Solved

Unable to access Exchange from Remote Outlook Client

Posted on 2014-03-14
Last Modified: 2014-03-14
Hi, just today one of our Outlook clients is experiencing issues trying to connect to Exchange.

When opening Outlook he is getting the following:

Security Alert Box

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

There is a cross by the following:

The name on the security certificate is invalid or does not match the name of the site. Do you wish to proceed?

If I click Yes, nothing happens.

This issue has only just occurred; everything has been fine.

John
0
Question by:pepps11976
 
LVL 10

Expert Comment

by:cpmcomputers
What operating system is on the server?
Do you use a self cert or a third party one?
0
 

Author Comment

by:pepps11976
It's an SBS 2003 server.

What is the easiest way to check if it's a self cert etc.?

I did not set this up.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
SBS 2003 doesn't use web services to connect the client, so the error is coming from somewhere else.
I presume this is Outlook 2007 or higher? If so it is probably Autodiscover, which is an Exchange 2007 or higher feature. However Outlook 2007 and higher doesn't know that you aren't using Exchange 2007 so will attempt to do Autodiscover.

Autodiscover attempts to connect to https://example.com/Autodiscover/Autodiscover.xml and then https://autodiscover.example.com/Autodiscover/Autodiscover.xml (where example.com is your domain name after the @ in the email address).

When you get the SSL error, you can choose to look at the SSL certificate. That should give you an indication of where the prompt is coming from. It could be a router or it could be your web host.

Check whether Autodiscover.example.com resolves. If it does, then you need to remove the wildcard from the DNS entry.
If it does not, then check whether the first URL I posted works. If it does, then check where example.com resolves to. If it is the web host, speak to the web host about turning off the Autodiscover feature that comes with their control panel.

Simon.
0
 

Author Comment

by:pepps11976
Also, if I view the certificate on the client machine when you open up Exchange, it looks like a completely different one; it has no reference to the company etc.
0
 
LVL 10

Expert Comment

by:cpmcomputers
http://blog.feutl.com/2011/05/25/self-signed-ssl-certificat-with-windows-sbs-2003/

This should help.
Also, you can view the certificate from the error message on the client.

For SBS, running a repair using the Internet connection wizard in server management might help.

Is this just one client or all of them?
0
 

Author Comment

by:pepps11976
Hi Simon, this only just seems to have happened though. Why would it have been working then just stop?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
It would start happening because the source of the certificate has changed something, that now means you get the errors. As I wrote above, as you are using SBS 2003 this is NOT coming from the Exchange server, so the change was not something made by you, but by an outside party, most likely the web host.

Simon.
0
 

Author Comment

by:pepps11976
Just realised that I cannot browse

https://domain.com/exchnage

I have checked the server and all services are running?
0
 

Author Comment

by:pepps11976
And I cannot browse locally either: https://127.0.0.1/exchange
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
That would be an unrelated issue, because Autodiscover goes elsewhere.
Is the internal WINDOWS domain domain.com? If not then I wouldn't expect you to be able to browse to domain.com/exchange.

Does the non-https URL work? It might be that someone has tried to fix it by removing the SSL certificate.

Simon.
0
 

Author Comment

by:pepps11976
The domain is domain.local.

HTTP://127.0.0.1/exchnage is also not working.

I have restarted IIS and also the Exchange services.
0
 
LVL 10

Expert Comment

by:cpmcomputers
Just to be sure, can you confirm the Exchange version on SBS and the client Outlook version, and that they are not using OWA or web browsing to email?

Check your cert and that it is valid.
0
 
LVL 10

Expert Comment

by:cpmcomputers
Also check the time and date on your server.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
If the WINDOWS domain is domain.local, then domain.com almost certainly does NOT resolve to the SBS Server. It will probably resolve elsewhere.

You need to look through the event viewer to see if there is a problem with IIS.

Simon.
0
 

Author Comment

by:pepps11976
Hi cpmcomputers,

Time is fine. I'm going to forget the client side for the minute, because if you cannot even browse from the actual machine, then this is going to be the cause, I assume.

Version 6.5 (Build 7226.6 Service Pack 1)
0
 
LVL 10

Expert Comment

by:cpmcomputers
Check your certificate. If it is a self-cert, the following may help:

The self-issued certificate that the CEICW creates is valid for five years. Therefore, if you plan to continue using a self-issued certificate, you should create a new certificate before the existing certificate expires. As a best practice, after you create a self-issued certificate, set a reminder in your calendar to notify you when the expiration date is near. Self-issued certificates for early installations of Windows SBS 2003 begin to expire in 2008. After you create a new certificate, you must distribute it to your network client computers and mobile devices.
 
You can use the Configure E-mail and Internet Connection Wizard (CEICW) that is included with Windows SBS 2003 to create a certificate that is signed by your server.
 
For more information about Creating, Obtaining, and Installing Trusted Certificates in a Windows SBS 2003 Network Environment:
 
http://technet.microsoft.com/en-us/library/cc949119(WS.10).aspx
0
 

Author Comment

by:pepps11976
Comment Utility
ok I will give that a go,

ill post back
0
 
LVL 10

Expert Comment

by:cpmcomputers
Something you might want to try to help diagnose your problem:

Go to https://testconnectivity.microsoft.com/

Run the manual ActiveSync test for your mail server with a valid user and domain, etc.

When the test completes, view the full results.

It should return the following if it is SBS 2003 with a valid self-cert.
Any error will at least show what cert your server is using and allow us to check whether the problem is server side or something to do with Autodiscover/DNS as Simon suggests.



Exchange ActiveSync was tested successfully.
  Additional Details
    Elapsed Time: 91021 ms.

  Test Steps
    Attempting to resolve the host name mail.cpmcomputers.com in DNS.
      The host name resolved successfully.
      Additional Details
        IP addresses returned: 11.11.11.11
        Elapsed Time: 2668 ms.

    Testing TCP port 443 on host mail.cpmcomputers.com to ensure it's listening and open.
      The port was opened successfully.
      Additional Details
        Elapsed Time: 740 ms.

    Testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.
      Additional Details
        Elapsed Time: 611 ms.

      Test Steps
        The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.cpmcomputers.com on port 443.
          The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
          Additional Details
            Remote Certificate Subject: CN=mail.cpmcomputers.com, Issuer: CN=mail.cpmcomputers.com.
            Elapsed Time: 502 ms.

        Validating the certificate name.
          The certificate name was validated successfully.
          Additional Details
            Host name mail.cpmcomputers.com was found in the Certificate Subject Common name.
            Elapsed Time: 0 ms.

        Testing the certificate date to confirm the certificate is valid.
          Date validation passed. The certificate hasn't expired.
          Additional Details
            The certificate is valid. NotBefore = 4/20/2010 8:53:28 AM, NotAfter = 4/20/2015 8:53:28 AM
            Elapsed Time: 0 ms.

    Checking the IIS configuration for client certificate authentication.
      Client certificate authentication wasn't detected.
      Additional Details
        Accept/Require Client Certificates isn't configured.
        Elapsed Time: 736 ms.
0
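Added example, not part of the original thread: the checks discussed so far (the two Autodiscover URLs Outlook tries, whether the certificate name matches the host, whether issuer equals subject, and the expiry date) written as one offline diagnostic. It assumes certificate data in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the function names, `example.com`, `webhost.invalid` and both sample certificates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def autodiscover_urls(email):
    """The two URLs Outlook tries, in the order given in the thread."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"https://{domain}/Autodiscover/Autodiscover.xml",
            f"https://autodiscover.{domain}/Autodiscover/Autodiscover.xml"]

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ())
                    for k, v in rdn if k == "commonName"]

def name_matches(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):  # wildcard covers exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def diagnose(host, cert, now):
    """Return (findings, names) for the certificate that host presented."""
    findings, names = [], cert_names(cert)
    if not any(name_matches(host, n) for n in names):
        findings.append("name-mismatch")   # the Outlook security alert case
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-issued")     # e.g. a CEICW-created certificate
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    return findings, names

# Constructed samples: a web host's shared certificate answering for the mail
# domain, and a self-issued server certificate expiring 03 August 2014.
WEBHOST_CERT = {
    "subject": ((("commonName", "*.webhost.invalid"),),),
    "issuer": ((("commonName", "Constructed Hosting CA"),),),
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
SBS_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("commonName", "mail.example.com"),),),
    "notAfter": "Aug  3 00:00:00 2014 GMT",
}

if __name__ == "__main__":
    today = datetime(2014, 3, 14, tzinfo=timezone.utc)
    for url in autodiscover_urls("john@example.com"):
        host = url.split("/")[2]
        print(host, diagnose(host, WEBHOST_CERT, today))
    print("mail.example.com", diagnose("mail.example.com", SBS_CERT, today))
```

A name-mismatch finding whose certificate names belong to another organisation points at whatever answers on that hostname (web host or router) rather than at the Exchange server.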
 

Author Comment

by:pepps11976
I have checked the server certificate and it says that the issuer seems to be itself, although I am unsure whether that determines if it is a third party one or not.

It also says that it expires 03 August 2014.
0
 

Author Comment

by:pepps11976
Also, even if the certificate had expired, you should still get some kind of login page?
0
 

Author Comment

by:pepps11976
Would it be worth recreating directories as in this article?

http://support.microsoft.com/kb/883380
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
You should be able to browse https://localhost - at most get an SSL prompt, then the default IIS screen. If you don't get that then recreating the virtual directories isn't going to get you anywhere.

Simon.
0
 
LVL 10

Expert Comment

by:cpmcomputers
That's a real sledgehammer to crack a nut at the moment.

Did you run the testexchange connectivity test?
If so, can you post the results? (Alter the IP info before posting.)

How many users on the system?
Is email in Outlook and/or Outlook Web Access working for them?
0
 
LVL 10

Expert Comment

by:cpmcomputers
Agree with Simon here.

There is something basic here?

Check all sites are started in IIS.
0
 

Author Comment

by:pepps11976
OK, I can confirm I cannot even browse http://localhost

I have checked sites and all are started.
0
 
LVL 10

Expert Comment

by:cpmcomputers
If you cannot browse http://localhost or http://serveripaddress then this is a more fundamental problem than the certificate.

(Either should take you to the companyweb homepage.)

I would revisit each stage as follows:

Check you have sufficient hard drive space on the server drives and that there are no apparent errors/corruption.

Check the event logs for any significant errors.

Reboot the server.

Run the internet connection wizard from the server management console.
This will identify and hopefully fix any basic errors on the server.

SBS loves doing things with the wizards!!

Then check all services are up and running.
Check basic server connectivity and Outlook connectivity from a local client?

How many clients on the system - are they all affected?
0
 

Author Comment

by:pepps11976
Internal clients are fine, it's just external clients.

I have rerun the Internet connection wizard with no luck.

I have checked services.

The server can access the internet etc.

The only thing I have not done is rebooted it.
0
 
LVL 10

Accepted Solution

by:
cpmcomputers earned 500 total points
Struggling :-)

Reboot might help.

Can you run the testexchangeconnectivity test?
0
 

Author Comment

by:pepps11976
Yep, good old reboot did the trick. Thanks.
0
 
LVL 10

Expert Comment

by:cpmcomputers
Think it was probably the internet connection wizard and reboot perhaps?

Glad you got it fixed either way.
0
