AremP asked:

SBS 2011 Exchange activesync/autodiscover SSL problem

I just migrated from SBS 2003 to SBS 2011 and I'm having autodiscover issues with my Outlook over HTTP.  OWA works fine and local email works fine, but when any user tries to access their Outlook over HTTP, they get an autodiscover.domain.com certificate error.  When I viewed the certificate, it isn't the right certificate for my network.  It shows the CN name of a website associated with the domain instead of my remote.domain.com.  Below is the textexchange log:




      Connectivity Test Successful
 
Test Details
      Attempting the Autodiscover and Exchange ActiveSync test (if requested).
       Autodiscover was successfully tested for Exchange ActiveSync.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service was tested successfully.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://samcc.org/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name samcc.org in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host samcc.org to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       Host name samcc.org doesn't match any name found on the server certificate CN=new.thebelfordgroup.com, OU=Domain Control Validated, O=new.thebelfordgroup.com.

      Attempting to test potential Autodiscover URL https://autodiscover.samcc.org/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.samcc.org in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host autodiscover.samcc.org to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Test Steps
       
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.samcc.org in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 80 on host autodiscover.samcc.org to ensure it's listening and open.
       The port was opened successfully.
      ExRCA is checking the host autodiscover.samcc.org for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
       
      Additional Details
       A Web exception occurred because an HTTP 404 - NotFound response was received from IIS6.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       ExRCA successfully contacted the Autodiscover service using the DNS SRV redirect method.
       
      Test Steps

I bolded the two portions of this log that I think are relevant.

I have created a SRV record in my public DNS as well.  For some reason Outlook over HTTP is using this goofy certificate.  How do I make it use the correct one?

adiloadilo

Configure an external SSL certificate and reinstall it on your IIS server on Exchange.

https://www.digicert.com/easy-csr/exchange2010.htm

As for the error:

 A Web exception occurred because an HTTP 404 - NotFound response was received from IIS6.

Outlook cannot find your Autodiscover XML file. You have to regenerate that folder.

AremP (ASKER)

I have an external SSL certificate I created with Windows PKI.

What do you mean "regenerate that folder"?  I have an autodiscover folder inside of IIS.
I guess you missed adding that host name to your SSL certificate SAN.

As for the autodiscover folder, it may be corrupted.

Try recreating it with:

New-AutodiscoverVirtualDirectory -Websitename <websitename> -BasicAuthentication:$true -WindowsAuthentication:$true
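
The name check that fails in the ExRCA log above, and the SAN point raised in this reply, as an added example that is not part of the original thread: it lists the HTTPS hosts tried for an SMTP domain and reports which of them a certificate's names do not cover. The function names and the `remote.samcc.org` certificate are constructed for illustration; the log shows only a CN, so the first case assumes no SAN entries.

```python
# Added example (not from the thread): certificate-name coverage for the
# Autodiscover hosts a client tries over HTTPS, as seen in the ExRCA log.

def autodiscover_hosts(smtp_domain):
    """HTTPS hosts tried for user@smtp_domain, in the order the log shows."""
    d = smtp_domain.lower().rstrip(".")
    return [d, "autodiscover." + d]

def name_matches(host, pattern):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard ("*.org" is refused)
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p

def check_certificate(smtp_domain, subject_cn, san_dns_names):
    """Return {host: matching certificate name or None} per candidate host."""
    # Per RFC 6125, when SAN DNS names are present the CN is not consulted.
    names = list(san_dns_names) if san_dns_names else [subject_cn]
    return {
        host: next((n for n in names if name_matches(host, n)), None)
        for host in autodiscover_hosts(smtp_domain)
    }

def missing_names(smtp_domain, subject_cn, san_dns_names):
    """Hosts that would raise a name-mismatch warning with this certificate."""
    checked = check_certificate(smtp_domain, subject_cn, san_dns_names)
    return [host for host, match in checked.items() if match is None]

if __name__ == "__main__":
    # Certificate from the log: CN only (assumed: no SAN entries).
    print(missing_names("samcc.org", "new.thebelfordgroup.com", []))
    # Constructed certificate: SBS-style remote name plus an autodiscover SAN.
    print(missing_names("samcc.org", "remote.samcc.org",
                        ["remote.samcc.org", "autodiscover.samcc.org"]))
```
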

ASKER CERTIFIED SOLUTION
AremP

This solution is only available to members.

AremP (ASKER)

resolved

elmbrook

AremP: I have the exact same setup (SBS 2011) and I'm getting the same error.  Can you explain what you did to fix it? This is driving me crazy.

SBS 2011 created a self-signed SSL cert which is using remote.company.co.nz.  Internal Outlook clients work fine, but RPC over the internet does not work and I get the mismatch SSL cert error.

Any help would be great.
Thank you.