PC-Gear

Minor problem with UCC certificate

I'm having a small problem with Outlook reporting when it tries to connect to Exchange that "mail.domain.com" is missing on the certificate.

I have purchased a UCC certificate from Godaddy with the following SANs: remote.externaldomain.com, autodiscover.domain.local, autodiscover.externaldomain.com, DNSservername, and DNSservername.domain.local.

My understanding is that those SANs were enough for normal operation.

But Outlook (but only on some computers) is reporting about the one domain that's not included.  We are not using "mail.domain.com".  I need to find out where it's configured (probably in autodiscover) and change it to what the certificate says.  (Hopefully).

Anybody have any ideas where to start?
Andre Thibodeau

Did you update the autodiscover cert?

More than likely, your autodiscover server is hosted on the same server as the Exchange 2007 OWA CAS server, and its cert contains the SAN name of your autodiscover. There is no need to create or import a new cert for autodiscover, since you added it via the Exchange shell; however, you do need to tell IIS about it.  

Open the IIS Manager, and open the properties of the Autodiscover website.  Click Server Certificate on the Directory Security tab, then replace the cert with the new one previously stored in the Certificate store by Exchange. It should be listed; double click to open the cert, and verify it is the correct cert by looking at the SAN names assigned to the cert.  If all is good, apply the cert, recycle the autodiscover app pool and restart the autodiscover web site.
Test at https://www.testexchangeconnectivity.com/Default.aspx


Cheers

Andre
PC-Gear

ASKER

Yes, the CAS server is on the same box.  How do I get to the "Properties" of the Autodiscover website, exactly?
PC-Gear

ASKER

I have the proper certificate added under the bindings of "SBS Web Applications".

There is no "Properties" when you right-click on the website, and I don't see "Directory Security" under the IIS grouping.  Could you please be more specific?
Hi,

You will need to assign your certificate to the autodiscover website using IIS.

Open IIS Manager.

Select the autodiscover site.

From the "Actions" menu (on the right), click on "Bindings." This will open the "Site Bindings" window.

In the "Site Bindings" window, click "Edit"

Choose your new cert: pull the menu down, then view the cert to ensure the SAN names are correct, also look at the expiry date, then click the OKs and restart the autodiscover app pool and site.

:)

Test at https://www.testexchangeconnectivity.com/Default.aspx

Andre
PC-Gear

ASKER

There ISN'T a "Bindings" link on the action pane, with "Autodiscover" selected.  There is only a "Bindings" option on the action pane when the SBS Web Applications site is selected.  And again, the proper certificate is listed on the website.
you need to set the bindings on the site.

Server - Sites - `your site name` (globe icon) then click bindings

Then edit the 443 binding and select your cert.  Even if it is already selected, choose it again, select the cert and press the OKs.  If 443 is not there, add it with your cert.   Then run "iisreset /restart" from an admin cmd prompt.
PC-Gear

ASKER

I created another Outlook profile on this computer and it doesn't happen anymore.

The only thing happening now is on this particular computer is it's unable to download the OAB.  I get an object not found error message on it when I try to test by downloading it.

This particular computer is connecting via RPC/HTTPS.
In Outlook 2007/2010, autodiscover is required for the OAB and the Out of Office assistant to function correctly.

Is your autodiscover set up correctly? Add a test account and run the tests at that site I mentioned.  

PC-Gear

ASKER

No, it's not.  In Outlook, it's prompting me to allow for Autodiscover to reconfigure Outlook, but it's coming from the wrong domain (mail.externaldomain.com).  I have added autodiscover.externaldomain.com to the cert for it, not mail.externaldomain.com.  

Here is the obfuscated output of get-autodiscovervirtualdirectory:

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://ACCO-SS.acco.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ACCO-SS
InternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP, CN=Protocols,CN=ACCO-SS,CN=Servers,CN=Exchange
Administrative Group (AEFIBOJS32SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acco,DC=local
Identity                      : ACCO-SS\Autodiscover (SBS Web Applications)
Guid                          : C84C5498-23c0-612b-1a8d-6dc8d2a1165d (obfuscated)
ObjectCategory                : acco.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 7/24/2010 4:38:51 PM
WhenCreated                   : 7/13/2010 6:50:32 PM
OriginatingServer             : ACCO-SS.acco.local
IsValid                       : True

-------

Again, the URLs for Autodiscover are supposed to be: autodiscover.externaldomain.com and autodiscover.internaldomain.local (according to the cert).

I guess I need to change both the internal URL and External URL to: autodiscover.externaldomain.com to match the cert.

Is that right?
PC-Gear

ASKER

Where exactly do you think Outlook is getting the "mail.externaldomain.com" from?
ASKER CERTIFIED SOLUTION
Andre Thibodeau

This solution is only available to members.
PC-Gear

ASKER

Yes, we have a UCC cert for:
remote.externaldomain.com (Primary)
autodiscover.externaldomain.com
autodiscover.domain.local
acco-ss.domain.local
acco-ss

When I try to test the Autodiscover using testexchangeconnectivity.com, it fails (all attempted methods fail.)

Here is some partial output from that:

Attempting to test potential AutoDiscover URL https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.externaldomain.com in DNS.
  Host successfully resolved
   Additional Details
  IP(s) returned: 256.256.256.256 (obfuscated)
 
 Testing TCP Port 443 on host autodiscover.externaldomain.com to ensure it is listening and open.
  The port was opened successfully.
 ExRCA is testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   The certificate name is being validated.
  Successfully validated the certificate name
   Additional Details
  Found hostname autodiscover.externaldomain.com in Certificate Subject Alternative Name entry
 
 The certificate date is being confirmed to ensure the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  Certificate is valid: NotBefore = 8/24/2010 9:29:56 PM, NotAfter = 8/24/2013 9:29:56 PM"
 
 
 The IIS configuration is being checked for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates not configured.
 
 ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml for user jerry.smith@externaldomain.com
  Failed to obtain AutoDiscover XML response.
   Additional Details
  A Web Exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown

check your authentication methods for autodiscover virtual site in IIS

do you have anonymous, basic and windows auth enabled?

Can you browse https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml ?  You should get a logon prompt.
Hi there

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl:"https://ACCO-SS.acco.local/Autodiscover/Autodiscover.xml"

If your external OWA url is this
https://remote.externaldomain.com/owa
then the following setting below is fine

ExternalUrl                   : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
---
PC-Gear

ASKER

athibodeau: No, anonymous was not enabled.  I enabled it.
PC-Gear

ASKER

When I test going to Autodiscover.xml from the external domain name:  https://remote.externaldomain.com/autodiscover/autodiscover.xml, I get the following error message:

Service Unavailable
--------------------------------------------------------------------------------
HTTP Error 503. The service is unavailable.

Sunnyc7: Hello again!

I have changed the internal virtual directory to: https://acco-ss.acco.local/autodiscover/autodiscover.xml.  I still get the above error message.

Service unavailable doesn't sound like it should :~)
Check if all Exchange services and IIS are running.
If you can restart the server, now would be a good time.
PC-Gear

ASKER

Hello all:

I have restarted the server.

I don't get the error message anymore (from above).

I get an HTTP 403: Forbidden error message now when I try to go to https://remote.externaldomain.com/Autodiscover/autodiscover.xml; at least that's something different.  
I do NOT get a login prompt when I try to access autodiscover.xml.  This seems important at this time.  Please elaborate on this and some possible reasons why I'm not getting a login prompt when trying to access autodiscover.xml.

Also, No, I don't have autodiscover added in DNS.  Should I add it?

I have found another issue, however.  Everyone has lost connectivity to their computer through logging into remote.externaldomain.com and choosing to connect to their computer.  I'm not sure, but I think that this probably stopped working the same time I added the Godaddy UCC cert.  I had disabled all of the other certs that were self-signed with ACCO-SS.  Do I need to use any of these self-signed certs for clients' connectivity to their computers?

Oh great, I restarted W3SVC, and now it's reporting: HTTP Error 503. The service is unavailable.
when trying to connect to autodiscover.xml again.

Well, IIS was reporting that it (w3svc) was started again, but all of the sites were not running, and when I tried to start each (any) of the sites, it reported that they couldn't start because W3SVC wasn't running!  Anyway, the problem fixed itself after a few minutes, it's all back up again, but I still get the error message: HTTP 403: Forbidden again.

PC-Gear

ASKER

I have an autodiscover SRV record added to the domain: SRV: _autodiscover._tcp IN SRV 10 10 443 remote.externaldomain.com.

Should I still need an autodiscover DNS entry added?

Let's try to address the HTTP 403: Forbidden error first.

Thanks.

HELP!
Entering a service record for autodiscover is all that is required.  If in doubt, add the DNS host record too. I believe Outlook will check for the service record first, and if it does not exist then checks for a host record.

When you browse to https://remote.externaldomain.com/Autodiscover/autodiscover.xml the expected response is a logon prompt.

Once you log on, you should get something like...  (use IE)

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="12:00:34.4148490" Id="2712708472">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>

You will get a 600 error and this is ok as you are connecting to the autodiscover service just fine.  The reason why you get the 600 error is that you are not sending a proper http/get request with the schema data that is needed.

If something else...  Then you have an issue with autodiscovery

Check your Offline Address Book URLs.

Open the Exchange management GUI and load up Server Config\Client Access, look at the offline address book and its internal and external URLs, and adjust if necessary.

Check the IIS authentication setup for autodiscover.

Run the PS command Test-OutlookWebServices.

Andre
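The post above describes what a manual browser probe of Autodiscover.xml should look like (a logon prompt, then an error-600 body) and what the 403 and 503 responses seen earlier in the thread mean. As an added example that is not part of the thread and not Exchange's own tooling, the Python below parses that error-600 body with the standard library and maps the HTTP status of a probe to the next troubleshooting step the thread discusses. The XML sample is constructed from the body Andre shows; the diagnosis strings are my own summary of the thread, not Exchange documentation.

```python
"""Interpret a manual GET of /Autodiscover/Autodiscover.xml.

Added example: parses the error-600 response Andre describes and maps the
HTTP status codes seen in the thread (401/200/403/503) to a next step.
"""
import xml.etree.ElementTree as ET

AD_NS = {"ad": "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"}

# Constructed sample: the body returned after logging on and sending a plain GET
# (no Autodiscover request document), as shown in the thread.
SAMPLE_600_BODY = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="12:00:34.4148490" Id="2712708472">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""


def parse_autodiscover_error(body):
    """Return (code, message) from the <Error> element, or None if the body
    is not well-formed XML or carries no Error element."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    err = root.find("ad:Response/ad:Error", AD_NS)
    if err is None:
        return None
    code = err.findtext("ad:ErrorCode", default="", namespaces=AD_NS).strip()
    message = err.findtext("ad:Message", default="", namespaces=AD_NS).strip()
    return (int(code) if code.isdigit() else -1, message)


def classify_probe(status, body=""):
    """Map the HTTP status (and, for 200, the body) of a manual GET to a
    diagnosis. The meanings follow the thread: 401 and error 600 are healthy,
    403 and 503 are the failures the asker hit."""
    if status == 401:
        return "reachable: a logon prompt is the expected unauthenticated response"
    if status == 200:
        err = parse_autodiscover_error(body)
        if err is not None and err[0] == 600:
            return "reachable: error 600 'Invalid Request' is expected for a plain GET"
        return "unexpected 200 body: not the error-600 shape; inspect the response"
    if status == 403:
        return ("forbidden: IIS refused the request; check the Autodiscover "
                "virtual directory's authentication methods and SSL settings")
    if status == 503:
        return ("service unavailable: the site or its app pool is stopped; "
                "check W3SVC and the Autodiscover app pool")
    return "HTTP %d: not one of the states discussed; inspect the IIS logs" % status


if __name__ == "__main__":
    # Walk through the states the thread went through, in order.
    for status, body in [(503, ""), (403, ""), (401, ""), (200, SAMPLE_600_BODY)]:
        print(status, "->", classify_probe(status, body))
```

Paste the body a browser shows into `classify_probe(200, body)`; anything other than the error-600 shape after logon means the request did not reach the Autodiscover handler.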
PC-Gear

ASKER

Again, I do NOT get a login prompt when trying to access http://remote.externaldomain.com/autodiscover/autodiscover.xml.  

I get a  HTTP 403: Forbidden response.

Is anyone actually reading my above posts?

Can we please address the HTTP 403: Forbidden error.
can you reissue the certificate and then try
PC-Gear

ASKER

Sorry for the delays.

I have been busy working on another project.  (No, I don't need any help on this one, it all went flawlessly -- it's NOT Microsoft).

I think I found the problem, I had added mail.externaldomain.com to an external SRV record on the domain.  I have removed it and it *seems* to be working correctly now.
PC-Gear

ASKER

On the other issue, I'm not sure why exactly, but I'm now being presented with a logon prompt when I try to go to https://remote.externaldomain.com/autodiscover/autodiscover.xml.  

I'm now getting a correct response and testexchangeconnectivity.com's Autodiscover test is passing as well.

It seems to be working now.  But I'm not sure exactly whom to award points to because I'm not sure what fixed it ???
PC-Gear

ASKER

I discovered that I had added an additional SRV record that included mail.externaldomain.com.  So his post helped me fix the original problem.  I'm not sure what fixed the autodiscover problem, but I'm sure happy it's fixed.
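The root cause the asker settled on is a stale SRV record pointing clients at a hostname (mail.externaldomain.com) that the UCC certificate does not carry, so Outlook warned about a name mismatch. As an added example that is not part of the thread, the Python below takes the SAN list the asker posted, parses _autodiscover._tcp SRV records from a constructed zone snippet (the correct record from the thread plus the stale one the asker describes), and reports which names clients may be sent to that the certificate does not cover. The SRV lines, the SMTP domain and the wildcard-matching rule (one leftmost label only) are assumptions of this example; the SANs and the ExternalUrl are the obfuscated values from the thread.

```python
"""Report hostnames clients may be directed to that the certificate's SANs do not cover.

Added example, not code from the thread. Constructed inputs: the SRV zone lines
and the SMTP domain. The SAN list and ExternalUrl are the thread's obfuscated values.
"""
from urllib.parse import urlparse

# SANs on the asker's UCC certificate, as listed in the thread.
CERT_SANS = [
    "remote.externaldomain.com",
    "autodiscover.externaldomain.com",
    "autodiscover.domain.local",
    "acco-ss.domain.local",
    "acco-ss",
]

# Constructed zone snippet: the SRV record the asker posted, plus a second,
# stale record of the kind the asker found pointing at mail.externaldomain.com.
SRV_ZONE = """
_autodiscover._tcp IN SRV 10 10 443 remote.externaldomain.com.
_autodiscover._tcp IN SRV 20 10 443 mail.externaldomain.com.
"""

# ExternalUrl from the Get-AutodiscoverVirtualDirectory output in the thread.
SERVICE_URLS = ["https://remote.externaldomain.com/Autodiscover/Autodiscover.xml"]


def parse_srv_targets(zone_text):
    """Return target hosts of _autodiscover._tcp SRV lines in zone-file form:
    name [ttl] IN SRV priority weight port target."""
    targets = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].lower() != "_autodiscover._tcp":
            continue
        if fields[-5].upper() != "SRV":
            continue
        targets.append(fields[-1].rstrip(".").lower())
    return targets


def san_matches(san, host):
    """Case-insensitive DNS-name match; a wildcard SAN covers exactly one
    leftmost label (assumed RFC 6125-style rule, no partial-label wildcards)."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # "*.example.com" -> ".example.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def names_clients_will_try(smtp_domain, srv_targets, service_urls):
    """Names the thread shows clients being directed to: the autodiscover.<domain>
    host, every SRV target, and the hosts in the configured service URLs."""
    names = ["autodiscover." + smtp_domain] + list(srv_targets)
    names += [urlparse(u).hostname for u in service_urls]
    return names


def uncovered_names(sans, hostnames):
    """Sorted, de-duplicated hostnames with no matching SAN; each one will
    produce a certificate-name warning on clients that reach it."""
    return sorted({h.lower().rstrip(".") for h in hostnames
                   if not any(san_matches(s, h) for s in sans)})


def report(smtp_domain="externaldomain.com", zone_text=SRV_ZONE, sans=CERT_SANS,
           service_urls=SERVICE_URLS):
    """Assumed SMTP domain 'externaldomain.com' ties the autodiscover host to the thread's names."""
    targets = parse_srv_targets(zone_text)
    return uncovered_names(sans, names_clients_will_try(smtp_domain, targets, service_urls))


if __name__ == "__main__":
    bad = report()
    print("SRV targets:", parse_srv_targets(SRV_ZONE))
    print("names not covered by the certificate:", bad or "none")
```

Run as-is it flags only mail.externaldomain.com, which is exactly the stale SRV target the asker removed; feed it the real SAN list and the zone's SRV lines and an empty result means no configured name will trip the client's certificate check.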