Solved

Outlook cannot connect over VPN

Posted on 2010-09-13
Last Modified: 2012-05-10
Hi,
I have an Exchange Server 2007 installed on Windows 2003,
and a terminal server with Outlook 2007 installed that connects to Exchange over the VPN.

Recently, every time I open Outlook, it asks me to type the username and password again,
and then I get this message:
There is a problem with the proxy server's security certificate, %s. The name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (%s)

I have installed a certificate for the server as webmail.domain.com; it is used for Outlook Web Access.
I thought maybe this causes the problem; the certificate should be mail.domain.com,
but I don't want to change the web access URL.

Can I still keep the web access as webmail.domain.com and fix Outlook to connect well?
Question by:GordonLiq

28 Comments

LVL 28

Expert Comment

by:sunnyc7
Yes, you can.

For Outlook clients @ security cert mismatch:
Go to DNS for that LAN

(from Outlook do this:
ipconfig /all)
Find DNS.
Go to that server.

Start > Run > dnsmgmt.msc
Create an A-record for

webmail.domain.com - to point to the LAN IP of the Exchange server.

That should work.

LVL 9

Expert Comment

by:v_9mhdrf
Or,
Please follow the article - http://support.microsoft.com/kb/940726
and also http://support.microsoft.com/kb/927612

Hope this helps

Thanks
Mohammed

LVL 4

Expert Comment

by:Sean_D76
http://www.petri.co.il/save-your-exchange-password-in-microsoft-outlook-2003-or-2007.htm

Method #2 works for most of my XP/2003 users.  Your mileage may vary though.

Author Comment

by:GordonLiq
In http://support.microsoft.com/kb/927612:

This problem occurs if the following Service Principal Names are registered on the Exchange server and if the Exchange server is not a global catalog server:

That describes my situation. My Exchange server is a domain controller but not a GC; should I change this server to a GC?

LVL 4

Expert Comment

by:Sean_D76
Yes. Exchange relies heavily on having access to a GC. If it's already a DC then it's good practice to go ahead and make it a GC so that if the other DC is down you don't have problems with your email.

Author Comment

by:GordonLiq
And should I change the primary DNS IP to myself?

It pointed to one of the GCs before.

LVL 9

Expert Comment

by:v_9mhdrf
Yes!
That will do. Change the host IP to point to the Exchange server if you are promoting the Exchange server DC to GC.
Please try that and revert back if you have issues.

Awaiting your comment

Thanks
Mohammed

Author Comment

by:GordonLiq
I will do that when I am in the office; sometimes changing the DNS makes the network disconnect and needs a clean shutdown.

LVL 9

Expert Comment

by:v_9mhdrf
Ok.

LVL 28

Expert Comment

by:sunnyc7
Please do not do that >> Have Exchange installed on a server with GC role.

Exchange relies heavily on GC to do AD-lookups. This is a bad idea @ upgrading a DC to GC role

http://www.computerperformance.co.uk/exchange2003/exchange2003_global_catalog.htm#Why_does_Exchange_2003_need_Global_Catalog_Servers_

Author Comment

by:GordonLiq
Changing the Exchange box from DC to GC does not help. I still get that message, but Outlook can connect.

Author Comment

by:GordonLiq
In
http://support.microsoft.com/kb/927612

It says:
    * You replace the default self-signed Exchange Server 2007 or Exchange Server 2010 certificate with a different certificate.

      Note The Setup program in Exchange Server 2007 or in Exchange Server 2010 creates a default self-signed certificate when Exchange Server 2007 or Exchange Server 2010 is installed.
    * The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
          o The Service Connection Point object for the Autodiscover service
          o The InternalUrl attribute of Exchange 2007 Web Service (EWS)
          o The InternalUrl attribute of the Offline Address Book Web service
          o The InternalUrl attribute of the Exchange unified messaging (UM) Web service

Does that mean that my default certificate is
svremail.localdomain but I installed webmail.domain.com to replace it?
How can I check the currently installed certificate?

LVL 28

Expert Comment

by:sunnyc7
You should not change Exchange to Global Catalog. That messes up a lot of things.
GC has nothing to do with cert mismatch prompts.

a) Check the last section on registry settings here
http://technet.microsoft.com/en-us/library/cc179161(office.12).aspx

b) copy paste the output of this here
get-clientaccessserver | fl
get-autodiscovervirtualdirectory | fl
get-exchangecertificate | fl

LVL 28

Expert Comment

by:sunnyc7
Your UCC/SAN Cert should have the 4 following domains

mail.domain.com (external fqdn)
autodiscover.domain.com (external autodiscover)
mailservername.domain.local (internal fqdn)
mailserver (internal mail server name)

Given that you have a cert for webmail.domain.com - which is also used by OWA,
what you need to do is
a) create an A-record in your local DNS (which is used by terminal server)
for
 webmail.domain.com - to point to LAN IP of exchange server.
b) then add the users account in outlook - by going to webmail.domain.com - as servername

Also check the prior post on registry settings for TS install of Outlook 2007 in Ex 2007 env.

Author Comment

by:GordonLiq
I have done
a) create an A-record in your local DNS (which is used by terminal server)
for
 webmail.domain.com - to point to LAN IP of exchange server

The A-record pointed to the internet IP of Exchange before.

But it still does not work;
I still get this message when I log in from my laptop in the office.
I did an ipconfig /flushdns to clear the DNS before I tried from my laptop.

LVL 28

Expert Comment

by:sunnyc7
Please post the gets in above post

Author Comment

by:GordonLiq
[PS] C:\Documents and Settings\admin>get-autodiscovervirtualdirectory | fl



Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://svr02.aaa.local/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SVR02
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=P
                                rotocols,CN=SVR02,CN=Servers,CN=Exchange Admini
                                strative Group (FYDIBOHF23SPDLT),CN=Administrat
                                ive Groups,CN=aaa Care Management,CN=Microsoft
                                Exchange,CN=Services,CN=Configuration,DC=aaa,DC
                                =local
Identity                      : SVR02\Autodiscover (Default Web Site)
Guid                          : 3ec7186e-4c5f-4712-a989-3569bce61468
ObjectCategory                : aaa.local/Configuration/Schema/ms-Exch-Auto-Dis
                                cover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 14/07/2009 11:31:52 AM
WhenCreated                   : 14/07/2009 11:31:52 AM
OriginatingServer             : svr02.aaa.local
IsValid                       : True



[PS] C:\Documents and Settings\admin>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.aaacare.com.au}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : E=premium-server@thawte.com, CN=Thawte Premium Server CA,
                     OU=Certification Services Division, O=Thawte Consulting cc
                     , L=Cape Town, S=Western Cape, C=ZA
NotAfter           : 21/11/2010 9:59:59 AM
NotBefore          : 20/11/2008 10:00:00 AM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 311C5AF0072427F9A57220D8E4D1796F
Services           : IIS
Status             : Valid
Subject            : CN=webmail.aaacare.com.au, OU=aaa Care Management, O=aaa C
                     are Management, L=Toowoomba, S=Queensland, C=AU
Thumbprint         : 559BDE0CA62D90BA7D3127B6244881AAB5B87DF4

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {svr02.aaacare.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=svr02.aaacare.local
NotAfter           : 17/07/2009 10:19:42 PM
NotBefore          : 17/07/2008 4:19:42 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 6FE76E48E61A8747E41EF8CE5530D4
Services           : None
Status             : Invalid
Subject            : CN=svr02.aaacare.local
Thumbprint         : CD7D3F19EABAD3BC7B967ADB6114FCEBBF5F11F9

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.aaacare.com.au}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=aaa Intranet, DC=aaa, DC=local
NotAfter           : 17/07/2010 3:59:18 PM
NotBefore          : 17/07/2008 3:59:18 PM
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : 2077C76E000000000006
Services           : None
Status             : Invalid
Subject            : CN=mail.aaacare.com.au, OU=aaa Care Management, O=aaa Care
                      Management, L=Toowoomba, S=Queensland, C=AU
Thumbprint         : 7BEBD0675A70B9A4F06A5C581B5C808B8495D7F1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {svr02, svr02.aaa.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=svr02
NotAfter           : 9/07/2009 1:35:41 PM
NotBefore          : 9/07/2008 1:35:41 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A88B06C7DED91C9744981C5309ADC6B2
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=svr02
Thumbprint         : E3917918EBB7EEFD10DCE2A75559F17B00A5D816



[PS] C:\Documents and Settings\admin>get-clientaccessserver | fl


Name                           : SVR02
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : svr02
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://webmail.aaacare.com.au/autodiscover/au
                                 todiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site}
IsValid                        : True
OriginatingServer              : svr02.aaa.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SVR02,CN=Servers,CN=Exchange Administrative
                                  Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                 ups,CN=aaa Care Management,CN=Microsoft Exchan
                                 ge,CN=Services,CN=Configuration,DC=aaa,DC=loca
                                 l
Identity                       : SVR02
Guid                           : c0d6953a-0142-41b9-b473-9ca11f6e6229
ObjectCategory                 : aaa.local/Configuration/Schema/ms-Exch-Exchang
                                 e-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 13/08/2008 9:58:34 AM
WhenCreated                    : 9/07/2007 12:17:21 PM



[PS] C:\Documents and Settings\admin>

Author Comment

by:GordonLiq
In get-exchangecertificate | fl

it says: CertificateDomains : {svr02.aaacare.local}

Does that cause the problem?

The domain should be svr02.aaa.local or webmail.aaacare.com.au

LVL 28

Expert Comment

by:sunnyc7
run this
you will be all set after that

get-autodiscovervirtualdirectory | set-autodiscovervirtualdirectory -InternalUrl:"https://webmail.aaacare.com.au/autodiscover/autodiscover.xml" -ExternalUrl:"https://webmail.aaacare.com.au/autodiscover/autodiscover.xml"

LVL 28

Accepted Solution

by:
sunnyc7 earned 500 total points
and this
Enable-ExchangeCertificate -Thumbprint 559BDE0CA62D90BA7D3127B6244881AAB5B87DF4 -Services "SMTP, IIS"

Author Comment

by:GordonLiq
Now the result is below,

but it still does not work. The get-exchangecertificate | fl
still shows svr02.aaacare.local,

but I don't have this domain. My
local domain is aaa.local
and the internet domain is: aaacare.com.au
[PS] C:\Documents and Settings\admin>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {webmail.aaacare.com.au}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : E=premium-server@thawte.com, CN=Thawte Premium Server CA,
                     OU=Certification Services Division, O=Thawte Consulting cc
                     , L=Cape Town, S=Western Cape, C=ZA
NotAfter           : 21/11/2010 9:59:59 AM
NotBefore          : 20/11/2008 10:00:00 AM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : 311C5AF0072427F9A57220D8E4D1796F
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=webmail.aaacare.com.au, OU=aaa Care Management, O=aaa C
                     are Management, L=Toowoomba, S=Queensland, C=AU
Thumbprint         : 559BDE0CA62D90BA7D3127B6244881AAB5B87DF4

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {svr02.aaacare.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=svr02.aaacare.local
NotAfter           : 17/07/2009 10:19:42 PM
NotBefore          : 17/07/2008 4:19:42 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : 6FE76E48E61A8747E41EF8CE5530D4
Services           : None
Status             : Invalid
Subject            : CN=svr02.aaacare.local
Thumbprint         : CD7D3F19EABAD3BC7B967ADB6114FCEBBF5F11F9

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {mail.aaacare.com.au}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=aaa Intranet, DC=aaa, DC=local
NotAfter           : 17/07/2010 3:59:18 PM
NotBefore          : 17/07/2008 3:59:18 PM
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : 2077C76E000000000006
Services           : None
Status             : Invalid
Subject            : CN=mail.aaacare.com.au, OU=aaa Care Management, O=aaa Care
                      Management, L=Toowoomba, S=Queensland, C=AU
Thumbprint         : 7BEBD0675A70B9A4F06A5C581B5C808B8495D7F1

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {svr02, svr02.aaa.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=svr02
NotAfter           : 9/07/2009 1:35:41 PM
NotBefore          : 9/07/2008 1:35:41 PM
PublicKeySize      : 2048
RootCAType         : Unknown
SerialNumber       : A88B06C7DED91C9744981C5309ADC6B2
Services           : IMAP, POP, SMTP
Status             : Invalid
Subject            : CN=svr02
Thumbprint         : E3917918EBB7EEFD10DCE2A75559F17B00A5D816



[PS] C:\Documents and Settings\admin>get-clientaccessserver | fl


Name                           : SVR02
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : svr02
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://webmail.aaacare.com.au/autodiscover/au
                                 todiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site}
IsValid                        : True
OriginatingServer              : svr02.aaa.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SVR02,CN=Servers,CN=Exchange Administrative
                                  Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                 ups,CN=aaa Care Management,CN=Microsoft Exchan
                                 ge,CN=Services,CN=Configuration,DC=aaa,DC=loca
                                 l
Identity                       : SVR02
Guid                           : c0d6953a-0142-41b9-b473-9ca11f6e6229
ObjectCategory                 : aaa.local/Configuration/Schema/ms-Exch-Exchang
                                 e-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 15/09/2010 8:52:47 AM
WhenCreated                    : 9/07/2007 12:17:21 PM



[PS] C:\Documents and Settings\admin>get-autodiscovervirtualdirectory | fl



Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated}
BasicAuthentication           : False
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://svr02.aaa.local/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SVR02
InternalUrl                   : https://webmail.aaacare.com.au/autodiscover/aut
                                odiscover.xml
ExternalUrl                   : https://webmail.aaacare.com.au/autodiscover/aut
                                odiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=P
                                rotocols,CN=SVR02,CN=Servers,CN=Exchange Admini
                                strative Group (FYDIBOHF23SPDLT),CN=Administrat
                                ive Groups,CN=aaa Care Management,CN=Microsoft
                                Exchange,CN=Services,CN=Configuration,DC=aaa,DC
                                =local
Identity                      : SVR02\Autodiscover (Default Web Site)
Guid                          : 3ec7186e-4c5f-4712-a989-3569bce61468
ObjectCategory                : aaa.local/Configuration/Schema/ms-Exch-Auto-Dis
                                cover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 15/09/2010 8:51:50 AM
WhenCreated                   : 14/07/2009 11:31:52 AM
OriginatingServer             : svr02.aaa.local
IsValid                       : True



[PS] C:\Documents and Settings\admin>


LVL 28

Expert Comment

by:sunnyc7
There are a couple of fixes which I will give - in terms of authentication settings.

Apart from that, I hope you are adding the Exchange server as
webmail.aaacare.com.au
in the server-name field
when you are trying to create a new Outlook profile.

Thanks

Author Comment

by:GordonLiq
But what about the old users? I have 100 users and cannot change them one by one.

Also, Outlook 2007 on Windows 2003 R2 works well without any message.

Outlook 2007 on Windows 2008 R2 gets that message, asks me to enter the password for svr02.aaa.local and then says Exchange is unavailable.

Outlook 2007 on my Windows 7 gets that message and asks for the password for svr02.aaa.local and then works, but I need to enter the password every time.

LVL 28

Expert Comment

by:sunnyc7
You would need a UCC/SAN cert to rectify most of these issues.
The cases spring from the fact that we are trying to use your one good SSL cert and trying to apply it everywhere.
We haven't gotten to the phones part yet (Droids, Windows Mobile 6).

Let's try to isolate the cases.
a) Outlook 2003 - should not have any issues.
b) For Outlook 2007/Windows 2008 R2 - don't enter the server name as SVR02.aaa.local;
enter the server name as webmail.aaacare.com.au (you mentioned you created a DNS entry pointing to the LAN IP of Exchange for this)
c) Outlook 2007/Windows 7 repeated password prompts > try this one

If “Remember my password” doesn’t work and you keep getting prompted:
a) close outlook
b) go to Start... Run and type 'control userpasswords2' (without the quotes) and press OK
c) click on the Advanced tab and press 'Manage Passwords'
d) find the entry for your mail server and click ‘Properties’
e) erase the Server name and type in vexch01 or the name of your DC /  global catalog server
f) leave the password blank and click OK
g) start Outlook, enter your password and check off ‘Remember my password’ one last time. It should not prompt again.

http://www.petri.co.il/forums/showthread.php?t=18808

Please try this one by one and let me know if it works.

Author Comment

by:GordonLiq
I have done everything as you described, but it still does not work.

The error message is:
there is a problem with the proxy server's security certificate. the name on the security certificate is invalid or does not match the name of the target site mail.aaacare.com.au
outlook is unable to connect to the proxy server.


Author Comment

by:GordonLiq
Please ignore the latest question; it was caused by the system attendant server being stopped.

Author Comment

by:GordonLiq
I have done everything as you described, but it still does not work.

The error message is:
there is a problem with the proxy server's security certificate. the name on the security certificate is invalid or does not match the name of the target site mail.aaacare.com.au

The security certificate is webmail.aaa.com.au

Outlook can connect but I keep getting this message every time.

Author Closing Comment

by:GordonLiq
Finally I installed a certificate like *.aaadomain.com and that fixed the problem.
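
Added example, not part of the original thread and not code from any participant: a PowerShell check that compares the host names Outlook was connecting to in this thread against the names on a certificate, including the one-label wildcard rule. The function names and the two candidate name lists are assumptions made for illustration; the host names themselves are the ones posted above.

```powershell
# Added example (PowerShell 2.0 or later). Function names are hypothetical.
# Host names are the ones posted in the thread; the wildcard and SAN name
# lists at the bottom are constructed for illustration.

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label:
            # *.example.com covers mail.example.com, not example.com or a.b.example.com
            $suffix = $name.Substring(1)            # ".example.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-CertNameCoverage {
    param([hashtable]$Endpoints, [string[]]$CertNames)
    foreach ($setting in ($Endpoints.Keys | Sort-Object)) {
        $value = $Endpoints[$setting]
        if ([string]::IsNullOrEmpty($value)) { continue }   # unset URL, nothing to check
        # Accept either a full URL or a bare host name
        $hostName = $value
        if ($value -match '^[a-z]+://') { $hostName = ([System.Uri]$value).Host }
        New-Object PSObject -Property @{
            Setting  = $setting
            HostName = $hostName
            Covered  = (Test-CertNameMatch -HostName $hostName -CertNames $CertNames)
        }
    }
}

# Names Outlook was using, taken from the cmdlet output and error text in the thread.
# On a live server the URLs come from Get-ClientAccessServer and
# Get-AutodiscoverVirtualDirectory, as shown in the posts above.
$endpoints = @{
    'Autodiscover SCP (AutoDiscoverServiceInternalUri)' = 'https://webmail.aaacare.com.au/autodiscover/autodiscover.xml'
    'Autodiscover InternalUrl'                          = 'https://webmail.aaacare.com.au/autodiscover/autodiscover.xml'
    'Server name Outlook prompted for'                  = 'svr02.aaa.local'
    'Target site named in the Outlook error'            = 'mail.aaacare.com.au'
}

# Certificate name lists to compare
$current  = @('webmail.aaacare.com.au')      # CertificateDomains of the IIS-enabled cert in the thread
$wildcard = @('*.aaacare.com.au')            # constructed: a wildcard for the public domain
$san      = @('webmail.aaacare.com.au', 'mail.aaacare.com.au',
              'autodiscover.aaacare.com.au', 'svr02.aaa.local', 'svr02')   # constructed SAN list

Write-Host 'Current certificate'
Get-CertNameCoverage $endpoints $current  | Format-Table Setting, HostName, Covered -AutoSize
Write-Host 'Wildcard certificate (constructed)'
Get-CertNameCoverage $endpoints $wildcard | Format-Table Setting, HostName, Covered -AutoSize
Write-Host 'SAN certificate (constructed)'
Get-CertNameCoverage $endpoints $san      | Format-Table Setting, HostName, Covered -AutoSize
```

Any row with Covered = False is a name that will raise the certificate mismatch prompt; a wildcard for the public domain leaves internal names such as svr02.aaa.local uncovered, so clients must be pointed at a public-domain name through internal DNS.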