Solved

Outlook 2010 Exchange cert issue

Posted on 2010-09-14
Last Modified: 2012-05-10
I cannot get my newly updated Outlook 2010 to connect to my SBS2008/Exchange 2007 server remotely. I was on Outlook 2007 and it was working. I uninstalled 07 and installed 10 and now I can't get the remote connection working. I tried installing the cert again but that didn't work.

The error is:
there is a problem with the proxy server's security certificate. the security certificate is not from a trusted certifying authority. Outlook is unable to connect to proxy server remote.mydomain.com (error code 8).

Is there a setting in the new Outlook 10 to allow self-signed certs? It sounds like a security feature they added.
Question by:calitech
 
LVL 77

Accepted Solution

by:
Rob Williams earned 334 total points
Have you seen the following troubleshooting guide?
http://support.microsoft.com/kb/923575
You may not have installed the certificate in the "Trusted root" folder.
0
 
LVL 28

Expert Comment

by:sunnyc7
Are you connecting over LAN or over RPC/HTTPS?

Also please post the output of this from Exchange shell
Run this from SBS

get-clientaccessserver | fl
get-autodiscovervirtualdirectory | fl
get-exchangecertificate | fl

Did you purchase a UCC/SAN cert and install it on SBS?

thanks
0
 

Author Comment

by:calitech
Yes I installed the cert in the trusted group.
 
I am using RPC/HTTPS but connecting through the LAN.

No I didn't purchase a cert, I am using the self signed that SBS generates. I have been fine so far using that cert.

Here is the printout.

         Welcome to the Exchange Management Shell!

 Full list of cmdlets:          get-command
 Only Exchange cmdlets:         get-excommand
 Cmdlets for a specific role:   get-help -role *UM* or *Mailbox*
 Get general help:              help
 Get help for a cmdlet:         help <cmdlet-name> or <cmdlet-name> -?
 Show quick reference guide:    quickref
 Exchange team blog:            get-exblog
 Show full output for a cmd:    <cmd> | format-list

Tip of the day #19:

If you want to test all IP Block List providers, you just have to pipe the Get-I
pBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:

 Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 192.168.0.1

[PS] C:\Windows\System32>get-clientaccessserver | fl


Name                           : SBS2008
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS2008
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://remote.mydomain.com/Autodiscover
                                 /Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b12341
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SBS2008.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SBS2008,CN=Servers,CN=Exchange Administrati
                                 ve Group (FYDIBOHF23SPDLT),CN=Administrative G
                                 roups,CN=First Organization,CN=Microsoft Excha
                                 nge,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                       : SBS2008
Guid                           : 702a97db-a424-4b7f-adcd-e3ee5346c6
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exc
                                 h-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 8/13/2010 1:45:28 PM
WhenCreated                    : 1/26/2009 11:06:41 AM



[PS] C:\Windows\System32>get-autodiscovervirtualdirectory | fl


Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SBS2008.domain.local/W3SVC/3/ROOT/A
                                utodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SBS2008
InternalUrl                   : https://remote.mydomain.com/Autodiscover/
                                Autodiscover.xml
ExternalUrl                   : https://remote.mydomain.com/Autodiscover/
                                Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,
                                CN=Protocols,CN=SBS2008,CN=Servers,CN=Exchange
                                Administrative Group (FYDIBOHF23SPDLT),CN=Admin
                                istrative Groups,CN=First Organization,CN=Micro
                                soft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                      : SBS2008\Autodiscover (SBS Web Applications)
Guid                          : 44e425e7-4c44-449c-b5b1-4eef798fef89
ObjectCategory                : domain.local/Configuration/Schema/ms-Exch
                                -Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 2/1/2009 12:35:52 PM
WhenCreated                   : 1/26/2009 11:11:12 AM
OriginatingServer             : SBS2008.domain.local
IsValid                       : True



[PS] C:\Windows\System32>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008, SBS2008.domain.local, localhost}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Default CA, C=US
NotAfter           : 2/23/2015 8:21:21 AM
NotBefore          : 2/24/2010 8:21:21 AM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 4B45E1354302B3D5
Services           : IMAP, POP
Status             : Unknown
Subject            : CN=SBS2008
Thumbprint         : 555BB5941764036435016BE2D977D45F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008, SBS2008.domain.local, localhost}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Default CA, C=US
NotAfter           : 2/22/2015 5:06:54 PM
NotBefore          : 2/23/2010 5:06:54 PM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 27F8E5F54340DC948A
Services           : IMAP, POP
Status             : Unknown
Subject            : CN=SBS2008
Thumbprint         : CC3CED23450693CCDA00DBC2F01531AC5EA88E23A8F3

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 12/15/2010 11:35:23 AM
NotBefore          : 12/15/2009 11:35:23 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 20234569D5000000000008
Services           : IMAP, POP
Status             : Valid
Subject            : CN=SBS2008.domain.local
Thumbprint         : 42A5903A4DEE02483223AD874AE9FE031AE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, SBS2008.ca
                     litech-inc.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 2/1/2011 12:25:31 PM
NotBefore          : 2/1/2009 12:25:31 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1EC3254EF0023450000004
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : BEA286207FAC8835D77899E43D36978243547E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SBS2008.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 1/26/2011 10:54:01 AM
NotBefore          : 1/26/2009 10:54:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6103D7890000000002
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : E3ADC273545FC1E824353EF0F65FFFDF8FE785

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SBS2008-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 1/26/2014 11:03:26 AM
NotBefore          : 1/26/2009 10:53:26 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 741A116EED30D596423452928A64E1
Services           : None
Status             : Valid
Subject            : CN=domain-SBS2008-CA
Thumbprint         : 742C288D702AAACFCB83451A37C7ECB0878F5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-SNRV23P3O51}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-SNRV23P3O51
NotAfter           : 1/24/2019 10:19:01 AM
NotBefore          : 1/26/2009 10:19:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 468D57S9699EFAB48d87F56AF66B9D
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-SNRV23P3O51
Thumbprint         : F692C6561C5910204761F725F0B8D0237341F



[PS] C:\Windows\System32>
0
 
LVL 28

Expert Comment

by:sunnyc7
When you ping remote.domain.com, do you get the LAN IP of the SBS server or an external IP?

Did you buy a UCC/SAN cert from GoDaddy/DigiCert?

These certs look like they are issued by SBS.
0
 

Author Comment

by:calitech
When I ping remote.domain.com I get the external IP.

I didn't purchase any cert for my server. I have been fine till now. I have been using the server one that gets created when you set up SBS.
0
 
LVL 28

Expert Comment

by:sunnyc7
What is your internal FQDN?
Is it
SBS2008.domain.local?
0
 

Author Comment

by:calitech
No, it really is my company name. I just replaced my name with domain for this post.
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 166 total points
I just want to make sure that I give the correct commands to reset your Autodiscover URIs.

Replace the appropriate parts:
mail.domain.local - internal fqdn of sbs
mail.domain.com - external FQDN / MX / where you access OWA

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -ExternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

For Outlook cert issues:
The name on the cert has to match the name on Autodiscover - that is mail.domain.local

Hence UCC/SAN certs are preferable to self-signed.


0
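
The name check described in the answer above, together with the trusted-root check from the accepted answer, as an added example that is not part of the original thread. Get-OutlookAnywhere and its ExternalHostname property do not appear in the thread, Test-CertCoversHost is a hypothetical helper name, and the issuer string in part 2 is a placeholder.

```powershell
# Added example, not from the thread. Part 1 runs in the Exchange Management Shell.
# Test-CertCoversHost is a hypothetical helper name introduced for this example.
function Test-CertCoversHost([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }          # -eq ignores case for strings
        # A wildcard entry (*.example.com) covers exactly one extra left-most label.
        if ($n.StartsWith('*.') -and $HostName.Contains('.') -and
            ($HostName.Substring($HostName.IndexOf('.') + 1) -eq $n.Substring(2))) {
            return $true
        }
    }
    return $false
}

# Collect every host name that clients are told to connect to.
$urls = @()
Get-ClientAccessServer | ForEach-Object { $urls += $_.AutoDiscoverServiceInternalUri }
Get-AutodiscoverVirtualDirectory | ForEach-Object { $urls += $_.InternalUrl, $_.ExternalUrl }
$clientNames = @($urls | Where-Object { $_ } | ForEach-Object { ([System.Uri]"$_").Host })
# Assumption: Outlook Anywhere is enabled, so Get-OutlookAnywhere returns the proxy name.
Get-OutlookAnywhere | Where-Object { $_.ExternalHostname } |
    ForEach-Object { $clientNames += "$($_.ExternalHostname)" }
$clientNames = @($clientNames | Sort-Object -Unique)

# Compare those names with each certificate that is enabled for IIS.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | ForEach-Object {
    $certNames = @($_.CertificateDomains | ForEach-Object { "$_" })
    "{0}  issuer={1}  status={2}  expires={3}" -f $_.Subject, $_.Issuer, $_.Status, $_.NotAfter
    if ($_.NotAfter -lt (Get-Date)) { "  EXPIRED" }
    foreach ($name in $clientNames) {
        if (Test-CertCoversHost $name $certNames) { "  covered  $name" } else { "  MISSING  $name" }
    }
}

# Part 2 runs in plain PowerShell on the Outlook client: is the issuing CA trusted?
# Replace the placeholder with the issuer printed by part 1.
$issuer = 'CN=<issuer-from-part-1>'
$roots = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -eq $issuer })
if ($roots.Count -gt 0) { "Issuer is in a trusted root store" } else { "Issuer is NOT trusted on this machine" }
```

A name reported as MISSING points to a name mismatch on the server; an untrusted issuer in part 2 points to the client's root store.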
 

Author Comment

by:calitech
I entered the following commands, now what? I tested Outlook and still was not able to get in.
Can I get a RapidSSL?  http://www.ssl247.com/ssl-certificates/brands/rapidssl/


[PS] C:\Windows\System32>Get-ClientAccessServer | Set-ClientAccessServer -AutoDi
scoverServiceInternalUri:"https://SBS2008.domain.local/Autodiscover/Autodi
scover.xml"

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirt
ualDirectory -InternalUrl:"https://SBS2008.domain.local/Autodiscover/Autod
iscover.xml"

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirt
ualDirectory -ExternalUrl:"https://remote.mydomain.com/Autodiscover/Autodi
scover.xml"
WARNING: The command completed successfully but no settings of
'SBS2008\Autodiscover (SBS Web Applications)' have been modified.
[PS] C:\Windows\System32>
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 334 total points
>>"Can I get a RapidSSL?"
Yes, but RapidSSL is now owned by Symantec. I would recommend a GoDaddy.com certificate, which is also a little cheaper.
http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx
0
 

Author Closing Comment

by:calitech
I guess I need to buy a cert for this to work.
0
