Exchange SSL certificate

Hi guys,

I am experiencing a problem with an SSL UCC certificate for Outlook Anywhere.

As some of you might know, after November 1, 2015 certificates for internal names will no longer be trusted. Therefore I followed the instructions in the link below, which is for redirecting Exchange Server to use the external DNS name (split DNS):

http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

The company's domain names are:
- mycompany.local (internal name)
- mycompany.com (external name)

The certificate was issued for the following names:
- autodiscover.mycompany.com
- mail.mycompany.com
- mycompany.com

Unfortunately it is not working; I get a certificate error in Outlook for the autodiscover and mail names, see the attached images mail.jpg and autodiscover.jpg.

Furthermore, the certificate information says "the integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered." See the attached certificate image.

Can you guys help me?
R2_D2 asked:
Michael Ortega (Sales & Systems Engineer) commented:
I don't see your autodiscover URLs defined. Can you set them?

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -InternalURL "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -ExternalUrl "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

I would then set up a DNS zone in AD for "autodiscover.mypublicdomain.com" and create a single A record to point it to the private address of your CAS.

MO
Michael Ortega (Sales & Systems Engineer) commented:
Are these when you access the server internally or externally? Or both?

Can we get a printout of the following PS command?

get-autodiscovervirtualdirectory | fl

MO
R2_D2 (Author) commented:
It happens internally and externally. Also, I have experienced the issue on my iPhone too.

get-autodiscovervirtualdirectory | fl

RunspaceId                      : 11c2479e-9ef9-4355-b8a5-e99e8779125c
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://myserver.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : EXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=myserver,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=my domain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : myserver\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 11/04/2011 15:22:36
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 11/04/2011 14:22:36
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True
Michael Ortega (Sales & Systems Engineer) commented:
Also check the CAS setup:

Get-ClientAccessServer | fl

Make sure the AutoDiscoverServiceInternalUri is the same as the above or your users will be constantly inundated with certificate messages.

MO
R2_D2 (Author) commented:
I ran the commands (see below) but unfortunately the issue is still happening.

RunspaceId                      : 7c3831fa-081b-4d14-9770-1073077c2fb8
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://MyExchange.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : MyExchange
InternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
ExternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=MyExchange,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mydomain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : EXCHANGE\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 23/02/2014 20:49:20
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 23/02/2014 20:49:20
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True
Michael Ortega (Sales & Systems Engineer) commented:
What about the one for ClientAccessServer? DNS zone setup internally? Basically can you ping autodiscover.mypublicdomain.com and have it resolve internally to the private IP of your CAS?

MO
Michael Ortega (Sales & Systems Engineer) commented:
Have you checked system time on your Exchange server? Is it in sync with your Domain Controller(s)?

Also, if you navigate to OWA and look at the cert presented to your browser what does it show? Can you post a screen shot?

MO
Simon Butler (Sembee), Consultant, commented:
Poor Advice above.

"I don't see your autodiscover URL's defined. Can you set them?"

The configuration above is the default and should not be changed. They are blank on all Exchange servers and that is perfectly normal.
Furthermore you don't need Autodiscover DNS records internally unless you have clients on the domain which are NOT members of the domain.

Therefore set them back to $null, it will make no difference.

Then run through setting up Exchange with a split DNS system so the external name can be used internally.

http://semb.ee/hostnames

Simon.
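As an added check that is not part of this thread, the following Exchange Management Shell script (Exchange 2010 cmdlets, matching the V14 output above) pulls every hostname the server hands to clients (AutoDiscoverServiceInternalUri, the virtual directory URLs and the Outlook Anywhere hostname), tests each against the SAN list of the certificate bound to IIS, and then shows the clock offset against a domain controller. The domain controller name is a placeholder.

```powershell
# Added example (not from the thread): confirm that every hostname Exchange tells
# clients to use is covered by the certificate bound to IIS, then check clock skew.
# Run in the Exchange Management Shell on the CAS. Exchange 2010 cmdlets assumed.
$server = $env:COMPUTERNAME
$dc     = "MyDC.mydomain.local"   # placeholder: a domain controller to compare time with

# The certificate currently serving HTTPS is the one whose Services include IIS
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate is enabled for IIS on $server"; return }
$san = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host "IIS certificate $($cert.Thumbprint) covers: $($san -join ', ')"

# Collect the URLs clients are told to use; blank values are normal and are skipped
$urls = @()
$urls += (Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri
$urls += (Get-AutodiscoverVirtualDirectory -Server $server) | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-WebServicesVirtualDirectory -Server $server)  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-OabVirtualDirectory -Server $server)          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-ActiveSyncVirtualDirectory -Server $server)   | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += (Get-OwaVirtualDirectory -Server $server)          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$hosts = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]$_).Host.ToLower() })
$oa = Get-OutlookAnywhere -Server $server
if ($oa -and $oa.ExternalHostname) { $hosts += $oa.ExternalHostname.ToString().ToLower() }

# A SAN matches exactly, or as a wildcard covering exactly one extra label
function Test-SanMatch([string]$h) {
    foreach ($n in $san) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith("*.") -and $h -like $n -and
            $h.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}
foreach ($h in ($hosts | Sort-Object -Unique)) {
    # A .local name reported here is the situation from the question: clients are
    # sent to a name that a publicly issued certificate can no longer contain.
    "{0,-45} {1}" -f $h, $(if (Test-SanMatch $h) { "covered" } else { "NOT in certificate" })
}

# Clock skew: Kerberos allows 5 minutes by default; the VM in this thread was 5 minutes out
w32tm /stripchart /computer:$dc /samples:3 /dataonly
```

Any hostname printed as "NOT in certificate" needs either a split-DNS rename to the public name or a matching SAN; an offset near or above 300 seconds in the w32tm output reproduces the time failure the author found.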
Michael Ortega (Sales & Systems Engineer) commented:
Poor Advice above as well.

It is perfectly normal for them to be blank unless you're using them, of course. You don't need an autodiscover DNS "zone" internally because Exchange will use SCP to connect...unless you have non-domain clients that connect. Sounds like a good idea to have set up since it's simple and painless and rules out the variable that we're dealing with any non-domain computers, don't you agree Simon? Oh wait, you already agreed by stating what you did above.

So basically all you said that we didn't cover was remove the autodiscover URL from the autodiscovervirtualdirectory, which you admitted would make no difference. You'll note that in the author's question he followed the guide to set up split DNS. Maybe you didn't catch that. If you look at the very beginning of this thread you'll see it.

I've got a pump if you need some more air to inflate your ego.

MO
R2_D2 (Author) commented:
Hi guys,

Thank you for your help, I managed to resolve it; the problem was a combination of things:

1 - The Exchange server is a VM and it had its time synchronized with the ESXi host, which is 5 minutes behind.

2 - I was running the tests on WinXP SP2 and W2k3 SP2 machines and apparently those Windows versions are incompatible with UCC certificates.

3 - My autodiscover address was incorrect.
Simon Butler (Sembee), Consultant, commented:
Sorry I have to disagree.
Do you actually know how the Autodiscover process works?

Populating the internal and external URLs on the Autodiscover virtual directory has NO operational effect whatsoever. It doesn't change the URL that is used for it. While it does no harm, the values are left BLANK on purpose. No process from Microsoft will populate them and you will not find anything from Microsoft that says to populate them. People populate them but they have no effect whatsoever on the operation of Autodiscover, for either domain or non domain clients.

Simon.
R2_D2 (Author) commented:
Just one last quick question,

The autodiscover works great with Outlook Anywhere but it doesn't work on mobile devices (iPad, Android, etc.).

I am missing something but don't know what that could be.
Michael Ortega (Sales & Systems Engineer) commented:
So basically what you're saying, Simon, is don't populate the fields because they don't actually do anything for you? Do you have anything to offer towards a resolution to the problem?

R2_D2, the only way autodiscover works seamlessly on mobile devices is if you set a UPN suffix in AD to support using your public domain name.

MO
Michael Ortega (Sales & Systems Engineer) commented:
To further detail,

your default login would be jsmith@domain.local, but what you would need to do is add domain.com as a UPN suffix and then change your users (either just the iPhone/Android users or everyone) to use the new UPN suffix.

Then your smartphones will authenticate properly so all you'll need to do is enter email address and password. The email address will then match the username.

MO
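The UPN suffix change Michael describes, written out as an added example that is not from the thread: it registers the public domain as a forest UPN suffix, then sets each user's UPN equal to their mail address so that what a phone derives from the e-mail address is a valid logon name. It assumes the ActiveDirectory module and uses mycompany.com as a placeholder; it runs in preview mode until $dryRun is set to $false.

```powershell
# Added example (not from the thread): make the UPN match the e-mail address so
# ActiveSync autodiscover on phones can log on with address + password alone.
# Assumes the ActiveDirectory module; mycompany.com is a placeholder domain.
Import-Module ActiveDirectory
$publicDomain = "mycompany.com"   # placeholder: the domain in the certificate
$dryRun = $true                   # -WhatIf preview; set to $false to apply

# 1. Register the suffix at forest level (skipped if it is already there)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $publicDomain} -WhatIf:$dryRun
}

# 2. Users whose mail address is in the public domain but whose UPN differs
$users = Get-ADUser -Filter "mail -like '*@$publicDomain'" -Properties mail, UserPrincipalName
foreach ($u in $users) {
    $wanted = $u.mail.ToLower()
    if ($u.UserPrincipalName -and $u.UserPrincipalName.ToLower() -eq $wanted) { continue }
    # Note: the UPN is also what users type at a Windows logon prompt, so tell
    # them the new name (DOMAIN\sAMAccountName keeps working regardless).
    Write-Host ("{0,-25} {1,-35} -> {2}" -f $u.SamAccountName, $u.UserPrincipalName, $wanted)
    Set-ADUser -Identity $u -UserPrincipalName $wanted -WhatIf:$dryRun
}
```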
Michael Ortega (Sales & Systems Engineer) commented:
For Simon, I realize there are posts about adding the URL and other posts about not needing the URL. In all my implementations it certainly hasn't negatively implemented autodiscovery, so thus I include them. I do understand how AutoDiscover works and realize that it works even without the URLs specified, but as you've clearly communicated in this post - it doesn't really matter.

MO