Solved

Outlook 2007 Security pop up (Exchange 2010 on SBS 2011)

Posted on 2014-02-07
Last Modified: 2014-03-13
Hi Experts,

We are encountering strange behavior with Outlook on all the client computers: a small window titled "Windows Security" appears. If we leave it alone, Outlook stays connected to Exchange and works properly.
It doesn't do anything if we click Yes, but it disconnects Outlook from Exchange if we click Cancel. It reconnects to Exchange very quickly when we click on "Need Password", but the pop-up still appears after one minute.

It was an issue with Autodiscover, but I fixed it with the Network fix wizard and added the autodiscover Host A record in the local domain for the server IP address. Now the Outlook email auto configuration test returns no error.

Another strange thing is that we can ping the SBSservername, even in reverse DNS, but we can't use it in the OWA URL; we need to enter the IP address.

I found a post about it but it was about multiple account configuration. We have only the Exchange account configured on each Outlook profile.
I ran a few Exchange PS commands so that you can see where the problem comes from.


Get-ExchangeCertificate |fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 09/06/2014 04:16:16
NotBefore          : 09/06/2013 04:16:16
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1CC4***************000010
Services           : None
Status             : Valid
Subject            : CN=SBSSERVER.DOMAIN.local
Thumbprint         : CE4B65D71E***************89E284A36FB7F3

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 15/10/2014 10:50:33
NotBefore          : 15/10/2012 10:50:33
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 4951****************00000E
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : 2C6882DDCC****************C63B75B553EC

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 04/08/2013 07:45:18
NotBefore          : 05/08/2011 07:45:18
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 1929B6***********0000B
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : FA7186EA556****************EA20E6EE1B27

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 14/10/2012 17:02:35
NotBefore          : 15/10/2010 17:02:35
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 12E60*************0009
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : F454005490A09F0*****************B80323002

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 14/10/2012 11:14:08
NotBefore          : 15/10/2010 11:14:08
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 11A6FC***********00008
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : FE718D49************************27D1D78032

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 13/10/2012 11:37:48
NotBefore          : 14/10/2010 11:37:48
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 616EC**************0007
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : 40FD5E8AEA********************2B87C6C7

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN.dyndns.biz, dyndns.biz, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 13/10/2012 11:36:35
NotBefore          : 14/10/2010 11:36:35
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 616DA*****************0006
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=DOMAIN.dyndns.biz
Thumbprint         : 9727C0277*********************DE255E58

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {remote.DOMAIN.dyndns.biz, DOMAIN.dyndns.biz, SBSSERVER
                     .DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 13/10/2012 11:35:09
NotBefore          : 14/10/2010 11:35:09
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 616C5A**************000005
Services           : IMAP, POP, SMTP
Status             : DateInvalid
Subject            : CN=remote.DOMAIN.dyndns.biz
Thumbprint         : 3ABB7E6153DF****************2B7E1B8B5

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                     ty.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {Sites, SBSSERVER.DOMAIN.local}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 12/10/2012 21:27:42
NotBefore          : 13/10/2010 21:27:42
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 618A58****************0002
Services           : SMTP
Status             : DateInvalid
Subject            : CN=Sites
Thumbprint         : 01132A86925DB******************526CD783

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {DOMAIN-SBSSERVER-CA}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=DOMAIN-SBSSERVER-CA
NotAfter           : 13/10/2015 21:36:26
NotBefore          : 13/10/2010 21:26:26
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 73C1803A9*****************5C3FC9
Services           : None
Status             : Valid
Subject            : CN=DOMAIN-SBSSERVER-CA
Thumbprint         : 91278B6260*********************06BEACF17

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                     .Security.AccessControl.CryptoKeyAccessRule}
CertificateDOMAINs : {WMSvc-DOMCOM-TLZP5WU}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=WMSvc-DOMCOM-TLZP5WU
NotAfter           : 14/09/2020 15:32:11
NotBefore          : 17/09/2010 15:32:11
PublicKeySize      : 2048
RootCAType         : Registry
SerialNumber       : 725C964*********************F3ADA1B1
Services           : None
Status             : Valid
Subject            : CN=WMSvc-DOMCOM-TLZP5WU
Thumbprint         : AFA82FDAA************************88559501D2



Get-autodiscovervirtualdirectory | fl
 
Name                            : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://SBSSERVER.DOMAIN.local/W3SVC/3/ROOT/Au
                                  todiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\Cl
                                  ientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : SBSSERVER
InternalUrl                     : https://DOMAIN.dyndns.biz/Autodiscover/Auto
                                  discover.xml
ExternalUrl                     : https://DOMAIN.dyndns.biz/Autodiscover/Auto
                                  discover.xml
AdminDisplayName                : 
ExchangeVersion                 : 0.1 (8.0.535.0)
DistinguishedName               : CN=Autodiscover (SBS Web Applications),CN=HTT
                                  P,CN=Protocols,CN=SBSSERVER,CN=Servers,CN=Exch
                                  ange Administrative Group (FYDIBOHF23SPDLT),C
                                  N=Administrative Groups,CN=DOMAIN,CN=Micros
                                  oft Exchange,CN=Services,CN=Configuration,DC=
                                  DOMAIN,DC=local
Identity                        : SBSSERVER\Autodiscover (SBS Web Applications)
Guid                            : 29e4e341-019e-4d7e-8dd8-30f8ffdd7fe3
ObjectCategory                  : DOMAIN.local/Configuration/Schema/ms-Exch-A
                                  uto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDisco
                                  verVirtualDirectory}
WhenChanged                     : 14/10/2010 11:46:49
WhenCreated                     : 13/10/2010 21:52:21
OriginatingServer               : SBSSERVER.DOMAIN.local
IsValid                         : True



Get-clientaccessserver | fl

Name                           : SBSSERVERNAME
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SBSSERVER
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://domain.com/Autodiscover/Autod
                                 iscover.xml
AutoDiscoverServiceGuid        : 77*****6-2**6-4**9-a6a6-3e********96
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SBSSERVER.DOMAIN.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SBSSERVER,CN=Servers,CN=Exchange Administrat
                                 ive Group (FYDIBOHF23SPDLT),CN=Administrative 
                                 Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Se
                                 rvices,CN=Configuration,DC=DOMAIN,DC=local
Identity                       : SBSSERVER
Guid                           : 94*****0b-2**e-4**f-bd**-ca******049d
ObjectCategory                 : domain.local/Configuration/Schema/ms-Exch-Ex
                                 change-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 15/10/2012 11:01:07
WhenCreated                    : 13/10/2010 21:46:46



Thank you in advance for your help, best regards,
Question by:jet-info

25 Comments

Expert Comment

by:Simon Butler (Sembee)
Loads of things wrong there.
You should not have any URL configured on the Autodiscover virtual directory. They should be set to $null so they are blank.

Are you using a trusted or self signed SSL certificate? The authentication prompt in Outlook can usually be a sign that the client doesn't trust the SSL certificate.

Autodiscover DNS record is not required internally unless you have clients which are NOT members of the domain.

Also ensure that you are using the SBS Server for DNS records/DHCP exclusively, not the router. That can give you false DNS records which cause problems with Exchange connectivity.

If the SBS server was set up with the wizards, then for OWA use you would use remote.example.com both internally and externally, unless you use the Advanced options to modify the host name.

Simon.

Author Comment

by:jet-info
Dear Simon,

I checked the certificate and it is a self-signed one; it has been like that for a long time and the problem didn't occur before.
The SBS is the only server taking care of DHCP and DNS on the network.
I didn't install this server myself, so I don't know if the wizard was used, but I can tell you that remote.domain.com is not used; they use a dyndns.biz address for external and internal OWA, OAB and ActiveSync.

Could you please tell me how to edit the Autodiscover virtual directory?


Thank you for your help !


Guillaume

Expert Comment

by:Simon Butler (Sembee)
The fact that it was working before doesn't mean that it was set up correctly or will continue to work correctly.
I suspect that the wizards were not used, because the use of a domain they don't own is a huge error. The other configurations clearly point at the server being configured manually, by someone who doesn't know what they are doing.
Are they on a dynamic IP address or static?

Personally I would be looking to get the server set up correctly, that means correcting the DNS, SSL certificate, host names etc. Running the wizards so that everything is set up as SBS wants, running the SBS BPA to find and correct the problems etc.

As for Autodiscover, if you run the wizards SBS should correct that for you. Manually it is done thus:

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl $null -ExternalUrl $null

Simon.

Author Comment

by:jet-info
Dear Simon,
Thank you, and sorry for the delay; we have many customers to take care of and we are a small team of three...

The public IP is static now, but was dynamic before.
I already launched the "Connect to internet" and "Fix my network" wizards to fix client sessions taking a long time to open. The PS commands above were launched after the use of the wizards.

Thank you again for your help !

Expert Comment

by:Simon Butler (Sembee)
If you are now using a static IP address, I would revert to using the client's actual name for the SSL certificate and run the wizards to apply that. Correct the server so it is configured correctly, rather than using the dynamic DNS host name.

Simon.

Author Comment

by:jet-info
The dyndns.biz address is used in Exchange for OWA and ActiveSync. Does that mean the "Connect to internet", "Set up your internet address" and "Fix my network" SBS wizards will change it, or do I have to change it manually?

I don't want to break anything that's working now.

Thanks !

Expert Comment

by:Simon Butler (Sembee)
It will change it, to the correct URL which will be one in their domain.
The key thing here is to add the existing host name to the trusted SSL certificate so they continue to work. Although depending on the device, it may not actually matter! Some of them will ignore the error, others will Autodiscover to the correct information.

Simon.

Author Comment

by:jet-info
Dear Simon,

So finally we changed the SSL certificate to remote.domain.com and launched the SBS wizards: "Connect to internet" was OK; "Set up your internet address" failed two times, but it took the remote name instead of the dyndns one... I installed the SSL certificate through Exchange Management Shell following the GoDaddy tutorial, and launched the SBS wizard "Add a Trusted Certificate" with no error. Finally I launched the "Fix my Network" wizard two times; the second time was OK. The OWA and ActiveSync URLs remained with the dyndns address, so I changed them manually to https://remote.domain.com/OWA and https://remote.domain.com/Microsoft-Server-ActiveSync for internal and external. I restarted the server, maybe for nothing... I could set up an Exchange account on a smartphone with the remote.domain.com server address, and all is working fine, even OWA from outside or inside.

The problem is that in Outlook I get a certificate error: the certificate used is the dyndns one. When I check Autodiscover from Outlook, the dyndns address still remains... I tried to create a new Outlook profile from scratch and still receive the same certificate error.
I checked the web.config and Autodiscover.xml files; there is nothing about the dyndns address.

I don't know what to do now. I hesitate to launch the command you gave me:

Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -InternalUrl $null -ExternalUrl $null

Any idea ?

Expert Comment

by:Simon Butler (Sembee)
The command that I gave you should still be run - it will have nothing to do with the error you are getting either way though.

Autodiscover comes from this value:

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

The wizard should have changed that to the remote.example.com host.
If it is still wrong, then use this command to correct it:

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverServiceInternalUri https://remote.example.com/autodiscover/autodiscover.xml

Simon.

Author Comment

by:jet-info
I launched the last command you gave me and tried to create a new Outlook profile. I received the dyndns address in the RPC over HTTP proxy address settings and Outlook still gives me the dyndns certificate error. Why does it still use this certificate?
I checked Autodiscover from Outlook. The OOF address is still the dyndns one while the OAB is the remote one.
See details in the attached files.

The certificate principal name is still the dyndns one.

I also tried Test-OutlookWebServices -ClientAccessServer srv01 | FL

We can see that Autodiscover still connects to the dyndns address:

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address test@domain.com.

Id      : 1007
Type    : Information
Message : Testing server SRV01.domain.local with the published name https://domain.dyndns.biz/EWS/Excomange.asmx & https://domain.dyndns.biz/EWS/Excomange.asmx.

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://remote.domain.com/autodiscover/autodiscover.xml.

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://remote.domain.com/autodiscover/autodiscover.xml.

Id      : 1004
Type    : Error
Message : The certificate for the URL https://domain.dyndns.biz/EWS/Excomange.asmx is incorrect. For SSL to work it needs to have a subject of domain.dyndns.biz, instead the subject was remote.domain.com. Consider correcting service discovery, or installing a correct SSL certificate.

Id      : 1016
Type    : Success
Message : [EXcom]-Successfully contacted the AS service at https://domain.dyndns.biz/EWS/Excomange.asmx. The elapsed time was 29 milliseconds.

Id      : 1015
Type    : Success
Message : [EXcom]-Successfully contacted the OAB service at https://domain.dyndns.biz/EWS/Excomange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Success
Message : [EXcom]-Successfully contacted the UM service at https://domain.dyndns.biz/UnifiedMessaging/Service.asmx. The elapsed time was 13 milliseconds.

Id      : 1016
Type    : Success
Message : [EXPR]-Successfully contacted the AS service at https://domain.dyndns.biz/EWS/Excomange.asmx. The elapsed time was 39 milliseconds.

Id      : 1015
Type    : Success
Message : [EXPR]-Successfully contacted the OAB service at https://domain.dyndns.biz/EWS/Excomange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Success
Message : [EXPR]-Successfully contacted the UM service at https://domain.dyndns.biz/UnifiedMessaging/Service.asmx. The elapsed time was 18 millise
          conds.

Id      : 1013
Type    : Error
Message : When contacting https://domain.dyndns.biz/Rpc received the error The server committed a protocol violation. Section=ResponseStatusLine

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://domain.dyndns.biz/Rpc. The elapsed time was 10 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

Id      : 1021
Type    : Information
Message : The following web services generated errors.
              Contacting server in EXPR
          Please use the prior output to diagnose and correct the errors.



Thank you for your help.
Autodiscover1.jpg
Autodiscover2.jpg

Author Comment

by:jet-info
We now have a problem connecting from the outside with RPC over HTTP. If we leave the dyndns address in the proxy address, the name doesn't match and the connection can't be made. When we change the proxy address to the remote one, the connection is OK but it still uses the dyndns certificate.
Where could we change the certificate used for RPC, please?

Thank you in advance for your help, best regards,

Expert Comment

by:Simon Butler (Sembee)
Your other question says SBS 2008. This one refers to SBS 2011. Which is it?

I suspect the server wasn't set up correctly using the wizards and therefore you have a screwed up system. SBS 2008 does things in an odd way and if you did things outside of SBS then the wrong web site is used.

That is the only reason I can think of for what you are seeing.

If it is SBS 2008, then ensure the SSL certificate is bound to the correct site and that port 443 is being used. You should have two sites, it does NOT use the Default Web Site.

Simon.

Author Comment

by:jet-info
Sorry for this very big mistake... It is SBS 2008 with Exchange 2007...

I looked at the bindings and saw that Default Website and SBS Web Applications (which holds the RPC, EWS, Autodiscover, OWA, ... sites) are both bound to the new GoDaddy certificate for port 443.

Do I have to remove the Default Website binding for port 443?

What mistake could have been made with the SBS wizards? I chose the domain.com domain and SBS added the remote extension. An error occurred in the internet name wizard, but I can't find logs. I didn't check the router option in Fix My Network because it puts the server on another IP address.

Thank you for your assistance Simon.

Expert Comment

by:Simon Butler (Sembee)
If you enable the certificate through Exchange, then it will bind to the default web site.
You need to remove that binding.

The Default web site will have HTTP, and then some net.xxx bindings - leave those alone, just remove the HTTPS binding.

Then on the SBS Web Applications site, ensure that you have 443, with your trusted certificate.

After making the changes, run IISRESET in an elevated command prompt before testing further.

Simon.

Author Comment

by:jet-info
OK, I'll test it tomorrow when I'm back at work.

Thank you Simon !

Author Comment

by:jet-info
When I want to remove the HTTPS binding from the Default Website, this message appears: see the attachment. Can I remove it from the Default Website without a problem for the HTTPS binding on the SBS website?

Sorry for this dumb question, but I don't want to break what is working.

I suppose that I just have to recreate the binding on the SBS Applications website if it is deleted by the removal of the one on the Default Website, but I need to be sure first.


Edit: Is there a way to check why the Internet Name SBS wizard failed?
Do you know where to find the log for it, please?


Thank you
140310-Reomve-binding-from-defau.bmp

Author Comment

by:jet-info
I found something on Microsoft Support: http://support.microsoft.com/kb/981954/en-us
I checked this:

[PS] C:\Windows\system32>get-ClientAccessServer | FL

Name                           : SRV01
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : SRV01
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://remote.domain.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : ****
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : SRV01.DOMAIN.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=SRV01,CN=Servers,CN=Exchange Administrative Group (FYD*****DLT),CN=Administrative
                                 Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local
Identity                       : SRV01
Guid                           : ***
ObjectCategory                 : DOMAIN.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 07/03/2014 08:00:58
WhenCreated                    : 13/10/2010 21:46:46



[PS] C:\Windows\system32>get-WebServicesVirtualDirectory | FL

InternalNLBBypassUrl            : https://SRV01.DOMAIN.local/ews/exchange.asmx
Name                            : EWS (SBS Web Applications)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://SRV01.DOMAIN.local/W3SVC/3/ROOT/EWS
Path                            : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : SRV01
InternalUrl                     : https://DOMAIN.dyndns.biz/EWS/Exchange.asmx
ExternalUrl                     : https://DOMAIN.dyndns.biz/EWS/Exchange.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.1 (8.0.535.0)
DistinguishedName               : CN=EWS (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SRV01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local
Identity                        : SRV01\EWS (SBS Web Applications)
Guid                            : ***
ObjectCategory                  : DOMAIN.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                     : 05/08/2011 07:54:28
WhenCreated                     : 13/10/2010 21:52:04
OriginatingServer               : SRV01.DOMAIN.local
IsValid                         : True



[PS] C:\Windows\system32>get-OABVirtualDirectory | FL

Name                            : OAB (SBS Web Applications)
PollInterval                    : 30
OfflineAddressBooks             : {\Default Offline Address List}
RequireSSL                      : True
BasicAuthentication             : True
WindowsAuthentication           : True
MetabasePath                    : IIS://SRV01.DOMAIN.local/W3SVC/3/ROOT/OAB
Path                            : C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : SRV01
InternalUrl                     : https://remote.domain.com/OAB
InternalAuthenticationMethods   : {Basic, WindowsIntegrated}
ExternalUrl                     : https://remote.domain.com/OAB
ExternalAuthenticationMethods   : {Basic, WindowsIntegrated}
AdminDisplayName                :
ExchangeVersion                 : 0.1 (8.0.535.0)
DistinguishedName               : CN=OAB (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SRV01,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local
Identity                        : SRV01\OAB (SBS Web Applications)
Guid                            : ****
ObjectCategory                  : DOMAIN.local/Configuration/Schema/ms-Exch-OAB-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchOABVirtua
                                  lDirectory}
WhenChanged                     : 07/03/2014 08:20:13
WhenCreated                     : 13/10/2010 21:52:12
OriginatingServer               : SRV01.DOMAIN.local
IsValid                         : True



[PS] C:\Windows\system32>get-UMVirtualDirectory | FL

Name                            : UnifiedMessaging (SBS Web Applications)
InternalAuthenticationMethods   : {Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Ntlm, WindowsIntegrated}
BasicAuthentication             : False
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://SRV01.DOMAIN.local/W3SVC/3/ROOT/UnifiedMessaging
Path                            : C:\Program Files\Microsoft\Exchange Server\UnifiedMessaging\WebService
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : SRV01
InternalUrl                     : https://DOMAIN.dyndns.biz/UnifiedMessaging/Service.asmx
ExternalUrl                     : https://DOMAIN.dyndns.biz/UnifiedMessaging/Service.asmx
AdminDisplayName                :
ExchangeVersion                 : 0.1 (8.0.535.0)
DistinguishedName               : CN=UnifiedMessaging (SBS Web Applications),CN=HTTP,CN=Protocols,CN=SRV01,CN=Servers,CN=Exchange Administrative Group (FY*****LT),CN=Administrative Groups,CN=DOMAIN,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=local
Identity                        : SRV01\UnifiedMessaging (SBS Web Applications)
Guid                            : ****
ObjectCategory                  : DOMAIN.local/Configuration/Schema/ms-Exch-UM-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchUMVirtualDirectory}
WhenChanged                     : 14/10/2010 11:46:48
WhenCreated                     : 13/10/2010 21:52:16
OriginatingServer               : SRV01.DOMAIN.local
IsValid                         : True



So the right commands I have to launch are:

Set-WebServicesVirtualDirectory -Identity "SRV01\EWS (SBS Web Applications)" -InternalUrl https://remote.domain.com/ews/exchange.asmx

Set-UMVirtualDirectory -Identity "SRV01\unifiedmessaging (SBS Web Applications)" -InternalUrl https://remote.domain.com/unifiedmessaging/service.asmx

Are these correct?

The second one is useless if we do not use Unified Messaging, isn't it?

Thank you, Simon!
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Have you run the fix my network wizard and/or the SBS BPA? That will usually fix these binding errors.

Simon.
0
 

Author Comment

by:jet-info
I have run the FMNW three times already. In KB981954 I can see that the Internet Name Wizard fixes this problem too, but it fails with errors.

Can I remove the HTTPS binding from the Default Website without causing problems for the SBS App website?

Are the commands above correct?

Thank you very much for your time, Simon.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
What are the errors coming back from the wizard?
It may well be something simple. You can remove the binding from the Default Web Site without affecting the SBS applications site, because it shouldn't be there in the first place. After doing so, run IISRESET from an elevated command prompt and then check the bindings on the SBS Applications web site.

Simon.
0
 

Author Comment

by:jet-info
OK, I'll do that.
0
 

Author Comment

by:jet-info
Binding removed from Default Website, and GoDaddy certificate rebound to SBS App Website. It works as before for everything.
I launched the two above commands (Set-WebServicesVirtualDirectory and Set-UMVirtualDirectory), the remote URL is in place now for Exchange RPC but not for Exchange HTTP. The server is still the dyndns URL. All is still set to dyndns except for OAB.
See attachment.

Which command can change it, please?

For the Internet Name Wizard errors, where can I find the logs, please?

Thanks a lot for your patience!
140311-Autodiscover-test.jpg
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
If you have corrected the bindings, then the fix my network wizard should now correct things.

You can run

get-webservicesvirtualdirectory | select identity, internalurl, externalurl

to see what has been configured.
Likewise for Outlook Anywhere you can run

get-outlookanywhere | select identity, externalhostname

to confirm the host name being used.

Log file locations:
https://blogs.technet.com/b/sbs/archive/2008/10/01/key-small-business-server-2008-log-files.aspx

Simon.
0
 

Author Comment

by:jet-info
So, I ran the "Fix My Network Wizard" and the two commands that you gave me.

The result was:

get-outlookanywhere | select identity, externalhostname | FL

Identity         : SRV01\Rpc (SBS Web Applications)
ExternalHostname : domain.dyndns.biz


get-webservicesvirtualdirectory | select identity, internalurl, externalurl | FL

Identity    : SRV01\EWS (SBS Web Applications)
InternalUrl : https://remote.domain.com/ews/exchange.asmx
ExternalUrl : https://domain.dyndns.biz/EWS/Exchange.asmx


So I launched these commands to fix it:

Set-WebServicesVirtualDirectory -Identity "SRV01\EWS (SBS Web Applications)" -ExternalUrl https://remote.domain.com/ews/exchange.asmx

Set-outlookanywhere -Identity "SRV01\Rpc (SBS Web Applications)" -ExternalHostname remote.domain.com


Now the result is:

get-webservicesvirtualdirectory | select identity, internalurl, externalurl | FL

Identity    : SRV01\EWS (SBS Web Applications)
InternalUrl : https://remote.domain.com/ews/exchange.asmx
ExternalUrl : https://remote.domain.com/ews/exchange.asmx


get-outlookanywhere | select identity, externalhostname | FL

Identity         : SRV01\Rpc (SBS Web Applications)
ExternalHostname : remote.domain.com


I then ran an iisreset and tested in Outlook. All is working fine now, I could even create a new profile with the good values for the RPC over HTTP proxy!


Thank you very much for your help and your patience, Simon!
0
 

Author Closing Comment

by:jet-info
Thanks again!
0
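
The check done by hand in this thread, as an added example that is not part of the original posts: a read-only Exchange Management Shell script that lists the host names published for EWS, OAB, UM and Outlook Anywhere and checks each one against the names on the IIS certificate and against the expected public name. The value of `$expectedHost` and the choice of the first certificate with the IIS service assigned are assumptions.

```powershell
# Added example, not from the thread. Read-only: only Get-* cmdlets are used.
# Run in the Exchange Management Shell on the SBS / Client Access server.
$expectedHost = 'remote.domain.com'   # assumption: public name from the thread's final config

function Test-HostOnCert([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry (*.example.com) covers exactly one left-most label
        if ($n.StartsWith('*.') -and
            $HostName.Substring($HostName.IndexOf('.') + 1) -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Names on the certificate assigned to IIS (assumption: the first one found is the one bound)
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $iisCert) { Write-Warning 'No Exchange certificate is assigned to IIS.'; return }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Collect the host names published for EWS, OAB, UM and Outlook Anywhere
$endpoints = @()
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) + @(Get-UMVirtualDirectory)
foreach ($v in $vdirs) {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        if ($v.$prop) {
            $endpoints += New-Object PSObject -Property @{
                Source = "$($v.Identity) $prop"; HostName = ([uri]"$($v.$prop)").Host }
        }
    }
}
foreach ($oa in @(Get-OutlookAnywhere)) {
    if ($oa.ExternalHostname) {
        $endpoints += New-Object PSObject -Property @{
            Source = "$($oa.Identity) ExternalHostname"; HostName = "$($oa.ExternalHostname)" }
    }
}

# Flag names the certificate does not cover, and names that differ from the expected one
$endpoints | ForEach-Object {
    $h = $_.HostName.ToLower()
    New-Object PSObject -Property @{
        Source = $_.Source; HostName = $h
        OnCertificate   = (Test-HostOnCert $h $certNames)
        MatchesExpected = ($h -eq $expectedHost)
    }
} | Sort-Object OnCertificate | Format-Table Source, HostName, OnCertificate, MatchesExpected -AutoSize
```

Rows with `OnCertificate` set to False sort first; those are the URLs to correct with the matching `Set-*` cmdlet, followed by an iisreset as in the thread.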
