712708472">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>

You will get a 600 error, and this is OK, as you are connecting to the autodiscover service just fine.  The reason you get the 600 error is that you are not sending a proper HTTP GET request with the schema data that is needed.

If you get something else, then you have an issue with autodiscover.

Check your Offline Address Book URLs.

Open the Exchange management GUI, load up Server Config\Client Access, and look at the Offline Address Book and its internal and external URLs; adjust if necessary.

Check the IIS authentication setup for autodiscover.

Run the PowerShell command Test-OutlookWebServices.

Andre

Author Comment

by:PC-Gear
ID: 33564214
Again, I do NOT get a login prompt when trying to access http://remote.externaldomain.com/autodiscover/autodiscover.xml.  

I get a  HTTP 403: Forbidden response.

Is anyone actually reading my above posts?

Can we please address the HTTP 403: Forbidden error.

Expert Comment

by:sunnyc7
ID: 33568568
Can you reissue the certificate and then try again?

Author Comment

by:PC-Gear
ID: 33612057
Sorry for the delays.

I have been busy working on another project.  (No, I don't need any help on this one, it all went flawlessly -- it's NOT Microsoft).

I think I found the problem, I had added mail.externaldomain.com to an external SRV record on the domain.  I have removed it and it *seems* to be working correctly now.
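As an added example (not code from this thread or from Exchange), here is a small Python check for the situation the thread describes: it gathers the hostnames Outlook may present in TLS (the Autodiscover virtual-directory URLs, the _autodiscover._tcp SRV targets, and the autodiscover.<smtp domain> name that ExRCA probed) and reports which of them are absent from the certificate's SAN list. The SAN list, URLs and SRV records are constructed to mirror the thread; the second SRV record stands in for the stray record that pointed Outlook at mail.externaldomain.com.

```python
from urllib.parse import urlsplit

# Constructed SAN list mirroring the UCC certificate described in the thread.
CERT_SANS = ["remote.externaldomain.com", "autodiscover.externaldomain.com",
             "autodiscover.domain.local", "acco-ss.domain.local", "acco-ss"]

# Constructed InternalUrl/ExternalUrl as shown by Get-AutodiscoverVirtualDirectory.
AUTODISCOVER_URLS = ["https://remote.externaldomain.com/Autodiscover/Autodiscover.xml"]

# Constructed _autodiscover._tcp SRV data ("priority weight port target"); the second
# record stands in for the stray one that sent Outlook to a name missing from the cert.
SRV_RECORDS = ["10 10 443 remote.externaldomain.com.", "20 10 443 mail.externaldomain.com."]


def san_matches(san, host):
    """Match a SAN dNSName against a hostname: case-insensitive, exact or a
    single-label leftmost wildcard (*.example.com covers a.example.com only)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == san[2:]
    return False


def srv_target(record):
    """Return the target hostname from SRV record data, rejecting malformed input."""
    fields = record.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV data: {record!r}")
    return fields[3].rstrip(".")


def client_hostnames(urls, srv_records, extra=()):
    """Every hostname a client may present in TLS: URL hosts, SRV targets and any
    extra candidates such as the autodiscover.<smtp domain> name ExRCA probes."""
    hosts = {urlsplit(u).hostname for u in urls}
    hosts |= {srv_target(r) for r in srv_records}
    hosts |= set(extra)
    return sorted(h for h in hosts if h)


def uncovered_hostnames(sans, hosts):
    """Hostnames no SAN covers; these are the names Outlook will warn about."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    hosts = client_hostnames(AUTODISCOVER_URLS, SRV_RECORDS, ["autodiscover.externaldomain.com"])
    for h in uncovered_hostnames(CERT_SANS, hosts):
        print("not on certificate:", h)  # reports mail.externaldomain.com
```

Running it against these inputs flags only mail.externaldomain.com, the name the stray SRV record introduced, which is the same mismatch Outlook reported.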

Author Comment

by:PC-Gear
ID: 33612248
On the other issue, I'm not sure why exactly, but I'm now being presented with a logon prompt when I try to go to https://remote.externaldomain.com/autodiscover/autodiscover.xml.

I'm now getting a correct response and testexchangeconnectivity.com's Autodiscover test is passing as well.

It seems to be working now.  But I'm not sure exactly whom to award points to because I'm not sure what fixed it ???

Author Closing Comment

by:PC-Gear
ID: 33643526
I discovered that I had added an additional SRV record that included mail.externaldomain.com.  So his post helped me fix the original problem.  I'm not sure what fixed the autodiscover problem, but I'm sure happy it's fixed.