Solved

Outlook certificate prompt

Posted on 2011-09-18
28
714 Views
Last Modified: 2012-05-12
Have a 2008 SBS server with XP, Vista and 7 computers, all patched, simple network setup. One user on the network, when opening Outlook 2010, is prompted by a security alert stating that the certificate name is invalid. 2003 and 2007 Outlook users do not get this error. I do not know if the other 2010 user gets this message but have heard no complaints. We have a GoDaddy cert on the server. When I view the cert on the problem machine, the cert does not match the GoDaddy cert we are supposedly using. How do I fix this without breaking it for the rest of the users? This is a clean load of Win7 Pro and Office 2010, by the way.

Thanks,

MCT
Question by:madcitytechs
28 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36556693
What sort of Cert did you install on the SBS 2008 server when it was installed?

Was it a SAN / UCC SSL cert and were the following names included in the cert?

remote.externaldomain.com (or whatever you chose)
autodiscover.externaldomain.com
internalservername.internaldomain.local
internalservername
sites

Did you also configure an A record in your External Domain's Control Panel?
0
 

Author Comment

by:madcitytechs
ID: 36556710
Not sure what type of SSL except that it was the cheaper one or default. When I run get-exchangecertificate I get:
IP..S      CN=tce1.externaldomain.com
IP.WS      CN=tce1.externaldomain.com
.......S      CN=tce2externaldomain.com
IP..S      CN=tce1.externaldomain.com
........      CN=WMSvc-WIN-NP04MONWLDA
IP..S      CN=tce1.externaldomain.com
.....      CN=TCE2.tc.local
....S      CN=Sites
.....      CN=tc-TCE2-CA

The actual machine name is tce2 but the cert was created with the old server name tce1.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36556740
Okay - if you want to get rid of all the Cert errors and have Activesync / OWA / Remote Web Workplace etc. work, you would be well advised to buy a SAN / UCC SSL certificate (multi-name) with a minimum of 5 names. GoDaddy are about the cheapest, but a GoDaddy Reseller account is even cheaper!!

If you install one of these SAN / UCC certs on the server, then the errors should go away.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36556767
Please have a read of the following article, specifically the limitations of the self-signed certificate:

http://technet.microsoft.com/en-us/library/bb851554(EXCHG.80).aspx
0
 

Author Comment

by:madcitytechs
ID: 36557147
We have a paid cert on the server. Signed by godaddy.  I need to know why one particular outlook client (2010) is looking at the wrong cert. (cleanly loaded, and only client on network with issue.) (some random numbered cert like 523444234455)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557162
I understand your question.  Until you put the correct certificate on the server, you are going to have certificate errors.

My Exchange server, and those of my customers have the correctly named certificate and not a single certificate error out of some 400+ clients.

You can ignore the problem and try to fix this by fudging a solution or you can tackle the cause of the problem - the wrong type of certificate with the wrong names in it - it's your call.
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 36557468
Do you have OWA enabled? You can get the right cert from OWA and install it to the problem machine then check to see if outlook is still having a problem.  Check the cert via OWA on other systems as well to make sure you are getting the same certificate.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557493
How exactly is that going to help?
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 36557509
How else is the user going to confirm the right certificate is being served with the connection? Exchange automatically provides IIS with the correct certificate which can be installed to the system by hitting OWA.
0
 

Author Comment

by:madcitytechs
ID: 36557516
Didn't mean to start an argument. I presumed that because the other machines aren't having problems, OWA and RWW work and have the correct cert listed, that I had the correct cert installed properly.

I will check your solution, Wolf.
0
 

Author Comment

by:madcitytechs
ID: 36557533
Confirmed OWA shows the wrong cert from the user's computer. If I go to OWA from any other computer it shows the GoDaddy one.

This machine is a clean load with a fresh 2010 install.  What now?
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 36557580
When you run get-exchangecertificate from the CLI, how many different certificates show as being installed? You really only want one SAN certificate. If you show more than one certificate I would suggest deleting all but the GoDaddy certificate and resetting the associations of the services to the remaining certificate.
0
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 36557613
Check this out
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26926886.html

If you check OWA on a system where Outlook is working correctly and it's right, then you may be having a DNS issue with the affected PC. It's not Outlook but name resolution. Is the machine joined to the domain? Is your Exchange server also a domain controller? In your TCP settings do you have any DNS registration set or search domains?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557709
What is the result of the following exchange management shell command on the SBS server:

get-exchangecertificate | fl certificatedomains
0

Author Comment

by:madcitytechs
ID: 36557732
The new SBS (DC and Exchange) is named tce2 and the old SBS server (decommissioned but still online for old software) was named tce1. The person that ordered the cert put in the old domain name tce1.x.net.

[PS] C:\Windows\System32>get-exchangecertificate | fl certificatedomains
CertificateDomains : {tce1.x.net, x.net, TCE2.tc.local}
CertificateDomains : {tce1.x.net, www.tce1.x.net}
CertificateDomains : {tce2.x.net, x.net, TCE2.tc.local}
CertificateDomains : {tce1.x.net, www.tce1.x.net}
CertificateDomains : {WMSvc-WIN-NP04MONWLDA}
CertificateDomains : {tce1.x.net, x.net, TCE2.tc.local}
CertificateDomains : {TCE2.tc.local}
CertificateDomains : {Sites, TCE2.tc.local}
CertificateDomains : {tc-TCE2-CA}
[PS] C:\Windows\System32>
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557752
Okay - so it looks like you only have the following names in your certificate from GoDaddy:

tce1.x.net, www.tce1.x.net

So - as I have mentioned before, you don't have all the right names included in your certificate, so you are going to get errors.

Please open up IIS manager, Click on your servername and then in the middle window, double-click on Server Certificates.

Click on your Purchased certificate and click on View.

Click on the details Tab and scroll down to Subject Alternative Names and click onto it.

What names are displayed?
0
 

Author Comment

by:madcitytechs
ID: 36557763
CN = tce1.x.net
OU = Domain Control Validated
O = tce1.x.net

I have two godaddy certs listed in this area with different thumbprints. Same info in subject for both and expiration is the same.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557770
Okay - so your cert names are not correct and this will be causing your errors.

You don't have Autodiscover configured, so I would imagine that Out Of Office won't be working for Outlook 2007 / 2010 users too.  Can you confirm this please.
0
 

Author Comment

by:madcitytechs
ID: 36557784
Out of Office is sending me replies when I enabled it in OWA for the admin account. When I try to enable it on the afflicted user (2010) it says server not available.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557797
Okay - point being that you can't enable it in Outlook for 2007 / 2010 users.  Setting this in OWA is always going to work unless OWA doesn't work.

Can you also run the Test Email Autoconfiguration test please.

Hold down the Left-Hand CTRL key and then Right-Click on the Outlook System Tray Icon, then release the CTRL key and select Test Email Autoconfiguration.

Untick the Guessmart boxes and then fill in the email address and password for a user and click on Test.

Does it complete happily or fail?  (I know which I think it is going to do!!)
0
 

Author Comment

by:madcitytechs
ID: 36557800
Unticking Guessmart, I get "autoconfiguration was unable to determine your settings."
0
 

Author Comment

by:madcitytechs
ID: 36557802
Says autodiscover failed in the log.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557805
Okay - so Autodiscover doesn't work, Out Of Office doesn't work from within Outlook and you are getting certificate errors when opening Outlook.

Please now refer back to my very first comment.  This will solve all of these issues in one fell swoop.  Buy the correct SSL certificate (a SAN / UCC not a Single Name SSL cert) and case closed.

Do you now understand why I keep banging on about the certificate?
0
 

Author Comment

by:madcitytechs
ID: 36557809
Well, I see the issues you have laid out, but I don't understand the difference between what I bought and what I need. I will review what you have posted previously. I have purchased these certs for other users with the same setup and haven't had the issue. I will need to look at the cert on GoDaddy and see what I can do about getting a different one.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36557821
What you have bought appears to be a Single name SSL Certificate, which would work with Exchange 2003, but not with Exchange 2007 / 2010.

For Exchange 2007 / 2010, you need a Multi-Name SSL certificate so that ALL aspects of Exchange can work properly.

Out Of Office relies upon Autodiscover to find the server and in addition to the SSL Cert, you need either an A record in DNS pointing to the IP Address of your server, or an SRV record pointing to your server.

If Autodiscover is configured properly and you have autodiscover.externaldomain.com in the SSL cert names, then Out Of Office will work, the downloading of Global Address Lists will work and the Outlook Test Email Autoconfiguration test will pass.

With the right certificate, Activesync will also work - which I would imagine this currently doesn't work, or you aren't using it.

If you bought a Single Name SSL cert from GoDaddy, you will need to purchase a Multi-Name cert with no more than 5 names included - they won't be able to convert the current cert to a multi name one (as far as I know).

Once you have purchased, requested, authorised, downloaded, imported and enabled the correctly named SSL cert, then everything will work and you won't have any Cert errors opening Outlook.

If you have done this before with other servers, you haven't done this correctly up to now and you now have the chance to correct these mistakes :)

Sorry.
0
 

Author Comment

by:madcitytechs
ID: 36557833
Thanks for your input. I will have to look into the purchase tomorrow. So is it that the cert doesn't have the capability to match my autodiscover URL? When I run

http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/

I get the https://tce1.x.net/autodiscovery.....xml

So it looks like Exchange is fine?
0
 

Author Comment

by:madcitytechs
ID: 36557838
Oops, wrong clipboard, lol. Getting late.

Meant to post:
Get-ClientAccessServer -Identity CASServer | FL

0
 
LVL 76

Accepted Solution

by:Alan Hardisty (earned 500 total points)
ID: 36557852
The cert you currently have doesn't meet the needs of Exchange 2007.

As already stated - you need the following names:

remote.externaldomain.com (for OWA / Remote Web Workplace / Activesync)
autodiscover.externaldomain.com (for Out Of Office / Activesync / Outlook account auto-configuration)
internalservername.internaldomain.local (for internal resolution within Outlook when on-site)
internalservername (as above)
sites (to match sites in IIS which is only present in SBS)

Exchange is most probably working perfectly well - but because the cert isn't correct, various aspects of it won't work properly and this is why you are having the errors that this question is about plus the issues I have highlighted for you with the tests I asked you to perform.

It's 2:15am for me now - so time to head to bed.  Back in the morning if you have any further questions.

Alan
0
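The check Alan walks the asker through by hand (compare the names in each installed certificate against the five names Exchange on SBS needs) can be automated against the text that `get-exchangecertificate | fl certificatedomains` printed earlier in this thread. The following is an added example, not code from the thread or from anyone in it: it parses that output format, applies the usual TLS hostname-matching rules (case-insensitive, a wildcard only in the leftmost label matching exactly one label, which the thread does not discuss), and reports which required names each certificate lacks. The external domain `x.net`, internal FQDN `TCE2.tc.local` and short name `TCE2` are taken from the thread; `required_names`, `parse_certificate_domains`, `name_matches` and `audit` are names chosen for this example.

```python
"""Audit Exchange certificate names against what Outlook/Autodiscover need.

Added example, not from the thread. Parses the text that
"Get-ExchangeCertificate | fl certificatedomains" prints and reports, per
certificate, which of the five names Alan lists are missing.
"""
import re

# Constructed sample: the output the asker pasted in the thread.
SAMPLE_OUTPUT = """
[PS] C:\\Windows\\System32>get-exchangecertificate | fl certificatedomains
CertificateDomains : {tce1.x.net, x.net, TCE2.tc.local}
CertificateDomains : {tce1.x.net, www.tce1.x.net}
CertificateDomains : {tce2.x.net, x.net, TCE2.tc.local}
CertificateDomains : {tce1.x.net, www.tce1.x.net}
CertificateDomains : {WMSvc-WIN-NP04MONWLDA}
CertificateDomains : {tce1.x.net, x.net, TCE2.tc.local}
CertificateDomains : {TCE2.tc.local}
CertificateDomains : {Sites, TCE2.tc.local}
CertificateDomains : {tc-TCE2-CA}
[PS] C:\\Windows\\System32>
"""


def required_names(external_domain, internal_fqdn):
    """The five names a SAN/UCC cert for SBS 2008 / Exchange 2007 needs,
    mapped to the feature each one serves (as listed in the thread)."""
    server = internal_fqdn.split(".")[0]
    return {
        f"remote.{external_domain}": "OWA / Remote Web Workplace / ActiveSync",
        f"autodiscover.{external_domain}": "Out Of Office / auto-configuration",
        internal_fqdn: "internal Outlook connections (FQDN)",
        server: "internal Outlook connections (short name)",
        "sites": "the 'Sites' site in IIS on SBS",
    }


_LINE = re.compile(r"^\s*CertificateDomains\s*:\s*\{(.*)\}\s*$")


def parse_certificate_domains(text):
    """Return one list of names per certificate, in the order printed.
    Lines that are not 'CertificateDomains : {...}' (prompts, blanks) are ignored."""
    certs = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            certs.append([n.strip() for n in m.group(1).split(",") if n.strip()])
    return certs


def name_matches(cert_name, wanted):
    """Hostname match as TLS clients do it: case-insensitive, and a '*' only
    in the leftmost label, standing for exactly one label (so *.x.net covers
    remote.x.net but not a.b.x.net or x.net itself)."""
    cert_name, wanted = cert_name.lower(), wanted.lower()
    if cert_name == wanted:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                     # e.g. ".x.net"
        head, sep, rest = wanted.partition(".")
        return sep == "." and head != "" and "." + rest == suffix
    return False


def missing_names(cert_names, required):
    """Required names that no name in the certificate covers."""
    return [name for name in required
            if not any(name_matches(c, name) for c in cert_names)]


def audit(text, required):
    """Per certificate in the pasted output: (its names, missing required names)."""
    return [(names, missing_names(names, required))
            for names in parse_certificate_domains(text)]


def covering_certificates(text, required):
    """Indexes of certificates that carry every required name."""
    return [i for i, (_, missing) in enumerate(audit(text, required)) if not missing]


if __name__ == "__main__":
    req = required_names("x.net", "TCE2.tc.local")
    for i, (names, missing) in enumerate(audit(SAMPLE_OUTPUT, req)):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"cert {i}: {{{', '.join(names)}}} -> {status}")
    print("certificates covering all names:", covering_certificates(SAMPLE_OUTPUT, req))
```

Run against the thread's output, every certificate comes back with at least one missing name and the GoDaddy one (index 1, `tce1.x.net`/`www.tce1.x.net`) is missing all five, which is the conclusion Alan reaches by reading the list. To reuse the check on another server, paste the shell output in place of the constructed sample and pass that server's external domain and internal FQDN to `required_names`.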