ctechnologies
asked on
Outlook Anywhere SSL cert error popup
I have to be missing something simple here...
Outlook clients can connect remotely and everything works just fine... except it complains of an SSL certificate problem - but that only shows up about 30 seconds after you've already connected and it is saying the main external domain certificate is not valid. If you just bypass the cert error - Outlook continues to work without any problems.
There is a valid certificate for mail.company.com which is where the 2008 SBS server is located but I do not have a certificate for company.com because that is the web server.
So something is pointing to company.com when it really should be mail.company.com. I've looked around the internal/external URLs and don't see anything wrong there.
I have a multiple domain UCC certificate from GoDaddy with the following subject alt names:
mail.company.com
company.com
server
server.domain.local
Driving me nuts!
thanks for your suggestions!
The issue may be due to wrong Autodiscover configuration. It's possible that your certificate doesn't contain autodiscover.domain.com
Jake is correct
You are missing autodiscover.company.com
Just add that to your SAN CERT and create an external DNS entry pointing auto discover to your exchange environment, and that will solve your issue. If you don't want to do that then what jake said will also work.
ASKER
Thanks, I will try this out tomorrow and let you know!
ASKER
Hmm no luck. I actually had autodiscover.company.com in the cert already and did the external DNS entry that jack suggested. So I just did the SBS Internet setup wizard again, and now I am getting two cert errors:
1. domain.com (when I view the properties of the cert, this one is not my cert)
2. remote.domain.com (when I view the properties of the cert, this one IS pulling up correct cert)
But it is still letting me in and the cert errors don't show up until about 10 seconds after Outlook has already connected.
If you do a Get-ExchangeCertificate from EMC, what do you get for the IIS service? Is it the correct cert or the domain.com cert?
ASKER
It is the correct cert.
Please run these commands in PowerShell and post the results here:
Get-AutodiscoverVirtualDirectory | fl
Get-ClientAccessServer | fl
Also list the CN name and alternative names of your certificate, to make things easy for you.
ASKER
[PS] C:\Users\Support\Desktop>get-autodiscovervirtualdirectory | fl
Name : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://SERVER01.company.local/W3SVC/3/ROOT/Autodiscover
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server : SERVER01
InternalUrl : https://mail.company.org/Autodiscover/Autodiscover.xml
ExternalUrl : https://mail.company.org/Autodiscover/Autodiscover.xml
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SERVER01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : SERVER01\Autodiscover (SBS Web Applications)
Guid : 61231004-af0a-4e05-8272-08d5ef82a1f1
ObjectCategory : company.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged : 12/11/2011 10:54:12 PM
WhenCreated : 12/10/2009 1:31:15 PM
OriginatingServer : SERVER01.company.local
IsValid : True
ASKER
[PS] C:\Users\Support\Desktop>get-clientaccessserver | fl
Name : SERVER01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : SERVER01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.company.org/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
IsValid : True
OriginatingServer : SERVER01.company.local
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=SERVER01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : SERVER01
Guid : d5bc164a-b1bc-49b0-a202-a7f5181d99d9
ObjectCategory : company.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 12/11/2011 10:54:13 PM
WhenCreated : 12/10/2009 1:26:38 PM
Can you check whether the certificate has an alternative name called:
autodiscover.company.com
ASKER
CN: mail.company.org
Alt Names: company.org, server01.company.local, server01, autodiscover.company.org
Good, then you need to do the following to solve your problem:
1- You need to change the external URL:
Set-AutodiscoverVirtualDirectory -Identity "Autodiscover (Default web site)" -ExternalUrl https://autodiscover.company.org/autodiscover/autodiscover.xml -InternalUrl https://server01.company.local/autodiscover/autodiscover.xml
Set-ClientAccessServer -Identity "server01" -AutoDiscoverServiceInternalUri https://server01.domain.local/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "EWS (default web site)" -ExternalUrl https://mail.domain.org/EWS/exchange.asmx -InternalUrl https://server01.domain.local/EWS/webservices.asmx
Go to IIS -> Default Web Site -> application pool -> point to autodiscoverAppPool -> right-click -> Recycle
Restart IIS.
Further assistance:
1- Go to domain control panel -> domain management -> DNS
Check whether an SRV record called autodiscover.company.org exists and points to the static IP of your company; if it does not exist, create an SRV record of type _tcp with the name autodiscover.company.org
Then all will work fine.
To test the results, go to:
www.testexchangeconnectivity.com
This is a trusted Microsoft site; test your configuration there after applying the above (RPC over HTTP).
The problem will be eliminated.
ASKER
Thanks jordannet... unfortunately, I'm still having the same issues :(
- Is there a DNS zone on your SBS 2008 for company.org?
- If yes, then delete it and restart the DNS Client and DNS Server services on the server.
- After that, execute the commands below on the desktop.
ipconfig /flushdns
ipconfig /registerdns
- Then open Outlook. The certificate error should be fixed...
ASKER
Hi Shreedhar,
No dns zone with company.org. :(
ASKER
By the way, testexchangeconnectivity.com passes with no problems.
- Are you still getting the popup in Outlook? If yes, please post a snapshot of the certificate error.
ASKER
The first one that pops up: company.org
ScreenShot017.jpg
ASKER
Actually, that is the only error I am getting.
- As per the error, the security certificate has expired.
- Click on View Certificate > Go to Detail > Scroll Down and copy the Thumbprint
- Go to Exchange Powershell and execute below command Get-ExchangeCertificate | fl
- Does the Thumbprint match the output of Get-ExchangeCertificate???
ASKER
It does not match any of the thumbprints when I run Get-ExchangeCertificate | fl
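The three checks raised so far in this thread (the name shown in the popup, the expiry date, and the thumbprint compared with Get-ExchangeCertificate) can be run together per Autodiscover host. The following is an added example, not code from any poster; the thumbprints, the web certificate's dates and all function names are constructed, while the host names, SAN list and mail certificate validity dates are the ones posted on this page. It goes slightly beyond the thread by also handling wildcard SAN entries.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PresentedCert:
    """Fields read from the certificate a host presents on port 443."""
    subject_cn: str
    san_dns: list
    not_before: datetime
    not_after: datetime
    thumbprint: str  # SHA-1 thumbprint as copied from "View Certificate"


def autodiscover_hosts(email):
    """HTTPS Autodiscover hosts derived from the SMTP domain, root domain first
    (the order in which the ExRCA run on this page tests them)."""
    domain = email.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]


def normalize_thumbprint(text):
    """Keep hex digits only: the GUI shows spaces and a copy can carry
    invisible characters, while the Exchange shell prints bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def name_matches(host, pattern):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern


def audit(host, cert, exchange_thumbprints, now):
    """Return the list of problems with the certificate presented by host."""
    findings = []
    names = cert.san_dns or [cert.subject_cn]
    if not any(name_matches(host, n) for n in names):
        findings.append("NameMismatch")
    if not cert.not_before <= now <= cert.not_after:
        findings.append("NotTimeValid")
    known = {normalize_thumbprint(t) for t in exchange_thumbprints}
    if normalize_thumbprint(cert.thumbprint) not in known:
        # A different server (here: the public web server) answered on 443.
        findings.append("NotAnExchangeCert")
    return findings


def report(email, presented, exchange_thumbprints, now):
    """Audit every Autodiscover host, in lookup order, that has a captured cert."""
    return [(h, audit(h, presented[h], exchange_thumbprints, now))
            for h in autodiscover_hosts(email) if h in presented]


UTC = timezone.utc  # assumption: timestamps treated as UTC
# Constructed stand-in for the thumbprints listed by Get-ExchangeCertificate.
EXCHANGE_THUMBPRINTS = ["BB" * 20]
PRESENTED = {
    # Web server on the root domain; dates and thumbprint are constructed.
    "company.org": PresentedCert(
        "www.company.org", ["www.company.org", "company.org"],
        datetime(2009, 11, 1, tzinfo=UTC), datetime(2011, 11, 1, tzinfo=UTC),
        "\u200e" + " ".join(["aa"] * 20)),
    # Exchange certificate; SANs and validity dates as posted on this page.
    "autodiscover.company.org": PresentedCert(
        "mail.company.org",
        ["mail.company.org", "company.org", "server01.company.local",
         "server01", "autodiscover.company.org"],
        datetime(2011, 12, 10, 21, 50, 55, tzinfo=UTC),
        datetime(2013, 12, 10, 21, 23, 15, tzinfo=UTC),
        "bb " * 20),
}
NOW = datetime(2011, 12, 12, tzinfo=UTC)  # constructed "current" time

if __name__ == "__main__":
    for host, findings in report("user@company.org", PRESENTED,
                                 EXCHANGE_THUMBPRINTS, NOW):
        print(host, findings or "OK")
```

A root-domain host that reports NotAnExchangeCert is being served by something other than the Exchange server, so changing Exchange URLs or certificates will not clear a warning that names that host.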
- Is this popup issue faced by all the Outlook client users?
- Do you have ISA or TMG?
ASKER
Hi Shreedhar,
No ISA or TMG, just basic default installation of 2008 SBS.
The popup only occurs on remote user's setup with Outlook. Users in the office do not have any popups.
Okay..
- Are those remote users accessing Exchange using Outlook Anywhere, or are they connecting using VPN?
- Are those systems domain joined?
ASKER
They are using Outlook Anywhere.
They are not connected to the domain.
- Please post the Test Exchange Connectivity Outlook Anywhere test results...
ASKER
Testing RPC/HTTP connectivity.
The RPC/HTTP test completed successfully.
Test Steps
ExRCA is attempting to test Autodiscover for user@company.org.
Autodiscover was tested successfully.
Test Steps
Autodiscover settings for Outlook Anywhere are being validated.
ExRCA validated the Outlook Anywhere Autodiscover settings.
Attempting to resolve the host name mail.company.org in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host mail.company.org to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Testing HTTP Authentication Methods for URL https://mail.company.org/rpc/rpcproxy.dll.
The HTTP authentication methods are correct.
Additional Details
Testing SSL mutual authentication with the RPC proxy server.
Mutual authentication was verified successfully.
Additional Details
Attempting to ping RPC proxy mail.company.org.
RPC Proxy was pinged successfully.
Additional Details
Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server SERVER01.company.local.
The endpoint was pinged successfully.
Additional Details
Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
The NSPI interface was tested successfully.
Test Steps
Testing the Referral service on the Exchange Mailbox server.
The Referral service was tested successfully.
Test Steps
Testing the Exchange Information Store on the Mailbox server.
ExRCA successfully tested the Information Store.
Test Steps
- Please check the output of this command:
Get-OabVirtualDirectory | fl Server,Name,internalurl,externalurl
Note: Here External and Internal Url has to be https://mail.domain.org/oab
ASKER
I'm trying to do this just as fast as you are asking me the questions. :)
They both say https://mail.company.org/oab
- Please browse https://mail.company.org/owa on the remote user system.
- Do you get any certificate error?
ASKER
Nope, no errors. Ahhh
1. Open Outlook
2. Hold the Control Key and Right click the Outlook Icon in the system tray
3. Select Test Email AutoConfiguration
4. Input the user's email address and credentials (I like to remove the Guessmart and Secure Guessmart Authentication options to narrow the search scope for my needs)
Let's look over the output
Select the Log tab
Post the Log here...
ASKER
ASKER
I must have entered the wrong password the first time. I redid this test and I do not have the "AD lookup for email address failed" message. Everything else is the same.
- Please post the output of get-offlineaddressbook...
ASKER
[PS] C:\Users\Support\Desktop>get-offlineaddressbook | fl
Server : SERVER01
AddressLists : {\Default Global Address List}
Versions : {Version2, Version3, Version4}
IsDefault : True
PublicFolderDatabase : SERVER01\Second Storage Group\Public Folder Database
PublicFolderDistributionEnabled : True
WebDistributionEnabled : True
DiffRetentionPeriod : 30
Schedule : {Sun.5:00 AM-Sun.5:15 AM, Mon.5:00 AM-Mon.5:15 AM, Tue.5:00 AM-Tue.5:15 AM, Wed.5:00 AM-Wed.5:15 AM, Thu.5:00 AM-Thu.5:15 AM, Fri.5:00 AM-Fri.5:15 AM, Sat.5:00 AM-Sat.5:15 AM}
VirtualDirectories : {SERVER01\OAB (SBS Web Applications)}
ExchangeVersion : 0.1 (8.0.535.0)
AdminDisplayName :
Name : Default Offline Address Book
DistinguishedName : CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : \Default Offline Address Book
Guid : 1ff5b91c-7a7b-4c6b-80f0-7bfd4e01439b
ObjectCategory : company.local/Configuration/Schema/ms-Exch-OAB
ObjectClass : {top, msExchOAB}
WhenChanged : 12/10/2009 1:31:16 PM
WhenCreated : 12/10/2009 1:30:19 PM
OriginatingServer : SERVER01.company.local
IsValid : True
- Please post the output of below commands:
get-outlookanywhere | fl
get-WebServicesVirtualDirectory | fl
get-ClientAccessServer | fl
ASKER
[PS] C:\Users\Support\Desktop>get-outlookanywhere | fl
ServerName : SERVER01
SSLOffloading : False
ExternalHostname : mail.company.org
ClientAuthenticationMethod : Basic
IISAuthenticationMethods : {Basic, Ntlm}
MetabasePath : IIS://SERVER01.company.local/W3SVC/3/ROOT/Rpc
Path : C:\Windows\System32\RpcProxy
Server : SERVER01
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Rpc (SBS Web Applications)
DistinguishedName : CN=Rpc (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SERVER01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : SERVER01\Rpc (SBS Web Applications)
Guid : dbaf7107-89c1-4aed-9d18-35f7414e2b6b
ObjectCategory : company.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged : 12/11/2011 10:54:12 PM
WhenCreated : 12/11/2011 10:54:12 PM
OriginatingServer : SERVER01.company.local
IsValid : True
ASKER
[PS] C:\Users\Support\Desktop>get-WebServicesVirtualDirectory | fl
InternalNLBBypassUrl : https://server01.company.local/EWS/Exchange.asmx
Name : EWS (SBS Web Applications)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, Basic}
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://SERVER01.company.local/W3SVC/3/ROOT/EWS
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server : SERVER01
InternalUrl : https://server01.company.local/EWS/webservices.asmx
ExternalUrl : https://mail.company.org/EWS/exchange.asmx
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SERVER01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : SERVER01\EWS (SBS Web Applications)
Guid : b651d090-9058-4b38-85cd-bec8d314a90f
ObjectCategory : company.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged : 12/12/2011 1:14:22 AM
WhenCreated : 12/10/2009 1:31:00 PM
OriginatingServer : SERVER01.company.local
IsValid : True
ASKER
[PS] C:\Users\Support\Desktop>get-ClientAccessServer | fl
Name : SERVER01
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : SERVER01
AutoDiscoverServiceClassName : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://server01.company.local/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope : {Default-First-Site-Name}
IsValid : True
OriginatingServer : SERVER01.company.local
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=SERVER01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=local
Identity : SERVER01
Guid : d5bc164a-b1bc-49b0-a202-a7f5181d99d9
ObjectCategory : company.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 12/11/2011 10:54:13 PM
WhenCreated : 12/10/2009 1:26:38 PM
Set-ClientAccessServer -Identity SERVER01 -AutoDiscoverServiceInternalUri https://mail.company.org/Autodiscover/Autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "SERVER01\EWS (SBS Web Applications)" -InternalUrl https://mail.company.org/EWS/Exchange.asmx -BasicAuthentication:$true
- Execute the above commands and check Outlook.
Note: Change mail.company.org to your original certificate name...
ASKER
Sorry, still getting that error.
try to test your email using :
www.testexchangeconnectivity.com
test outlook anywhere and post the result here
ASKER
Testing RPC/HTTP connectivity.
The RPC/HTTP test completed successfully.
Test Steps
ExRCA is attempting to test Autodiscover for bleonard@company.org.
Autodiscover was tested successfully.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL https://company.org/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name company.org in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 97.74.73.122
Testing TCP port 443 on host company.org to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server company.org on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=www.company.org, OU=Domain Control Validated, O=www.company.org, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name company.org was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
Certificate trust validation failed.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=www.company.org, OU=Domain Control Validated, O=www.company.org.
A certificate chain couldn't be constructed for the certificate.
Additional Details
The certificate chain has errors. Chain status = NotTimeValid.
Attempting to test potential Autodiscover URL https://autodiscover.company.org/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.company.org in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 98.172.43.204
Testing TCP port 443 on host autodiscover.company.org to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.company.org on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.company.org, OU=Domain Control Validated, O=mail.company.org, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.company.org was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.company.org, OU=Domain Control Validated, O=mail.company.org.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 12/10/2011 9:50:55 PM, NotAfter = 12/10/2013 9:23:15 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.org/AutoDiscover/AutoDiscover.xml for user bleonard@company.org.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Beverly Leonard</DisplayName>
<LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
<DeploymentId>fdbcf293-95f
</User>
<Account>
<AccountType>email</Accoun
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>SERVER01.company.l
<ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Confi
<ServerVersion>720180F0</S
<MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Confi
<ASUrl>https://mail.company.org/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://mail.company.org/EWS/Exchange.asmx</OOFUrl>
<OABUrl>https://mail.company.org/OAB/1ff5b91c-7a7b-4c6b-80f0-7bfd4e01439b/</OABUrl>
<UMUrl>https://mail.company.org/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</Director
<ReferralPort>0</ReferralP
<PublicFolderServer>SERVER
<AD>SERVER01.company.local
<EwsUrl>https://mail.company.org/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.company.org</
<ASUrl>https://mail.company.org/EWS/exchange.asmx</ASUrl>
<OOFUrl>https://mail.company.org/EWS/exchange.asmx</OOFUrl>
<OABUrl>https://mail.company.org/OAB/1ff5b91c-7a7b-4c6b-80f0-7bfd4e01439b/</OABUrl>
<UMUrl>https://mail.company.org/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</Director
<ReferralPort>0</ReferralP
<SSL>On</SSL>
<AuthPackage>Basic</AuthPa
<EwsUrl>https://mail.company.org/EWS/exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</Director
<ReferralPort>0</ReferralP
<External>
<OWAUrl AuthenticationMethod="Fba"
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.company.org/EWS/exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basi
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://mail.company.org/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
Autodiscover settings for Outlook Anywhere are being validated.
ExRCA validated the Outlook Anywhere Autodiscover settings.
Attempting to resolve the host name mail.company.org in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 98.172.43.204
Testing TCP port 443 on host mail.company.org to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server mail.company.org on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.company.org, OU=Domain Control Validated, O=mail.company.org, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.company.org was found in the Certificate Subject Common name.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.company.org, OU=Domain Control Validated, O=mail.company.org.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 12/10/2011 9:50:55 PM, NotAfter = 12/10/2013 9:23:15 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Testing HTTP Authentication Methods for URL https://mail.company.org/rpc/rpcproxy.dll.
The HTTP authentication methods are correct.
Additional Details
ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
Testing SSL mutual authentication with the RPC proxy server.
Mutual authentication was verified successfully.
Additional Details
Certificate common name mail.company.org matches msstd:mail.company.org.
Attempting to ping RPC proxy mail.company.org.
RPC Proxy was pinged successfully.
Additional Details
Completed with HTTP status 200 - OK
Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server SERVER01.company.local.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 485 ms.
Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
The NSPI interface was tested successfully.
Test Steps
Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server SERVER01.company.local.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 887 ms.
Testing NSPI "Check Name" for user bleonard@company.org against server SERVER01.company.local.
Check Name succeeded.
Additional Details
DisplayName: Beverly Leonard, LegDN: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
Testing the Referral service on the Exchange Mailbox server.
The Referral service was tested successfully.
Test Steps
Attempting to ping RPC endpoint 6002 (Referral Interface) on server SERVER01.company.local.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 218 ms.
Attempting to perform referral for user /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recip
ExRCA successfully got the referral.
Additional Details
The server returned by the Referral service: SERVER01.company.local
Testing the Exchange Information Store on the Mailbox server.
ExRCA successfully tested the Information Store.
Test Steps
Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server SERVER01.company.local.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 531 ms.
Attempting to log on to the Exchange Information Store.
ExRCA successfully logged on to the Information Store.
The idea is very simple: there is no SRV record in your domain. Go to your domain management for "company.com", then go to DNS. If there is any A record called autodiscover.company.com, delete it, then add a new SRV record, type _tcp -> name: autodiscover.company.com -> points to the real IP of your Exchange...
Then in PowerShell run these commands:
Set-ClientAccessServer -Identity SERVER01 -AutoDiscoverServiceInternalUri https://server.localdomain.local/Autodiscover/Autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "SERVER01\EWS (your default web site)" -InternalURL https://server.domain.local/EWS/Exchange.asmx -ExternalURL https://mail.company.com/EWS/Exchange.asmx
Set-AutodiscoverVirtualDirectory -Identity "SERVER01\Autodiscover (your default web site)" -InternalURL https://server.localdomain.local/autodiscover/autodiscover.xml -ExternalURL https://autodiscover.company.com/autodiscover/autodiscover.xml
Focus on the last one (Set-AutodiscoverVirtualDirectory).
Go to IIS -> Application Pools -> find AutodiscoverAppPool -> right-click, then recycle.
Check that your certificate has these names:
domain.com
mail.domain.com
server.domain.local
autodiscover.domain.com
Install the certificate: Import-ExchangeCertificate c:\certificate.cer
Get-ExchangeCertificate
You will see the certificate like this:
Thumbprint
------------
ABDCDEACCE132EA21
Enable-ExchangeCertificate -Thumbprint "ABDCDEACCE132EA21" -Services IIS,POP,SMTP,IMAP
Restart IIS.
ASKER
Thanks, I will be making this change tonight.
ASKER
ugghhhhhhhhh still having the same cert pop-up
ASKER CERTIFIED SOLUTION
A way around this is to create the following DNS record:
Name: _autodiscover._tcp
Type: SRV
Data: 5 443 mail.company.com.
This will tell Outlook Anywhere to look for mail.company.com which has a valid cert.
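A check of which Autodiscover endpoints would present a certificate that does not cover the name Outlook connects to, as an added example that is not part of the original thread. It assumes Outlook's usual lookup order (root domain over HTTPS, autodiscover host over HTTPS, HTTP redirect, then the SRV record); the host names and certificate name lists are constructed sample data, and the function names are hypothetical.

```powershell
# Added example. Host names and certificate name lists are constructed sample data;
# Test-CertName and Get-AutodiscoverCertReport are hypothetical helper names.

function Test-CertName {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one left-most label.
            $first, $rest = $HostName -split '\.', 2
            if ($rest -and ($n.Substring(2) -ieq $rest)) { return $true }
        }
    }
    return $false
}

function Get-AutodiscoverCertReport {
    param([string]$SmtpDomain, [string]$SrvTarget, [hashtable]$Served)
    # Assumed lookup order; the HTTP redirect step is skipped because
    # its first hop carries no certificate.
    $steps = @(
        @{ Method = 'HTTPS root domain';       Name = $SmtpDomain },
        @{ Method = 'HTTPS autodiscover host'; Name = "autodiscover.$SmtpDomain" },
        @{ Method = 'SRV _autodiscover._tcp';  Name = $SrvTarget }
    )
    foreach ($s in $steps) {
        $name = $s.Name
        if (-not $name) { continue }
        $certNames = $Served[$name]
        if (-not $Served.ContainsKey($name)) { $result = 'no HTTPS listener, next step is tried' }
        elseif (Test-CertName -HostName $name -CertNames $certNames) { $result = 'certificate name OK' }
        else { $result = 'NAME MISMATCH, certificate warning' }
        New-Object PSObject -Property @{ Method = $s.Method; HostName = $name; Result = $result }
    }
}

# Names each host presents on port 443 (constructed): the web server on the root
# domain has its own certificate, the Exchange server has the mail certificate.
$served = @{
    'company.com'      = @('www.webhost.example')
    'mail.company.com' = @('mail.company.com', 'server.domain.local')
}

Get-AutodiscoverCertReport -SmtpDomain 'company.com' -SrvTarget 'mail.company.com' -Served $served |
    Select-Object Method, HostName, Result | Format-Table -AutoSize
```

Replace the `$served` table with the names read from each host's real certificate (for the Exchange server, the names shown by Get-ExchangeCertificate) to see which step produces the warning.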