Solved

Exchange SSL certificate

Posted on 2014-02-23
1,257 Views
Last Modified: 2014-02-24
Hi guys,

I am experiencing a problem with an SSL UCC certificate for Outlook Anywhere.

As some of you might know, after November 1, 2015 certificates for internal names will no longer be trusted. Therefore I followed the instructions in the link below, which is for redirecting Exchange Server to use the external DNS name (split DNS):

http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

The company's domain names are:
- mycompany.local   ( internal name )
- mycompany.com    ( external name )

The certificate was issued for the following names:
- autodiscover.mycompany.com
- mail.mycompany.com
- mycompany.com

Unfortunately it is not working; I get a certificate error in Outlook for the autodiscover and mail names (see the attached images mail.jpg and autodiscover.jpg).

Furthermore, the certificate information says "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered." See the attached certificate image.

Can you guys help me?
Question by: R2_D2

15 Comments

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
Are these when you access the server internally or externally? Or both?

Can we get a printout of the following PS command?

get-autodiscovervirtualdirectory | fl

MO

Author Comment by: R2_D2
It happens internally and externally. Also, I have experienced the issue on my iPhone too.


get-autodiscovervirtualdirectory | fl

RunspaceId                      : 11c2479e-9ef9-4355-b8a5-e99e8779125c
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://myserver.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : EXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=myserver,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=my domain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : myserver\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 11/04/2011 15:22:36
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 11/04/2011 14:22:36
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True

Accepted Solution by: Michael Ortega (Internetwerx, Inc.), LVL 16 (earned 400 total points)
I don't see your autodiscover URLs defined. Can you set them?

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -InternalURL "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -ExternalUrl "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

I would then set up a DNS zone in AD for "autodiscover.mypublicdomain.com" and create a single A record to point it to the private address of your CAS.

MO

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
Also check the CAS setup:

Get-ClientAccessServer | fl

Make sure the AutoDiscoverServiceInternalUri is the same as the above or your users will be constantly inundated with certificate messages.

MO

Author Comment by: R2_D2
I ran the commands (see below) but unfortunately the issue is still happening.



RunspaceId                      : 7c3831fa-081b-4d14-9770-1073077c2fb8
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://MyExchange.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : MyExchange
InternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
ExternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=MyExchange,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mydomain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : EXCHANGE\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 23/02/2014 20:49:20
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 23/02/2014 20:49:20
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
What about the one for ClientAccessServer? Is the DNS zone set up internally? Basically, can you ping autodiscover.mypublicdomain.com and have it resolve internally to the private IP of your CAS?

MO

Assisted Solution by: Michael Ortega (Internetwerx, Inc.), LVL 16 (earned 400 total points)
Have you checked system time on your Exchange server? Is it in sync with your Domain Controller(s)?

Also, if you navigate to OWA and look at the cert presented to your browser, what does it show? Can you post a screenshot?

MO
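The checks Michael asks for in the replies above (certificate names versus the URLs handed to clients, split DNS, clock skew against the DC) gathered into one script. This is an added example, not code from the thread; it assumes the Exchange 2010 Management Shell on the CAS, and the public name, private IP and DC name are constructed placeholders.

```powershell
# Added example (not from the thread): one pass over the items Michael asks about in
# the replies above. Assumes the Exchange 2010 Management Shell on the CAS; the
# public name, private IP and DC name below are constructed placeholders.
$PublicName   = "autodiscover.mycompany.com"   # name the split-DNS zone must answer for
$CasPrivateIp = "192.0.2.10"                   # constructed: private IP of the CAS
$Dc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart("\") }  # assumed: authenticating DC

# 1. Which names does the certificate bound to IIS actually cover?
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { Write-Warning "No certificate is bound to the IIS service"; return }
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
"IIS certificate $($cert.Thumbprint) covers: $($sans -join ', ')"

# Is a host name on the certificate, allowing for a wildcard SAN such as *.mycompany.com?
function Test-NameOnCert([string]$HostName) {
    $h = $HostName.ToLower()
    if ($sans -contains $h) { return $true }
    foreach ($san in $sans) { if ($san.StartsWith("*.") -and $h -like $san) { return $true } }
    return $false
}

# 2. Every URL or host name a client can be handed should be a name on the certificate.
#    A blank Autodiscover virtual directory URL is the default and is simply skipped.
$urls = @()
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-OabVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
foreach ($u in ($urls | Where-Object { $_ } | Select-Object -Unique)) {
    $status = if (Test-NameOnCert $u.Host) { "OK      " } else { "MISMATCH" }
    "$status $u"
}
foreach ($h in (Get-OutlookAnywhere | ForEach-Object { $_.ExternalHostname } | Where-Object { $_ })) {
    $status = if (Test-NameOnCert $h.ToString()) { "OK      " } else { "MISMATCH" }
    "$status Outlook Anywhere host name $h"
}

# 3. Split DNS: internally the public name must resolve to the CAS's private address
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($PublicName) | ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $CasPrivateIp) { "OK       $PublicName -> $($resolved -join ', ')" }
    else { "MISMATCH $PublicName -> $($resolved -join ', ') (expected $CasPrivateIp)" }
} catch { "MISMATCH $PublicName does not resolve internally: $($_.Exception.Message)" }

# 4. Clock skew: Kerberos tolerates 5 minutes by default, so compare the CAS clock with the DC
if ($Dc) { w32tm /stripchart "/computer:$Dc" /samples:1 /dataonly }
```

Any line marked MISMATCH is a name Outlook or a phone will be handed that the IIS certificate does not cover, which is exactly what produces the prompts described in the question.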

Assisted Solution by: Simon Butler (Sembee), LVL 63 (earned 100 total points)
Poor Advice above.

"I don't see your autodiscover URL's defined. Can you set them?"

The configuration above is the default and should not be changed. They are blank on all Exchange servers and that is perfectly normal.
Furthermore you don't need Autodiscover DNS records internally unless you have clients on the domain which are NOT members of the domain.

Therefore set them back to $null; it will make no difference.

Then run through setting up Exchange with a split DNS system so the external name can be used internally.

http://semb.ee/hostnames

Simon.

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
Poor Advice above as well.

It is perfectly normal for them to be blank unless you're using them, of course. You don't need an autodiscover DNS "zone" internally because Exchange will use SCP to connect...unless you have non-domain clients that connect. Sounds like a good idea to have set up since it's simple and painless and rules out the variable that we're dealing with any non-domain computers, don't you agree, Simon? Oh wait, you already agreed by stating what you did above.

So basically all you said that we didn't cover was to remove the autodiscover URL from the autodiscovervirtualdirectory, which you admitted would make no difference. You'll note that in the author's question he followed the guide to set up split DNS. Maybe you didn't catch that. If you look at the very beginning of this thread you'll see it.

I've got a pump if you need some more air to inflate your ego.

MO

Author Comment by: R2_D2
Hi guys,

Thank you for your help. I managed to resolve it; the problem was a combination of things:

1 - The Exchange server is a VM and had its time synchronized with the ESXi host, which is 5 minutes behind.

2 - I was running the tests on WinXP SP2 and W2K3 SP2 machines, and apparently those Windows versions are incompatible with UCC certificates.

3 - My autodiscover address was incorrect.

Expert Comment by: Simon Butler (Sembee), LVL 63
Sorry I have to disagree.
Do you actually know how the Autodiscover process works?

Populating the internal and external URLs on the Autodiscover virtual directory has NO operational effect whatsoever. It doesn't change the URL that is used for it. While it does no harm, the values are left BLANK on purpose. No process from Microsoft will populate them and you will not find anything from Microsoft that says to populate them. People populate them but they have no effect whatsoever on the operation of Autodiscover, for either domain or non-domain clients.

Simon.

Author Comment by: R2_D2
Just one last quick question:

Autodiscover works great on Outlook Anywhere but it doesn't work on mobile devices (iPad, Android, etc.).

I am missing something but don't know what that could be.

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
So basically what you're saying, Simon, is don't populate the fields because they don't actually do anything for you? Do you have anything to offer towards a resolution to the problem?

R2_D2, the only way autodiscover works seamlessly on mobile devices is if you set a UPN suffix in AD to support using your public domain name.

MO

Assisted Solution by: Michael Ortega (Internetwerx, Inc.), LVL 16 (earned 400 total points)
To further detail: your default login would be jsmith@domain.local, but what you would need to do is add domain.com as a UPN suffix and then change your users (either just the iPhone/Android users or everyone) to use the new UPN suffix.

Then your smartphones will authenticate properly so all you'll need to do is enter email address and password. The email address will then match the username.

MO
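The UPN-suffix procedure Michael describes above as a script. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT) plus the Exchange 2010 Management Shell, and mycompany.com and the OU path are placeholders. It only reports what it would change unless run with -Commit.

```powershell
# Added example (not from the thread): register the public domain as a UPN suffix and
# align each mailbox user's UPN with their primary SMTP address, as Michael describes.
# Assumes the ActiveDirectory module and the Exchange 2010 shell; names are placeholders.
# Save as a .ps1; it is a dry run unless -Commit is passed.
param([switch]$Commit)
Import-Module ActiveDirectory

$PublicSuffix = "mycompany.com"                       # placeholder public domain
$SearchBase   = "OU=Users,DC=mycompany,DC=local"      # placeholder OU to process

# 1. Register the suffix at forest level if it is not already there
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    "Adding UPN suffix $PublicSuffix to forest $($forest.Name)"
    if ($Commit) { Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicSuffix} }
}

# 2. Set UPN = primary SMTP address for users whose address is in the public domain,
#    so the e-mail address a phone asks for is also the account's logon name
Get-Mailbox -OrganizationalUnit $SearchBase -ResultSize Unlimited | ForEach-Object {
    $smtp = $_.PrimarySmtpAddress.ToString()
    if ($smtp -notlike "*@$PublicSuffix") { "SKIP   $($_.Alias): $smtp is not in $PublicSuffix"; return }
    if ($_.UserPrincipalName -eq $smtp)   { "OK     $($_.Alias): UPN already $smtp"; return }
    "CHANGE $($_.Alias): $($_.UserPrincipalName) -> $smtp"
    if ($Commit) { Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $smtp }
}
```

A UPN is also a Windows logon name, so review the CHANGE lines from the dry run before passing -Commit.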

Expert Comment by: Michael Ortega (Internetwerx, Inc.), LVL 16
For Simon, I realize there are posts about adding the URL and other posts about not needing the URL. In all my implementations it certainly hasn't negatively implemented autodiscovery, so thus I include them. I do understand how AutoDiscover works and realize that it works even without the URLs specified, but as you've clearly communicated in this post - it doesn't really matter.

MO