Solved

Outlook Anywhere Certificate Problem - SBS 2008

Posted on 2012-03-20
Last Modified: 2012-04-10
I inherited an SBS 2008 from the client's former IT support tech.  It works pretty well, even though it is obvious that he did most of the configuration manually rather than with the wizards.  I have had to clean up some things.

The issue that has come up is that a remote user who has been able to access his Exchange email via Outlook Anywhere is now receiving a message indicating the certificate cannot be verified.  Also, when I tried to set up a test Outlook Anywhere for the Administrator account, I was not able to connect to the server.

I may have inadvertently caused this by running the Certificate Wizard.  But frankly, I am not real familiar with certificates and could really use some guidance.

I will refer to my environment as:
   Domain: mydomain.com
   Mail server: mail.mydomain.com
   SBS Box: myservername

I have run the Microsoft Remote Connectivity Analyzer.  The analyzer returned with "Certificate trust validation failed".

Here is a summary of the Analyzer steps:

    Remote Connectivity Analyzer
    Outlook Anywhere (RPC over HTTP)

    Email Address: administrator@mydomain.com
    Domain\User name: mydomain\administrator
    Password: xxxx
    Manually specify server settings:
    - RPC proxy server: mail.mydomain.com
    - Exchange server: MDSRVR
    - Mutual authentication principal name (auto fill): msstd.mail.stonegatefoods.com
    - RPC proxy authentication method: Basic (I also tried Ntlm)

    Test Steps:
    Certificate trust is being validated.
    Certificate trust validation failed.
    Test Steps
    - The host name resolved successfully
    - The port was opened successfully
    Failed: Test SSL certificate to make sure it's valid
    - ExRCA successfully obtained the remote SSL certificate
    - The certificate name was validated successfully

    Certificate trust validation failed
    Test Steps:
       - ExRCA is attempting to build certificate chains for certificate CN=mail.mydomain.com.
       - A certificate chain couldn't be constructed for the certificate.
       -Additional Details
      - The certificate chain couldn't be built. You may be missing required intermediate certificates
 

On the SBS Management Console, I ran the Trusted Certificate Wizard to view the installed certificate.  It appears that there may be more than one certificate.  I believe there is a self-issued certificate that is the child of a purchased certificate (this is where I am confused).  The date on the child certificate corresponds with the date that the user started receiving the certificate message in Outlook.  So, I think I might have screwed it up without intention.

Here is a summary of the Trusted Certificate Wizard:

Add a Trusted Certificate Wizard.
 Use a certificate that is already installed on the server.
 Choose an installed certificate (NOTE: There was only one certificate listed)
   Issued to: mail.mydomain.com
   Issued by: mydomain-myservername-CA
   Expiration: 3/10/14
   Type: Self-Issued

View Certificate button:
General tab:
   This certificate is intended for the following purpose(s):
       - Ensures the identity of a remote computer
   Shows the same information as above.
   Valid from: 3/10/12 - 3/10/14  (NOTE: The problem started on 3/10)

Certificate Path tab:
   Root: mydomain-myservername-CA (Certificate Status = OK; View Certificate button = Enabled)
         Sub: mail.mydomain.com (Certificate Status = OK; View Certificate button = Disabled)

Selecting the Root Certificate, click the View Certificate button:
   This certificate is intended for the following purpose(s):
       - All issuance policies
       - All application policies
   Issued to: mydomain-myservername-CA
   Issued by: mydomain-myservername-CA
   Valid from: 3/2/11 - 3/2/16

So, I need help resolving this issue so I can test and confirm it by setting up Outlook Anywhere.  I also need to notify the client that things are back to normal, and what he needs to do (if anything) to get his mail via Outlook.

This is a burning issue and I appreciate all the help I can get.  As well as insight as to what happened.

Thanks!!
0
Comment
Question by:beyondt
6 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 37746683
So go to Public - Download and get the certificate distribution folder there.   put it on a flash drive...then run on the problem computer and report back if still an issue
0
 

Author Comment

by:beyondt
ID: 37747311
When you say go to public, do you mean the Public folder?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 37747320
On the server you should see Users > Public > Downloads

If you're browsing from a workstation you should see a share called Public Downloads I believe
0

 

Accepted Solution

by:
beyondt earned 0 total points
ID: 37747987
I found it.
I am working remotely.  Can I run the InstallCertificate.exe from the Public\Downloads folder directly?  Do I need to run it from an external device?
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 37749621
The whole folder needs to be copied to the machine where the cert is needed and then run it there.
0
 

Author Closing Comment

by:beyondt
ID: 37826815
I ended up calling Microsoft Support.  I installed the certificate as suggested, by running the installcertificate.exe file but the certificate would not install.  I had to manually import the certificate by creating a Certificate mmc and importing the cer file into the Trusted Root Certificates folder.
0
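
The manual import from the closing comment, scripted in PowerShell as an added example (not code from the thread or from Microsoft): it checks that the .cer file is the expected self-signed root before adding it to Trusted Root Certification Authorities on the client, then confirms that the chain for mail.mydomain.com now builds. The file path and thumbprint are placeholders, and the variable names are assumptions.

```powershell
# Added example. $RootCerPath and $ExpectedThumbprint are placeholders (assumptions):
# read the thumbprint from the root certificate's Details tab on the server itself.
param(
    [string]$RootCerPath        = 'C:\Temp\sbs-root.cer',
    [string]$ExpectedThumbprint = '<ROOT-CA-THUMBPRINT-FROM-SERVER>',
    [string]$ServerName         = 'mail.mydomain.com'
)
$x509 = 'System.Security.Cryptography.X509Certificates'

# 1. Only trust a self-signed root whose thumbprint matches the one seen on the server.
$root = New-Object "$x509.X509Certificate2" -ArgumentList $RootCerPath
if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root: $($root.Subject)" }
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($root.Thumbprint -ne $expected) { throw "Thumbprint mismatch: $($root.Thumbprint)" }

# 2. Add it to LocalMachine\Root (Trusted Root Certification Authorities); needs elevation.
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try { $store.Add($root) } finally { $store.Close() }

# 3. Fetch the certificate the server presents. The callback accepts anything because
#    the certificate is only captured here; trust is decided by the chain build below.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $ServerName, 443
try {
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    $ssl.AuthenticateAsClient($ServerName)
    $leaf = New-Object "$x509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
} finally { $tcp.Close() }

# 4. Rebuild the chain the way a client would. Revocation checking is switched off so
#    the result reflects trust only; CRL reachability from outside is a separate test.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    $chain.ChainElements | ForEach-Object { "OK   $($_.Certificate.Subject)" }
} else {
    $chain.ChainStatus | ForEach-Object { "FAIL $($_.Status): $($_.StatusInformation.Trim())" }
}
```

On a client that lacks the root, step 4 run by itself reports `UntrustedRoot`, the same condition the Remote Connectivity Analyzer describes as a chain that could not be built.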
