• Status: Solved

Outlook Auto Discover Certificate Error

Hello,

I realize this question has been asked many times on this site,  but I've read through most of them and I still don't know what to do.

Every time I open Outlook, I am getting 2 security alerts. I am running Outlook 2007 with Exchange 2007. It reads as follows:

contoso.com

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

green check mark   The security certificate is from a trusted certifying authority.

green check mark  The security certificate date is valid

red X  The name on the security certificate is invalid or does not match the name of the site
 
Do you want to proceed

Yes  No  View Certificate


I hit yes and it comes up again, I hit yes again and it goes away.

Now if I hit no twice instead of yes, I get another box that says:

Allow this website to configure User@domain.com server settings?
http://contso.com/autodiscover/autodiscover.xml

your account was redirected to this website for settings
You should only allow settings from sources you know and trust.

Allow  Cancel

The network I work on is a closed secure network. We recently migrated to a new domain, and are now getting these errors.

Everything looks right when I go through http://support.microsoft.com/kb/940726

I'm not worried about external clients because we have none.  Therefore I don't have any "external Url's" listed in the OWA or OAB

We have two CAS servers. And two clustered Mailbox servers

We have our own CA server that I think has issued the certs correctly, but I'm not a PKI expert.

It doesn't look like the self-signed cert is there anymore either.

I'm not sure about the dns settings either.

There is a host record for mail.blahblahbalah.com but it points to the mailbox server cluster and not the CAS server. Is that the problem?

There are records for the CAS servers as well. And the internal URL for everything is set to the CAS server FQDN.

So when I type Get-ClientAccessServer | Select Name, *Internal* | fl
I get
Name:  CAS_server_name1 (without the fqdn)
AutoDSIUri: https://CAS_servername.fqdn/autodiscover/autodiscover.xml
Name:  CAS_server_name2 (without the fqdn)
AutoDSIUri: https://CAS_servername2.fqdn/autodiscover/autodiscover.xml

And when I run Get-OABVirtualDirectory | Select Name, *Internalurl* | fl
I get
Name: OAB (Default Web Sites)
InternalUrl: https://CAS_servername.fqdn/OAB
Name: OAB (Default Web Sites)
InternalUrl: https://CAS_servername2.fqdn/OAB

I've read through http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/configuring-exchange-server-2007-web-services-urls.html
for a few hours now too.

HELP!
TheDeaner
 
Jamie McKillop Commented:
Hello,

First run get-exchangecertificate | fl on each CAS server. This will tell you what certificates are enabled for each service on each CAS server. Make note of the CertificateDomains field. You need to ensure that each CAS server has a certificate installed that matches that CAS's FQDN.

JJ

TheDeaner (Author) Commented:
JJ,

When I run that command it spits out information on about 9 different certs. I do see a few that have the FQDN of the CAS server.

Which cert do I need to ensure is correct? Is there a thumbprint that I should be looking for?

Jamie McKillop Commented:
You are looking for the one that has a status of "valid" and has IIS listed beside Services.

JJ
 
TheDeaner (Author) Commented:
They seem to be fine.

CAS 1:
CertificateDomains : {casserver1.blah.blah.blah.com}
HasPrivateKey         :  True
IsSelfSigned             : False
Issuer                      :  CN=ourCAserver, DC=blah,  DC=blah, DC=blah, DC=com
NotAfter                  : 1/19/2013
NotBefore               :  1/20/2012
PublicKeysize           :  2048
RootCAType             :   Registry
SerialNumber         :    7B0F.......
Services                   :    IMAP, POP, IIS, SMTP
Status                       :   Valid
Subject                     :  CN=CASserver1.blah.blah.blah.com
Thumbprint             :    51B.....

CAS 2:
CertificateDomains : {casserver2.blah.blah.blah.com}
HasPrivateKey         :  True
IsSelfSigned             : False
Issuer                      :  CN=ourCAserver, DC=blah,  DC=blah, DC=blah, DC=com
NotAfter                  : 1/19/2013
NotBefore               :  1/20/2012
PublicKeysize           :  2048
RootCAType             :   Registry
SerialNumber         :    7B0E.......
Services                   :    IMAP, POP, IIS, SMTP
Status                       :   Valid
Subject                     :  CN=CASserver1.blah.blah.blah.com
Thumbprint             :    282.....

Jamie McKillop Commented:
So casserver1.blah.blah.blah.com = cas_servername.fqdn?

When the certificate error comes up, click "View Certificate". What is the name on the certificate and what date is the certificate valid for?

JJ

TheDeaner (Author) Commented:
I'm confused at the first question.

Our CAS server name is:   Casserver1
Our domain is: blah.blah.blah.com
The FQDN of that server is casserver1.blah.blah.blah.com

But "cas_" is nowhere to be found. Does that part need to be part of it?

When I click view certificate it shows me:

Issued to: casserver1.blah.blah.blah.com
Issued by: blah-CAserver-CA
Valid from 1/20/2012 to 1/19/2013


Sorry I can't put the actual details to make it easier, but it's a mil network.

Jamie McKillop Commented:
In your original post, you said when you type get-clientaccessserver, you get;

AutoDSIUri: https://CAS_servername.fqdn/autodiscover/autodiscover.xml

Do you mean you get https://casserver1.blah.blah.blah.com/autodiscover/autodiscover.xml?

JJ

TheDeaner (Author) Commented:
Yes. Sorry for the confusion.

Jamie McKillop Commented:
Is Outlook connecting with HTTPS or MAPI? You can check by right-clicking the Outlook icon in the system tray and selecting Connection Status. Can you also please right-click and select Test E-Mail AutoConfiguration and share the results after you sanitize them?

JJ

TheDeaner (Author) Commented:
When I view the connection status I see

Server Name           Type     Interface       Conn Status     Req/Fail    Avg Resp Avg  Proc Notif RPC Version



4 of the server names are the same and are one of my domain controllers. The type for all of those is Directory.

The one that says type Mail has the server name Mail.blah.blah.blah.com

All conn types are TCP/IP

What exactly am I looking for? I see no HTTPS or MAPI listed anyway.

For the other dump, I have three questions first.

1. Do you want the dump before or after I answer the questions that pop up? (the questions that started this problem)
2. Do you want me to check all 3 check boxes or just AutoDiscover?
3. How do I save the output?

TheDeaner (Author) Commented:

Jamie McKillop Commented:
Are both CAS servers in the same site? If they are, are you using NLB or a hardware load balancer?

You have your web services URL incorrect. It needs to point to the CAS servers, not the mailbox servers. Run this command for each CAS server:

Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -InternalUrl "https://casserver.blah.blah.blah.com/EWS/Exchange.asmx"

JJ
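
A check for the mismatch discussed in this thread, as an added example that is not part of any poster's reply: run on each CAS server, it lists the internal URLs that server publishes to Outlook and flags any whose host name is not on the valid, IIS-enabled certificate. It assumes the Exchange 2007 cmdlets and properties quoted above, plus Get-WebServicesVirtualDirectory and Get-OabVirtualDirectory with -Server; the helper Test-NameOnCert and the report format are hypothetical.

```powershell
# Added example: run in the Exchange Management Shell on each CAS server.
# Assumption: the published host names resolve to the server this runs on.
$server = $env:COMPUTERNAME

# Names on the valid certificate(s) enabled for IIS on this server.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Status -eq 'Valid' -and "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Hypothetical helper: true if $hostName equals a certificate name
# or fits a wildcard name that covers exactly one leading label.
function Test-NameOnCert([string]$hostName) {
    $h = $hostName.ToLower()
    foreach ($n in $certNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.IndexOf('.') -gt 0 -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Internal URLs this CAS publishes to Outlook (Autodiscover SCP, EWS, OAB).
$published = @()
Get-ClientAccessServer -Identity $server | ForEach-Object {
    $published += ,@('Autodiscover SCP', $_.AutoDiscoverServiceInternalUri) }
Get-WebServicesVirtualDirectory -Server $server | ForEach-Object {
    $published += ,@('EWS', $_.InternalUrl) }
Get-OabVirtualDirectory -Server $server | ForEach-Object {
    $published += ,@('OAB', $_.InternalUrl) }

# One report line per URL: would its host name pass Outlook's name check?
"Certificate names: " + ($certNames -join ', ')
foreach ($item in $published) {
    $source = $item[0]; $url = $item[1]
    if (-not $url) { "{0,-17} {1,-14}" -f $source, 'NOT SET'; continue }
    $uri = [Uri]"$url"
    if (-not $uri.IsAbsoluteUri) {
        "{0,-17} {1,-14} {2}" -f $source, 'NOT ABSOLUTE', $url; continue
    }
    if (Test-NameOnCert $uri.Host) { $status = 'OK' } else { $status = 'NAME MISMATCH' }
    "{0,-17} {1,-14} {2}" -f $source, $status, $url
}
```

A NAME MISMATCH line identifies a URL that will produce the "name on the security certificate is invalid" prompt; a NOT ABSOLUTE line means the value is missing its https:// scheme.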