Solved

Outlook Certificate Problem

Posted on 2013-01-08
Last Modified: 2013-01-11
Hello,

I have a strange issue that just popped up. We moved a client from Google Apps for Business to a hosted Exchange environment last week for email. This client is new to us so I am not sure how their environment used to be. I set up an external autodiscover record just like I have for the rest of our hosted Exchange clients. When setting up Outlook for a user, autodiscover is finding an old certificate for mail.domain.com and throwing an alert. Every time a user opens Outlook, the Security Alert attached appears. When I view the cert, it shows it expired in 2009. This only happens internally as I have tested outside the local network. I have checked DNS for any references to mail.domain.com and find none. Nothing returns when I ping mail.domain.com. I have checked IIS on all servers and certs for the local computer account and cannot find this cert referenced anywhere. There may have been an in-house Exchange server at one point in time but there is not one any longer.

Any ideas would be greatly appreciated. Thanks!
lunar.png
Question by:GIOTechnologies
 
LVL 5

Expert Comment

by:basil2912
ID: 38756885
Hello,

Is this happening for all the users of the client?

The pop-up mentions the autodiscover cannot be found on the certificate or what error exactly?

If this is only a machine did you look for the certificate in the local store?
0
 

Author Comment

by:GIOTechnologies
ID: 38757166
Yes this is happening for all users. All machines on the internal network. The pop-up is attached in my question but says the certificate is not valid.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758624
I would suspect there are traces of Exchange on the internal network, or a wildcard DNS entry for their external domain on the internal DNS servers.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758633
Simon, I agree with you but I am not sure where to look. Any idea where/what to look for?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758753
That is a very open ended question.
Traces, which could be anywhere. DNS entries are easy enough to track down. Find out where the URLs that are being accessed resolve to and then follow the track.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758846
I have looked through DNS and found nothing. mail.domain.com which the certificate is for does not resolve anywhere. This is why I'm confused.
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38759634
Hello,

Click on view certificate and check:
in general tab do you have any error message?
In the certification path tab what do you have? Any red x?

Thanks.
0
 

Author Comment

by:GIOTechnologies
ID: 38759760
In the general tab there is a red x on the cert and says "The integrity of this certificate cannot be guaranteed. The cert may be corrupted or altered." On the cert path tab there is also a red x over the cert and says it has an invalid signature.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38759920
That means the certificate is broken.
The name on the certificate doesn't mean that is the URL it is using. You need to look at the Autodiscover results to see where the URLs go, and that should point you to where the certificate is installed.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760238
I tested Autodiscover via Outlook and it shows that it is looking for the mail.domain.com record which does not exist. Outside the LAN this is not an issue. I know the certificate is broken, I'm trying to find out where it is broadcasting from and am having no luck. Thanks for your help so far.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760261
It must be finding that host somehow to get the prompt.
Which value in Autodiscover is it getting for that record? It could be that there is a self signed certificate on the workstations somewhere.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760361
I'm not sure what you mean by what value in Autodiscover. Could you point me in the direction of how to find that info? We just put in all brand new Win 7 workstations a month ago. If there is a self signed cert it would have come from one of the current servers I guess.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760418
When you do the autodiscover test in Outlook, on the log and results tabs it will show you what has been returned by Autodiscover for URLs etc.

Simon.
0
 
LVL 5

Assisted Solution

by:basil2912
basil2912 earned 1000 total points
ID: 38760513
Hello,

Check the following:
Does the file c:\Windows\System32\Drivers\etc\hosts have any entry added (related to mail.domain.com)?

On the machine:
Start, run, type mmc.
Select File, Add/Remove snap-in, add certificates.
Click "Computer account", local computer, finish, ok.
Develop certificate store and have a look for the certificate in question.

As Simon says :), press control and click on the Outlook icon.
Click test e-mail autoconfiguration and you should have some links, check if mail.domain.com is mentioned there.
Else check the log to see where Outlook tries to connect; one of those links might have a connection to the certificate issue.
0
 

Author Comment

by:GIOTechnologies
ID: 38760542
When I test with just the Use Autodiscover option checked it returns the correct Autodiscover URLs on both tabs. When the other options are checked, it looks for mail.domain.com on the Log tab first but still shows the correct URLs on the Results tab.

I have checked the host files on the machines, there is no reference to mail.domain.com.

I have checked the Certificate Store and there is no cert for mail.domain.com

Thanks.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760602
Do the URLs resolve to the right place?

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760623
Yes they do.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1000 total points
ID: 38761113
If you browse to each host name that comes from Autodiscover, do you get the certificate prompt? Something has to be generating it, you have to track down what.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38762805
Ok, I think I found the culprit. Autodiscover looks for https://domain.com at some point. When I browse to that site I get a cert error pointing to the mail.domain.com cert. This appears to point to the local server IP. I do not see the cert installed on the server in the cert store or in IIS. Any idea where to go from here?

Thanks!
0
 

Author Comment

by:GIOTechnologies
ID: 38762865
I did some more poking around and believe I found where the cert is coming from. The client apparently has some CommuniGate software that is pointing to the server and at one point used the mail.domain.com cert. I will be removing this. Thanks for all your help!
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38766221
Glad to help in pinpointing the issue.

Dan
0
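The check that resolved this thread (browse to each host name Autodiscover tries and see which one produces the certificate prompt) can be scripted. The following is an added example, not part of the original discussion: it assumes Outlook's documented HTTPS lookup order after the SCP query (root domain, then `autodiscover.<domain>`), and the sample results and addresses are constructed.

```python
import ipaddress
import socket
import ssl

def autodiscover_candidates(email):
    """HTTPS hosts Outlook tries after the SCP lookup: root domain first."""
    domain = email.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]

def probe(host, port=443, timeout=5):
    """Resolve host, then attempt a fully verified TLS handshake with it."""
    result = {"host": host, "ip": None, "error": None}
    try:
        result["ip"] = socket.gethostbyname(host)
    except socket.gaierror:
        result["error"] = "does not resolve"
        return result
    ctx = ssl.create_default_context()  # verifies chain, dates and host name
    try:
        with socket.create_connection((result["ip"], port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate rejected: " + exc.verify_message
    except OSError as exc:
        result["error"] = "no TLS service: " + str(exc)
    return result

def suspects(results):
    """Hosts on an internal address whose certificate the client rejects."""
    return [r["host"] for r in results
            if r["ip"] and (r["error"] or "").startswith("certificate rejected")
            and ipaddress.ip_address(r["ip"]).is_private]

# Constructed results mirroring the thread (addresses are made up).
SAMPLE = [
    {"host": "domain.com", "ip": "192.168.1.10",
     "error": "certificate rejected: certificate signature failure"},
    {"host": "autodiscover.domain.com", "ip": "8.8.4.4", "error": None},
    {"host": "mail.domain.com", "ip": None, "error": "does not resolve"},
]

if __name__ == "__main__":
    import sys
    results = ([probe(h) for h in autodiscover_candidates(sys.argv[1])]
               if len(sys.argv) > 1 else SAMPLE)
    for r in results:
        print(r)
    print("internal hosts serving a bad certificate:", suspects(results))
```

Run it from an internal workstation with a mailbox address as the argument; the IP reported for a flagged host identifies the server and service to inspect, even when the certificate is absent from the Windows certificate store and IIS.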
