• Status: Solved
  • Priority: Medium
  • Security: Public

Outlook 2010 Exchange cert issue

I cannot get my newly updated Outlook 2010 to connect to my SBS2008/Exchange 2007 server remotely. I was on Outlook 2007 and it was working. I uninstalled 07 and installed 10 and now I can't get the remote connection working. I tried installing the cert again but that didn't work.

The error is:
there is a problem with the proxy server's security certificate. the security certificate is not from a trusted certifying authority. Outlook is unable to connect to proxy server remote.mydomain.com (error code 8).

Is there a setting in the new Outlook 10 to allow self-signed certs? It sounds like a security feature they added.
Rob Williams Commented:
Have you seen the following troubleshooting guide?
http://support.microsoft.com/kb/923575
You may not have installed the certificate in the "Trusted root" folder.
 
sunnyc7 Commented:
Are you connecting over LAN or over RPC/HTTPS?

Also, please post the output of this from the Exchange shell.
Run this from SBS:

get-clientaccessserver | fl
get-autodiscovervirtualdirectory | fl
get-exchangecertificate | fl

Did you purchase a UCC/SAN cert and install it on SBS?

thanks
 
calitech (Author) Commented:
Yes, I installed the cert in the trusted group.

I am using RPC/HTTPS but connecting through the LAN.

No, I didn't purchase a cert. I am using the self-signed one that SBS generates. I have been fine so far using that cert.

Here is the printout.

         Welcome to the Exchange Management Shell!

 Full list of cmdlets:          get-command
 Only Exchange cmdlets:         get-excommand
 Cmdlets for a specific role:   get-help -role *UM* or *Mailbox*
 Get general help:              help
 Get help for a cmdlet:         help <cmdlet-name> or <cmdlet-name> -?
 Show quick reference guide:    quickref
 Exchange team blog:            get-exblog
 Show full output for a cmd:    <cmd> | format-list

Tip of the day #19:

If you want to test all IP Block List providers, you just have to pipe the Get-I
pBlockListProvider cmdlet to the Test-IpBlockListProvider cmdlet:

 Get-IpBlockListProvider | Test-IpBlockListProvider -IpAddress 192.168.0.1

[PS] C:\Windows\System32>get-clientaccessserver | fl


Name                           : SBS2008
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBS2008
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://remote.mydomain.com/Autodiscover
                                 /Autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b12341
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SBS2008.domain.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SBS2008,CN=Servers,CN=Exchange Administrati
                                 ve Group (FYDIBOHF23SPDLT),CN=Administrative G
                                 roups,CN=First Organization,CN=Microsoft Excha
                                 nge,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                       : SBS2008
Guid                           : 702a97db-a424-4b7f-adcd-e3ee5346c6
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exc
                                 h-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 8/13/2010 1:45:28 PM
WhenCreated                    : 1/26/2009 11:06:41 AM



[PS] C:\Windows\System32>get-autodiscovervirtualdirectory | fl


Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://SBS2008.domain.local/W3SVC/3/ROOT/A
                                utodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\Clie
                                ntAccess\Autodiscover
Server                        : SBS2008
InternalUrl                   : https://remote.mydomain.com/Autodiscover/
                                Autodiscover.xml
ExternalUrl                   : https://remote.mydomain.com/Autodiscover/
                                Autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,
                                CN=Protocols,CN=SBS2008,CN=Servers,CN=Exchange
                                Administrative Group (FYDIBOHF23SPDLT),CN=Admin
                                istrative Groups,CN=First Organization,CN=Micro
                                soft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                      : SBS2008\Autodiscover (SBS Web Applications)
Guid                          : 44e425e7-4c44-449c-b5b1-4eef798fef89
ObjectCategory                : domain.local/Configuration/Schema/ms-Exch
                                -Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscove
                                rVirtualDirectory}
WhenChanged                   : 2/1/2009 12:35:52 PM
WhenCreated                   : 1/26/2009 11:11:12 AM
OriginatingServer             : SBS2008.domain.local
IsValid                       : True



[PS] C:\Windows\System32>get-exchangecertificate | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008, SBS2008.domain.local, localhost}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Default CA, C=US
NotAfter           : 2/23/2015 8:21:21 AM
NotBefore          : 2/24/2010 8:21:21 AM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 4B45E1354302B3D5
Services           : IMAP, POP
Status             : Unknown
Subject            : CN=SBS2008
Thumbprint         : 555BB5941764036435016BE2D977D45F

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008, SBS2008.domain.local, localhost}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Default CA, C=US
NotAfter           : 2/22/2015 5:06:54 PM
NotBefore          : 2/23/2010 5:06:54 PM
PublicKeySize      : 1024
RootCAType         : Registry
SerialNumber       : 27F8E5F54340DC948A
Services           : IMAP, POP
Status             : Unknown
Subject            : CN=SBS2008
Thumbprint         : CC3CED23450693CCDA00DBC2F01531AC5EA88E23A8F3

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {SBS2008.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 12/15/2010 11:35:23 AM
NotBefore          : 12/15/2009 11:35:23 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 20234569D5000000000008
Services           : IMAP, POP
Status             : Valid
Subject            : CN=SBS2008.domain.local
Thumbprint         : 42A5903A4DEE02483223AD874AE9FE031AE

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {remote.mydomain.com, mydomain.com, SBS2008.ca
                     litech-inc.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 2/1/2011 12:25:31 PM
NotBefore          : 2/1/2009 12:25:31 PM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1EC3254EF0023450000004
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=remote.mydomain.com
Thumbprint         : BEA286207FAC8835D77899E43D36978243547E

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {Sites, SBS2008.domain.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 1/26/2011 10:54:01 AM
NotBefore          : 1/26/2009 10:54:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 6103D7890000000002
Services           : IMAP, POP, SMTP
Status             : Valid
Subject            : CN=Sites
Thumbprint         : E3ADC273545FC1E824353EF0F65FFFDF8FE785

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {domain-SBS2008-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=domain-SBS2008-CA
NotAfter           : 1/26/2014 11:03:26 AM
NotBefore          : 1/26/2009 10:53:26 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 741A116EED30D596423452928A64E1
Services           : None
Status             : Valid
Subject            : CN=domain-SBS2008-CA
Thumbprint         : 742C288D702AAACFCB83451A37C7ECB0878F5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {WMSvc-WIN-SNRV23P3O51}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-WIN-SNRV23P3O51
NotAfter           : 1/24/2019 10:19:01 AM
NotBefore          : 1/26/2009 10:19:01 AM
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 468D57S9699EFAB48d87F56AF66B9D
Services           : None
Status             : Valid
Subject            : CN=WMSvc-WIN-SNRV23P3O51
Thumbprint         : F692C6561C5910204761F725F0B8D0237341F



[PS] C:\Windows\System32>
 
sunnyc7 Commented:
When you ping remote.domain.com, do you get the LAN IP of the SBS server or an external IP?

Did you buy a UCC/SAN cert from GoDaddy/DigiCert?

These certs look like they are issued by SBS.
 
calitech (Author) Commented:
When I ping remote.domain.com I get the external IP.

I didn't purchase any cert for my server. I have been fine till now. I have been using the server one that gets created when you set up SBS.
 
sunnyc7 Commented:
What is your internal FQDN?
Is it
SBS2008.domain.local?
 
calitech (Author) Commented:
No, it really is my company name. I just replaced my name with domain for this post.
 
sunnyc7 Commented:
I just want to make sure that I give the correct commands to reset your Autodiscover URIs.

Replace the appropriate parts:
mail.domain.local - internal FQDN of SBS
mail.domain.com - external FQDN / MX / where you access OWA

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.local/Autodiscover/Autodiscover.xml"

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -ExternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

For Outlook cert issues:
The name on the cert has to match the name on Autodiscover - that is, mail.domain.local.

Hence UCC/SAN certs are preferable to self-signed ones.


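Added example (not part of the original thread and not the posters' code): a PowerShell check of the rule stated in the reply above, that the host name in each Autodiscover URL must appear on the certificate enabled for IIS. `Test-UrlCertCoverage` is a hypothetical helper and the sample records are constructed; in the Exchange Management Shell the `-Certificate` argument would be the output of `Get-ExchangeCertificate`.

```powershell
# Added example; Test-UrlCertCoverage is a hypothetical helper, not an Exchange cmdlet.
function Test-UrlCertCoverage {
    param(
        [object[]] $Certificate,   # records shaped like Get-ExchangeCertificate output
        [string[]] $Url            # Autodiscover / Outlook Anywhere URLs to check
    )
    $now = Get-Date
    # HTTPS clients are shown the certificate enabled for IIS, so only those matter.
    $iisCerts = @($Certificate | Where-Object { "$($_.Services)" -match '\bIIS\b' })
    foreach ($u in $Url) {
        $hostName = ([uri]$u).Host
        # Exact-name comparison (case-insensitive); wildcard names are not handled.
        $covering = @($iisCerts | Where-Object {
            @($_.CertificateDomains | ForEach-Object { "$_" }) -contains $hostName
        })
        $cert = $null; $expired = $null; $issuer = $null
        if ($covering.Count -gt 0) {
            $cert    = $covering[0]
            $expired = $cert.NotAfter -lt $now
            # The client must also trust this issuer (Trusted Root store);
            # a matching name alone does not make the certificate trusted.
            $issuer  = $cert.Issuer
        }
        New-Object PSObject -Property @{
            Url        = $u
            HostName   = $hostName
            NameOnCert = [bool]$cert
            Expired    = $expired
            Issuer     = $issuer
        }
    }
}

# Constructed sample records (names follow the thread's redacted placeholders).
$sample = @(
    New-Object PSObject -Property @{
        CertificateDomains = @('SBS2008.domain.local'); Services = 'IMAP, POP'
        Issuer = 'CN=domain-SBS2008-CA'; NotAfter = (Get-Date).AddYears(1) }
    New-Object PSObject -Property @{
        CertificateDomains = @('remote.mydomain.com', 'mydomain.com')
        Services = 'IMAP, POP, IIS, SMTP'
        Issuer = 'CN=domain-SBS2008-CA'; NotAfter = (Get-Date).AddYears(1) }
)

Test-UrlCertCoverage -Certificate $sample -Url @(
    'https://SBS2008.domain.local/Autodiscover/Autodiscover.xml',
    'https://remote.mydomain.com/Autodiscover/Autodiscover.xml'
) | Format-Table HostName, NameOnCert, Expired, Issuer -AutoSize
```

A row with `NameOnCert` false means Outlook will be sent to a host name that the IIS certificate does not carry; a row with the name present still depends on the client trusting the listed issuer.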
 
calitech (Author) Commented:
I entered the following commands, now what? I tested Outlook and still was not able to get in.
Can I get a RapidSSL?  http://www.ssl247.com/ssl-certificates/brands/rapidssl/


[PS] C:\Windows\System32>Get-ClientAccessServer | Set-ClientAccessServer -AutoDi
scoverServiceInternalUri:"https://SBS2008.domain.local/Autodiscover/Autodi
scover.xml"

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirt
ualDirectory -InternalUrl:"https://SBS2008.domain.local/Autodiscover/Autod
iscover.xml"

[PS] C:\Windows\System32>Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirt
ualDirectory -ExternalUrl:"https://remote.mydomain.com/Autodiscover/Autodi
scover.xml"
WARNING: The command completed successfully but no settings of
'SBS2008\Autodiscover (SBS Web Applications)' have been modified.
[PS] C:\Windows\System32>
 
Rob Williams Commented:
>>"Can I get a RapidSSL?"
Yes, but RapidSSL is now owned by Symantec. I would recommend a GoDaddy.com certificate, which is also a little cheaper.
http://blogs.technet.com/b/sbs/archive/2009/02/11/sean-daniel-how-to-install-a-godaddy-certificate-on-sbs-2008.aspx
 
calitech (Author) Commented:
I guess I need to buy a cert for this to work.