• Status: Solved

Outlook pulling incorrect SSL certificate from Exchange 2010 SP 2 server

I have a 3 year old Exchange 2010 server that is fully patched.

I replaced an expiring SSL cert with a new one. The new one is valid from 6/17/13 to 6/27/15 with the subject of mail.publicdomainname.com. However, when I open up Outlook, it pulls up an expired certificate that is for publicdomainname.com. What's odd is that I don't have that invalid certificate anywhere, and it's not something I created as far as I can tell. I've deleted all other certificates on the server and left only the new valid certificate that expires in 2015. I've restarted IIS and the MSExchangeTransport service.

Screen shot 1 and 2 attached are what I get when I open Outlook and connect to my Exchange server (from outside the LAN).  That is the invalid certificate that I should not see and I want to replace with the valid certificate, but not sure where it's configured in Exchange Management Console.  

Screen shot 3 is what I see from Exchange webmail.  It shows my valid certificate.  Screen shot 4 is the list of certs you can see from Exchange Management Console.  Do you have any suggestions for where I should go to make sure that Outlook is using the right certificate?  I've gone in and assigned all services to the proper certificate (screen shot 5).

Thanks in advance.
Asked by: dmessman
 
gkousikan commented:
1. Run Get-ExchangeCertificate | fl to verify that the certificate was assigned to the services, and that the SAN (Subject Alternative Name) of the certificate includes autodiscover.

2. Check whether any other device, such as a proxy server or load balancer, is issuing the old certificate.
 
suriyaehnop commented:
It seems that your Outlook Anywhere used the old certificate.

Could you try this link to Outlook Anywhere: https://www.testexchangeconnectivity.com/

http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/5b381aaf-c34f-4cc8-9df6-bd4dd13e0f78
 
Simon Butler (Sembee), Consultant, commented:
This sounds like Autodiscover issues.
If you browse to https://example.com then you should get an SSL prompt of some description. That will allow you to see the SSL certificate and possibly where it is coming from.
You should also check where the host name resolves to.

If it is happening from outside the network then it will be Autodiscover and it will be because there is an SSL certificate on the public web site. Autodiscover queries a number of URLs, one of which is the root of the domain.

This is further complicated by some hosting control panels having Autodiscover support for their own purposes, so the URL that Outlook is querying is actually valid. If that is the case then you will need to speak to your hosting company to get them to block it.

You can see what Autodiscover is doing via the Microsoft test site at the link above, or through Outlook itself. http://semb.ee/adt

Simon.
 
dmessman (Author) commented:
You are all totally right - it is Autodiscover, and it is not my certificate that is the problem.

If I go to https://publicdomainname.com, it shows me the invalid certificate that expired on 4/27/13 that I am having the trouble with, and https://publicdomainname.com/autodiscover/autodiscover.xml DOES respond with a 404 error. The page doesn't exist, but the web site is responding with a 404 error.

I'll have to figure this out with my web host.

Thanks for your help
 
dmessman (Author) commented:
https://publicdomainname.com/autodiscover/autodiscover.xml did not exist on my web host, but the SSL certificate that was being used by the web host was out of date. If the certificate had been in date, this would have been a non-issue, as the Autodiscover process would have realized the web server wasn't giving a proper response; but when the certificate became out of date, this generated an error so that the Autodiscover process could not move on.

I had our web server people disable port 443 on the web server since we don't use SSL on our web site anyway.
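The behaviour Simon describes and the author confirms (Outlook tries the root of the e-mail domain before the autodiscover host; a valid certificate plus a 404 lets it move on, an expired certificate at the root stops it) can be checked from a workstation with the added script below. It is example code written for this page, not part of the thread or of Exchange; the candidate order is assumed to be root domain first, then the autodiscover host, and the classification rules follow the thread's own reasoning.

```python
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProbeResult:
    url: str
    tls: str                    # "ok", "failed" (certificate rejected) or "unreachable"
    http_status: Optional[int]  # set only when the TLS handshake succeeded
    detail: str = ""


def autodiscover_candidates(smtp_domain: str) -> List[str]:
    """The two HTTPS URLs Outlook tries first (assumed order): the root of the
    e-mail domain, then the dedicated autodiscover host."""
    path = "/autodiscover/autodiscover.xml"
    return [f"https://{smtp_domain}{path}", f"https://autodiscover.{smtp_domain}{path}"]


def probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """Fetch one candidate with normal certificate validation, as Outlook does."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ProbeResult(url, "ok", resp.status)
    except urllib.error.HTTPError as err:      # TLS worked and the site answered (e.g. 404)
        return ProbeResult(url, "ok", err.code)
    except urllib.error.URLError as err:       # includes expired/mismatched certificates
        if isinstance(err.reason, ssl.SSLCertVerificationError):
            return ProbeResult(url, "failed", None, err.reason.verify_message)
        return ProbeResult(url, "unreachable", None, str(err.reason))


def classify(result: ProbeResult) -> str:
    """State what Outlook does with this candidate, per the thread's findings."""
    if result.tls == "failed":
        return f"BLOCKS: {result.url} presented a bad certificate ({result.detail}); Outlook warns and cannot move on"
    if result.tls == "unreachable":
        return f"SKIPPED: {result.url} not reachable ({result.detail}); next candidate"
    if result.http_status == 200:
        return f"ANSWERED: {result.url} served Autodiscover; confirm it is your Exchange server, not a hosting panel"
    return f"SKIPPED: valid certificate but HTTP {result.http_status} at {result.url}; next candidate"


def diagnose(smtp_domain: str) -> List[str]:
    return [classify(probe(url)) for url in autodiscover_candidates(smtp_domain)]
```

Run diagnose("your-email-domain") from outside the LAN; a BLOCKS line on the root-domain URL is the situation in this thread, and the fix belongs with whoever runs that web server, not with Exchange.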
