Solved

Exchange SSL certificate

Posted on 2014-02-23
1,326 Views
Last Modified: 2014-02-24
Hi guys,

I am experiencing a problem with an SSL UCC certificate for Outlook Anywhere.

As some of you might know, after November 1, 2015 certificates for internal names will no longer be trusted. Therefore I followed the instructions at the link below, which is for redirecting Exchange Server to use the external DNS name (split DNS):

http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

The company's domain names are:
- mycompany.local   ( internal name )
- mycompany.com    ( external name )

The certificate was issued for the following names:
- autodiscover.mycompany.com
- mail.mycompany.com
- mycompany.com

Unfortunately it is not working; I get a certificate error in Outlook for the autodiscover and mail names, see the attached images mail.jpg and autodiscover.jpg.

Furthermore, the certificate information says "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered." See the attached certificate image.

Can you guys help me?
Autodiscover.JPG
mail.JPG
Question by:R2_D2
15 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39881045
Are these when you access the server internally or externally? Or both?

Can we get a printout of the following PS command?

get-autodiscovervirtualdirectory | fl

MO
0
 

Author Comment

by:R2_D2
ID: 39881101
It happens internally and externally. Also, I have experienced the issue on my iPhone too.


get-autodiscovervirtualdirectory | fl

RunspaceId                      : 11c2479e-9ef9-4355-b8a5-e99e8779125c
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://myserver.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : EXCHANGE
InternalUrl                     :
ExternalUrl                     :
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=myserver,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=my domain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : myserver\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 11/04/2011 15:22:36
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 11/04/2011 14:22:36
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True
0
 
LVL 16

Accepted Solution

by:
Michael Ortega earned 1600 total points
ID: 39881109
I don't see your autodiscover URLs defined. Can you set them?

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -InternalURL "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

set-autodiscovervirtualdirectory -identity "Autodiscover (Default Web Site)" -ExternalUrl "https://autodiscover.mypublicdomain.com/Autodiscover/Autodiscover.xml"

I would then setup a DNS zone in AD for "autodiscover.mypublicdomain.com" and create a single A record to point it to the private address of your CAS.

MO
0
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39881118
Also check the CAS setup:

Get-ClientAccessServer | fl

Make sure the AutoDiscoverServiceInternalUri is the same as the above or your users will be constantly inundated with certificate messages.

MO
0
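The two checks in the comments above (the Autodiscover virtual directory URLs and the AutoDiscoverServiceInternalUri on the CAS) are only part of the picture: what actually produces the prompt is a hostname that Exchange hands to a client and that the certificate bound to IIS does not cover. The audit below is an added example written for this page, not code from the thread; run it in the Exchange Management Shell on the CAS. It assumes Exchange 2010 (the V14 path in the output above), so it sticks to PowerShell 2.0 syntax and resolves names through .NET instead of Resolve-DnsName. The .local flag reflects the November 2015 deadline the question opens with.

```powershell
# Added audit script (not from the thread). Lists every hostname Exchange hands to
# clients, whether the IIS certificate's SAN list covers it, and what it resolves to.
# Assumes Exchange 2010 / PowerShell 2.0; run in the Exchange Management Shell.
$server = $env:COMPUTERNAME
$names  = New-Object System.Collections.ArrayList

function Add-HostName {
    param($Url, $Source)
    if (-not $Url) { return }                 # blank InternalUrl/ExternalUrl is normal
    $h = ([Uri]$Url.ToString()).Host.ToLower()
    [void]$names.Add((New-Object PSObject -Property @{ Name = $h; Source = $Source }))
}

# SCP value that domain-joined Outlook reads from AD before it tries any DNS name
Add-HostName (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri "SCP AutoDiscoverServiceInternalUri"

# URLs returned inside the Autodiscover XML
foreach ($vd in @(Get-AutodiscoverVirtualDirectory -Server $server) +
               @(Get-WebServicesVirtualDirectory  -Server $server) +
               @(Get-OabVirtualDirectory          -Server $server) +
               @(Get-OwaVirtualDirectory          -Server $server) +
               @(Get-EcpVirtualDirectory          -Server $server) +
               @(Get-ActiveSyncVirtualDirectory   -Server $server)) {
    Add-HostName $vd.InternalUrl ("{0} InternalUrl" -f $vd.Name)
    Add-HostName $vd.ExternalUrl ("{0} ExternalUrl" -f $vd.Name)
}
$oa = Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue
if ($oa -and $oa.ExternalHostname) {
    Add-HostName ("https://" + $oa.ExternalHostname) "OutlookAnywhere ExternalHostname"
}

# SAN list of the certificate actually bound to IIS (the one Outlook and ActiveSync see)
$cert = Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$san  = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"IIS certificate: {0}  thumbprint {1}  expires {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
"SAN: " + ($san -join ", ")

# A wildcard SAN entry covers exactly one label to the left of the dot
function Test-SanCovers([string]$h) {
    ($san -contains $h) -or ($san -contains ("*." + ($h -replace '^[^.]+\.', '')))
}

$names | Sort-Object Name, Source -Unique | ForEach-Object {
    $n = $_
    try   { $ip = ([System.Net.Dns]::GetHostAddresses($n.Name) | ForEach-Object { $_.IPAddressToString }) -join "," }
    catch { $ip = "NXDOMAIN" }
    New-Object PSObject -Property @{
        Name         = $n.Name
        Source       = $n.Source
        InCertSAN    = Test-SanCovers $n.Name
        ResolvesTo   = $ip
        InternalOnly = ($n.Name -like "*.local")   # public CAs stop issuing for these after 2015-11-01
    }
} | Format-Table Name, Source, InCertSAN, InternalOnly, ResolvesTo -AutoSize
```

Any row with InCertSAN = False is a name a client will be told to use and then warn about; any row with InternalOnly = True is a name that must be moved to the public domain before the certificate is next renewed. A name that resolves to the public address from inside the LAN is the split-DNS gap the question is trying to close.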
 

Author Comment

by:R2_D2
ID: 39881163
I ran the commands (see below) but unfortunately the issue is still happening.



RunspaceId                      : 7c3831fa-081b-4d14-9770-1073077c2fb8
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://MyExchange.mydomain.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : MyExchange
InternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
ExternalUrl                     : https://autodiscover.mydomain.com/Autodiscover/Autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=MyExchange,CN=Servers,CN=Exc
                                  hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Mydomain
                                  ,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=local
Identity                        : EXCHANGE\Autodiscover (Default Web Site)
Guid                            : 90820539-5672-4e13-9ddb-0205f6a90417
ObjectCategory                  : mydomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 23/02/2014 20:49:20
WhenCreated                     : 11/04/2011 15:22:36
WhenChangedUTC                  : 23/02/2014 20:49:20
WhenCreatedUTC                  : 11/04/2011 14:22:36
OrganizationId                  :
OriginatingServer               : MyDC.mydomain.local
IsValid                         : True
0
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39881168
What about the one for ClientAccessServer? DNS zone setup internally? Basically can you ping autodiscover.mypublicdomain.com and have it resolve internally to the private IP of your CAS?

MO
0
 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 1600 total points
ID: 39881174
Have you checked system time on your Exchange server? Is it in sync with your Domain Controller(s)?

Also, if you navigate to OWA and look at the cert presented to your browser what does it show? Can you post a screen shot?

MO
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 39881924
Poor Advice above.

"I don't see your autodiscover URL's defined. Can you set them?"

The configuration above is the default and should not be changed. They are blank on all Exchange servers and that is perfectly normal.
Furthermore you don't need Autodiscover DNS records internally unless you have clients on the domain which are NOT members of the domain.

Therefore set them back to $null, it will make no difference.

Then run through setting up Exchange with a split DNS system so the external name can be used internally.

http://semb.ee/hostnames

Simon.
0
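One concrete way to do the split-DNS part that both experts agree on, as an added example that is not part of the thread: instead of hosting a full copy of mycompany.com internally (and having to mirror every public record), create one "pinpoint" zone per hostname on the AD-integrated DNS server. The zone name is the full hostname, so the public zone is never shadowed. It assumes DNS runs on the DC named in the output above (MyDC.mydomain.local) and that 10.0.0.10 is the CAS's private address; both are placeholders. dnscmd ships with Server 2008; Server 2012 and later also have Add-DnsServerPrimaryZone and Add-DnsServerResourceRecordA.

```powershell
# Added example (not from the thread): pinpoint zones for split DNS on an
# AD-integrated DNS server. Placeholders: the DC from the thread and a made-up CAS IP.
$dnsServer = "MyDC.mydomain.local"
$casIp     = "10.0.0.10"
$hostNames = "autodiscover.mycompany.com", "mail.mycompany.com"

foreach ($fqdn in $hostNames) {
    # /DsPrimary: stored in AD and replicated to every DC that runs DNS
    & dnscmd $dnsServer /ZoneAdd $fqdn /DsPrimary
    # "@" is the zone apex, i.e. the hostname itself
    & dnscmd $dnsServer /RecordAdd $fqdn "@" A $casIp
}

# Verify from a domain member: the internal answer must be the private address.
ipconfig /flushdns | Out-Null
foreach ($fqdn in $hostNames) {
    $answer = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    "{0,-30} -> {1}" -f $fqdn, ($answer -join ", ")
}
```

Do not create a pinpoint zone for the bare name mycompany.com, even though it is on the certificate: that zone would capture www and every other public host. Outlook's Autodiscover fallback does try https://mycompany.com/Autodiscover/Autodiscover.xml before https://autodiscover.mycompany.com/..., so whatever web server answers for the bare name from inside the LAN needs to either present a matching certificate or not answer on 443 at all.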
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39882547
Poor Advice above as well.

It is perfectly normal for them to be blank unless you're using them, of course. You don't need autodiscover DNS "zone" internally because exchange will use SCP to connect...unless you have non-domain clients that connect. Sounds like a good idea to have setup since it's simple and painless and rules out the variable that we're dealing with any non-domain computers, don't you agree Simon? Oh wait, you already agreed by stating what you did above.

So basically all you said that we didn't cover was remove the autodiscover URL from the autodiscovervirtualdirectory, which you admitted would make no difference. You'll note that in the authors question he followed the guide to setup split DNS. Maybe you didn't catch that. If you look at the very beginning of this thread you'll see it.

I've got a pump if you need some more air to inflate your ego.

MO
0
 

Author Comment

by:R2_D2
ID: 39882783
Hi guys,

Thank you for your help, I managed to resolve it. The problem was a combination of things:

1 - The Exchange server is a VM and it had the time synchronized with the ESXi host, which is 5 minutes behind.

2 - I was running the tests on WinXP SP2 and W2K3 SP2 machines, and apparently those Windows versions are incompatible with UCC certificates.

3 - My autodiscover address was incorrect.
0
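Two of the three causes the author lists (clock skew and a certificate the client rejects) can be measured directly rather than guessed at. The block below is an added example written for this page, not code from the thread. It opens a TLS connection the way a client does, records why .NET rejected the certificate instead of aborting the handshake, and reads the clock offset against the DC with w32tm. Hostnames are the thread's placeholders, and the CAS is assumed to listen on 443. This matters for more than cosmetics: the Autodiscover output above shows Basic authentication enabled, so a user who clicks through a certificate warning sends their password to whichever host answered.

```powershell
# Added example (not from the thread): see the certificate a client is really
# offered, why .NET rejects it, and how far the server clock is from the DC.

function Test-ExchangeTls {
    param([string]$HostName, [int]$Port = 443)
    $ctx = @{ Errors = $null; Chain = @() }
    # Record the verdict and keep the handshake alive so the certificate can be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $ctx.Errors = $errors
        $ctx.Chain  = @($chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() })
        return $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # name check uses the name the client typed
        $x509   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sanExt = $x509.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        $sanTxt = "(none)"
        if ($sanExt) { $sanTxt = $sanExt.Format($false) }
        New-Object PSObject -Property @{
            Host         = $HostName
            Subject      = $x509.Subject
            Issuer       = $x509.Issuer
            ValidFrom    = $x509.NotBefore       # a clock behind this date makes the cert "not yet valid"
            ValidTo      = $x509.NotAfter
            SAN          = $sanTxt
            PolicyErrors = "$($ctx.Errors)"      # None | RemoteCertificateNameMismatch | RemoteCertificateChainErrors
            ChainStatus  = ($ctx.Chain -join "; ")
        }
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
}

function Get-ClockSkew {
    param([string]$Reference)
    $out     = & w32tm /stripchart /computer:$Reference /samples:3 /dataonly 2>&1
    $offsets = $out | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$matches[1] } }
    if (-not $offsets) { throw "w32tm could not sample $Reference : $out" }
    New-Object PSObject -Property @{
        Reference     = $Reference
        # "Local CMOS Clock" or a hypervisor provider here means the VM is not following the domain hierarchy
        Source        = (& w32tm /query /source)
        OffsetSeconds = [math]::Round(($offsets | Measure-Object -Average).Average, 3)
    }
}

"mail.mycompany.com", "autodiscover.mycompany.com" | ForEach-Object { Test-ExchangeTls $_ } | Format-List
Get-ClockSkew -Reference "MyDC.mydomain.local"
```

PolicyErrors tells you which of the two distinct failures you have: RemoteCertificateNameMismatch means the name you connected to is missing from the SAN list (a DNS or URL problem), RemoteCertificateChainErrors with a NotTimeValid or UntrustedRoot entry in ChainStatus means the certificate itself is rejected (clock, missing intermediate, or an unsupported certificate type on old clients). An offset near the 5 minutes the author found also breaks Kerberos, whose default tolerance is 5 minutes, so fix the VM's time source before chasing anything else.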
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39882794
Sorry I have to disagree.
Do you actually know how the Autodiscover process works?

Populating the internal and external URLs on the Autodiscover virtual directory has NO operational effect whatsoever. It doesn't change the URL that is used for it. While it does no harm, the values are left BLANK on purpose. No process from Microsoft will populate them and you will not find anything from Microsoft that says to populate them. People populate them but they have no effect whatsoever on the operation of Autodiscover, for either domain or non domain clients.

Simon.
0
 

Author Comment

by:R2_D2
ID: 39882807
Just one last quick question,

The autodiscover works great on Outlook Anywhere but it doesn't work on mobile devices (iPad, Android, etc.).

I am missing something but don't know what that could be.
0
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39882830
So basically what you're saying, Simon, is don't populate the fields because they don't actually do anything for you? Do you have anything to offer towards a resolution to the problem?

R2_D2, the only way autodiscover works seamlessly on mobile devices is if you set a UPN suffix in AD to support using your public domain name.

MO
0
 
LVL 16

Assisted Solution

by:Michael Ortega
Michael Ortega earned 1600 total points
ID: 39882842
To further detail,

your default login would be jsmith@domain.local, but what you would need to do is add domain.com as a UPN suffix and then change your users (either just the iPhone/Android users or everyone) to use the new UPN suffix.

Then your smartphones will authenticate properly so all you'll need to do is enter email address and password. The email address will then match the username.

MO
0
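The UPN change described in the two comments above, as an added example that is not from the thread. It registers the public domain as a UPN suffix at the forest level and then aligns each mailbox user's UPN with its primary SMTP address, so the address a phone autodiscovers from is also the string it authenticates with. It assumes the ActiveDirectory module (RSAT or a 2008 R2+ DC) is available in the Exchange Management Shell; the suffix mycompany.com is the thread's placeholder. The UPN is also a logon name, so the script lists the changes and runs Set-ADUser with -WhatIf until you remove it.

```powershell
# Added example (not from the thread): add a public UPN suffix and make each
# mailbox user's UPN equal to their primary SMTP address.
Import-Module ActiveDirectory
$suffix = "mycompany.com"   # placeholder from the thread

# 1. Register the suffix once at the forest level (safe to re-run).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $suffix }
}

# 2. Build the change list: only mailboxes whose primary SMTP is in the public
#    domain, and only where the UPN does not already match. Primary SMTP addresses
#    are unique in Exchange, so the new UPNs cannot collide with each other.
$changes = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $smtp = $mbx.PrimarySmtpAddress.ToString().ToLower()
    if ($smtp -notlike "*@$suffix") { continue }
    if ($mbx.UserPrincipalName.ToLower() -eq $smtp) { continue }
    New-Object PSObject -Property @{
        User   = $mbx.SamAccountName
        OldUpn = $mbx.UserPrincipalName
        NewUpn = $smtp
    }
}
$changes | Format-Table User, OldUpn, NewUpn -AutoSize

# 3. Apply. Users who sign in with the old UPN (user@mycompany.local) must switch
#    to the new one; DOMAIN\user logons are unaffected.
foreach ($c in $changes) {
    Set-ADUser -Identity $c.User -UserPrincipalName $c.NewUpn -WhatIf   # remove -WhatIf to commit
}
```

Run it in stages: the forest-level step is a one-time change, while the per-user step can be limited to the phone users first by filtering $changes before the final loop.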
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 39882897
For Simon, I realize there are posts about adding the URL and other posts about not needing the URL. In all my implementations it certainly hasn't negatively implemented autodiscovery, so thus I include them. I do understand how AutoDiscover works and realize that it works even without the URL's specified, but as you've clearly communicated in this post - it doesn't really matter.

MO
0
