Solved

Outlook Certificate Problem

Posted on 2013-01-08
Last Modified: 2013-01-11
Hello,

I have a strange issue that just popped up. We moved a client from Google Apps for Business to a hosted Exchange environment last week for email. This client is new to us so I am not sure how their environment used to be. I set up an external autodiscover record just like I have for the rest of our hosted Exchange clients. When setting up Outlook for a user, autodiscover is finding an old certificate for mail.domain.com and throwing an alert. Every time a user opens Outlook, the Security Alert attached appears. When I view the cert, it shows it expired in 2009. This only happens internally as I have tested outside the local network. I have checked DNS for any references to mail.domain.com and find none. Nothing returns when I ping mail.domain.com. I have checked IIS on all servers and certs for the local computer account and cannot find this cert referenced anywhere. There may have been an in-house Exchange server at one point in time but there is not one any longer.

Any ideas would be greatly appreciated. Thanks!
lunar.png
0
Question by:GIOTechnologies
21 Comments
 
LVL 5

Expert Comment

by:basil2912
ID: 38756885
Hello,

Is this happening for all the users of the client?

The pop-up mentions the autodiscover cannot be found on the certificate or what error exactly?

If this is only a machine did you look for the certificate in the local store?
0
 

Author Comment

by:GIOTechnologies
ID: 38757166
Yes, this is happening for all users. All machines on the internal network. The pop-up is attached in my question but says the certificate is not valid.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758624
I would suspect there are traces of Exchange on the internal network, or a wildcard DNS entry for their external domain on the internal DNS servers.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758633
Simon, I agree with you but I am not sure where to look. Any idea where/what to look for?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758753
That is a very open ended question.
Traces, which could be anywhere. DNS entries are easy enough to track down. Find out where the URLs that are being accessed resolve to and then follow the track.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758846
I have looked through DNS and found nothing. mail.domain.com which the certificate is for does not resolve anywhere. This is why I'm confused.
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38759634
Hello,

Click on view certificate and check:
in general tab do you have any error message?
In the certification path tab what do you have? Any red x?

Thanks.
0
 

Author Comment

by:GIOTechnologies
ID: 38759760
In the general tab there is a red x on the cert and says "The integrity of this certificate cannot be guaranteed. The cert may be corrupted or altered." On the cert path tab there is also a red x over the cert and says it has an invalid signature.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38759920
That means the certificate is broken.
The name on the certificate doesn't mean that is the URL it is using. You need to look at the Autodiscover results to see where the URLs go, and that should point you to where the certificate is installed.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760238
I tested Autodiscover via Outlook and it shows that it is looking for the mail.domain.com record which does not exist. Outside the LAN this is not an issue. I know the certificate is broken, I'm trying to find out where it is broadcasting from and am having no luck. Thanks for your help so far.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760261
It must be finding that host somehow to get the prompt.
Which value in Autodiscover is it getting for that record? It could be that there is a self signed certificate on the workstations somewhere.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760361
I'm not sure what you mean by what value in Autodiscover. Could you point me in the direction of how to find that info? We just put in all brand new Win 7 workstations a month ago. If there is a self signed cert it would have come from one of the current servers I guess.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760418
When you do the autodiscover test in Outlook, on the log and results tabs it will show you what has been returned by Autodiscover for URLs etc.

Simon.
0
 
LVL 5

Assisted Solution

by:basil2912
basil2912 earned 250 total points
ID: 38760513
Hello,

Check the following:
Does the file c:\Windows\System32\Drivers\etc\hosts have any entry added (related to mail.domain.com)?

On the machine:
Start, Run, type mmc.
Select File, Add/Remove Snap-in, add Certificates.
Click "Computer account", Local computer, Finish, OK.
Expand the certificate store and have a look for the certificate in question.

As Simon says :), press Control and click on the Outlook icon.
Click Test E-mail AutoConfiguration and you should have some links; check if mail.domain.com is mentioned there.
Else check the log to see where Outlook tries to connect; one of those links might have a connection to the certificate issue.
0
 

Author Comment

by:GIOTechnologies
ID: 38760542
When I test with just the Use Autodiscover option checked it returns the correct Autodiscover URLs on both tabs. When the other options are checked, it looks for mail.domain.com on the Log tab first but still shows the correct URLs on the Results tab.

I have checked the host files on the machines, there is no reference to mail.domain.com

I have checked the Certificate Store and there is no cert for mail.domain.com

Thanks.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760602
Do the URLs resolve to the right place?

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760623
Yes they do.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 38761113
If you browse to each host name that comes from Autodiscover, do you get the certificate prompt? Something has to be generating it, you have to track down what.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38762805
Ok, I think I found the culprit. Autodiscover looks for https://domain.com at some point. When I browse to that site I get a cert error pointing to the mail.domain.com cert. This appears to point to the local server IP. I do not see the cert installed on the server in the cert store or in IIS. Any idea where to go from here?

Thanks!
0
 

Author Comment

by:GIOTechnologies
ID: 38762865
I did some more poking around and believe I found where the cert is coming from. The client apparently has some CommuniGate software that is pointing to the server and at one point used the mail.domain.com cert. I will be removing this. Thanks for all your help!
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38766221
Glad to help in pinpointing the issue.

Dan
0
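
The check that located the certificate in this thread, connecting to each host name Outlook tries and reading the certificate that answers, can be scripted from an affected workstation. This is an added example, not part of the original thread; `domain.com` is the thread's placeholder, and the candidate list is an assumption built from the host names mentioned above.

```powershell
# Added example: show which certificate answers on each Autodiscover candidate host.
# 'domain.com' is the thread's placeholder; replace it with the client's SMTP domain.
$Domain = 'domain.com'

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $row = New-Object PSObject -Property @{
        HostName = $HostName; Address = $null; Subject = $null
        NotAfter = $null; Expired = $null; Thumbprint = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # The IP that actually answered: this is the machine to go and inspect.
        $row.Address = $client.Client.RemoteEndPoint.Address.ToString()

        # Accept whatever is presented; the goal is to read the certificate, not trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $row.Subject    = $cert.Subject
        $row.NotAfter   = $cert.NotAfter
        $row.Expired    = ($cert.NotAfter -lt (Get-Date))
        $row.Thumbprint = $cert.Thumbprint
    }
    catch {
        # No DNS record, a closed port, or a failed handshake all land here.
        $row.Error = $_.Exception.Message
    }
    finally {
        $client.Close()
    }
    $row
}

# Assumed candidate list: the host names mentioned in the thread.
$candidates = @($Domain, "autodiscover.$Domain", "mail.$Domain")

$candidates | ForEach-Object { Get-PresentedCertificate -HostName $_ } |
    Select-Object HostName, Address, Subject, NotAfter, Expired, Thumbprint, Error |
    Format-List
```

A row whose `Subject` does not match its `HostName` and whose `Address` is internal marks the service to inspect; the thumbprint can then be compared against whatever software is listening on port 443 at that address.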
