Solved

Outlook Anywhere Certificate Problem - SBS 2008

Posted on 2012-03-20
6
1,296 Views
Last Modified: 2012-04-10
I inherited an SBS 2008 from the client's former IT support tech.  It works pretty well, even though it is obvious that he did most of the configuration manually rather than with the wizards.  I have had to clean up some things.

The issue that has come up is that a remote user who has been able to access his Exchange email via Outlook Anywhere is now receiving a message indicating the certificate cannot be verified.  Also, when I tried to setup a test Outlook Anywhere for the Administor account, I was not able to connect to the server.

I may have inadvertantly caused this by running the Certificate Wizard.  But frankly, I am not real familiar with certificates and could really use some guidence.

I will refer to my environment as:
   Domain: mydomain.com
   Mail server: mail.mydomain.com
   SBS Box: myservername

I have run the Microsoft Remote Connectivity Analyzer.  The analyzer returned with "Certificate trust validation failed".

Here is a summary of the Analyzer steps:

    Remote Conectivity Analyzer
    Outlook Anywhere (RPC over HTTP)

    Email Address: administrator@mydomain.com
    Domain\User name: mydomain\administrator
    Password: xxxx
    Manually specify server settings:
    - RPC proxy server: mail.mydomain.com
    - Exchange server: MDSRVR
    - Mutual authentication principle name (auto fill): msstd.mail.stonegatefoods.com
    - PRPC proxy authentication method: Basic (I also tried Ntlm)

    Test Steps:
    Certificate trust is being validated.
    Certificate trust validation failed.
    Test Steps
    - The host name resolved successfully
    - The port was opened successfully
    Failed: Test SSL certificate to make sure it's valid
    - ExRCA successfully obtained the remote SSL certificate
    - The certificate name was validated successfully

    Certificate trust validation failed
    Test Steps:
       - ExRCA is attempting to build certificate chains for certificate CN=mail.mydomain.com.
       - A certificate chain couldn't be constructed for the certificate.
       -Additional Details
      - The certificate chain couldn't be built. You may be missing required intermediate certificates
 

On the SBS Managem Console, I ran the Trusted Certificate Wizard to view the installed certificate.  It appears that there may be more than one certificate.  I believe there is a self-issued certificate that is the child of a purchased certificate (this is where I am confused).  The date on the child certificate corresponds with the date that the user started receiving the certificate message in Outlook.  So, I think I might have screwed it up without intention.

Here is a summary of the Trusted Certificate Wizard:

Add a Trusted Certificate Wizard.
 Use a certificate that is already installed on the server.
 Choose an installed certificate (NOTE: There was only one certificate listed)
   Issued to: mail.mydomian.com
   Issued by: mydomain-myservername-CA
   Expiration: 3/10/14
   Type: Self-Issued

View Certificate button:
General tab:
   This certificate is intended for the following purpose(s):
       - Ensures the identity of a remote computer
   Shows the same information as above.
   Valid from: 3/10/12 - 3/10/14  (NOTE: The problem started on 3/10)

Certificate Path tab:
   Root: mydomain-myservername-CA (Certificate Status = OK; View Certificate button = Enabled)
         Sub: mail.mydomain.com (Certificate Status = OK; View Certificate button = Disabled)

Selecton the Root Certificate, click the View Certificate button:
   This certificate is intended for the following purpose(s):
       - All issuance policies
       - All application policies
   Issued to: mydomain-myservername-CA
   Issued by: mydomain-myservername-CA
   Valid from: 3/2/11 - 3/2/16

So, I need help resolving this issue so I can test and confirm it by setting up Outlook Anywhere.  I also need to notify the client that things are back to normal, and what he need to do (if anything) to get his mail via Outlook.

This is a burning issue and I appreciate all the help I can get.  As well as insight as to what happened.

Thanks!!
0
Comment
Question by:beyondt
  • 3
  • 3
6 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
Comment Utility
So go to Public - Download and get the certificate distribution folder there.   put it on a flash drive...then run on the problem computer and report back if still an issue
0
 

Author Comment

by:beyondt
Comment Utility
When you say go to public, do you mean the Public folder?
0
 
LVL 35

Expert Comment

by:Cris Hanna
Comment Utility
On the server you should see Users > Public > Downloads

If you're browsing from a workstation you should see a share called Public Downloads I believe
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Accepted Solution

by:
beyondt earned 0 total points
Comment Utility
I found it.
I am working remotely.  Can I run the InstallCertificate.exe from the Public\Downloads folder directly?  Do I need to run it from an external device?
0
 
LVL 35

Expert Comment

by:Cris Hanna
Comment Utility
the whole folder needs to be copied to the machine where the cert is needed and then run it there
0
 

Author Closing Comment

by:beyondt
Comment Utility
I ended up calling Microsoft Support.  I installed teh certificate as suggested, by running the installcertificate.exe file but the certificate would not install.  I had to manually import the certificate by creating a Certificate mmc and importing the cer file into the Trusted Root Certificates folder.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now