Solved

Exchange 2010 autodiscover security certificate

Posted on 2011-10-03
Last Modified: 2012-05-12
We have been running Exchange 2010 for about a year with no trouble. All of a sudden when we open Outlook we get a Security Alert pop up stating the autodiscover.domain.com, the name on the security certificate is invalid or does not match the name of the site. Everything looks correct on the server, why is this happening and how do I fix it? certificate-error.pdf
Question by:clifford_m71
13 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36903991
Is your SSL certificate a SAN / UCC (Multi-Name) SSL certificate with the following names included:

mail.externaldomain.com (or whichever FQDN you prefer to use)
autodiscover.externaldomain.com
internalservername.internaldomainname.local
internalservername

Without those names - you will get certificate errors.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36904059
Your certificate expired in 2010; how can you say it was working?

Also, how is it showing notyourdomain.com? Is this your certificate?

0
 

Author Comment

by:clifford_m71
ID: 36904075
I should have mentioned, when I view the certificate it is absolutely not our domain. Our domain is registered with GoDaddy, the one that shows up with this error message is registered with Equifax.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36904083
Yes, I noticed this, thus my question....

Are you having these warnings internally or from outside the organization?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 36904084
Where does autodiscover.domain.com point to? Does it point to your server?

Does your Firewall / Router use an SSL cert issued by Equifax?

Is your firewall grabbing port 443 for itself for remote management?
0
 
LVL 6

Expert Comment

by:Vipin Vasudevan
ID: 36904153
Try to get the Exchange server certificate by running "Get-ExchangeCertificate | fl" on the CAS server.

Or in the EMC, go to Server Configuration and check the assigned certificate for IIS, SMTP and others as required.

Are you getting the proper certificate on web access?

Is it happening from internal or external access?
0
 

Author Comment

by:clifford_m71
ID: 36905465
Thanks for the responses. I will try to answer all of your questions. As I had mentioned, this was all working great a couple of weeks ago.

The correct certificate is from GoDaddy and is a UCC/SAN certificate with all the correct names. The correct certificate is good until 2014, but somehow Outlook is not seeing that certificate anymore. The warnings are internal and are not really affecting anything. It is simply an annoyance having the error message pop up every time you open Outlook. Also, since Autodiscover does not work anymore, when I set up a new mailbox I have to manually enter the information on the client side. Web access is working fine with the correct cert and when I run Get-ExchangeCertificate | fl all looks good.

Our firewall does not use 443 for management and there is no cert attached to it.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 664 total points
ID: 36905566
Do you have Autodiscover.domain.com configured in DNS externally?
0
 
LVL 49

Accepted Solution

by:Akhater
Akhater earned 668 total points
ID: 36906343
You didn't answer my question: are you having these warnings internally or from outside the organization?

Also, from a computer you are working on, remove any proxy settings from IE and test again.

Also, from a computer giving this warning, run nslookup autodiscover.yourdomain.com and make sure it returns the correct IP.
0
 

Author Comment

by:clifford_m71
ID: 36910775
In my previous post I did state that the problem was internal. I said that because OWA is working fine and the only time I see the autodiscover error is when I am in Outlook on the local network. That being said, I did an nslookup and the reply was the server name and IP of our domain controller/dns server and the Non-Authoritative answer is the public IP of our website, not our exchange server. Our website is hosted offsite, our exchange server is internal.

Just a little more info. When I do an nslookup of mail.mydomain.com I get the server name and IP of our DC/DNS server and the internal IP of our Exchange Server.

Whenever I deal with DNS I get a headache.....I hope this means something to one of you.

Thanks!

0
 
LVL 6

Assisted Solution

by:Vipin Vasudevan
Vipin Vasudevan earned 668 total points
ID: 36911205
Do you have an autodiscover.<yourdomain.com> mapped to your CAS server?

As per your latest post, when you do an nslookup of autodiscover.<yourdomain.com>, it is going to the public IP of your website.

Do you have an entry for Autodiscover.<yourdomain.com> in public DNS (which may be causing this issue)?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 36912269
Well, as a start you should point autodiscover.domain.com to your Exchange 2010 server on your internal DNS. Also, did you try to remove proxy settings from IE as I suggested?
0
 

Author Closing Comment

by:clifford_m71
ID: 36918629
Thank you gentlemen. I had never set up autodiscover externally and never had a problem with it. All of my Outlook 2010 clients seemed to be working fine but my 2007 couldn't use their Out Of Office Assistant. Now they can and I realize that's because of Autodiscover. Learn something new every day! I can also see the online archive in 2007.

As far as to why we never had this certificate error before I do not know but now that I have configured autodiscover on both internal and external DNS the error is gone. I am awarding points to all of you because each pointed me in the right direction. Thank you.
0
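
The diagnosis in this thread comes down to two checks: what autodiscover resolves to on the affected client, and which certificate that host presents. As an added example (not part of the original thread), the PowerShell function below performs both and reports whether the certificate covers the name; the function name and the example.com hostnames are placeholders.

```powershell
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    # 1. What does this client's DNS return for the name?
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName)

    # 2. Connect and capture whatever certificate that endpoint presents.
    #    The callback accepts any certificate so a mismatched one can be inspected.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # 3. Names the certificate covers (Subject Alternative Name, OID 2.5.29.17).
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @($san.Format($false) -split ',\s*' |
            ForEach-Object { ($_ -replace '^(DNS Name=|DNS:)', '').Trim() })
    }

    # 4. Exact match, or a wildcard entry covering exactly one leading label.
    $match = $names | Where-Object {
        $_ -ieq $HostName -or
        ($_.StartsWith('*.') -and
         $HostName -imatch ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
    }

    [pscustomobject]@{
        HostName    = $HostName
        ResolvedTo  = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ', '
        Issuer      = $cert.Issuer
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        SanNames    = $names -join ', '
        NameMatches = [bool]$match
        Expired     = $cert.NotAfter -lt (Get-Date)
    }
}

# Run on an affected client; hostnames are placeholders. Compare the two results.
'autodiscover.example.com', 'mail.example.com' |
    ForEach-Object { Get-PresentedCertificate -HostName $_ } | Format-List
```

The function connects directly and does not use any proxy configured in IE, so a result that differs from what Outlook reports points back at the proxy settings raised in the thread.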
