Solved

Outlook 2007 Security pop up (Exchange 2007 on SBS 2008)

Posted on 2014-03-13
Last Modified: 2014-05-05
Hi Experts,

We changed the internet name on SBS 2008 to replace a dyndns by the famous remote one.
Thanks to Sembee, we could finally fix an Autodiscover issue (old URLs remained) and the old self-signed dyndns SSL certificate was used instead of the new one.

Now there is a remaining problem. In Outlook, every 5 minutes a popup appears with the email address as login info; we can just click on cancel. If we don't, Outlook stays connected to Exchange and we can work. But we have to put the little window somewhere...

If we create new profiles, there is no more connection popup.

Do you know a way to avoid recreating a new profile for each user?


Thank you in advance for your help, best regards,
Question by:jet-info
15 Comments
 
Expert Comment

by:Brad Bouchard
It very well could be due to your OAB trying to download from an old location/name.  Also, make sure your SSL is not self signed and that it's from a 3rd party.

Try this:  Hold down the ctrl key and right-click the Outlook icon in the system tray, then select Test Email AutoConfiguration.  Look for the old server name anywhere and let us know the results.

Author Comment

by:jet-info
All is OK on this side. Only in the HTTP section, under Unified Messaging, is there still the old address. But we don't use Unified Messaging here.

Some computers are on Outlook 2010. One in particular still tries to connect to the server with the email address as login information, with no other choice than cancel. From time to time it tries to connect with a smart card, which is not used here, not even configured... it can't find a valid certificate.

I looked around in the computer local certificates but there is only the server-CA installed.

The other thing that I don't understand is why it tries to connect with the email address as login information while I recorded the login and password with emailaddress@domain.local as login information.


Edit:

Another computer still tries to use the old Dyndns certificate from the outside (in RPC over HTTP). Could I remove the old certificate in Exchange 2007 without risking disturbing normal operation (which is not so normal for the moment...)?
If so, I suppose that I should do that; how do I do it gently in PowerShell, please?

Can I just remove all dyndns certificates from Exchange with PowerShell (remove-exchangecertificate DED1ER5F41R4R1CFE25R4F65ER41), even the still valid ones (which are normally not used again), without the need to reactivate the new one?

Thank you for your time !

Expert Comment

by:Brad Bouchard
I'd give removing the certs a shot.  You won't impact flow, but just make sure to back them up in case you need them again.  You will get a few cert warnings per the expected norm when doing this.  But if this fixes your pop up then get a 3rd party cert (a UC SSL is what you're looking for; Comodo, GoDaddy, Entrust, VeriSign, etc. are all places to get one) and install it.

Let me know if you need help doing that.

Author Comment

by:jet-info
OK, old certificates are backed up and removed from Exchange.

We still experience connection request popups. When we create new profiles, the popup is different: it is a smart card request popup. The Autodiscover website in IIS is set to ignore client certificates. OAB URLs are both remote.domain.com (which pings correctly from inside and outside) and Outlook email accounts are set to negotiate authentication. I ran an iisreset with no different result.

What can I check now?

Author Comment

by:jet-info
Any idea?

Expert Comment

by:Brad Bouchard

Author Comment

by:jet-info
I found this error in BPA:

Certificate SAN mismatch: The subject alternative name (SAN) of SSL certificate for https://domain.dyndns.biz/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: domain.dyndns.biz. Current SAN: DNS Name=remote.domain.com, DNS Name=www.remote.domain.com, DNS Name=server1.domain.local, DNS Name=autodiscover.domain.local.

I don't know where this URL is written, because when I test Autodiscover from Outlook, everything is set to the remote URL except in the Protocol HTTP section under Unified Messaging. Unified Messaging in the RPC protocol is set to the remote URL. I should point out that we don't use UM...


Where can I find that false URL to replace it? Or else, do you know how to replace it directly?


Thank you very much for your help, best regards,
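
One way to look for where the old host name is still configured, as an added example that is not part of the original thread: the script lists the URL and host-name settings Exchange 2007 hands to Outlook and compares each host with the names on the certificate enabled for IIS. The cmdlets are standard Exchange 2007 Management Shell cmdlets; `$OldName`, the helper `Get-UrlSetting` and the status labels are names chosen for this example, and wildcard certificate names are not handled.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# $OldName is the retired host name as it appears in the BPA message above.
$OldName = 'domain.dyndns.biz'

# Names on the certificate(s) currently enabled for IIS (exact names only, no wildcards).
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Emit one row per non-empty URL or host-name property of the given objects.
function Get-UrlSetting($objects, $source, $properties) {
    foreach ($o in @($objects)) {
        foreach ($p in $properties) {
            if ($o.$p) {
                $row = New-Object PSObject
                $row | Add-Member NoteProperty Source "$source.$p"
                $row | Add-Member NoteProperty Value  "$($o.$p)"
                $row
            }
        }
    }
}

# Settings that Autodiscover returns to Outlook, including the Unified Messaging URLs.
$both  = @('InternalUrl', 'ExternalUrl')
$rows  = @(Get-UrlSetting (Get-ClientAccessServer) 'ClientAccessServer' @('AutoDiscoverServiceInternalUri'))
$rows += @(Get-UrlSetting (Get-WebServicesVirtualDirectory) 'WebServices' $both)
$rows += @(Get-UrlSetting (Get-OabVirtualDirectory) 'OAB' $both)
$rows += @(Get-UrlSetting (Get-UMVirtualDirectory) 'UM' $both)
$rows += @(Get-UrlSetting (Get-OwaVirtualDirectory) 'OWA' $both)
$rows += @(Get-UrlSetting (Get-OutlookAnywhere) 'OutlookAnywhere' @('ExternalHostname'))

# Flag hosts that are the old name or are missing from the certificate.
$rows | ForEach-Object {
    $hostName = $_.Value            # ExternalHostname is already a bare host name
    if ($_.Value -match '^https?://([^/:]+)') { $hostName = $matches[1] }
    $hostName = $hostName.ToLower()
    $status = 'ok'
    if ($certNames -notcontains $hostName) { $status = 'NOT ON CERT' }
    if ($hostName -eq $OldName.ToLower())  { $status = 'OLD NAME' }
    $_ | Add-Member NoteProperty Host $hostName
    $_ | Add-Member NoteProperty Status $status -PassThru
} | Sort-Object Status | Format-Table Status, Host, Source -AutoSize
```

Rows flagged OLD NAME or NOT ON CERT are the settings to correct with the matching Set- cmdlet (for example `Set-ClientAccessServer -AutoDiscoverServiceInternalUri`) or to cover when the certificate is reissued.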

Expert Comment

by:Brad Bouchard
The first thing I would do is reissue your SSL cert.  Get these names:

If your domain is abc.com, then get:

MAIL.ABC.COM as the main name and add the following 5 names as SAN (subject alternative names)
mail.abc.com
abc.com
autodiscover.abc.com
LOCALEXCHANGESERVERNAME
LOCALEXCHANGESERVERNAME.LOCALDOMAIN.LOCAL

Author Comment

by:jet-info
We don't use mail.domain.com in our certificate. Users have email addresses on domain.other; we just use domain.com for OWA and remote, and all the MX of domain.com are Host servers in another country. On our certificate, there is remote.domain.com first, then EXCserver.domain.local and autodiscover.domain.local, no autodiscover.domain.com (maybe the issue is from here). The website domain.com is hosted by a Host service, so I suppose that we do not have to put the name domain.com, do we?

Why do we have to put EXCserver and EXCserver.domain.local if we have the second one?

Expert Comment

by:Brad Bouchard
If you already have EXCserver.domain.local then don't worry about the NetBIOS name; you can just leave that.  As far as the autodiscover goes, whatever autodiscover address is being used will need to be on the cert.  So if you're using autodiscover.domain.com then it has to be on the cert.

Author Comment

by:jet-info
Hello,

Sorry for the delay...
We "fixed" the issue by forcing the RPC over HTTP connection even on fast networks. It works because the remote and local URLs are the same (remote.domain.com). So the issue must be in the local configuration of RPC, mustn't it?

There were still two old bindings to port 80 for the dyndns.biz URL in the SBS Application Website. I removed them but it changed nothing to the situation.

What can I check now, please?

We will re-issue the SSL certificate, but for now we have to fix the problem, which is clearly inside the local network. What do you think?

Thank you for your help !

Accepted Solution

by:Brad Bouchard
"There were still two old bindings to port 80 for the dyndns.biz URL in the SBS Application Website. I removed them but it changed nothing to the situation."
Make sure that the binding to the correct server name is set for https(443) and that http(80) doesn't have a name in the binding in IIS.  443 should be bound to the correct IP and have the SSL I am referring to bound to it.

Make sense?

Author Comment

by:jet-info
There are a lot of websites in IIS. The Default Website is turned off; instead there is the "SBS Web Applications" site, bound on port 80 for "sites", which also has another binding for http with the name remote.domain.local. In this site, the https (443) binding is bound to the GoDaddy certificate called "Microsoft Exchange" but no name appears, as you can see in the attached screenshot.

I found that there are again two valid certificates, issued by the SBS-Server-CA itself, with IMAP, POP and SMTP services activated. The GoDaddy certificate is activated for IIS, SMTP, POP and IMAP. Do I have to remove these SBS-CA issued certificates or could I leave them as is?


Thank you in advance for your help, best regards,
SBS-Web-Apps-Bindings.jpg

Author Closing Comment

by:jet-info
Thanks anyway.