Outlook 2007 Security pop up (Exchange 2007 on SBS 2008)

Posted on 2014-03-13
Last Modified: 2014-05-05
Hi Experts,

We changed the internet name on SBS 2008 to replace a dyndns by the famous remote one.
Thanks to Sembee, we could finally fix an Autodiscover issue (old URLs remained) and the old self-signed dyndns SSL certificate was used instead of the new one.

Now there is a remaining problem. In Outlook, every 5 minutes a popup appears with the email address as login info. We can only click on Cancel; if we don't, Outlook stays connected to Exchange and we can work. But we have to put the little window somewhere...

If we create new profiles, there is no more connection popup.

Do you know a way to avoid recreating a new profile for each user?


Thank you in advance for your help, best regards,
Question by:jet-info
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39927699
It very well could be due to your OAB trying to download from an old location/name.  Also, make sure your SSL is not self-signed and that it's from a 3rd party.

Try this:  Hold down the Ctrl key and right-click the Outlook icon in the system tray, then select Test Email AutoConfiguration.  Look for the old server name anywhere and let us know the results.
0
 

Author Comment

by:jet-info
ID: 39928600
All is OK this side. There is only in the HTTP section, under Unified Messaging, that there is still the old address. But we don't use Unified Messaging here.

Some computers are on Outlook 2010. One in particular still tries to connect to the server with the email address as login information, with no other choice than Cancel. From time to time it tries to connect with a smart card, which is not used here, not even configured... it can't find a valid certificate.

I looked around in the computer's local certificates but there is only the server-CA installed.

The other thing that I don't understand is why it tries to connect with the email address as login information while I recorded the login and password with the emailaddress@domain.local as login information.


Edit:

Another computer still tries to use the old Dyndns certificate from the outside (in RPC over HTTP). Could I remove the old certificate in Exchange 2007 without risking disturbing the normal operation (which is not so normal for the moment...)?
If so, I suppose that I should do that. How do I do it gently in PowerShell, please?

Can I just remove all dyndns certificates from Exchange with PowerShell (remove-exchangecertificate DED1ER5F41R4R1CFE25R4F65ER41), even the still valid ones (which are normally not used again), without the need to reactivate the new one?

Thank you for your time !
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39935199
I'd give removing the certs a shot.  You won't impact flow, but just make sure to back them up in case you need them again.  You will get a few cert warnings per the expected norm when doing this.  But if this fixes your pop up then get a 3rd party cert (a UC SSL is what you're looking for; Comodo, GoDaddy, Entrust, VeriSign, etc. are all places to get one) and install it.

Let me know if you need help doing that.
0

 

Author Comment

by:jet-info
ID: 39937071
OK, old certificates are backed up and removed from Exchange.

We still experience connection request popups. When we create new profiles, the popup is different: it is a smart card request popup. The Autodiscover website in IIS is set to ignore client certificates. OAB URLs are both remote.domain.com (which pings correctly from inside and outside) and Outlook email accounts are set to negotiate authentication. I ran an iisreset with no different result.

What can I check now ?
0
 

Author Comment

by:jet-info
ID: 39941999
Any idea?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39943824
0
 

Author Comment

by:jet-info
ID: 39955897
I found this error in BPA:

Certificate SAN mismatch: The subject alternative name (SAN) of SSL certificate for https://domain.dyndns.biz/Autodiscover/Autodiscover.xml does not appear to match the host address. Host address: domain.dyndns.biz. Current SAN: DNS Name=remote.domain.com, DNS Name=www.remote.domain.com, DNS Name=server1.domain.local, DNS Name=autodiscover.domain.local.

I don't know where this URL is written, because when I test Autodiscover from Outlook, everything is set to the remote URL except in the Protocol HTTP section under Unified Messaging. Unified Messaging in the RPC protocol is set to the remote URL. I should point out that we don't use UM...


Where can I find that false URL to replace it? Or else, do you know how to replace it directly?


Thank you very much for your help, best regards,
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39956093
The first thing I would do is reissue your SSL cert.  Get these names:

If your domain is abc.com, then get:

MAIL.ABC.COM as the main name and add the following 5 names as SAN (subject alternative names)
mail.abc.com
abc.com
autodiscover.abc.com
LOCALEXCHANGESERVERNAME
LOCALEXCHANGESERVERNAME.LOCALDOMAIN.LOCAL
0
 

Author Comment

by:jet-info
ID: 39956971
We don't use mail.domain.com in our certificate. Users have email addresses on domain.other, we just use domain.com for OWA and remote, and all the MX records of domain.com are host servers in another country. On our certificate, there is remote.domain.com first, then EXCserver.domain.local and autodiscover.domain.local, but no autodiscover.domain.com (maybe the issue comes from here). The website domain.com is hosted by a hosting service, so I suppose that we do not have to put the name domain.com on it, do we?

Why do we have to put EXCserver and EXCserver.domain.local if we have the second one?
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39957145
If you already have EXCserver.domain.local then don't worry about the NetBIOS name; you can just leave that.  As far as the autodiscover goes, whatever autodiscover address is being used will need to be on the cert.  So if you're using autodiscover.domain.com then it has to be on the cert.
0
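A read-only way to apply the rule in the comment above (every address Outlook is handed must be on the cert), as an added example that is not part of the original thread. It assumes the Exchange Management Shell on the Exchange 2007 server; `Test-UrlAgainstCert` is a hypothetical helper name, and wildcard certificate names are not handled.

```powershell
# Read-only: lists each URL Exchange hands to Outlook and whether its host name
# appears on the certificate(s) currently enabled for IIS.

# Names (subject + SANs) on the IIS-enabled certificate(s), lower-cased
$sanNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() })

# Hypothetical helper: emits one row per URL with the certificate check result
function Test-UrlAgainstCert($source, $urls) {
    foreach ($u in $urls) {
        if (-not $u) { continue }                      # URL not configured
        $hostName = ([System.Uri]"$u").Host.ToLower()
        $row = New-Object PSObject
        $row | Add-Member -MemberType NoteProperty -Name Source -Value $source
        $row | Add-Member -MemberType NoteProperty -Name Url -Value "$u"
        $row | Add-Member -MemberType NoteProperty -Name OnCertificate `
                          -Value ($sanNames -contains $hostName)
        $row
    }
}

$rows = @(
    Test-UrlAgainstCert 'Autodiscover SCP' (Get-ClientAccessServer |
        ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    Test-UrlAgainstCert 'EWS' (Get-WebServicesVirtualDirectory |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    Test-UrlAgainstCert 'OAB' (Get-OabVirtualDirectory |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    Test-UrlAgainstCert 'UM' (Get-UMVirtualDirectory |
        ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    Test-UrlAgainstCert 'Outlook Anywhere' (Get-OutlookAnywhere |
        Where-Object { $_.ExternalHostname } |
        ForEach-Object { "https://$($_.ExternalHostname)/rpc" })
)

# Rows with OnCertificate = False are names the client will be sent to
# but that the certificate does not cover (for example a leftover old host name).
$rows | Format-Table -AutoSize
```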
 

Author Comment

by:jet-info
ID: 39969086
Hello,

Sorry for the delay...
We "fixed" the issue by forcing the RPC over HTTP connection even on fast networks. It works because the remote and local URLs are the same (remote.domain.com). So the issue must be in the local configuration of RPC, mustn't it?

There were still two old bindings to port 80 for the dyndns.biz URL in the SBS Application Website. I removed them but it changed nothing.

What can I check now, please?

We will re-issue the SSL certificate, but for now we have to fix the problem, which is clearly inside the local network. What do you think?

Thank you for your help !
0
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 1000 total points
ID: 39969701
"There were still two old bindings to port 80 for the dyndns.biz URL in the SBS Application Website. I removed them but it changed nothing."
Make sure that the binding to the correct server name is set for https(443) and that http(80) doesn't have a name in the binding in IIS.  443 should be bound to the correct IP and have the SSL I am referring to bound to it.

Make sense?
0
 

Author Comment

by:jet-info
ID: 40020087
There are a lot of websites in IIS. The Default Website is turned off; instead there is the "SBS Web Applications" site, bound on port 80 for "sites", which also has another binding for http with the name remote.domain.local. In this site, https (443) is bound to the GoDaddy certificate called "Microsoft Exchange" but no name appears, as you can see in the attached screenshot.

I found that there are again two valid certificates, issued by the SBS-Server-CA itself, with IMAP, POP and SMTP services activated. The GoDaddy certificate is activated for IIS, SMTP, POP and IMAP. Do I have to remove these SBS-CA issued certificates or could I leave them as they are?


Thank you in advance for your help, best regards,
SBS-Web-Apps-Bindings.jpg
0
 

Author Closing Comment

by:jet-info
ID: 40043732
Thanks anyway.
0
