Solved

Outlook 2007 keeps asking for password and autodiscover has wrong certificate information

Posted on 2011-03-23
Last Modified: 2012-05-11
Hello all:

I have been having a very perplexing problem for the last few months and cannot figure out how to resolve it.  I have a small office network running SBS 2008 with Exchange Server 2007 and Outlook 2007 as my client.  Whenever we open Outlook, we are prompted for the password.  If we enter the password, the dialog box reappears.  This happens several times before it goes away.  Then the autodiscover dialog box appears (autodiscover.mydomain.com) with an X next to 'The name on the security certificate is invalid or does not match the name of the site'.  If I View Certificate, it shows issued to *.startlogic.com (the name of our web hosting company).

Just to give you a few more details:

For example purposes,  the name of our hosted website is www.capitalfinancial.com.

The name of my domain is CAPITAL, with my domain controller being server.capital.local

To access our email remotely, we use https://remote.capitalfinancial.com.  This works remotely via a browser (and even our iPhones - go figure!), however if I try to access it using Outlook, I get the same issue as if I am in the office (which is the popups and autodiscover error).  I thought it was an issue with the certificate expiring (as some sites suggest), but my certificate isn't due to expire until another year.  I also called startlogic, but they couldn't help me, saying it was an issue with my domain.

Can someone please help me resolve this issue?  I am at my wits end and can't figure out what to do.  Also, as I am not a very experienced Exchange user  (especially when it comes to the certificates for 2007 as well as the Exchange console), please leave me detailed information.  I think I need a lot of handholding with this one.

Many thanks!

jocasio
Question by:Juan Ocasio
19 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 400 total points
ID: 35203617
First thing to do is check options 1 and 3 of my article here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2300-Outlook-continually-prompting-for-username-and-password.html

The article says to use service Pack 2 but you should be using Service Pack 3 now for Exchange 2007.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35203681
You have a certificate issue: you have a wildcard certificate and you need a simple UCC certificate. This should contain the hostname autodiscover.mydomain.com, the internal FQDN, external.mydomain.com, and the NetBIOS name of your SBS server.

I must note that depending on your skill level you actually don't need a UCC certificate to complete the task at hand, and if you are confident you can follow this link on what changes to make to get around the issue you're having. Microsoft have a whitepaper on the issue you're having and what to do to get around this.

http://technet.microsoft.com/en-us/library/bb332063%28EXCHG.80%29.aspx#Scenario2

The following MS KB article also points out what needs to be changed on the back end based on your scenario too. http://support.microsoft.com/?kbid=940726

I would point out, further to demazter's suggestions, to install Exchange 2007 SP3. However, remember to ensure you have a full system backup / image before installing this.

Attached is a link for further reading to be prepared if things don't appear to be working as expected following the installation.

http://support.microsoft.com/kb/982423

Hope this helps and let us know how you get on.
 
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35203700
The problem is not the SSL certificate, it's the autodiscover records.  It's very common.  It's looking up your domain name and getting a certificate from your hosting provider.

Try my article first and if that doesn't fix it we can look at configuring your DNS properly.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35203820
Configuring DNS can get around the DNS rewrite issue, as it's affecting internal clients only. Also, the web directories need to be set up correctly; problem solved.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35203843
No, it's not. Outlook will use the SCP record internally to locate the autodiscover services; as long as SBS hasn't been "modified" this will work.

I've seen this issue literally hundreds of times, and if my article doesn't fix it, then it's either a DNS issue or an SSL issue (expired or wrong name).
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35204076
Thanks all.  I will look at the other posts and see if I can get it to work.  I'm a bit worried about updating to SP3 however.  Is it pretty straightforward?  I do not currently have a backup solution on this server, so I'm not sure if I'll be able to back it up.  Is this a crazy idea?  Should I be worried about something going wrong?  Why would I want to 'roll back' the SP3?  Also, can I just update using Exchange 2007 SP3 even though the Exchange I have is a part of the SBS package?  I know, dumb questions, but Exchange server is not my forte.

Thanks!
0
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 100 total points
ID: 35204122
Jocasio,

First of all, you need a portable USB hard drive and to enable the feature Server Backup. You then need to take a full backup of your server to the USB drive; be aware that the server will format it, so save anything you need off it before you proceed.

Exchange SP3 can be installed safely on SBS 2008, just download and install - be patient and don't interrupt the install. During installation your mail delivery will be disrupted and users will not be able to access their mail, so weekend or out of hours may be your best window to update Exchange.

Should anything go wrong you can use the original SBS DVD and restore the server backup from the USB drive back onto your metal.

I doubt you should have anything to be concerned about, just have a good backup. Get some time late at night or at the weekend and complete the service pack. Finally, remember to reboot the server and not leave the server in a state where it's pending a reboot.

Best of luck!
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35204663
>>I'm a bit worried about updating to SP3 however.  Is it pretty straight forward?

Yes, just download and install, I've not seen one fail yet. And yes you can still use it on SBS2008.
0
 
LVL 31

Expert Comment

by:MegaNuk3
ID: 35204922
I'll watch this one to see how it pans out.
Install Exchange 2007 SP3 and go from there (as per demazter's comment); this will sort out a lot of cert/password prompts.
0

 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35205836
Thanks again all!

I greatly appreciate your time and efforts in trying to assist me.  I will be tackling this in the very near future and I'll let you all know how it works out.

And of course, any new info is always greatly appreciated!

Thanks again.
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35211323
OK.  So here is what I've done so far:

Backed up the server.
Installed SP3

I've noticed that the issue has gone away while connected locally.  Well, I think this is the case.  I am remote, but connect via VPN.  If I log on to my Outlook, it does connect and now the autodiscover test is successful.  However, if I try to connect remotely (using https://remote.capitalfinancial.com) using Outlook I still get prompted.  Also, the autodiscover test fails when I do this.  Is this by design?  I'm also still getting certificate pop-ups with my website host (*.startlogic.com) in it.

Any other insight would be greatly appreciated!
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35211344
You getting the certificate request from outside?

Do you have an autodiscover.domainname.com A record in your external DNS? If not you need one.
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35211447
demazter:

Yes, from outside.  And I think I just had a major revelation.  These two issues (the continuous prompting and the certificate) are not related to one another.  I know, Duh... But it looks like the prompting issue is corrected but the certificate issue is still present.  This would probably also explain why I can no longer connect to any of my computers remotely using Remote Workplace...

So I need an autodiscover.domainname.com A record, huh...  Can you kindly explain to me (in as much detail as possible) how to do that?  I will also look at my DNS now to see if it's there, but it would be great to have the instruction anyway.

Many thanks for your assistance!
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35211456
Oh, BTW where would my 'external' DNS be?  Would that be with my web host? or a section on my internal DNS?
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35211508
OK, so I added the autodiscover.capitalfinancial.com A record to my web host's DNS.  I'll wait a bit to test it out.  Stupid thing:  The certificate error came up again and I clicked OK (I think I accepted it).  Is there a way to remove it?  Or should I worry about it?

Thanks again
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 35211653
As a complete tangent (but since the advice in this question has brought you to this point), you should download and install UR2 for Exchange 2007 SP3. The update rollup fixes a specific issue with the companyweb website that SP3 breaks.

And for the record, this is not a criticism of the advice given. SP3 fixes much more than it breaks, was the proper course of action, and from what I can tell, demazter's advice has been spot-on with my own thoughts on the issue. But since SP3 *has* been applied, I just thought I'd save the hassle of opening another question in a few weeks when you run into the few problems that SP3 actually creates. UR2 will avoid that issue (and as always, have a backup!)

-Cliff
0
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35212033
OK.  I think I am 95% there.  When I open Outlook externally now, I receive a Security Alert from autodiscover.capitalfinancial.com.  The error is 'The name on the security certificate is invalid or does not match the name of the site.  Do you want to proceed?'  If I view the certificate, it states the following:

Issued to: remote.capitalfinancial.com
Issued by: capital-SERVER-CA
Valid From 3/24/2011 to 3/23/2013

It gives me an option to install the certificate, which I have done and is successful.  However, every time I open Outlook remotely, I get this security alert.  If I proceed, it goes away.  The good news is now the autodiscover test is working externally.

Any final thoughts are appreciated!
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 35212056
Two choices:

1) Get a UCC cert that includes the domain names for remote.* and autodiscover.*

or

2) Remove the autodiscover A record, any wildcard A records, and create a DNS SRV record that instructs Outlook Autodiscover to use remote.* as its autodiscover URL.

The former is easier, but more expensive. I actually prefer the latter, but it requires that your DNS host supports SRV records.

More info here (including the specifics of creating the SRV record)

http://support.microsoft.com/kb/940881

-Cliff
0
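The name mismatches traced through this thread, and the two options in the comment above, as an added example that is not part of any post here and is not Exchange or Outlook code. The DNS records (including the wildcard A record at the web host), the server labels `webhost` and `sbs`, and the simplified lookup order are assumptions built from the names in the thread; only certificate name matching is modelled, not whether the issuing CA is trusted.

```python
"""Name check for the Autodiscover lookups discussed in this thread (added example)."""

def name_matches(cert_name, host):
    """True if one certificate name covers host; '*' stands for exactly one leftmost label."""
    c, h = cert_name.lower().split("."), host.lower().split(".")
    if len(c) != len(h):
        return False
    return c[1:] == h[1:] and (c[0] == "*" or c[0] == h[0])

def resolve(dns, host):
    """Constructed stand-in for an A lookup: exact record first, then a wildcard record."""
    if host in dns:
        return dns[host]
    return dns.get("*." + host.split(".", 1)[-1])

def autodiscover_check(domain, dns, srv_target, certs):
    """Return (host_contacted, verdict) for the first candidate that resolves.

    Simplified assumption: the client tries autodiscover.<domain> first and only
    falls back to the _autodiscover._tcp SRV target when that name does not resolve.
    """
    for host in ("autodiscover." + domain, srv_target):
        server = resolve(dns, host) if host else None
        if server is None:
            continue
        ok = any(name_matches(n, host) for n in certs[server])
        return host, "ok" if ok else "mismatch: server presents " + ", ".join(certs[server])
    return None, "no autodiscover endpoint found"

# Constructed sample data using the names given in the thread.
DOMAIN = "capitalfinancial.com"
SELF_ISSUED = {"webhost": ["*.startlogic.com"], "sbs": ["remote.capitalfinancial.com"]}
UCC = {"webhost": ["*.startlogic.com"],
       "sbs": ["remote.capitalfinancial.com", "autodiscover.capitalfinancial.com"]}
BASE = {"remote.capitalfinancial.com": "sbs"}

def scenarios():
    wildcard = dict(BASE, **{"*.capitalfinancial.com": "webhost"})
    a_record = dict(wildcard, **{"autodiscover.capitalfinancial.com": "sbs"})
    srv = "remote.capitalfinancial.com"
    return {
        "wildcard A at web host": autodiscover_check(DOMAIN, wildcard, None, SELF_ISSUED),
        "autodiscover A added": autodiscover_check(DOMAIN, a_record, None, SELF_ISSUED),
        "option 1, UCC cert": autodiscover_check(DOMAIN, a_record, None, UCC),
        "option 2, SRV only": autodiscover_check(DOMAIN, BASE, srv, SELF_ISSUED),
    }

if __name__ == "__main__":
    for label, (host, verdict) in scenarios().items():
        print(f"{label:24} {host}: {verdict}")
```
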
 
LVL 14

Author Comment

by:Juan Ocasio
ID: 35222283
Thanks for all the help.  While I still have issues with the certificate (I will look into that later), it is at least working properly now without multiple logon and certificate errors.

I would like to thank all that have contributed, however I am compelled to give out the points to the suggestions I actually used.  This is not discrediting the others, but instead not watering down the points for the posters that helped my situation.

Many thanks again,

jocasio
0
