VogueSoftware asked:
Can't autoconfigure external devices / Outlook on SBS 2011

Hi there guys,

This is my first full SBS 2011 installation. Everything works perfectly with Exchange clients on the local network as well as with OWA, RWW and RDP externally. However, when I attempt to autoconfigure any device not on the same physical LAN (e.g. an offsite Outlook client, iPhone or iPad), configuration fails. On Outlook (2007), using auto account setup, I type in name, email address and password. After clicking OK I immediately get a security alert for autodiscover.mydomain.co.uk saying: the security certificate is from a trusted authority; the security certificate date is valid; the name on the security certificate is invalid or does not match the name of the site. I click Yes to proceed, then it tells me an encrypted connection to the mail server is not available and to click Next to attempt an unencrypted connection. A wait of a minute or so ensues, at which point I am informed that there is a problem connecting to the server.

This is the installation procedure I followed from scratch (any advice welcome as this is my first 2011 installation):

* I put the server together, configured RAID 10, etc.
* Converted to a static IP address, changed the MX / A record so that mail. points to the static IP address
* Installed SBS 2011
* Ran the wizards for connect to internet, setup your internet address, configure internet email (using DNS not smart host)
* Then I went into the (Netgear DG834) router configuration. Even though it's UPnP, the relevant ports appeared not to have been configured by the SBS wizard. I went ahead and created inbound firewall rules to forward HTTP, HTTPS, SMTP and RDP to the static IP address of the mail server.

* As a troubleshooting measure I have now added an A record for autodiscover. that points to my static IP. I am waiting for the DNS to resolve but I did not think this step was necessary with sbs 2011.

1)      Could anyone advise on how I can get external outlook / devices to autoconfigure?

2)      As this is my first SBS 2011 I am edgy about security – have I followed the correct installation procedure and have I left any security holes etc?
Norm Dickinson:

The safest and easiest way is to configure Outlook Anywhere (Webmail) access instead of direct access from Outlook. See http://technet.microsoft.com/en-us/library/bb123741.aspx for details.

Alternately you can follow the guidelines at http://technet.microsoft.com/en-us/library/aa995928.aspx for Outlook access across the Internet. Another non-Microsoft reference for that is at http://araihan.wordpress.com/2010/03/16/how-to-configure-exchange-2010-client-access-server-cas-role/.

Additional information can be found http://technet.microsoft.com/en-us/library/dd297950.aspx and in the linked articles found there.
SOLUTION
Jamie McKillop:
VogueSoftware (asker):

Thanks for the feedback and sorry for the delay - I've been trying to work this out systematically so I could provide an informed response.

I did not purchase a certificate from a third party; I used the self-signed certificate, but RWW and OWA work fine. There has been a development in the last two hours: it seems that the DNS for the autodiscover. A record I created before I posted has propagated and all ActiveSync devices (iPads and iPhones) are working perfectly. I have since read the link JJ posted above and it seems the A record works for me because:

"If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server"

As it turns out I had already forwarded port 80 to my server. Are there any negative security implications about that or my configuration as described above? Also, what issues could I expect if I proceed to use the self-signed certificate (a colleague of mine who has more experience of SBS 2011 than me says he has set up a load like that without problems)?
OK I get it now - I was getting OWA confused with Outlook Anywhere. The latter is exactly what I need and you're quite right it will not let me access it with the self-signed certificate. How / where do I get one from!? (I'm in the UK - not sure if that's relevant).
SOLUTION
Hi there pal - that's perfect timing!

I had just this second completed the purchase (5x domains, it said perfect for Exchange) but I haven't got the first clue where to start. I just attempted to validate the install but it threw up an error (see screengrab). I suspect I was going about it wrongly.

I'm in the uk so not really viable to call them now. Can you remember the procedure?
godaddy.png
Nice one pal - perfect timing again just found that same article!
We are here to help. (Assuming this solves the problem, don't forget to assign at least some of the points to jjmck who pointed out the certificate issue in the first place.)
Will do pal - I always agonise for ages about who to give the points to!

Not sure if I'm missing something here, but I'm following those instructions on how to first download my certificate (before installing it) and it shows there in accounts, but when I click on launch there are no certificates for me to download (see screenshot).

Any thoughts?
go-daddy-screenshot.png
Incidentally I'm not being lazy and getting you lot to do the legwork for me - I am looking through the go daddy interface myself at the same time!
You may have to wait a little while for them to generate the certificates - they are not automatic and are actually checked for accuracy, as they represent a significant security problem if issued to the wrong people. They want to double check to make sure you actually are who you say you are and that it is really your domain, etc.
Understood.

Just want to make sure I'd done everything I need to do. I have only purchased the 5x certificate package at this stage. Obviously I submitted my name and credit card information. Do I have to specifically request one for each domain now or am I waiting for them to come back to me?
Just seen your next post pal cheers.
Watch your email or send them one to check on the status...it shouldn't take too long.
Thanks very much again.

Just one more quick question while I'm waiting I have two domains on this exchange server. Will I just need to follow the same process for the other domain?
You need to be very careful because SBS relies on the wizards to ensure everything is configured correctly. You can't just use the standard Exchange methods to install the cert and must use the SBS wizards. You did not need to purchase a SAN cert and could have saved yourself some money by purchasing a single name cert. You only need a SAN cert if your DNS provider doesn't support SRV records.

When you say you have two domains, do you mean your users have secondary email addresses? You don't need anything on the cert for the secondary domain.

Please see this for the details on how to install the cert - http://exchange.sembee.info/2010/install/ssl-sbs2011.asp

JJ
Many thanks JJ,

Will the SAN cert work just as well as a single name cert (apart from obviously being less cost effective in my case)? It's OK about the extra ones though, as I plan on rolling out more SBS 2011 machines in the near future once I have the procedures nailed, so I will use the other 4 along the way.

Yes that's correct they send and receive from domain1 and domain2.

Cheers reading that article now.
Just got a verification link through from GoDaddy - I've clicked on that, checked in the control panel and approval is still pending.

Going to turn in now as it's after 3 AM here. Will check back first thing - many thanks for your ongoing efforts guys.
We are here to help!
You can use the SAN cert as long as you follow the instructions in the article I linked.

Not sure what you mean by using the "other 4" on other SBS servers. Did you purchase 5 single name certs or did you purchase one 5 name SAN cert?

JJ
Cheers.

I believe that's a misunderstanding on my part - looks like I purchased one 5 name cert (see screenshot). Am I right then in thinking that it covers a single Exchange server for up to 5 domains?

Just to confirm then: I don't use the GoDaddy instructions for installing my certificate (pictured), I use the main trusted certificate wizard in the SBS console?
That cert covers a single server and the common name on the cert must match the name you chose when running through the wizard, which defaults to remote.company.com.

Again, you do not need names on the cert for all your SMTP domains, only for the URLs you will be using.

Do not use the GoDaddy instructions. Use the instructions in the link I posted.

JJ
Many thanks pal - site has been validated. About to initiate install now...
Hi again,

I installed the certificate but am still getting certificate errors when attempting to configure outlook anywhere. It gets further than it did before but it keeps asking for / rejecting the username and password.

Before I waste anyone's time, I think I may have inadvertently deviated a bit from those instructions in the link JJ provided. Here are the steps I've taken (extracts from the instructions in italics):

To ensure that you work with the common configuration for SBS 2011, some DNS entries need to be made on the internet facing DNS services (usually your domain name registrar).
Specifically these are

    remote.example.com
    autodiscover.example.com


I had already created autodiscover.domain1.co.uk but then I also created autodiscover.domain2.co.uk (not sure if this was necessary). Also not sure if I needed to create remote.domain1.co.uk as my hostname is mail., but I did this for both domains to be on the safe side.

This is where I may have gone wrong in my initial haste!

To generate the request you will use the Exchange 2010 wizard. However the name "Sites" will be added to the list of domains that you include. That makes the full list:

    remote.example.com
    autodiscover.example.com
    server.domain.local
    (the server's internal FQDN)
    server
    (the server's NETBIOS name)
    sites

    Create the SSL request through the Exchange Management Console in the usual way - instructions here.
    Ensure that when creating the request the common name is set to remote.example.com (where example.com is your public domain name).
    When the response comes back, install it through the Exchange Management Console (instructions), but do not enable any services.

At this point the SSL certificate is not active, and therefore there is no disruption to the end users.


I skipped the above and jumped straight to the instructions for activating the certificate I had just downloaded from godaddy:

    Start the SBS 2011 Management Console. On the "Getting Started Tasks" panel, choose "Add a trusted certificate". You can also start the wizard on the Networking panel, under Connectivity, by choosing "Web Server Certificate" then "Add a trusted certificate".
    After choosing Next on the first screen, on the second screen select "I want to use a certificate that is already installed on the server." and click Next.
    A list of certificates that can be used are now shown. Choose the trusted certificate and select Next. The wizard is then imported.

Do you think this is where the problem is and should I follow the certificate request generation steps that I skipped and attempt to reimport the certificate?
ASKER CERTIFIED SOLUTION
What is the external hostname of your server? When you ran the "Setup your Internet Address" wizard, what did you set? The default is remote.yourdomain.com.

What names are on your certificate and what is the first name listed on your certificate? The first name listed must match the external hostname of your server.

You have two SMTP domains. Do any of your users have primary SMTP addresses of domain2.co.uk or do they just use this domain as secondary addresses? If any of them have this as a primary address, you need an SRV record in this zone that points to autodiscover.domain1.co.uk.

JJ
Thanks for the response guys

Simon

1) I take it I substitute mail.domain1.co.uk for remote.domain1.co.uk as that is the hostname I assigned (I'll use remote. in future)

2) I did not do anything to the SSL certificate - i simply requested one from Godaddy then followed the "add a trusted certificate wizard" - is this where I'm going wrong?

3) Internally you need to activate the certificate through SBS after doing the request/response through Exchange. When you say "request / response through exchange" is that the add a trusted certificate wizard? If so how do I then go about activating the certificate through SBS?


JJ

1) When we ran the "setup your internet address" wizard we changed it from remote.domain1.com to mail.domain1.com (I will leave it in future though.)

2) Looking at the certificate (EMC > Server Configuration > bottom pane - Exchange Certificates) I can see 6 entries (screenshot 1). The first one is issued by GoDaddy and says issued to mail.domain1.co.uk (screenshot 2). The next 4 are issued by mydomain.exchangeserver-CA and the final one by WMSvc etc. Is this correct or do I need to remove / edit any?

3) Yes in fact the majority of users have their primary address as domain2 as domain 1 was initially just for testing purposes as it was my first installation. I currently have no SRV records setup - what would they contain and where should they be installed?
screenshot1.png
screenshot2.png
Hi again,

Quick update on the SRV front: had a dig around in the DNS control panel and can see how these are created. In terms of point 3 (JJ), should I go into the SRV section for domain 2 and create an SRV record pointing to domain 1? And should I then remove the autodiscover. A record for domain 2?

If so please could you advise on what to put in the boxes in accompanying screenshot.
screenshot.png
Proto: TCP
Server: autodiscover.domain1.co.uk
Port: 443
Pri: 0
Wei: 0

Yes, you should remove the autodiscover record for domain 2.

JJ
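The SRV answer above leaves the asker with two records to keep straight: an A record for autodiscover on the domain that is on the certificate, and an SRV record on every other SMTP domain pointing back at that name, with no stray A record for the secondary domain (Outlook tries https://autodiscover.domain2.co.uk before it ever looks up the SRV record, so a leftover A record there produces the certificate-name alert). The script below is an added example, not part of the thread, that checks all three against a public resolver from a machine outside the LAN. It assumes placeholder names (domain1.co.uk, domain2.co.uk) and that Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later); the nslookup equivalent is given in a comment for older clients.

```powershell
# Added example (not from the thread): verify the public Autodiscover DNS for
# both SMTP domains from OUTSIDE the LAN so internal DNS cannot mask a wrong record.
# Placeholders: domain1.co.uk is the domain on the certificate, domain2.co.uk is
# the secondary SMTP domain that gets the SRV record.
# Older clients without Resolve-DnsName can use:
#   nslookup -type=SRV _autodiscover._tcp.domain2.co.uk 8.8.8.8

$Resolver     = '8.8.8.8'                     # any public resolver, never the SBS box itself
$CertHost     = 'autodiscover.domain1.co.uk'  # the Autodiscover name that is on the certificate
$OtherDomains = @('domain2.co.uk')            # domains that must use an SRV record instead

function Test-AutodiscoverDns {
    $ok = $true

    # 1. The domain on the certificate uses an A record pointing at the public IP.
    $a = Resolve-DnsName -Name $CertHost -Type A -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if ($a) { "OK   $CertHost A -> $($a.IPAddress -join ', ')" }
    else    { "FAIL $CertHost has no public A record"; $ok = $false }

    foreach ($d in $OtherDomains) {
        # 2. Secondary domains: _autodiscover._tcp SRV -> certificate name, port 443.
        $srvName = "_autodiscover._tcp.$d"
        $srv = Resolve-DnsName -Name $srvName -Type SRV -Server $Resolver -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight | Select-Object -First 1
        if (-not $srv) {
            "FAIL $srvName is missing"; $ok = $false
        }
        elseif ($srv.NameTarget -ne $CertHost -or $srv.Port -ne 443) {
            "FAIL $srvName -> $($srv.NameTarget):$($srv.Port) (expected ${CertHost}:443)"; $ok = $false
        }
        else {
            "OK   $srvName -> $($srv.NameTarget):$($srv.Port) priority $($srv.Priority) weight $($srv.Weight)"
        }

        # 3. Outlook tries https://autodiscover.<domain> BEFORE the SRV lookup, and the
        #    certificate does not carry that name, so this A record must not exist.
        $stale = Resolve-DnsName -Name "autodiscover.$d" -Type A -Server $Resolver -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
        if ($stale) {
            "WARN autodiscover.$d still has an A record ($($stale.IPAddress -join ', ')); remove it"; $ok = $false
        }
    }
    return $ok
}

Test-AutodiscoverDns
```

Run it a while after changing the zone; registrar DNS can take some time to publish, and asking a public resolver rather than the server's own DNS is the point of the check.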
Thanks again pal,

Any thoughts on point number 2 - looking at the certificate from go daddy it appears correct with mail.domain1.co.uk in all the right places. But I literally just downloaded the certificate from godaddy and ran the "add a trusted certificate wizard" - have I missed any steps out.

Also would I be better to just scrap the SAN certificate, purchase a single name certificate then do it all with SRV records?
Your certificate looks correct. Unless you can get a refund on the SAN certificate, I would just keep it. You already have it installed.

JJ
Cheers.

Not sure what to do next. At present OWA, RWW and ActiveSync on iPhones / iPads are working perfectly. Exchange on the local network is working perfectly, except that it produces the autodiscover error below every time someone launches Outlook 2007 or above (it then works perfectly until you exit and restart).

The only issue is still Outlook Anywhere:

* I launch the outlook add account wizard. I put the details in for a mailbox on domain1
* It immediately pops up the security alert for autodiscover.domain1.co.uk and says
* the security certificate is from a trusted authority
* the security date is valid,
BUT * the name on the security certificate is invalid or doesn't match name on site.

When I click view certificate under general it says issued to mail.domain1.co.uk (the correct host name)
Then under details > subject
CN = mail.domain1.co.uk
OU = Domain Control Validated
O = mail.domain1.co.uk
And under Subject Alternative Name
DNS Name=mail.domain1.co.uk
DNS Name=www.mail.domain1.co.uk
DNS Name=domain1.co.uk
DNS Name=exchangeservername.domain.local

* If I click Yes to add the certificate I get the Outlook user name / password box up. I type in the correct username and password but it just keeps popping back up as if it's rejected. I click on Cancel and I get a window saying the connection to Microsoft Exchange Server is unavailable, followed by a window saying Microsoft Exchange Server: exchangeservername.localdomainname.local / Mailbox: =SMTP:me@domain1.co.uk. When I click OK, autoconfiguration of the account is abandoned. When I try setting it up manually (as I have done with hosted Exchange accounts in the past) with mail.domain1.co.uk under "use this URL to connect to my proxy server for Exchange" it appears to work and seems partly configured, but I get the password box coming up constantly.

Any thoughts on what to try next?
You need autodiscover.domain1.co.uk on the certificate as well.

JJ
The wizard in SBS for purchasing/request a certificate does NOT include Autodiscover, as SBS presumes that you will use a single name certificate with SRV records.

On my site above you will find instructions on how to request the certificate through Exchange 2010. I would suggest that you do a new certificate request, include the autodiscover host name in the reqest as one of the additional names, then do a REKEY in the Godaddy SSL management site.

When you get the new response, go through Exchange 2010 again to complete the request, followed by using the SBS management console to select the new certificate. By doing a rekey you have 24 hours to get the certificate installed before the old one stops working, and if you use the same COMMON name as your existing certificate then existing clients will work without any interaction from you or the end users.

Simon.
Many thanks just checking that out now.
One thing - just want to make sure I'm barking up the right tree: If the password prompt issues are caused by the absence of the autodiscover reference on the certificate, surely when I set it up manually it would work?

I found this article (extract below): http://clintboessen.blogspot.co.uk/2009/06/outlook-anywhere-keeps-prompting-for.html 

It turned out to be the certificate... Outlook anywhere does not allow for Subject Alternate Names on certificates like OWA (Outlook Web Access), and OMA (Outlook Mobile Access) do. This company had the same dns name space internally as what they use externally, and registered their certificate to be that of the host name of their old exchange server!!! (yuck). In result I just ignored it and used a subject alternate name that of webmail which they also registered for all services. Bottom line - Outlook Anywhere will not use subject alternative names, only the correct issued to: name of the certificate. I did not find this documented anywhere!

Do you think this could be causing the password issue I am experiencing? I have reread it several times but am unsure of how I would apply the fix in my scenario.
The CN on your cert is mail.domain1.co.uk, which is what you setup in the SBS wizard, so you are fine.

JJ
OK many thanks!

Last question then I'll leave you in peace! Due to pressure from the customer, Just for now I may have to take the £50 on the chin and attempt it using a single name cert and SRV records as I can now see how this is the preferred way of approaching it. Then when they are all working on outlook anywhere I can continue to investigate this in my own time.

I have just bought this standard SSL for £8.50 (80% off from GoDaddy): http://www.godaddy.com/compare/gdcompare3_ssl.aspx?isc=sslfguka08&currencytype=GBP&ef_id=wAFQScKpimcAAFuy:20120917195837:s

Could anyone just check the link / screenshot and confirm that is the correct kind of single name certificate I have this time?
screenshot.png
You don't need a new certificate - the existing certificate credit would be fine, just get it rekeyed.

Simon.
Cheers Simon,

Will attempt that now. To confuse matters more, whilst I can access RWW fine, when I attempt to connect to a computer I get "your computer can't connect to the remote computer because the remote desktop gateway server address requested and the certificate subject name do not match...". It worked fine with the self-signed certificate before, so I tried reinstalling the self-signed certificate again, but now RDP through RWW won't work, generating the following message: "the computer can't verify the identity of the RD gateway "mail.mydomain1.co.uk". It's not safe to connect to computers that can't be identified".
Hi again,

I followed your procedure here for creating a new certificate (http://exchange.sembee.info/2010/install/ssl-request.asp). I ticked Outlook Web App on internet and intranet, ActiveSync, Outlook Anywhere and Autodiscover etc. Then, as instructed, on certificate domains I added mail.domain1.co.uk (the common name), autodiscover.domain1.co.uk, myserver.mydomain.local, myserver. I clicked on Next etc. and completed. I then assigned all services to it apart from Unified Messaging. I got two messages at this point: first it said "do you want to enforce SSL communication on the root web site? If not, rerun the cmdlet with the -DoNotRequireSsl parameter" (I clicked Yes). Then it asked me if I wanted to overwrite the default SMTP certificate, and once again I clicked Yes. What did these options mean and did I do the right thing? Then I browsed to the certificate file and opened it in Notepad, requested a rekey from the GoDaddy site, then copied the text out of Notepad and pasted it into the window. I then downloaded the certificate to the server, clicked on the pending certificate, selected Complete in the action pane and navigated to the certificate I'd just downloaded. Finally I ran the "add a trusted certificate wizard" and ensured I selected the new certificate.

Unfortunately Outlook Anywhere is still the same. Did I do all that correctly?
Everything that you have done is correct.
Run the tool from Microsoft's test site at http://exrca.com/ and see if that flags anything.
Ensure that autodiscover.example.com resolves to your Exchange server, and not somewhere else. If you browse to https://autodiscover.example.com/owa then you should get the OWA login screen.

Simon.
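The browser test above tells you whether the name reaches the server, but not which certificate the server hands out on that name or whether the Autodiscover virtual directory itself answers. The script below is an added example, not part of the thread or of the sembee.info articles, that does both from an external machine: it requests https://autodiscover.domain1.co.uk/autodiscover/autodiscover.xml the way Outlook does, records the HTTP status (an anonymous request to Exchange 2010 Autodiscover is challenged with 401, which is the good outcome here; 200 or 404 usually means the name is landing on a plain IIS site), and parses the presented certificate's CN and Subject Alternative Names to see whether the requested host name is on it. Host names are placeholders for the thread's domain1.co.uk; it uses only .NET classes so it runs on PowerShell 2.0 (Windows 7 / 2008 R2).

```powershell
# Added example, not from the thread: probe the Autodiscover endpoint over HTTPS
# from outside the LAN and report the HTTP status and the presented certificate's
# names, so a DNS/port problem can be told apart from a wrong-certificate problem.
# Placeholder host name: autodiscover.domain1.co.uk.

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17). On Windows Format()
    # renders it as "DNS Name=a, DNS Name=b", which is split back into a list.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return @($names | Select-Object -Unique)
}

function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.domain1.co.uk matches
        # mail.domain1.co.uk but not domain1.co.uk or a.b.domain1.co.uk.
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            ($HostName.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

function Test-AutodiscoverEndpoint {
    param([string]$HostName = 'autodiscover.domain1.co.uk')

    $url = "https://$HostName/autodiscover/autodiscover.xml"
    # Accept any certificate for the probe itself; it is inspected explicitly below.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    $status = $null
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.Net.WebException] -and $ex.Response) {
            $status = [int]$ex.Response.StatusCode              # 401 = reached Exchange, auth required
        } else {
            "FAIL no TLS/HTTP connection to ${HostName}: $($ex.Message) (check public DNS and the 443 forward)"
            return $false
        }
    }
    if (-not $req.ServicePoint.Certificate) { "FAIL connected but no certificate was captured"; return $false }
    # The certificate the server actually presented on this connection.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)
    $names = Get-CertDnsNames $cert

    "HTTP $status from $url"
    "Certificate subject: $($cert.Subject)"
    "Certificate names:   $($names -join ', ')"
    "Issued by:           $($cert.Issuer)   Expires: $($cert.NotAfter)"

    $ok = $true
    if ($status -ne 401) {
        "WARN expected 401 from the Autodiscover virtual directory, got $status (is the name on the Exchange web site?)"
        $ok = $false
    }
    if (-not (Test-NameOnCert $HostName $names)) {
        "FAIL $HostName is not on the presented certificate: Outlook will show the name-mismatch alert"
        $ok = $false
    }
    return $ok
}

Test-AutodiscoverEndpoint 'autodiscover.domain1.co.uk'
```

Run it once for each name Outlook will use (the autodiscover name and the Outlook Anywhere / RPC proxy name); a 401 with the host name present on the certificate is what a working deployment returns, and anything else points at the layer that is wrong.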
This is the current situation - I am now using the rekeyed certificate the procedure for which I outlined (and Simon verified) above:

In practice:
Exchange is working fine on local network (apart from prompting with a certificate error as described above on Outlook startup).
OWA works fine
RWW works fine but now with the rekeyed certificate I get a logon attempt failure when using it to access remote desktop. This worked fine with the self-signed certificate but threw up a (different) certificate issue with first bought certificate.
Outlook anywhere does not work with or without manual configuration.

Remote Connectivity Analyser (everything fails apart from internet email):

ActiveSync Connectivity Tests
  Exchange ActiveSync: ExRCA is testing Exchange ActiveSync. The Exchange ActiveSync test failed.
    Attempting the Autodiscover and Exchange ActiveSync test (if requested).
    Testing of Autodiscover for Exchange ActiveSync failed.
      Attempting each method of contacting the Autodiscover service.
      The Autodiscover service couldn't be contacted successfully by any method.

Microsoft Exchange Web Services Connectivity Tests
  Exchange Web Services synchronization, notification, availability, and Automatic Replies (OOF). Not all of the tests of Exchange Web Services tasks completed.
    Exchange Web Services service account access verification: ExRCA failed to complete all tests with the service account.
      ExRCA is attempting to test Autodiscover for user@mydomain1it.co.uk.
      Testing Autodiscover failed.

Microsoft Office Outlook Connectivity Tests
  Outlook Anywhere (RPC over HTTP): Testing RPC/HTTP connectivity. The RPC/HTTP test failed.
    ExRCA is attempting to test Autodiscover for user@mydomain1it.co.uk.
    Testing Autodiscover failed.
  Outlook Autodiscover: ExRCA is attempting to test Autodiscover for user@mydomain1it.co.uk. Testing Autodiscover failed.
    Attempting each method of contacting the Autodiscover service.
    The Autodiscover service couldn't be contacted successfully by any method.

Internet Email Tests
  Testing inbound SMTP mail flow for domain user@mydomain1it.co.uk. Inbound SMTP mail flow was verified successfully.
    Attempting to retrieve DNS MX records for domain mydomain1it.co.uk. One or more MX records were successfully retrieved from DNS.
    Testing Mail Exchanger mail.mydomain1it.co.uk. This Mail Exchanger was tested successfully.
  Performing Outbound SMTP Test. The outbound SMTP test was successful.
    Attempting reverse DNS lookup for IP address myipaddress. ExRCA successfully resolved IP address myipaddress via reverse DNS lookup.
    Performing Real-Time Black Hole List (RBL) Test. Your IP address wasn't found on any of the block lists selected.
    Performing Sender ID validation. Sender ID validation was performed successfully.
Hi again,

Does anyone have any further thoughts on this. I'm still getting certificate errors when people open outlook on the local network (screenshot1). RDP direct works fine but when running through remote workplace it fails first with a certificate error which I fixed by downloading and installing the certificates from the download folder (http://www.andrewstechnology.co.uk/reference/tips/44-sbs2011-rd-gateway-cant-verify-error.html) and then with a failure at the user / password prompt (screenshot2). Neither of these issues were there at first using the self-issued certificate but now I can't get it to work even when I reinstall the original self-signed. As a last resort I tried installing that single name cert I'd bought but it was exactly the same.

I've tried to keep everything standard in terms of hardware etc - I don't get why this is proving so problematic...
screenshot1.png
screenshot2.png
Does the autodiscover test that I outlined above actually work?
You should be able to browse to the autodiscover URL and get the OWA login screen.

This is either
- incorrect DNS in the PUBLIC DNS, not your internal DNS.
- incorrect port mapping (if the OWA test doesn't work)
- or the SSL certificate isn't working.

Simon.
Hi again pal and thanks for your ongoing attention,

Sorry I did that check but never reported the results: yes the autodiscover test does indeed resolve correctly to OWA.

1) If it is down to public DNS, do you know where I would start addressing this?
2) It would appear not to be a port mapping issue as the OWA test worked on both domains.
3) At present this seems the most promising avenue. I have also been following this up with godaddy and in their most recent communication they informed me that the SSL does not show installed properly (see extract below). Do you have any suggestions on what to try next as it seems as though I have tried every permutation of certificate installation including the one you confirmed was ok...

The certificate for mail.yourdomain.co.uk on the account is a standard single domain certificate.  Currently your SSL does not show installed properly.

If you are having issues with your installation, you will need to generate a new CSR and re-key your certificate. Re-keying is the process of generating a new private key for your existing SSL. You cannot change the identifying information, such as organization or domain name, in the certificate details.

When you re-key your certificate, you need to provide a certificate signing request (CSR) from your server. For more information, see Certificate Signing Request (CSR) Generation Instructions. The information in your CSR must be identical to the information from your existing certificate.

NOTE: We automatically deactivate the previous certificate when we issue the new, re-keyed certificate. Please do not revoke unless you are certain you want to cancel the existing certificate. When you revoke, the SSL credit is canceled and you cannot re-key the certificate.

To Re-key an SSL Certificate

• Log in to your Account Manager.
• Click SSL Certificates.
• Next to the certificate you want to re-key, click Launch.
• In the Filters list, click Certificates.
• Click the common name for the certificate you want to re-key.
• Click Re-Key.
• There might be a step here, depending on hosted here/elsewhere.
• In CSR, paste your CSR text.
• Select a certificate issuing organization, and then click Re-Key.
• Select a Server type, and then click Download.

After the download completes, install the re-keyed certificate on your Web server. For more information, see SSL Installation Instructions. If you need to install the intermediate certificates, you can download them from the repository.
Did you install the intermediate certificate on to the server? When you got your certificate from GoDaddy it would have been in a zip file, containing your certificate and the intermediates. You need to ensure that the intermediates are installed on your server. It isn't hard to do, just requires a custom MMC console.

Public DNS either works or it doesn't. From an external machine on the internet autodiscover.example.com should resolve to your server. If it doesn't, then you need to get that corrected. Furthermore remote.example.com should also resolve.
Both of those should be available in the browser - with NO SSL prompts.

Simon.
Hi there pal - sorry about the delay - was waiting to see if I could get anything helpful back from godaddy support:

Did you install the intemediate certificate on to the server?

Yes. I followed the instructions they provided (http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010) up until point 23 (In Exchange Certificates, select your certificate, and then, from the Actions panel on the right, click Complete Pending Request.). However, neither the new intermediate nor the full certificate appeared in this list. At this point I switched and used the SBS 2011 import trusted certificate wizard and completed the procedure by importing my full certificate. It seems like it is an SSL certificate issue (GoDaddy have confirmed it's not installed properly). Can you see anywhere that I went wrong with that certificate installation?

Public DNS appears to be ok. autodiscover.mydomain.co.uk and remote.mydomain.co.uk both resolve to default IIS landing page (see screenshot). They do however sometimes throw up the mozilla untrusted connection warning and I have to add an exception.
landing-page.png
The intermediate certificate you install through an MMC control panel applet.
The pending request you do through Exchange 2010. Therefore it looks like it is the certificate installation piece that is causing you problems.

In the zip file there are two certificate bits.
You need the intermediate ones first.
Start, Run, and type MMC. Then choose Add/Remove Snap-in. Choose Certificates, then when prompted Computer, Local Computer. Press OK and open up the certificates. Expand Intermediate Certification Authorities and then right-click on Intermediate Certification Authorities and choose All Tasks, Import. Go to the location of the intermediate certificate. You will have to change the file view to all files to see the file.
Once installed, close MMC, you don't need to save it.

In Exchange 2010, you should see the pending certificate request. If you don't, then you will have to do a new one through the wizard as per my instructions, then do a rekey. This is for the UC 5 name certificate.
When you get the response back, complete the pending request in Exchange 2010, then activate it in SBS console.

Simon.
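The same sequence Simon describes (install the intermediate, complete the pending request in Exchange 2010, assign services) can be done from the Exchange Management Shell, which also lets you confirm the chain actually builds, which is what GoDaddy's "not installed properly" remark means in practice. This is an added example and not code from the thread, from Sembee's articles or from GoDaddy; the file paths and names are assumptions, and the final "activate it in the SBS console" step is still done through the SBS wizard.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the SBS 2011 server.
# Paths and file names below are placeholders; use the files from the GoDaddy zip.
$IntermediatePath = 'C:\ssl\gd_intermediate.crt'   # intermediate CA certificate (assumed name)
$ResponsePath     = 'C:\ssl\mydomain.co.uk.crt'    # the issued certificate returned by GoDaddy (assumed name)

# Step 1: place the intermediate in the machine's Intermediate Certification Authorities store.
# "CA" is that store's internal name; this is the same result as the MMC snap-in import.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$intermediate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IntermediatePath)
$store.Add($intermediate)   # adding a certificate that is already present is a no-op
$store.Close()

# Step 2: complete the pending request. This is the EMC "Complete Pending Request" action;
# Exchange matches the response to the private key of the request it generated earlier,
# so the request must have been created on this server and must not have been deleted.
$responseBytes = [byte[]](Get-Content -Path $ResponsePath -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $responseBytes

# Step 3: assign the services the thread uses (Unified Messaging left out).
# -Force answers the "overwrite the default SMTP certificate" prompt with yes.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force

# Step 4: verify that Windows can build a full chain for the leaf. If the intermediate is
# missing or wrong, Build() fails and the elements listed stop at the leaf; that is the
# condition remote Outlook clients report as a certificate problem.
function Test-CertificateChain {
    param([string]$LeafPath)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped here so the test does not depend on outbound CRL/OCSP access.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($leaf)
    Write-Host ("Chain for {0}: {1}" -f $leaf.Subject, $(if ($ok) { 'OK' } else { 'FAILED' }))
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  {0}" -f $element.Certificate.Subject)
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
    return $ok
}

Test-CertificateChain -LeafPath $ResponsePath
```

A chain that ends after the leaf, or a ChainStatus of PartialChain, means the intermediate store is the problem rather than the Exchange side; a leaf that imports but never leaves the "pending" state means the response was matched against a request that no longer exists and a fresh request plus rekey is needed.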
Sorry pal - just want to make sure I get everything right this time. When you say you will have to do a new one through the wizard as per my instructions which instructions / wizard are you referring to?

Really appreciate your help by the way.
The new SSL request is done through the Exchange 2010 New Certificate wizard.

http://exchange.sembee.info/2010/install/ssl-request.asp
Then the response:

http://exchange.sembee.info/2010/install/ssl-response.asp

Then enable it through the SSL wizard in the SBS management console.

Simon.
Many thanks for that Simon - going to systematically run through those instructions now.

Just wondered about something - every time a certificate is imported does it replace the previous one? There are now 8 certificates (both preinstalled and from my previous attempts) listed (see screenshot) under server configuration > exchange certificates including the self signed ones. Should I delete any of them or does it not matter?
Each certificate is different, it doesn't replace another one. If you keep doing a rekey then the certificates will become invalid. You should remove the ones that are wrong or have been revoked, they should say invalid next to them. If they don't, run get-exchangecertificate from an EMS and see which ones are invalid.

Simon.
Thanks for your patience on this one pal.

At present all apart from one (the first godaddy certificate) say valid for exchange server usage.

I've never run a get-exchangecertificate command before and wasn't sure what to enter for the variables in bold Get-ExchangeCertificate [-Thumbprint <String>] [-DomainController <Fqdn>] [-DomainName <MultiValuedProperty>] [-Server <ServerIdParameter>]

Could the problem therefore be that the certificates are conflicting with each other? And should I have deleted the self-issued ones after I installed the godaddy one?


The ones I have at present are as follows

1) issued to mail.mydomain.co.uk; issued by go daddy; following purposes: ensure the identity of a remote computer,  proves your identity to a remote computer, 2.16.840.**************.1
2) issued to mail.mydomain.co.uk; issued by mydomain-myservername-CA; following purposes: ensure the identity of a remote computer.
3) issued to myservername.mylocaldomain.local; issued by mydomain-myservername-CA; following purposes: Proves your identity to a remote computer, ensures the identity of a remote computer.
4) issued to sites; issued by mydomain-myservername-ca; following purposes: ensure the identity of a remote computer.
5) issued to mylocaldomain-myservername-CA; issued by mylocaldomain-myservername-CA; following purposes: all issuance policies, all application policies
6) issued to WMSvc-WIN-*C********H; issued by WMSvc-WIN-*C********H; following purpose: ensures the identity of a remote computer; all issuance policies
7) issued to mail.mydomain.co.uk; issued by godaddy; following purposes: ensure the identity of a remote computer,  proves your identity to a remote computer, 2.16.840.**************.1

Which of these do you reckon I require. Or should I delete them all and start afresh?
Just running get-exchangecertificate with no variables will list the certificates that are installed, you do not need to add anything else.

Certificates cannot conflict - it looks like the regular mess of SSL certificates on SBS. The only ones you really need to worry about are the GoDaddy certificates; I would leave them alone except for any that are not valid.

Simon.
Many thanks Simon - will remove superseded GoDaddy and invalid ones then work through the steps above when I get back to the office. Will report back...
Hi again pal,

I slowly and systematically worked through all the steps. Sorry it's another War and Peace post but unless I'm exhaustive we won't be able to see where I'm going wrong. I've included a summary of the current situation followed by the exact steps I just followed.

Current Situation

1) Locally inbound and outbound mail working but local exchange clients prompted with autodiscover certificate message for autodiscover.domain2.co.uk each time they startup. It has ticks next to security certificate is from a trusted authority and date valid then a cross next to the name on the security certificate is invalid or does not match the name of the site

2) OWA works without issue

3) RWW works but when attempting to connect to a computer from within remote workspace the password box keeps reappearing with logon attempt failed. It is noteworthy that this facility initially worked with the self-issued certificate

4) Outlook anywhere fails on autoconfiguration exactly as before


Steps just taken

SSL Request

1) Browsed certificates and deleted the one that said invalid

2) EMC > Server configuration > new exchange certificate > name: “new” > didn’t enable wildcard > under client access server (outlook web app) ticked “outlook web app is on the intranet” and typed in mail.mydomain.co.uk under “domain name you use to access outlook web app internally”


3) Clicked on next (bringing us up to point 6 on your instructions: http://exchange.sembee.info/2010/install/ssl-request.asp) and added the following domains:
Autodiscover.domain1.co.uk
Autodiscover.domain2.com
MYSERVERNAME
MYSERVERNAME.mylocaldomainname.local
Mail.domain1.co.uk
Mail.domain2.com

* Did I do the right thing at this stage by including mail.domain2 and autodiscover.domain2?

4) I added a company name and selected the same path to store the req file as in your instructions > next > new > finish (and then verified it appeared as a pending certificate in the list)

Rekeyed Certificate

5) At this point I proceeded to obtain the rekeyed from godaddy (using the 5x domain SAN).

Logged into godaddy account manager > clicked on SSL certificates > selected launch next to “Standard Multiple Domain (UCC) Up to 5 Domains” > under filters selected certificates > selected certificate > rekey > opened C:\ssl-request in notepad and copied contents into CSR box on godaddy site > received rekey successful notification then specified exchange 2010 and downloaded the zip file containing both the intermediate and main certificate.

Response installation / Intermediate certificate

6) I now moved onto your response installation instructions (http://exchange.sembee.info/2010/install/ssl-response.asp). I noted that I must first install the intermediate certificate and using these instructions from godaddy as my guide (http://support.godaddy.com/help/article/5863/installing-an-ssl-certificate-in-microsoft-exchange-server-2010) proceeded to do the following:

Copied certificates zip file to server > start > run > mmc > console1 window > file > add / remove snapin > certificates > add > computer account > local computer > finish
Expand certificates > intermediate certificate authorities > all tasks > import > next > browsed to intermediate certificate > next > place in following store > intermediate certification authorities > ok > next, finish and ok then no to not save console settings.

7) I now switched back to your response installation instructions (which looked roughly the same as the go daddy ones)

Open EMC > server configuration > right click newly created pending certificate and selected complete request > browsed to mydomain.co.uk.crt file and selected complete. I received a completed successfully message. I noted that there were currently no services assigned to it so followed your assign services instructions (http://exchange.sembee.info/2010/install/ssl-services.asp)

Assigning Services

Right-clicked new certificate > assign services > next > ticked top 4 and left unified messaging unticked as directed > next > assign > then clicked yes to override default smtp certificate

Activating certificate

SBS console > add a trusted certificate > next > replace the existing certificate with a new one > next > I want to use a certificate that is already installed on the server > selected my certificate (by verifying start date as today) then imported.

Further steps

I tried rebooting the server but that made no difference. I tested my ssl certificate from ssl installation tool on the godaddy site (it defaults to port 443) and mail.domain1.co.uk reports no issues found whilst domain2 reports Common name in your SSL does not match the entered domain name
The common name issue is fine - that is because you only have one common name per SSL certificate.

Clients that are connected to the internal network shouldn't be using autodiscover.example.com as their host name, unless they are not members of the domain. They should get their information from the domain. By default SBS will configure that as the same common name as per the wizard, with DNS as appropriate.

If you have clients on the local network who are not members of the domain, then configure a split DNS system so that autodiscover for the second domain resolves to the internal IP address of the server.
http://exchange.sembee.info/network/split-dns.asp

Ensure that no external DNS servers are configured in the network at all - not on the servers or in DHCP. Only the local server should be used.

Simon.
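Two questions in this thread come down to the same check: which of the installed certificates is valid and bound to IIS (the "just run get-exchangecertificate" exchange above), and whether every name Outlook, ActiveSync and autodiscover will contact is both covered by that certificate and resolving to the server from where the client sits (the split-DNS point Simon makes here). The script below does both from the Exchange Management Shell; it is an added example, not code from the thread or from Sembee's articles, and the hostnames and expected IP address are placeholders to replace with your own.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the SBS 2011 server.
# Reports, for each public name clients use, whether the IIS-bound certificate covers it and
# whether it resolves to the expected address from this machine.

# Names remote Outlook, phones and autodiscover lookups will contact. Placeholders; replace them.
$RequiredNames = @(
    'mail.domain1.co.uk',
    'autodiscover.domain1.co.uk',
    'mail.domain2.com',
    'autodiscover.domain2.com',
    'remote.domain1.co.uk'
)
# Address these names should resolve to from where the script runs: the public IP when
# checking from outside, the server's LAN IP when checking a split-DNS setup from inside.
$ExpectedIP = '203.0.113.10'   # placeholder (TEST-NET-3 documentation range)

function Test-NameCovered {
    # True when $Name matches an entry in $CertDomains, including a single-label wildcard:
    # *.example.com matches host.example.com but not sub.host.example.com, which is how
    # Windows clients such as Outlook evaluate it.
    param([string]$Name, [string[]]$CertDomains)
    foreach ($domain in $CertDomains) {
        if ($domain -ieq $Name) { return $true }
        if ($domain.StartsWith('*.')) {
            $suffix = $domain.Substring(1)   # ".example.com"
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $Name.Split('.').Count -eq $domain.Split('.').Count) { return $true }
        }
    }
    return $false
}

# 1. Inventory every certificate Exchange knows about. No parameters are needed.
$certs = Get-ExchangeCertificate
$certs | Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Status, Services, NotAfter, IsSelfSigned, Subject -AutoSize

# Certificates that are neither valid nor a pending request are the ones the thread says to remove.
$certs | Where-Object { $_.Status -ne 'Valid' -and $_.Status -ne 'PendingRequest' } |
    ForEach-Object { Write-Warning ("Not usable ({0}): {1}" -f $_.Status, $_.Thumbprint) }

# 2. Only the valid certificate with the IIS service assigned is presented to OWA, Outlook
#    Anywhere, ActiveSync and autodiscover, so its names are the ones that matter.
$iisCerts = $certs | Where-Object { $_.Status -eq 'Valid' -and ($_.Services.ToString() -match '\bIIS\b') }
if (-not $iisCerts) { Write-Warning 'No valid certificate has the IIS service assigned.' }
$certDomains = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString() })
Write-Host ("Names on the IIS certificate(s): {0}" -f ($certDomains -join ', '))

# 3. For each required name: is it on the certificate, and does it resolve where expected?
$report = foreach ($name in $RequiredNames) {
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
    } catch {
        $addresses = @()   # NXDOMAIN or resolver failure
    }
    New-Object PSObject -Property @{
        Name          = $name
        InCertificate = (Test-NameCovered -Name $name -CertDomains $certDomains)
        ResolvesTo    = ($addresses -join ', ')
        AsExpected    = ($addresses -contains $ExpectedIP)
    }
}
$report | Format-Table Name, InCertificate, ResolvesTo, AsExpected -AutoSize
```

A name with InCertificate false is what produces the "name on the security certificate is invalid or does not match the name of the site" prompt; a name with AsExpected false from inside the LAN is what the split-DNS zone fixes for non-domain machines. Step 3 uses only the .NET resolver, so that part can also be pasted into a plain PowerShell window on an external machine to confirm the public view.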
Once again thanks pal for your sustained attention to this!

1) That makes total sense - as long as I know what it is and there are no underlying issues with the installation it's not a problem.

2) Again that makes sense as some of the machines are not joined to the domain. I will keep the procedure on file for future reference but I don't think I'll bother implementing a split DNS system on this occasion as the machines in question will probably be replaced in the not too distant future. Now I know the installation isn't somehow broken I'm happy.

3) I've just tried autodiscover on a fresh remote Outlook client (just in case any residual settings from previous attempts could somehow have been interfering). AND IT WORKED! I have tried every permutation along the way but it is worth noting (though this may be obvious) that after it autodiscovered the settings and asked for my username / password I had to type LOCALDOMAIN\username and password in order for it to work.

I am still getting the issue with "logon attempt failed" when using remote desktop through RWW (even though RDP directly works fine) - however I intend to start a new post for that as the initiating question here has been perfectly resolved. If you can keep an eye out for my new post that would be appreciated as I would be grateful for your input again!

I will assign points now - I hate this bit as I always think I'm going to leave someone out. Mate I can't thank you enough for all your assistance. In addition to directly resolving my issue, you have pointed me to some really useful articles that have enhanced my general understanding of the area.

All the best...
Thanks everyone for the invaluable assistance provided and perseverance shown - this post will also prove a really useful resource for future installations I carry out and hopefully anyone who stumbles on it in the PAQs. It was really tricky to divide points equitably as all three contributors were really helpful and there were two equally viable solutions - I just had to base it on which bits I used most in my particular situation. I hope I've done this fairly. Thanks again.