Solved

Outlook Certificate Problem

Posted on 2013-01-08
Last Modified: 2013-01-11
Hello,

I have a strange issue that just popped up. We moved a client from Google Apps for Business to a hosted Exchange environment last week for email. This client is new to us so I am not sure how their environment used to be. I set up an external autodiscover record just like I have for the rest of our hosted Exchange clients. When setting up Outlook for a user, autodiscover is finding an old certificate for mail.domain.com and throwing an alert. Every time a user opens Outlook, the Security Alert attached appears. When I view the cert, it shows it expired in 2009. This only happens internally as I have tested outside the local network. I have checked DNS for any references to mail.domain.com and find none. Nothing returns when I ping mail.domain.com. I have checked IIS on all servers and certs for the local computer account and cannot find this cert referenced anywhere. There may have been an in-house Exchange server at one point in time but there is not one any longer.

Any ideas would be greatly appreciated. Thanks!
lunar.png
Question by:GIOTechnologies
21 Comments
 
LVL 5

Expert Comment

by:basil2912
ID: 38756885
Hello,

Is this happening for all the users of the client?

The pop-up mentions the autodiscover cannot be found on the certificate or what error exactly?

If this is only a machine did you look for the certificate in the local store?
0
 

Author Comment

by:GIOTechnologies
ID: 38757166
Yes, this is happening for all users. All machines on the internal network. The pop-up is attached in my question but says the certificate is not valid.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758624
I would suspect there are traces of Exchange on the internal network, or a wildcard DNS entry for their external domain on the internal DNS servers.

Simon.
0

Author Comment

by:GIOTechnologies
ID: 38758633
Simon, I agree with you but I am not sure where to look. Any idea where/what to look for?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38758753
That is a very open ended question.
Traces, which could be anywhere. DNS entries are easy enough to track down. Find out where the URLs that are being accessed resolve to and then follow the track.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38758846
I have looked through DNS and found nothing. mail.domain.com which the certificate is for does not resolve anywhere. This is why I'm confused.
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38759634
Hello,

Click on view certificate and check:
in general tab do you have any error message?
In the certification path tab what do you have? Any red x?

Thanks.
0
 

Author Comment

by:GIOTechnologies
ID: 38759760
In the general tab there is a red x on the cert and it says "The integrity of this certificate cannot be guaranteed. The cert may be corrupted or altered." On the cert path tab there is also a red x over the cert and it says it has an invalid signature.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38759920
That means the certificate is broken.
The name on the certificate doesn't mean that is the URL it is using. You need to look at the Autodiscover results to see where the URLs go, and that should point you to where the certificate is installed.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760238
I tested Autodiscover via Outlook and it shows that it is looking for the mail.domain.com record which does not exist. Outside the LAN this is not an issue. I know the certificate is broken, I'm trying to find out where it is broadcasting from and am having no luck. Thanks for your help so far.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760261
It must be finding that host somehow to get the prompt.
Which value in Autodiscover is it getting for that record? It could be that there is a self signed certificate on the workstations somewhere.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760361
I'm not sure what you mean by what value in Autodiscover. Could you point me in the direction of how to find that info? We just put in all brand new Win 7 workstations a month ago. If there is a self signed cert it would have come from one of the current servers I guess.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760418
When you do the autodiscover test in Outlook, on the log and results tabs it will show you what has been returned by Autodiscover for URLs etc.

Simon.
0
 
LVL 5

Assisted Solution

by:basil2912
basil2912 earned 1000 total points
ID: 38760513
Hello,

Check the following:
Does the file c:\Windows\System32\Drivers\etc\hosts have any entry added (related to mail.domain.com)?

On the machine:
Start, run, type mmc.
Select File, Add/Remove snap-in, add certificates.
Click "Computer account", local computer, finish, ok.
Develop certificate store and have a look for the certificate in question.

As Simon says :), press control and click on the outlook icon.
Click test e-mail autoconfiguration and you should have some links, check if mail.domain.com is mentioned there.
Else check the log to see where outlook tries to connect; one of those links might have a connection to the certificate issue.
0
 

Author Comment

by:GIOTechnologies
ID: 38760542
When I test with just the Use Autodiscover option checked it returns the correct Autodiscover URLs on both tabs. When the other options are checked, it looks for mail.domain.com on the Log tab first but still shows the correct URLs on the Results tab.

I have checked the host files on the machines, there is no reference to mail.domain.com

I have checked the Certificate Store and there is no cert for mail.domain.com

Thanks.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38760602
Do the URLs resolve to the right place?

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38760623
Yes they do.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1000 total points
ID: 38761113
If you browse to each host name that comes from Autodiscover, do you get the certificate prompt? Something has to be generating it, you have to track down what.

Simon.
0
 

Author Comment

by:GIOTechnologies
ID: 38762805
Ok, I think I found the culprit. Autodiscover looks for https://domain.com at some point. When I browse to that site I get a cert error pointing to the mail.domain.com cert. This appears to point to the local server IP. I do not see the cert installed on the server in the cert store or in IIS. Any idea where to go from here?

Thanks!
0
 

Author Comment

by:GIOTechnologies
ID: 38762865
I did some more poking around and believe I found where the cert is coming from. The client apparently has some CommuniGate software that is pointing to the server and at one point used the mail.domain.com cert. I will be removing this. Thanks for all your help!
0
 
LVL 5

Expert Comment

by:basil2912
ID: 38766221
Glad to help in pinpointing the issue.

Dan
0
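
The check that resolved this thread (visit each host Autodiscover tries, from inside the LAN, and see which one presents the bad certificate) can be scripted. The following is an added example, not code from the thread: the function names and the `user@domain.com` address are placeholders, and it assumes the two HTTPS locations Outlook tries, the root mail domain and then `autodiscover.<domain>`.

```python
import socket
import ssl

def autodiscover_hosts(smtp_address):
    """Hosts Outlook tries over HTTPS for an address, root domain first."""
    domain = smtp_address.rsplit("@", 1)[-1].lower()
    return [domain, "autodiscover." + domain]

def resolve(host):
    """IPs the local (internal) resolver returns for host, or [] if none."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tls_verdict(host, timeout=5):
    """Handshake with normal verification; return 'ok' or the failure reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        # e.g. expired certificate, or a name that does not match the host
        return "cert error: " + exc.verify_message
    except OSError as exc:
        return "no TLS service: " + str(exc)

def audit(smtp_address, resolver=resolve, prober=tls_verdict):
    """Per candidate host: where it resolves and what the handshake says."""
    report = []
    for host in autodiscover_hosts(smtp_address):
        ips = resolver(host)
        verdict = prober(host) if ips else "does not resolve"
        report.append({"host": host, "ips": ips, "verdict": verdict})
    return report

def suspects(report):
    """Hosts whose certificate would trigger Outlook's Security Alert."""
    return [row["host"] for row in report if row["verdict"].startswith("cert error")]

if __name__ == "__main__":
    rows = audit("user@domain.com")  # placeholder address
    for row in rows:
        print(row)
    print("check the service listening on:", suspects(rows))
```

Run it from a workstation on the affected network; a host listed by `suspects` resolves internally to a server whose port 443 is presenting the stale certificate, even when that certificate is not in IIS or the Windows certificate store.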