Solved

Certificate problem on Exchange 2013

Posted on 2013-02-02
34
2,095 Views
Last Modified: 2013-03-01
Hi
I have an Exchange 2013 server and I installed a certificate from godaddy.com so it resolves to mail.mydomain.com.
Internally or externally, if I go to https://mail.mydomain.com/ecp it works perfectly and I do not get prompted to accept the certificate, but internally if anyone starts Outlook they get 2 certificate errors. Both say that the name does not match the one on the certificate.
If I click View Certificate it shows the proper one from godaddy.com, but the name Outlook tries to resolve is first exchangename alone, then exchangesrvname.internaldomain.local.
I did change the internal URL on the virtual directories for ECP, OWA and EWS to match the mail.mydomain.com that is on the certificate, and also made the changes on the external link for Outlook Anywhere, but I still get those 2 certificate errors. Any idea where else I should look?
Question by:infedonetwork
34 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 38846241
That should be Autodiscover.

What is the output of get-clientaccessserver | fl *uri*?

If it is wrong, fix it:

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://correcturl
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846253
Are you talking about the Autodiscover under the virtual directories?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38846258
Yes, but you change it with the command I gave you, not in the Autodiscover virtual directory.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846267
Sorry, I'm new to Exchange 2013.
I assume the command has to be run under PowerShell, but for some reason http://server/powershell does not display a page. It just goes blank.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 38846310
You have to go to your Exchange server's command prompt / PowerShell area.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846312
OK, I ran get-clientaccessserver | fl *uri* and I got https://server.intdomain.local/Autodiscover/Autodiscover.xml
So up to here it makes sense.
I ran Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com
After that I could not connect with any Outlook to the server.
I also ran Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.mydomain.com/autodiscover/autodiscover.xml and still nothing.
I deleted an Outlook account and when I try to recreate it, Outlook will not see the name anymore.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846314
Do I need to wait 60 minutes, or is there a way to force the Autodiscover?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846318
Now in one Outlook the mail works but I keep getting the certificate errors, and on another Outlook, where I deleted the account, Outlook does not discover the server or the user.
I will wait until tomorrow morning and see if it finds it.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38846486
You have to get the command completely right and then run IISRESET from an elevated command prompt. That will ensure the change is seen by clients.

If you didn't include the /Autodiscover/Autodiscover.xml in the configuration then that will break things.

You also need to ensure that the host name that you have changed it to resolves internally via a SPLIT DNS system.

http://exchange.sembee.info/network/split-dns.asp

Simon.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38846992
OK, this is what I did, including resetting IIS, but still no go.


[PS] C:\Windows\system32>get-clientaccessserver | fl *uri*

AutoDiscoverServiceInternalUri : https://ins.domain.local/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32>Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.domain.ca/autodiscover/autodiscover.xml

[PS] C:\Windows\system32>get-clientaccessserver | fl *uri*

AutoDiscoverServiceInternalUri : https://mail.domain.ca/autodiscover/autodiscover.xml


When I start Outlook I keep getting the certificate error saying the name does not match: ins.domain.local with mail.domain.ca.

"ins" is the name of the Exchange server.

And a long time ago I already did the DNS config by creating a second zone called domain.local, and I created all records including mail.domain.ca, and it resolves fine on all PCs.
The only difference is that mine is a primary integrated zone. Does it make any difference if everything resolves fine internally? And the external DNS for domain.ca is handled by a public DNS, not internally.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847003
There is still something pointing to ins.domain.local in your URLs.

What is the result of:
Get-WebServicesVirtualDirectory | fl *url*
Get-OabVirtualDirectory | fl *url*
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847020
For the first one:
InternalNLBBypassUrl :
InternalUrl          : https://ins/EWS/Exchange.asmx
ExternalUrl          : https://mail.domain.ca/ews/exchange.asmx

For the second one:

InternalUrl : https://ins/OAB
ExternalUrl : https://mail.domain.ca/OAB

So those are the settings that I already changed, internal and external, to mail.domain.ca before, but it did not work, so I changed the internal back to ins/ews and left the external one at mail.domain.ca.

That was done before I made the changes you recommended.
Should I change the internal URL to match the external one again, now after those changes?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847023
Yes, please change both of these internal URLs to mail.domain.ca.
0
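The checks the two comments above ask for, collected into one script. This is an added example, not code from the thread: it audits every URL and host name Exchange 2013 hands to Outlook through Autodiscover (the SCP URI, the EWS/OAB/OWA/ECP/ActiveSync virtual directories and the Outlook Anywhere host names) against the names on the certificate bound to IIS, and with -Fix rewrites the mismatches. It assumes it runs in the Exchange Management Shell on the Client Access server, that $Namespace is the name on the GoDaddy certificate (mail.domain.ca in the thread), and that this name resolves internally via split DNS as Simon described.

```powershell
# Added example (not from the thread): audit every URL/host name Exchange 2013
# hands to Outlook via Autodiscover against the certificate bound to IIS, and
# rewrite the mismatches with -Fix. Run in the Exchange Management Shell on the
# CAS. Assumptions: $Namespace is the name on the GoDaddy certificate
# (mail.domain.ca in the thread) and it resolves internally via split DNS.
param(
    [string]$Namespace = 'mail.domain.ca',   # assumption: the name on the certificate
    [switch]$Fix                             # report only unless -Fix is given
)

# 1. Names the IIS-bound certificate actually covers (CN plus SANs).
$cert = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
        Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for IIS on this server.' }
$sans = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"IIS certificate $($cert.Thumbprint) covers: $($sans -join ', ')"

# A URL is fine if its host is on the certificate, directly or via a wildcard.
function Test-NameOnCert([string]$Url) {
    if ([string]::IsNullOrEmpty($Url)) { return $true }   # unset URL: nothing for Outlook to open
    $h = ([uri]$Url).Host.ToLower()
    $parent = $h.Substring($h.IndexOf('.') + 1)
    return ($sans -contains $h) -or ($sans -contains "*.$parent")
}
$fmt = '{0,-30} {1,-18} {2,-58} {3}'

# 2. The SCP URI the thread started with: what domain-joined Outlook asks first.
$cas  = Get-ClientAccessServer -Identity $env:COMPUTERNAME
$scp  = "$($cas.AutoDiscoverServiceInternalUri)"
$want = "https://$Namespace/Autodiscover/Autodiscover.xml"
$ok   = Test-NameOnCert $scp
$fmt -f $cas.Name, 'AutoDiscoverSCP', $scp, $(if ($ok) { 'OK' } else { 'MISMATCH' })
if ($Fix -and -not $ok) { Set-ClientAccessServer -Identity $cas.Identity -AutoDiscoverServiceInternalUri $want }

# 3. Every virtual directory whose InternalUrl/ExternalUrl Autodiscover returns.
#    (Get-/Set-MapiVirtualDirectory only exists from 2013 SP1; add it if you have it.)
$vdirs = @(
    @{ Get='Get-WebServicesVirtualDirectory'; Set='Set-WebServicesVirtualDirectory'; Path='/EWS/Exchange.asmx' },
    @{ Get='Get-OabVirtualDirectory';         Set='Set-OabVirtualDirectory';         Path='/OAB' },
    @{ Get='Get-OwaVirtualDirectory';         Set='Set-OwaVirtualDirectory';         Path='/owa' },
    @{ Get='Get-EcpVirtualDirectory';         Set='Set-EcpVirtualDirectory';         Path='/ecp' },
    @{ Get='Get-ActiveSyncVirtualDirectory';  Set='Set-ActiveSyncVirtualDirectory';  Path='/Microsoft-Server-ActiveSync' }
)
foreach ($v in $vdirs) {
    foreach ($d in @(& $v.Get -Server $env:COMPUTERNAME)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $cur = "$($d.$prop)"
            $ok  = Test-NameOnCert $cur
            $fmt -f $d.Identity, $prop, $cur, $(if ($ok) { 'OK' } else { 'MISMATCH' })
            if ($Fix -and -not $ok) {
                $p = @{ Identity = $d.Identity }
                $p[$prop] = "https://$Namespace$($v.Path)"
                & $v.Set @p                    # parameter name chosen at run time via splatting
            }
        }
    }
}

# 4. Outlook Anywhere: 2013 has separate internal and external host names; both
#    should be names on the certificate, since Outlook validates whichever it uses over SSL.
$oa = Get-OutlookAnywhere -Server $env:COMPUTERNAME
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    $h  = "$($oa.$prop)"
    $ok = Test-NameOnCert $(if ($h) { "https://$h/" } else { '' })
    $fmt -f $oa.Identity, $prop, $h, $(if ($ok) { 'OK' } else { 'MISMATCH' })
    if ($Fix -and -not $ok) {
        $p = @{ Identity = $oa.Identity }
        $p[$prop] = $Namespace
        if ($prop -eq 'InternalHostname') { $p.InternalClientsRequireSsl = $true } else { $p.ExternalClientsRequireSsl = $true }
        Set-OutlookAnywhere @p
    }
}

if ($Fix) { iisreset /noforce; 'Done. Outlook re-reads Autodiscover on its next poll; recreate a profile to test at once.' }
```

Run it without -Fix first and read the MISMATCH rows: in the thread those were the SCP URI and the InternalUrl values still carrying the bare server name "ins", which is exactly the name Outlook then complained about. The report deliberately compares host names against the certificate rather than against a hard-coded expected string, so it also catches a wildcard or multi-SAN certificate that covers the name by a different spelling.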
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847038
Done, but still no difference.
The PC that has no account in Outlook does not find any info about Exchange, and on the one that has the account already set up, when I start Outlook the first certificate error says INS "The name on the security certificate is invalid" and the second one is INS.domain.local "The name on the security certificate is invalid".

I also reset IIS but still no go.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847042
Resetting IIS is not enough; these settings will take some time to propagate.

Regarding Autodiscover not working: is the name mail.domain.ca resolvable from inside to the internal IP address of your server?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847044
[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *url*
Creating a new session for implicit remoting of "Get-WebServicesVirtualDirectory" command...


InternalNLBBypassUrl :
InternalUrl          : https://mail.domain.ca/EWS/Exchange.asmx
ExternalUrl          : https://mail.domain.ca/ews/exchange.asmx


[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl *url*


InternalUrl : https://mail.domain.ca/OAB
ExternalUrl : https://mail.domain.ca/OAB
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847050
Looks like our posts crossed, so I'll paste again.

Resetting IIS is not enough; these settings will take some time to propagate.

Regarding Autodiscover not working: is the name mail.domain.ca resolvable from inside to the internal IP address of your server?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847052
Yes, when I ping mail.domain.ca it resolves to the internal IP of the Exchange server.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847055
OK, I will leave it for an hour or so.
What is the TTL for Autodiscover? I think it is 60 minutes?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847058
And that user for whom Autodiscover is not working, is it configured with a proxy server?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847059
Nope, I don't use a proxy.
0
 
LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 38847066
If you Ctrl + right-click on the Outlook icon in the system tray you will have a "test automatic configuration" option.

Fill in the username and password, remove all the ticks, keep only Autodiscover checked, and run it.

Can you give the results of the last tab?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847083
Well, this is Outlook 2013 running on Win8.
I don't have this option.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38847088
I have Outlook 2013 on Windows 8 and I can assure you it is there :)

Try again: CTRL + right-click on the icon that is in the SYSTEM tray while Outlook is running.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847113
I did, but all I have is Create New Email, Contact and so on.
But one thing is new.
I went to Mail and deleted the old profile and created a new one.
Now I get this, and I had this before also.
I get the certificate error, but now instead of ins it shows domain.ca, and that's good, but when I look at the certificate it shows Issued to: *.hostdomain.com. That's the domain of the provider that hosts the website. If I ping domain.ca it resolves to the IP address of that provider where domain.ca is hosted, but if I ping mail.domain.ca it resolves to my internal server.
I can't create an A record for domain.ca because then I will not be able to see the website internally.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847120
And like I said, the name it is compared with is domain.ca, not mail.domain.ca.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847124
That's why it is looking at domainhost.com and not at mail.domain.ca.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847150
It's working now.
I rebooted the client PC and now it is not complaining anymore.
I will try from outside to see if it works and let you know.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847182
OK, so the PC where I deleted the Outlook profile came back after I created a new profile saying the certificate does not match, and it was pointing to domainhost.com, where the domain.ca DNS is pointing, and that is outside my domain.
I clicked OK, then I closed Outlook and it never came back with the certificate error, but it was saying for about a minute or so "Trying to connect to Exchange", after which it connected and works fine.
I tried the same on the second PC: delete profile, recreate profile, and when the profile was created it came up with the certificate of the domain host, then I clicked OK and now no more errors.
The reason is that it is looking at mydomain.ca, not mail.mydomain.ca.
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38847187
Also, when I click on Outlook Accounts and choose Change, I now see on the server something like 2948383b-cbf5-4c79-a4cd-52d8316bf253@mydomain.ca
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38848175
Yes, it is looking at domain.ca because that's how Autodiscover works: it will try to search first for https://domain.ca and then, if it doesn't work, https://autodiscover.domain.ca.

The only way is to make sure that domain.ca is not resolvable from inside.

Finally, is this client we are talking about joined to the AD domain?
0
 
LVL 2

Author Comment

by:infedonetwork
ID: 38849079
So it is a Windows Server 2012 AD, also running Exchange 2013 on the same server.
All PCs are joined to the domain.
The internal domain has the same name as the external one, except the internal is mydomain.local and the external is mydomain.ca.
On the DNS server I have 2 primary zones:
1. mydomain.local
2. mydomain.ca

Under my domain.ca zone I created the following A records:
mail.mydomain.ca  192.168.1.2 (This is the IP of the Exchange server and AD)
mydomain.ca 70.X.X.X (External IP where the website is hosted)

So I assume that this last record may create the problems, since it is now looking at mydomain.ca and sometimes comes up with a certificate that is issued by the domain host, when it is supposed to come up with the one that has mail.mydomain.com.

Question now is how I can force it to look at mail.mydomain.com instead of mydomain.com.

The DNS that is provided by the DHCP on the router is first the IP of the server and second the IP of the router.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 38851362
You can't force it; this is the way Outlook works. The only thing you can do is make mydomain.ca not resolvable to the external IP (not resolvable at all) and access it using www.mydomain.ca instead, or configure mydomain.ca to not accept HTTPS connections.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38903464
If the clients are members of the domain, then they will not query Autodiscover records in the same way as non-domain clients. Domain clients will get their information from the domain.

You don't need a root zone in your internal DNS. However, with DNS provided by the router you are going to have problems, because that isn't Active Directory integrated. DNS should ONLY be provided by an AD integrated DNS server, so that means your domain controllers.

Simon.
0
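The lookup order described in the two expert comments above (Akhater's https://domain.ca then https://autodiscover.domain.ca, and Simon's point that domain-joined clients ask Active Directory first), shown as a script you can run from a client. This is an added example, not code from the thread or from Microsoft: it enumerates the Autodiscover endpoints in Outlook's order (the SCP in AD, then the two HTTPS names for the SMTP domain, then the SRV record), resolves each, and reads the names on the certificate each HTTPS endpoint presents, so the mismatch the poster saw (domain.ca answering with the hoster's *.hostdomain.com certificate) shows up as a row. It assumes a domain-joined Windows 8 / Server 2012 or later machine (for Resolve-DnsName and the ADSI query) and takes 'domain.ca', the SMTP domain from the thread, as its default parameter.

```powershell
# Added example (not from the thread): list the Autodiscover endpoints Outlook
# tries for a mailbox in $SmtpDomain, in Outlook's order (AD SCP for
# domain-joined clients, then https://<domain>, https://autodiscover.<domain>,
# then the SRV record), and show which names the certificate at each HTTPS
# endpoint carries. Run on a domain-joined Windows 8 / 2012 or later machine.
# Assumption: 'domain.ca' is the SMTP domain from the thread.
param([string]$SmtpDomain = 'domain.ca')

$candidates = New-Object System.Collections.Generic.List[string]

# 1. SCP lookup in the configuration partition. The GUID is the well-known
#    Autodiscover SCP keyword (published in Microsoft's MS-OXDSCLI spec).
try {
    $root = [ADSI]'LDAP://RootDSE'
    $cfg  = [ADSI]"LDAP://$($root.configurationNamingContext)"
    $q    = New-Object System.DirectoryServices.DirectorySearcher($cfg)
    $q.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
    $null = $q.PropertiesToLoad.Add('serviceBindingInformation')
    foreach ($r in $q.FindAll()) {
        foreach ($u in $r.Properties['servicebindinginformation']) { $candidates.Add("SCP $u") }
    }
} catch { Write-Warning "SCP lookup failed (machine not domain-joined?): $_" }

# 2. DNS-based candidates, in the order Outlook tries them.
$candidates.Add("ROOT https://$SmtpDomain/Autodiscover/Autodiscover.xml")
$candidates.Add("HOST https://autodiscover.$SmtpDomain/Autodiscover/Autodiscover.xml")
Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { $candidates.Add("SRV  https://$($_.NameTarget):$($_.Port)/Autodiscover/Autodiscover.xml") }

# 3. Read the names on the certificate an endpoint presents. Validation is
#    deliberately bypassed here: the point is to see the names, not to trust them.
function Get-TlsCertNames([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $c   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($c.GetNameInfo('SimpleName', $false).ToLower())           # the CN
        $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        if ($san) {
            # Windows formats the extension as "DNS Name=a, DNS Name=b"
            $names += @($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].ToLower() })
        }
        return $names | Select-Object -Unique
    } finally { $tcp.Close() }
}

# Same matching rule Outlook applies: exact name or a wildcard for the parent domain.
function Test-HostMatches([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    $parent = $h.Substring($h.IndexOf('.') + 1)
    return ($Names -contains $h) -or ($Names -contains "*.$parent")
}

foreach ($c in $candidates) {
    $kind, $url = $c -split '\s+', 2
    $u  = [uri]$url
    $ip = Resolve-DnsName -Name $u.Host -Type A -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
    if (-not $ip) { '{0,-4} {1,-62} does not resolve: Outlook skips it' -f $kind, $url; continue }
    try {
        $names   = Get-TlsCertNames -HostName $u.Host -Port $u.Port
        $verdict = if (Test-HostMatches $u.Host $names) { 'name OK' } else { 'NAME MISMATCH: Outlook will warn' }
        '{0,-4} {1,-62} -> {2,-15} cert names: {3} [{4}]' -f $kind, $url, $ip, ($names -join ' '), $verdict
    } catch {
        '{0,-4} {1,-62} -> {2,-15} no TLS handshake ({3})' -f $kind, $url, $ip, $_.Exception.Message
    }
}
```

Read the output top to bottom as Outlook would: a domain-joined client takes the first SCP row that answers, so if that row is "name OK" the later rows only matter for a non-joined machine or a profile created before the SCP was fixed. A ROOT row that resolves to the web host and carries a *.hostdomain.com certificate is the warning the poster described; the two remedies in the comments above (make the bare domain not resolve internally, or have it not answer on 443) both turn that row into "does not resolve" or "no TLS handshake", which Outlook passes over silently.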