Solved

Outlook Certificate Problem

Posted on 2013-01-08
Last Modified: 2013-01-11
Hello,

I have a strange issue that just popped up. We moved a client from Google Apps for Business to a hosted Exchange environment last week for email. This client is new to us so I am not sure how their environment used to be. I set up an external autodiscover record just like I have for the rest of our hosted Exchange clients. When setting up Outlook for a user, autodiscover is finding an old certificate for mail.domain.com and throwing an alert. Every time a user opens Outlook, the Security Alert attached appears. When I view the cert, it shows it expired in 2009. This only happens internally as I have tested outside the local network. I have checked DNS for any references to mail.domain.com and find none. Nothing returns when I ping mail.domain.com. I have checked IIS on all servers and certs for the local computer account and cannot find this cert referenced anywhere. There may have been an in-house Exchange server at one point in time but there is not one any longer.

Any ideas would be greatly appreciated. Thanks!
lunar.png
Question by:GIOTechnologies
21 Comments
 
LVL 5

Expert Comment

by:basil2912
ID: 38756885
Hello,

Is this happening for all the users of the client?

The pop-up mentions the autodiscover cannot be found on the certificate or what error exactly?

If this is only a machine did you look for the certificate in the local store?
0
 

Author Comment

by:GIOTechnologies
ID: 38757166
Yes, this is happening for all users. All machines on the internal network. The pop-up is attached in my question but says the certificate is not valid.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758624
I would suspect there are traces of Exchange on the internal network, or a wildcard DNS entry for their external domain on the internal DNS servers.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758633
Simon, I agree with you but I am not sure where to look. Any idea where/what to look for?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758753
That is a very open-ended question.
Traces, which could be anywhere. DNS entries are easy enough to track down. Find out where the URLs that are being accessed resolve to and then follow the track.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758846
I have looked through DNS and found nothing. mail.domain.com which the certificate is for does not resolve anywhere. This is why I'm confused.
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38759634
Hello,

Click on view certificate and check:
In the general tab, do you have any error message?
In the certification path tab what do you have? Any red x?

Thanks.
0
 

Author Comment

by:GIOTechnologies
ID: 38759760
In the general tab there is a red x on the cert and it says "The integrity of this certificate cannot be guaranteed. The cert may be corrupted or altered." On the cert path tab there is also a red x over the cert and it says it has an invalid signature.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38759920
That means the certificate is broken.
The name on the certificate doesn't mean that is the URL it is using. You need to look at the Autodiscover results to see where the URLs go, and that should point you to where the certificate is installed.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760238
I tested Autodiscover via Outlook and it shows that it is looking for the mail.domain.com record which does not exist. Outside the LAN this is not an issue. I know the certificate is broken, I'm trying to find out where it is broadcasting from and am having no luck. Thanks for your help so far.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760261
It must be finding that host somehow to get the prompt.
Which value in Autodiscover is it getting for that record? It could be that there is a self signed certificate on the workstations somewhere.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760361
I'm not sure what you mean by what value in Autodiscover. Could you point me in the direction of how to find that info? We just put in all brand new Win 7 workstations a month ago. If there is a self signed cert it would have come from one of the current servers I guess.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760418
When you do the autodiscover test in Outlook, on the log and results tabs it will show you what has been returned by Autodiscover for URLs etc.

Simon.
0
 
LVL 5

Assisted Solution

by:basil2912
basil2912 earned 250 total points
ID: 38760513
Hello,

Check the following:
Does the file c:\Windows\System32\Drivers\etc\hosts have any entry added (related to mail.domain.com)?

On the machine:
Start, run, type mmc.
Select File, Add/Remove snap-in, add certificates.
Click "Computer account", local computer, finish, ok.
Develop certificate store and have a look for the certificate in question.

As Simon says :), press control and click on the Outlook icon.
Click test e-mail autoconfiguration and you should have some links, check if mail.domain.com is mentioned there.
Else check the log to see where Outlook tries to connect; one of those links might have a connection to the certificate issue.
0
 

Author Comment

by:GIOTechnologies
ID: 38760542
When I test with just the Use Autodiscover option checked, it returns the correct Autodiscover URLs on both tabs. When the other options are checked, it looks for mail.domain.com on the Log tab first but still shows the correct URLs on the Results tab.

I have checked the hosts files on the machines, there is no reference to mail.domain.com.

I have checked the Certificate Store and there is no cert for mail.domain.com

Thanks.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760602
Do the URLs resolve to the right place?

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760623
Yes they do.
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 38761113
If you browse to each host name that comes from Autodiscover, do you get the certificate prompt? Something has to be generating it, you have to track down what.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38762805
Ok, I think I found the culprit. Autodiscover looks for https://domain.com at some point. When I browse to that site I get a cert error pointing to the mail.domain.com cert. This appears to point to the local server IP. I do not see the cert installed on the server in the cert store or in IIS. Any idea where to go from here?

Thanks!
0
 

Author Comment

by:GIOTechnologies
ID: 38762865
I did some more poking around and believe I found where the cert is coming from. The client apparently has some CommuniGate software that is pointing to the server and at one point used the mail.domain.com cert. I will be removing this. Thanks for all your help!
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38766221
Glad to help in pinpointing the issue.

Dan
0
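The check that resolved this thread (connect to each host name Autodiscover tries and see which listener presents the bad certificate) can be scripted. The following is an added example, not part of the original thread: it assumes Outlook's HTTPS lookups go to the root mail domain first and then to `autodiscover.<domain>`, and the function names and the `example.com` default are illustrative.

```python
import hashlib, ipaddress, socket, ssl

def autodiscover_hosts(smtp_domain):
    # HTTPS hosts Outlook tries: the root domain first, then autodiscover.<domain>
    return [smtp_domain, "autodiscover." + smtp_domain]

def tls_check(host, port=443, timeout=5):
    """Return (verification error or None, SHA-1 thumbprint) for the presented cert."""
    error = None
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, port), timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as e:
        error = e.verify_message      # e.g. expired, name mismatch, bad signature
    # Second handshake without validation, only to read the raw certificate
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout) as s:
        with ctx.wrap_socket(s, server_hostname=host) as t:
            der = t.getpeercert(binary_form=True)
    return error, hashlib.sha1(der).hexdigest().upper()

def probe(smtp_domain, resolve=socket.gethostbyname, check=tls_check):
    """One row per Autodiscover host: where it resolves and which cert answers."""
    rows = []
    for host in autodiscover_hosts(smtp_domain):
        row = {"host": host, "ip": None, "internal": None,
               "error": None, "thumbprint": None}
        try:
            row["ip"] = resolve(host)
            row["internal"] = ipaddress.ip_address(row["ip"]).is_private
            row["error"], row["thumbprint"] = check(host)
        except OSError as e:          # no DNS record, port closed, timeout
            row["error"] = f"unreachable: {e}"
        rows.append(row)
    return rows

if __name__ == "__main__":
    import sys
    for r in probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(r)
```

Run it from a workstation inside the affected network; a row with `internal` true and a verification error identifies the listener to investigate, and the thumbprint can be compared with the Thumbprint field of the certificate shown in the Security Alert.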

Question has a verified solution.
