PC-Gear
asked on
Minor problem with UCC certificate
I'm having a small problem with Outlook reporting when it tries to connect to Exchange that "mail.domain.com" is missing on the certificate.
I have purchased a UCC certificate from Godaddy with the following SANs: remote.externaldomain.com, autodiscover.domain.local, autodiscover.externaldomain.com, DNSservername, and DNSservername.domain.local.
My understanding is that those SANs were enough for normal operation.
But Outlook (but only on some computers) is reporting about the one domain that's not included. We are not using "mail.domain.com". I need to find out where it's configured (probably in autodiscover) and change it to what the certificate says. (Hopefully).
Anybody have any ideas where to start?
ASKER
Yes, the CAS server is on the same box. How do I get to the "Properties" of the Autodiscover website, exactly?
ASKER
I have the proper certificate added under the bindings of "SBS Web Applications".
There is no "Properties" when you right-click on the website, and I don't see "Directory Security" under the IIS grouping. Could you please be more specific?
Hi,
You will need to assign your certificate to the autodiscover website using IIS.
Open IIS Manager.
Select the autodiscover site.
From the "Actions" menu (on the right), click on "Bindings." This will open the "Site Bindings" window.
In the "Site Bindings" window, click "Edit"
Choose your new cert from the pull-down menu, then view the cert to ensure the SAN names are correct and check the expiry date. Click OK, then restart the autodiscover app pool and site.
:)
Test at https://www.testexchangeconnectivity.com/Default.aspx
Andre
ASKER
There ISN'T a "Bindings" link on the action pane, with "Autodiscover" selected. There is only a "Bindings" option on the action pane when the SBS Web Applications site is selected. And again, the proper certificate is listed on the website.
You need to set the bindings on the site.
Server - Sites - `your site name` (globe icon), then click Bindings.
Then edit the 443 binding and select your cert. Even if it is already selected, choose it again, select the cert and press OK. If 443 is not there, add it with your cert. Then run "iisreset /restart" from an admin cmd prompt.
ASKER
I created another Outlook profile on this computer and it doesn't happen anymore.
The only thing happening now on this particular computer is that it's unable to download the OAB. I get an "object not found" error message when I try to test by downloading it.
This particular computer is connecting via RPC/HTTPS.
In Outlook 2007/2010, Autodiscover is required for the OAB and Out of Office Assistant to function correctly.
Is your Autodiscover set up correctly? Add a test account and run the tests at that site I mentioned.
ASKER
No, it's not. In Outlook, it's prompting me to allow Autodiscover to reconfigure Outlook, but it's coming from the wrong domain (mail.externaldomain.com). I have added autodiscover.externaldomain.com to the cert for it, not mail.externaldomain.com.
Here is the obfuscated get-autodiscovervirtualdirectory:
Name : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://ACCO-SS.acco.local/W3SVC/3/ROOT/Autodiscover
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server : ACCO-SS
InternalUrl : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
ExternalUrl : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=ACCO-SS,CN=Servers,CN=Exchange Administrative Group (AEFIBOJS32SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acco,DC=local
Identity : ACCO-SS\Autodiscover (SBS Web Applications)
Guid : C84C5498-23c0-612b-1a8d-6dc8d2a1165d (obfuscated)
ObjectCategory : acco.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged : 7/24/2010 4:38:51 PM
WhenCreated : 7/13/2010 6:50:32 PM
OriginatingServer : ACCO-SS.acco.local
IsValid : True
-------
Again, the URLs for Autodiscover are supposed to be: autodiscover.externaldomain.com and autodiscover.internaldomain.local (according to the cert).
I guess I need to change both the internal URL and External URL to: autodiscover.externaldomain.com to match the cert.
Is that right?
ASKER
Where exactly do you think Outlook is getting the "mail.externaldomain.com" from?
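The question above (which configured name Outlook is being handed) and the earlier binding advice (which certificate IIS actually serves on 443) can both be answered from the Exchange Management Shell. The script below is an added example, not code from the thread or from Microsoft: it gathers every host name Exchange 2007 can give Outlook (the Autodiscover SCP URL, the CAS virtual directory InternalUrl/ExternalUrl values, the Outlook Anywhere external host), checks each against the CN and DNS SANs of the certificate enabled for IIS, and then compares the HTTP.SYS 443 binding hash with that certificate. It assumes PowerShell 2.0 or later, English netsh output, and that it runs on the CAS server itself (the single-box SBS case here); the function names and the $Server parameter are this example's own.

```powershell
# Added example, not from the thread: list every host name Exchange 2007 can
# hand to Outlook (Autodiscover SCP, CAS virtual directory URLs, the Outlook
# Anywhere external host), check each against the CN and DNS SANs of the
# certificate Exchange has enabled for IIS, and confirm the HTTP.SYS 443
# binding really carries that certificate. Run in the Exchange Management
# Shell on the CAS server; assumes PowerShell 2.0 or later and English netsh
# output. $Server defaults to the local box (the SBS single-server case).
param([string]$Server = $env:COMPUTERNAME)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject CN plus every "DNS Name=" entry of the SAN extension (OID 2.5.29.17).
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return ($names | Select-Object -Unique)
}

function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one label to the left of the suffix.
        if ($n.StartsWith('*.') -and
            $HostName -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

# The certificate Exchange has assigned to IIS (what the 443 binding should use).
$cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No Exchange certificate has the IIS service enabled.' }
$certNames = @(Get-CertDnsNames $cert)
"IIS certificate {0}: {1}" -f $cert.Thumbprint, ($certNames -join ', ')

# Collect every URL Outlook can be given. Domain-joined Outlook reads the SCP
# URL from AD first; RPC/HTTP clients get their proxy host from Outlook Anywhere.
$entries = @()
function Add-Entry {
    param([string]$Source, $Url)
    if ($Url) { $script:entries += New-Object PSObject -Property @{ Source = $Source; Url = "$Url" } }
}
Add-Entry 'Autodiscover SCP' (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
$vdirCmdlets = @{ 'Autodiscover' = 'Get-AutodiscoverVirtualDirectory'; 'OAB' = 'Get-OabVirtualDirectory'
                  'EWS' = 'Get-WebServicesVirtualDirectory'; 'OWA' = 'Get-OwaVirtualDirectory'
                  'ActiveSync' = 'Get-ActiveSyncVirtualDirectory' }
foreach ($kind in $vdirCmdlets.Keys) {
    foreach ($vd in (& $vdirCmdlets[$kind] -Server $Server)) {
        Add-Entry "$kind InternalUrl" $vd.InternalUrl
        Add-Entry "$kind ExternalUrl" $vd.ExternalUrl
    }
}
foreach ($oa in Get-OutlookAnywhere -Server $Server) {
    Add-Entry 'Outlook Anywhere ExternalHostname' "https://$($oa.ExternalHostname)/rpc"
}

# Any row with OnCertificate = False is a name Outlook can receive that the
# certificate does not cover, i.e. a source of the "name mismatch" warning.
$entries | ForEach-Object {
    $hostName = ([System.Uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source        = $_.Source
        Host          = $hostName
        OnCertificate = Test-NameOnCert -HostName $hostName -CertNames $certNames
    }
} | Format-Table Source, Host, OnCertificate -AutoSize

# Cross-check the HTTP.SYS SSL bindings against the Exchange certificate hash:
# an old self-signed cert left on 0.0.0.0:443 overrides anything set in Exchange.
$ipPort = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match 'IP:port\s*:\s*(\S+)') { $ipPort = $Matches[1] }
    elseif ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $state = if ($Matches[1] -ieq $cert.Thumbprint) { 'matches the Exchange IIS certificate' }
                 else { "is a DIFFERENT certificate ($($Matches[1]))" }
        "Binding {0} {1}" -f $ipPort, $state
    }
}
```

Read the table for any False row: that host name is one Outlook can legitimately be told to connect to, and it is the place to change (Set-*VirtualDirectory or Set-OutlookAnywhere) or to add to the next certificate request. A binding line that reports a different hash means IIS is still serving an older certificate regardless of what Enable-ExchangeCertificate recorded, which is the situation the "select the cert again in the 443 binding" advice in this thread addresses.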
ASKER
Yes, we have a UCC cert for:
remote.externaldomain.com (Primary)
autodiscover.externaldomain.com
autodiscover.domain.local
acco-ss.domain.local
acco-ss
When I try to test the Autodiscover using testexchangeconnectivity.com, it fails (all attempted methods fail).
Here is some partial output from that:
Attempting to test potential AutoDiscover URL https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.externaldomain.com in DNS.
Host successfully resolved
Additional Details
IP(s) returned: 256.256.256.256 (obfuscated)
Testing TCP Port 443 on host autodiscover.externaldomain.com to ensure it is listening and open.
The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
The certificate name is being validated.
Successfully validated the certificate name
Additional Details
Found hostname autodiscover.externaldomain.com in Certificate Subject Alternative Name entry
The certificate date is being confirmed to ensure the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
Certificate is valid: NotBefore = 8/24/2010 9:29:56 PM, NotAfter = 8/24/2013 9:29:56 PM
The IIS configuration is being checked for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates not configured.
ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml for user jerry.smith@externaldomain.com
Failed to obtain AutoDiscover XML response.
Additional Details
A Web Exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown
Check your authentication methods for the Autodiscover virtual site in IIS.
Do you have anonymous, basic and Windows auth enabled?
Can you browse https://autodiscover.externaldomain.com/AutoDiscover/AutoDiscover.xml ? You should get a logon prompt.
Hi there
get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -internalurl:"https://ACCO-SS.acco.local/Autodiscover/Autodiscover.xml"
If your external OWA url is this
https://remote.externaldomain.com/owa
then the following setting below is fine
ExternalUrl : https://remote.externaldomain.com/Autodiscover/Autodiscover.xml
---
ASKER
athibodeau: No, anonymous was not enabled. I enabled it.
ASKER
When I test going to Autodiscover.xml from the external domain name: https://remote.externaldomain.com/autodiscover/autodiscover.xml, I get the following error message:
Service Unavailable
--------------------------------------------------------------------------------
HTTP Error 503. The service is unavailable.
Sunnyc7: Hello again!
I have changed the internal virtual directory to: https://acco-ss.acco.local/autodiscover/autodiscover.xml I still get the above error message.
Service unavailable doesn't sound like it should :~)
Check whether all Exchange services and IIS are running.
If you can restart the server, now will be a good time.
ASKER
Hello all:
I have restarted the server.
I don't get the error message anymore (from above).
I get an HTTP 403: Forbidden error message now when I try to go to https://remote.externaldomain.com/Autodiscover/autodiscover.xml; at least that's something different.
I do NOT get a login prompt when I try to access autodiscover.xml. This seems important at this time. Please elaborate on this and some possible reasons why I'm not getting a login prompt when trying to access autodiscover.xml.
Also, No, I don't have autodiscover added in DNS. Should I add it?
I have found another issue, however. Everyone has lost connectivity to their computer through logging into remote.externaldomain.com and choosing to connect to their computer. I'm not sure, but I think that this probably stopped working the same time I added the Godaddy UCC cert. I had disabled all of the other certs that were self-signed with ACCO-SS. Do I need to use any of these self-signed certs for clients' connectivity to their computers?
Oh great, I restarted W3SVC, and now it's reporting: HTTP Error 503. The service is unavailable.
when trying to connect to autodiscover.xml again.
Well, IIS was reporting that it (w3svc) was started again, but all of the sites were not running, and when I tried to start each (any) of the sites, it reported that they couldn't start because W3SVC wasn't running! Anyway, the problem fixed itself after a few minutes, it's all back up again, but I still get the error message: HTTP 403: Forbidden again.
ASKER
I have an autodiscover SRV record added to the domain: SRV: _autodiscover._tcp IN SRV 10 10 443 remote.externaldomain.com.
Should I still need an autodiscover DNS entry added?
Let's try to address the HTTP 403: Forbidden error first.
Thanks.
HELP!
Entering a service record for autodiscover is all that is required. If in doubt, add the DNS host record too. I believe Outlook will check for the service record first, and if it does not exist, then checks for a host record.
When you browse to https://remote.externaldomain.com/Autodiscover/autodiscover.xml the expected response is a logon prompt.
once you logon, you should get something like... (use IE)
<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="12:00:34.4148490" Id="2712708472">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
You will get a 600 error, and this is OK, as you are connecting to the Autodiscover service just fine. The reason you get the 600 error is that you are not sending a proper HTTP GET request with the schema data that is needed.
If something else... then you have an issue with Autodiscover.
Check your Offline Address Book URLs.
Open the Exchange management GUI and load up Server Config\Client Access, look at the Offline Address Book and the internal and external URLs, and adjust if necessary.
Check the IIS authentication setup for Autodiscover.
Run the PowerShell command Test-OutlookWebServices.
Andre
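The answer above describes the lookup order (SRV record versus host record) and why a browser GET only ever yields error 600. The script below is an added example, not code from the thread or from Microsoft, that does from a workstation what Outlook does: it builds the Autodiscover candidate list for the mailbox's SMTP domain in Outlook's order (https://<domain>, https://autodiscover.<domain>, then the _autodiscover._tcp SRV target; the unauthenticated HTTP redirect probe is left out), reads the CN and DNS SANs of the certificate each candidate presents so a name mismatch shows up before the request is sent, and then POSTs a real Autodiscover request with the request schema so the server answers with settings instead of error 600. It assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later); the mailbox address, the function names and the $Credential parameter are this example's own.

```powershell
# Added example, not from the thread: probe Autodiscover for a mailbox in the
# order Outlook uses, show the certificate names each candidate presents, and
# send a real Autodiscover POST (a bare browser GET only yields error 600).
# Assumes Resolve-DnsName (Windows 8 / Server 2012 or later) on the client;
# the address below is a placeholder.
param(
    [string]$EmailAddress = 'jerry.smith@externaldomain.com',
    [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
)

function Get-AutodiscoverCandidates {
    param([string]$Domain)
    $list = @("https://$Domain/autodiscover/autodiscover.xml",
              "https://autodiscover.$Domain/autodiscover/autodiscover.xml")
    # SRV is consulted last, so a stale SRV target (the thread's
    # mail.externaldomain.com) only surfaces once the direct HTTPS probes fail.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight
    foreach ($r in $srv) { $list += "https://$($r.NameTarget):$($r.Port)/autodiscover/autodiscover.xml" }
    return $list
}

function Get-RemoteCertNames {
    param([string]$HostName, [int]$Port)
    # Read (not trust) the leaf certificate: validation is bypassed here only so
    # the names can be inspected; the POST below keeps normal validation on.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # SAN extension
        if ($san) {
            foreach ($l in ($san.Format($true) -split "`r?`n")) {
                if ($l -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
            }
        }
        return $names
    } finally { $tcp.Close() }
}

function Invoke-AutodiscoverRequest {
    param([string]$Url, [string]$EmailAddress, [System.Management.Automation.PSCredential]$Credential)
    # The Outlook request schema; the server replies in the 2006a response schema.
    $body = @"
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$EmailAddress</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($body)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'POST'; $req.ContentType = 'text/xml'; $req.ContentLength = $bytes.Length
    $req.Credentials = $Credential.GetNetworkCredential()   # Basic or NTLM, whatever the vdir allows
    $req.PreAuthenticate = $true
    $rs = $req.GetRequestStream(); $rs.Write($bytes, 0, $bytes.Length); $rs.Close()
    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $text = $reader.ReadToEnd()
        return [xml]$text
    } finally { $resp.Close() }
}

$domain = $EmailAddress.Split('@')[1]
foreach ($url in (Get-AutodiscoverCandidates -Domain $domain)) {
    $u = [System.Uri]$url
    try   { $names = @(Get-RemoteCertNames -HostName $u.Host -Port $u.Port) }
    catch { Write-Warning "$($u.Host):$($u.Port) unreachable: $($_.Exception.Message)"; continue }
    $covered = $names -contains $u.Host
    "{0} -> cert names [{1}]; covers host: {2}" -f $url, ($names -join ', '), $covered
    if (-not $covered) { continue }   # this is where Outlook would raise the name-mismatch warning
    try   { $xml = Invoke-AutodiscoverRequest -Url $url -EmailAddress $EmailAddress -Credential $Credential }
    catch { Write-Warning "POST to $url failed: $($_.Exception.Message)"; continue }
    if ($xml.Autodiscover.Response.Error) {
        "  Error {0}: {1}" -f $xml.Autodiscover.Response.Error.ErrorCode, $xml.Autodiscover.Response.Error.Message
        continue
    }
    # EXCH = internal RPC, EXPR = Outlook Anywhere. "Server" is the host Outlook
    # will actually connect to, so it must appear on the certificate as well.
    foreach ($p in $xml.Autodiscover.Response.Account.Protocol) {
        "  {0,-4} Server={1} OABUrl={2} on cert: {3}" -f $p.Type, $p.Server, $p.OABUrl, ($names -contains $p.Server)
    }
    break
}
```

The EXPR line is the one to look at for the symptom in this thread: its Server value is the Outlook Anywhere external host name Autodiscover hands to RPC/HTTP clients, and if it is not among the certificate names printed for the endpoint, Outlook will warn about that name even though the Autodiscover URL itself is covered. A 401 from the POST means the virtual directory reached IIS but the authentication methods do not match what the credential can offer; a 403 or 503 never gets that far and points at the site, app pool or binding rather than at Autodiscover's own configuration.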
ASKER
Again, I do NOT get a login prompt when trying to access http://remote.externaldomain.com/autodiscover/autodiscover.xml.
I get a HTTP 403: Forbidden response.
Is anyone actually reading my above posts?
Can we please address the HTTP 403: Forbidden error.
Can you reissue the certificate and then try?
ASKER
Sorry for the delays.
I have been busy working on another project. (No, I don't need any help on this one, it all went flawlessly -- it's NOT Microsoft).
I think I found the problem, I had added mail.externaldomain.com to an external SRV record on the domain. I have removed it and it *seems* to be working correctly now.
ASKER
On the other issue, I'm not sure why exactly, but I'm now being presented with a logon prompt when I try to go to https://remote.externaldomain.com/autodiscover/autodiscover.xml.
I'm now getting a correct response and testexchangeconnectivity.com's Autodiscover test is passing as well.
It seems to be working now. But I'm not sure exactly whom to award points to because I'm not sure what fixed it ???
ASKER
I discovered that I had added an additional SRV record that included mail.externaldomain.com. So his post helped me fix the original problem. I'm not sure what fixed the autodiscover problem, but I'm sure happy it's fixed.
More than likely, your Autodiscover server is hosted on the same server as the Exchange 2007 OWA/CAS server, and its cert contains the SAN name of your Autodiscover. There is no need to create or import a new cert for Autodiscover since you added it via the Exchange shell; however, you do need to tell IIS about it.
Open IIS Manager and open the properties of the Autodiscover website. Click Server Certificate on the Directory Security tab, then replace the cert with the new one previously stored in the certificate store by Exchange. It should be listed; double-click to open the cert and verify it is the correct cert by looking at the SAN names assigned to it. If all is good, apply the cert, recycle the Autodiscover app pool and restart the Autodiscover web site.
Test at https://www.testexchangeconnectivity.com/Default.aspx
Cheers
Andre