Solved

Exchange CAS certificate expired and renewed and replaced but all Outlook clients still getting Certification expired error.

Posted on 2014-03-05
Last Modified: 2014-03-17
Our SSL certificate recently expired and was renewed but Outlook 2010 Clients are still getting SSL errors. We use Exchange 2010. We use DNS to point to our external certificate and have the following in place to cater for that:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Our Outlook Web Access is getting the correct certificate and it seems to be only affecting our internal clients. When I run the Get-exchangeservercertificate command the correct certificates are in place. The old certificate is not visible anywhere yet I still get the error. I have even checked the registry and also under MMC but cannot find the reference point for the old certificate anywhere. Can anyone help?
0
Question by:MSSC_support
11 Comments
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39906553
What are the errors in the event logs of the CAS server? Check that and update us here.
0
 

Author Comment

by:MSSC_support
ID: 39906754
I've got this one error but this does not make sense.

Log Name:      Application
Source:        MSExchangeTransport
Date:          05/03/2014 16:04:22
Event ID:      12023
Task Category: TransportService
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      V-EXCHCAS1.sea-cadets.org
Description:
Microsoft Exchange could not load the certificate with thumbprint of CF414B5D61320B56C88AADCEB8FD5CDEF52F75CC from the personal store on the local computer. This certificate was configured for authentication with other Exchange servers. Mail flow to other Exchange servers could be affected by this error. If the certificate with this thumbprint still exists in the personal store, run Enable-ExchangeCertificate CF414B5D61320B56C88AADCEB8FD5CDEF52F75CC -Services SMTP to resolve the issue. If the certificate does not exist in the personal store, restore it from backup by using the Import-ExchangeCertificate cmdlet, or create a new certificate for the FQDN or the server enabled for SMTP by running the following command: New-ExchangeCertificate -DomainName serverfqdn -Services SMTP. Meanwhile, the certificate with thumbprint A799EBE84C069ED91755EB73FDE9AF4FF92A3689 is being used.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchangeTransport" />
    <EventID Qualifiers="32772">12023</EventID>
    <Level>3</Level>
    <Task>12</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-03-05T16:04:22.000000000Z" />
    <EventRecordID>364065</EventRecordID>
    <Channel>Application</Channel>
    <Computer>V-EXCHCAS1.sea-cadets.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data>CF414B5D61320B56C88AADCEB8FD5CDEF52F75CC</Data>
    <Data>A799EBE84C069ED91755EB73FDE9AF4FF92A3689</Data>
  </EventData>
</Event>


This certificate is not one on the list when executing GET-EXCHANGECERTIFICATE | FL. The above is our old certificate.
0
 

Author Comment

by:MSSC_support
ID: 39906794
I have tried to assign the certificate to services which asked to overwrite the old certificate but I still get the certificate errors.
0

Author Comment

by:MSSC_support
ID: 39906881
Since then the error logs have stopped but I still receive the certificate warning message.
0
 

Author Comment

by:MSSC_support
ID: 39908728
Any ideas?
0
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39908916
Hi,

Please go through the TechNet article below; this may help you.
0
 

Author Comment

by:MSSC_support
ID: 39908925
Can you please send me the link to the article?
0
 
LVL 9

Accepted Solution

by:
Ahmed786 earned 500 total points
ID: 39908971
0
 

Author Comment

by:MSSC_support
ID: 39909569
Thank you very much. Using the article I was able to identify that we had two CAS servers on DNS for the same certificate address, and on the second CAS server, although it had the correct certificate, the certificate was not assigned in IIS. After setting this and rebooting all is well.
0
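A check for the situation found in this thread (two CAS servers behind one DNS name, one of them not serving the renewed certificate), as an added example that is not part of the original posts: it connects to every address the name resolves to and reports the certificate each one presents on port 443. `Get-PresentedCertificate` is a hypothetical helper name, `mail.contoso.com` is the namespace from the question, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): show which certificate each
# DNS-published server behind a name presents. Helper name is hypothetical.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    # Probe every address behind the name, not only the first one returned.
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($HostName)) {
        $tcp = New-Object System.Net.Sockets.TcpClient($ip.AddressFamily)
        try {
            $tcp.Connect($ip, $Port)
            # Accept any certificate: the goal is to inspect it, not to trust it.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName)   # handshake using the published name
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Address    = $ip.IPAddressToString
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Expired    = $cert.NotAfter -lt (Get-Date)
            }
            $ssl.Dispose()
        }
        catch {
            # Report unreachable or failing endpoints instead of hiding them.
            [pscustomobject]@{
                Address    = $ip.IPAddressToString
                Subject    = "ERROR: $($_.Exception.Message)"
                Thumbprint = $null
                NotAfter   = $null
                Expired    = $null
            }
        }
        finally { $tcp.Close() }
    }
}

# Usage, from an internal client that sees the internal DNS records:
# Get-PresentedCertificate -HostName 'mail.contoso.com' | Format-Table -AutoSize
```

For any address that reports an old thumbprint or `Expired = True`, run `Get-ExchangeCertificate -Server <that CAS>` in the Exchange Management Shell and confirm the renewed certificate lists IIS under Services.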
 
LVL 9

Expert Comment

by:Ahmed786
ID: 39911942
It's nice to hear that your issue has been resolved.
So please accept your desired answer so that others can benefit if they find any issue related to this.
0
 

Author Closing Comment

by:MSSC_support
ID: 39933842
This resolved our issue over DNS and hence installing the correct Certificates on all other Servers.

However, I also required another KB article:

support.microsoft.com/kb/940726

This completed the fix.
0

Question has a verified solution.