Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 889
  • Last Modified:

Outlook Certificate Problem

Hello,

I have a strange issue that just popped up. We moved a client from Google Apps for Business to a hosted Exchange environment last week for email. This client is new to us so I am not sure how their environment used to be. I setup an external autodiscover record just like I have for the rest of our hosted Exchange clients. When setting up Outlook for a user, autodiscover is finding an old certificate for mail.domain.com and throwing an alert. Everytime a user opens Outlook, the Security Alert attached appears. When I view the cert, it shows it expired in 2009. This only happens internally as I have tested outside the local network. I have checked DNS for any references to mail.domain.com and find none. Nothing returns when I ping mail.domain.com. I have checked IIS on all servers and certs for the local computer account and cannot find this cert referenced anywhere. There may have been an inhouse Exchange server at one point in time but there is not one any longer.

Any ideas would be greatly appreciated. Thanks!
lunar.png
0
GIOTechnologies
Asked:
GIOTechnologies
  • 10
  • 7
  • 4
2 Solutions
 
basil2912Commented:
Hello,

Is this happening for all the users of the client?

The pop-up mentions the autodiscover cannot be found on the certificate or what error exactly?

If this is only a machine did you look for the certificate in the local store?
0
 
GIOTechnologiesAuthor Commented:
Yes this is happening for all users. All machines on the internal network. The pop up is attached in my question buy says the certificate is not valid.
0
 
Simon Butler (Sembee)ConsultantCommented:
I would suspect there are traces of Exchange on the internal network, or a wildcard DNS entry for their external domain on the internal DNS servers.

Simon.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
GIOTechnologiesAuthor Commented:
Simon, I agree with you but I am not sure where to look. Any idea where/what to look for?
0
 
Simon Butler (Sembee)ConsultantCommented:
That is a very open ended question.
Traces, which could be anywhere. DNS entries are easily enough to track down. Find out where the URLs that are being accessed resolve to and then follow the track.

Simon.
0
 
GIOTechnologiesAuthor Commented:
I have looked through DNS and found nothing. mail.domain.com which the certificate is for does not resolve anywhere. This is why I'm confused.
0
 
basil2912Commented:
Hello,

Click on view certificate and check:
in general tab do you have any error message?
In the certification path tab what do you have? Any red x?

Thanks.
0
 
GIOTechnologiesAuthor Commented:
In the general tab there is a red x on the cert and says "The integrity of this certificate cannot be guaranteed. The cert may be corrupter or altered." On the cert path tab there is also a red x over the cert and says it has an invalid signature.
0
 
Simon Butler (Sembee)ConsultantCommented:
That means the certificate is broken.
The name on the certificate doesn't mean that is the URL it is using. You need to look at the Autodiscover results to see where the URLs go, and that should point you to the where the certificate is installed.

Simon.
0
 
GIOTechnologiesAuthor Commented:
I tested Autodiscover via Outlook and it shows that it is looking for the mail.domain.com record which does not exist. Outside the lan this is not an issue. I know the certificate is broken, I'm trying to find out where it is broadcasting from and am having no luck. Thanks for your help so far.
0
 
Simon Butler (Sembee)ConsultantCommented:
It must be finding that host somehow to get the prompt.
Which value in Autodiscover is it getting for that record? It could be that there is a self signed certificate on the workstations somewhere.

Simon.
0
 
GIOTechnologiesAuthor Commented:
I'm not sure what you mean by what value in Autodiscover. Could you point me in the direction of how to find that info? We just put in all brand new Win 7 workstations a month ago. If there is a self signed cert it would have come from one of the current servers I guess.
0
 
Simon Butler (Sembee)ConsultantCommented:
When you do the autodiscover test in Outlook, on the log and resutls tabs it will show you what has been returned by Autodiscover for URLs etc.

Simon.
0
 
basil2912Commented:
Hello,

Check the following:
Does the file: c:\Windows\System32\Drivers\etc\hosts has any entry added (related to the mail.domain.com?

On the machine:
Start, run, type mmc.
Select File, Add/remve snap-in, add certificates.
Click "Computer account", local computer, finish, ok.
Develop certificate store and have a look for the certificate in question.

As Simon says :), press control and click on the outlook icon.
Click test e-mail autoconfiguration and you should have some links, check if mail.domain.com is mentioned there.
Else check the log to see where outlook tries to connect; one of those links might have a connection to the certificate issue.
0
 
GIOTechnologiesAuthor Commented:
When I test with just the Use Autodiscover option check it returns the correct Autodiscover URLs on both tabs. When the other options are checked, it looks for mail.domain.com on the Log tab first but still shows the correct URLs on the Results tab.

I have checked the host files on the machines, there is no reference to mail.domain.com

I have checked the Certificate Store and there is no cert for mail.domain.com

Thanks.
0
 
Simon Butler (Sembee)ConsultantCommented:
Do the URLs resolve to the right place?

Simon.
0
 
GIOTechnologiesAuthor Commented:
Yes they do.
0
 
Simon Butler (Sembee)ConsultantCommented:
If you browse to each host name that comes from Autodiscover, do you get the certificate prompt? Something has to be generating it, you have to track down what.

Simon.
0
 
GIOTechnologiesAuthor Commented:
Ok, I think I found the culprit. Autodiscover looks for https://domain.com at some point. When I browse to that site I get a cert error pointing to the mail.domain.com cert. This appears to point to the local server IP. I do not see the cert installed on the server in the cert store or in IIS. Any idea where to go from here?

Thanks!
0
 
GIOTechnologiesAuthor Commented:
I did some more poking around and believe I found where the cert is coming from. The client apparently has some CommuniGate software that is pointing to the server and at one point used the mail.domain.com cert. I will be removing this. Thanks for all your help!
0
 
basil2912Commented:
Glad to help in pinpointing the issue.

Dan
0

Featured Post

Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

  • 10
  • 7
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now