Solved

Outlook pulling incorrect SSL certificate from Exchange 2010 SP 2 server

Posted on 2013-06-17
5
5,257 Views
1 Endorsement
Last Modified: 2013-06-19
I have a 3 year old Exchange 2010 server that is fully patched.

I replaced an expiring SSL cert with a new one. The new one is valid from 6/17/13 to 6/27/15 with the subject of mail.publicdomainname.com. However, when I open up Outlook, it pulls up an expired certificate that is for publicdomainname.com. What's odd is that I don't have that invalid certificate anywhere, and it's not something I created as far as I can tell. I've deleted all other certificates on the server and left only the new valid certificate that expires in 2015. I've restarted IIS and the MSExchangeTransport services.

Screen shots 1 and 2 attached are what I get when I open Outlook and connect to my Exchange server (from outside the LAN). That is the invalid certificate that I should not see and I want to replace with the valid certificate, but I'm not sure where it's configured in Exchange Management Console.

Screen shot 3 is what I see from Exchange webmail. It shows my valid certificate. Screen shot 4 is the list of certs you can see from Exchange Management Console. Do you have any suggestions for where I should go to make sure that Outlook is using the right certificate? I've gone in and assigned all services to the proper certificate (screen shot 5).

Thanks in advance.
screenshot1.png
screenshot2.png
screenshot3.png
screenshot4.png
screenshot5.png
Question by:dmessman
5 Comments
 
LVL 1

Assisted Solution

by:gkousikan
gkousikan earned 100 total points
ID: 39255261
1. Run the Get-ExchangeCertificate | fl cmdlet to verify that the certificate was assigned to services.
   Also check whether the SAN (Subject Alternative Name) of the certificate includes autodiscover.

2. Check whether any other device is issuing the old certificate, like a proxy server or load balancer.
0
 
LVL 18

Expert Comment

by:suriyaehnop
ID: 39255262
It seems that your Outlook Anywhere used the old certificate.

Could you try this link to Outlook Anywhere: https://www.testexchangeconnectivity.com/

http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/5b381aaf-c34f-4cc8-9df6-bd4dd13e0f78
0
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39255462
This sounds like Autodiscover issues.
If you browse to https://example.com then you should get an SSL prompt of some description. That will allow you to see the SSL certificate and possibly where it is coming from.
You should also check where the host name resolves to.

If it is happening from outside the network then it will be Autodiscover and it will be because there is an SSL certificate on the public web site. Autodiscover queries a number of URLs, one of which is the root of the domain.

This is further complicated by some hosting control panels having Autodiscover support for their own purposes, so the URL that Outlook is querying is actually valid. If that is the case then you will need to speak to your hosting company to get them to block it.

You can see what Autodiscover is doing via the Microsoft test site at the link above, or through Outlook itself. http://semb.ee/adt

Simon.
0
 
LVL 9

Author Comment

by:dmessman
ID: 39255847
You are all totally right - it is Autodiscover, and it is not my certificate that is the problem.

If I go to https://publicdomainname.com it shows me the invalid certificate that expired on 4/27/13 that I am having the trouble with, and https://publicdomainname.com/autodiscover/autodiscover.xml DOES respond with a 404 error. The page doesn't exist, but the web site is responding with a 404 error.

I'll have to figure this out with my web host.

Thanks for your help
0
 
LVL 9

Author Closing Comment

by:dmessman
ID: 39260975
https://publicdomainname.com/autodiscover/autodiscover.xml did not exist on my web host, but the SSL certificate that was being used by the web host was out of date. If the certificate had been in date, this would have been a non-issue, as the Autodiscover process would have realized the web server wasn't giving a proper response; but when the certificate became out of date, this generated an error so that the Autodiscover process could not move on.

I had our web server people disable port 443 on the web server since we don't use SSL on our web site anyway.
0
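To make the behaviour described in the accepted solution and the closing comment concrete, here is an added model of Outlook's HTTPS Autodiscover candidate walk (example code written for this page, not Exchange or Outlook code). The Cert class, the host-to-listener mapping and the publicdomainname.com data are constructed to mirror the thread; the candidate order (domain root, then autodiscover.<domain>) is the documented Outlook order after the SCP lookup, and the TLS check happens before any HTTP status is seen, which is why an expired root certificate surfaces a prompt while a valid certificate with a 404 lets the walk continue.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Cert:
    subject: str
    not_after: datetime
    sans: tuple = ()

def name_matches(host, name):
    """Exact match, or single-label wildcard such as *.example.com."""
    host, name = host.lower(), name.lower()
    if name.startswith("*."):
        return host.split(".", 1)[1:] == [name[2:]]
    return host == name

def validate_cert(cert, host, now):
    """Return None if the certificate is acceptable for host, else the reason Outlook would warn."""
    if now > cert.not_after:
        return f"expired on {cert.not_after.date()}"
    names = (cert.subject,) + tuple(cert.sans)
    if not any(name_matches(host, n) for n in names):
        return f"name mismatch (issued to {', '.join(names)})"

def walk_autodiscover(domain, listeners, now):
    """Try the HTTPS candidates Outlook uses after SCP: the domain root, then autodiscover.<domain>.
    listeners maps host -> (Cert, HTTP status); hosts with nothing on port 443 are absent."""
    steps = []
    for host in (domain, f"autodiscover.{domain}"):
        url = f"https://{host}/autodiscover/autodiscover.xml"
        if host not in listeners:
            steps.append((url, "no HTTPS listener, skipped"))
            continue
        cert, status = listeners[host]
        problem = validate_cert(cert, host, now)
        if problem:  # TLS fails before any HTTP status is seen, so the user gets the prompt
            steps.append((url, f"certificate warning: {problem}"))
            return steps, "warning shown to user"
        if status == 200:
            steps.append((url, "Autodiscover response"))
            return steps, "configured"
        steps.append((url, f"HTTP {status}, trying next candidate"))
    return steps, "no endpoint found"

# Constructed data mirroring the thread: root cert expired 4/27/13, mail cert valid to 6/27/15.
NOW = datetime(2013, 6, 17)
EXPIRED_ROOT_CERT = Cert("publicdomainname.com", datetime(2013, 4, 27))
MAIL_CERT = Cert("mail.publicdomainname.com", datetime(2015, 6, 27), ("autodiscover.publicdomainname.com",))
BEFORE_FIX = {"publicdomainname.com": (EXPIRED_ROOT_CERT, 404), "autodiscover.publicdomainname.com": (MAIL_CERT, 200)}
AFTER_FIX = {"autodiscover.publicdomainname.com": (MAIL_CERT, 200)}  # web host's port 443 disabled
```

Running `walk_autodiscover("publicdomainname.com", BEFORE_FIX, NOW)` stops at the root with the expiry warning, while `AFTER_FIX` skips the root and reaches the mail server's valid certificate.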
