TheDeaner


Outlook Auto Discover Certificate Error

Hello,

I realize this question has been asked many times on this site, but I've read through most of them and I still don't know what to do.

Every time I open Outlook, I am getting 2 security alerts. I am running Outlook 2007 with Exchange 2007. It reads as follows:

contoso.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

green check mark   The security certificate is from a trusted certifying authority.

green check mark  The security certificate date is valid

red X  The name on the security certificate is invalid or does not match the name of the site
 
Do you want to proceed

Yes  No  View Certificate


I hit Yes and it comes up again; I hit Yes again and it goes away.

Now if I hit No twice instead of Yes, I get another box that says:

Allow this website to configure User@domain.com server settings?
http://contso.com/autodiscover/autodiscover.xml

Your account was redirected to this website for settings.
You should only allow settings from sources you know and trust.

Allow  Cancel

The network I work on is a closed secure network. We recently migrated to a new domain, and are now getting these errors.

Everything looks right when I go through http://support.microsoft.com/kb/940726

I'm not worried about external clients because we have none.  Therefore I don't have any "external Url's" listed in the OWA or OAB

We have two CAS servers. And two clustered Mailbox servers

We have our own CA server that I think has issued the certs correctly, but I'm not a PKI expert.

It doesn't look like the self-signed cert is there anymore either.

I'm not sure about the dns settings either.

There is a host record for mail.blahblahbalah.com but it points to the mailbox server cluster and not the CAS server. Is that the problem?

There are records for the CAS servers as well. And the internal URL for everything is set to the CAS server FQDN.

So when I type Get-ClientAccessServer | Select Name, *Internal* | fl
I get
Name:  CAS_server_name1 (without the FQDN)
AutoDSIUri: https://CAS_servername.fqdn/autodiscover/autodiscover.xml
Name:  CAS_server_name2 (without the FQDN)
AutoDSIUri: https://CAS_servername2.fqdn/autodiscover/autodiscover.xml

And when I run Get-OABVirtualDirectory | Select Name, *Internalurl* | fl
I get
Name: OAB (Default Web Sites)
InternalUrl: https://CAS_servername.fqdn/OAB
Name: OAB (Default Web Sites)
InternalUrl: https://CAS_servername2.fqdn/OAB

I've read through http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
for a few hours now too.

HELP!
Jamie McKillop

Hello,

First run get-exchangecertificate | fl on each CAS server. This will tell you what certificates are enabled for each service on each CAS server. Make note of the CertificateDomains field. You need to ensure that each CAS server has a certificate installed that matches that CAS's FQDN.

JJ
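
One way to script the check described in this answer, as an added example that is not part of the original thread. It assumes it is run in the Exchange Management Shell locally on each CAS server; `Test-NameOnCert` is a helper defined here, `contoso.com` is the name shown at the top of the alert in the question, and the wildcard handling goes beyond the certificates shown on this page.

```powershell
# Added example: run in the Exchange Management Shell on each CAS server.
# Compares the host names clients are sent to with the names on the
# certificate(s) that IIS can present.
$server = $env:COMPUTERNAME

# Certificates IIS can present: Status is Valid and Services includes IIS.
$iisCerts = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Status)" -eq 'Valid' -and "$($_.Services)" -match 'IIS' })
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Hypothetical helper: exact match, or a wildcard covering one left-most label.
function Test-NameOnCert([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Internal URLs this CAS publishes (the same two cmdlets used in the question).
$urls  = @((Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri)
$urls += @(Get-OabVirtualDirectory -Server $server | ForEach-Object { $_.InternalUrl })

# Names to test: the host shown at the top of the Security Alert
# (contoso.com in the question; replace with your own) plus each URL's host.
$hostNames  = @('contoso.com')
$hostNames += @($urls | Where-Object { $_ } |
    ForEach-Object { ([System.Uri]"$_").Host })

# Show which certificate(s) were considered, then the verdict per host name.
$iisCerts | Format-List Thumbprint, CertificateDomains, NotAfter
$hostNames | Sort-Object -Unique | Select-Object `
    @{Name='HostName';  Expression={ $_ }},
    @{Name='OnIisCert'; Expression={ Test-NameOnCert $_ $certNames }}
```

Any row with `OnIisCert` set to `False` is a name that will produce the "name on the security certificate is invalid or does not match" alert when a client connects to it over HTTPS on this server.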
TheDeaner

ASKER

JJ,

When I run that command it spits out information on about 9 different certs. I do see a few that have the FQDN of the CAS server.

Which cert do I need to ensure is correct? Is there a thumbprint that I should be looking for?

You are looking for the one that has a status of "valid" and has IIS listed beside Services.

JJ

They seem to be fine.

CAS 1:
CertificateDomains : {casserver1.blah.blah.blah.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=ourCAserver, DC=blah, DC=blah, DC=blah, DC=com
NotAfter           : 1/19/2013
NotBefore          : 1/20/2012
PublicKeysize      : 2048
RootCAType         : Registry
SerialNumber       : 7B0F.......
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=CASserver1.blah.blah.blah.com
Thumbprint         : 51B.....

CAS 2:
CertificateDomains : {casserver2.blah.blah.blah.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=ourCAserver, DC=blah, DC=blah, DC=blah, DC=com
NotAfter           : 1/19/2013
NotBefore          : 1/20/2012
PublicKeysize      : 2048
RootCAType         : Registry
SerialNumber       : 7B0E.......
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=CASserver1.blah.blah.blah.com
Thumbprint         : 282.....

So casserver1.blah.blah.blah.com = cas_servername.fqdn?

When the certificate error comes up, click "View Certificate". What is the name on the certificate and what date is the certificate valid for?

JJ
I'm confused at the first question.

Our CAS server name is:   Casserver1
Our domain is: blah.blah.blah.com
The FQDN of that server is casserver1.blah.blah.blah.com

But "cas_" is nowhere to be found. Does that part need to be part of it?

When I click view certificate it shows me:

Issued to: casserver1.blah.blah.blah.com
Issued by: blah-CAserver-CA
Valid from 1/20/2012 to 1/19/2013


Sorry I can't put the actual details to make it easier, but it's a mil network.

In your original post, you said when you type get-clientaccessserver, you get:

AutoDSIUri: https://CAS_servername.fqdn/autodiscover/autodiscover.xml

Do you mean you get https://casserver1.blah.blah.blah.com/autodiscover/autodiscover.xml

JJ

Yes. Sorry for the confusion.

Is Outlook connecting with HTTPS or MAPI? You can check by right-clicking the Outlook icon in the system tray and selecting Connection Status. Can you also please right-click and select Test E-Mail AutoConfiguration and share the results after you sanitize it?

JJ

When I view the connection status I see

Server Name           Type     Interface       Conn Status     Req/Fail    Avg Resp Avg  Proc Notif RPC Version



4 of the server names are the same, and it is one of my domain controllers. The type for all of those is Directory.

The one that says type Mail has the server name Mail.blah.blah.blah.com

All conn type is TCP/IP

What exactly am I looking for? I see no HTTPS or MAPI listed anyway.

For the other dump, I have three questions first.

1. Do you want the dump before or after I answer the questions that pop up? (the questions that started this problem)
2. Do you want me to check all 3 check boxes or just AutoDiscover?
3. How do I save the output?

ASKER CERTIFIED SOLUTION
Jamie McKillop